The effectiveness of learner-controlled information cybersecurity training

Cybersecurity training allows organizations to raise awareness among employees about information security best practices. Employee training and awareness is a critical and neglected area in cybersecurity. Indeed, about 19% of Canadian businesses provided formal training to develop or upgrade their employees' cybersecurity-related skills, and a little over half (51%) of them shared general cybersecurity practices with their employees through email, bulletin boards, or information sessions. However, employees often view cybersecurity training as just another task infringing on their productivity, and organizations make few efforts to evaluate whether employees benefited from the training.

Many cybersecurity training sessions are not effective since they are perceived to be boring and lack user interaction and involvement. However, there has been a rise in a more interactive approach to training that has proven to be more effective. Web-based training has become a popular training medium in organizations, with a variety of different ways to deliver online cybersecurity training, including options to set varying levels of control for the learner.

“Learner control refers to the autonomy given to the learner in having control over the sequence, content, and events of instruction.” Learner control can have both advantages and disadvantages in the context of cybersecurity training. Indeed, some employees might not see information security as being part of their job function and lack the motivation to learn about information security best practices. Also, learner-controlled training could result in learners skipping over content to be done with the training more quickly, or because they overestimate their competence. On the other hand, employees could use the flexibility of learner-controlled training to manage their time effectively by focusing on the topics that they need to learn about.

It is important for organizations to not only provide employees with cybersecurity training but also to evaluate the effectiveness of the training program. The Kirkpatrick evaluation method of training is widely used to examine training effectiveness in work environments using four levels of evaluation: reactions, learning, behavior, and results. In this article, Sherly Abraham and InduShobha Chengalur-Smith focused on two of these evaluation components: the reactions to the training and the learning outcomes of the training. The reaction component measures trainees’ reactions immediately after the training. The learning component evaluates the actual learning acquired as a result of the training.

The authors developed two web-based cybersecurity training programs, one that incorporated learner-control features and another that did not.

The results of the experiment showed that learner-controlled training has a positive effect on training satisfaction, training performance, and self-efficacy. Learner-controlled cybersecurity training could make employees more confident in their abilities to prevent a threat, causing them to feel less susceptible to threats. Regarding the retention of security training, the results of the study showed that training with learner control resulted in higher levels of retention compared to training with no learner control.

As cybersecurity threats continue to evolve, organizations need to ensure that employees are provided with adequate training to raise awareness and knowledge about cyber threats. As such, cybersecurity training programs need to be designed to keep employees motivated and engaged in completing the training.


Cite: Abraham, S., & Chengalur-Smith, I. (2019). Evaluating the effectiveness of learner-controlled information security training. Computers & Security, 87