You are here: Home Contents V19 N2 V19N2_Alshammari.html
Personal tools

House of Cards: Developing KPIs for Monitoring Cybersecurity Awareness (CSA)



Full text

Journal of Information Systems Security
Volume 19, Number 2 (2023)
Pages 133161
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Mohammad Mulayh Alshammari — University of Hail, Saudi Arabia
Dionysios S. Demetis — Hull University Business School, UK
Information Institute Publishing, Washington DC, USA




Non-malicious insider threats continue to pose a significant concern to an organisation’s cybersecurity defence strategy, yet organisations still struggle to contain such insider threats. A critical pillar for doing so rests on the development and monitoring of Cybersecurity Awareness (CSA) programmes. CSA programmes need to be both prioritised and acknowledged as an important and crucial approach to the reduction of such threats. Although CSA programmes are developed on an ad-hoc basis by many organisations, the effectiveness of such programmes and how their entire lifecycle needs to be reviewed, monitored and managed needs to be further explored. In order to do so, this paper extracts a number of key performance indicators (KPIs) for monitoring CSA programmes. The paper relies on empirical data from an in-depth case study of University X in Saudi Arabia and sensitises the research approach by using Kirkpatrick’s four level model as a theoretical scaffold. Through the combined use of Kirkpatrick’s model that is recognised as a comprehensive model for evaluating the results of training and learning programmes and the empirical data from the case study, we offer a customised CSA-oriented model for managing cybersecurity awareness programmes, reflect on its associated KPIs, and consider broader information security management considerations.




Cybersecurity Awareness, Kirkpatrick, Information Security, Key Performance inductors (KPI).




Abawajy, J. (2014). User Preference of Cyber Security Awareness Delivery Methods. Behaviour and Information Technology 33(3), 237–248.

Abawajy, J. et al. (2008). Investigation of Stakeholders Commitment to Information Security Awareness Programs. In 2008 International Conference on Information Security and Assurance, pp 472-476, IEEE, Busan, 2008.

Balozian, P. and Leidner, D. (2017). The Assumptions and Profiles Behind It Security Behavior. In International Conference on System Sciences, pp 4987-4996, Hawaii, USA.

Bettinghaus, E. (1986). Health Promotion and the Knowledge-Attitude-Behavior Continuum. Preventive Medicine 15, 475-491.

Bulgurcu, B. et al. (2010). Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness1. MIS Quarterly 34(3), 523-548.

Chan, A. and Chan, A. (2004). Key Performance Indicators for Measuring Construction Success. Benchmarking: An International Journal 11(2), 203-221.

Chan, M. et al. (2005). Perceptions of Information Security in the Workplace: Linking Information Security Climate to Compliant Behavior. Journal of Information Privacy and Security 1(3), 18-41.

D’Arcy, J. et al. (2009). User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach. Information Systems Research 20, 79-98.

Davis, F. D. et al. (1989). User Acceptance of Computer Technology: A Comparison of Two Theoretical Models. Management Science 35(8), 982-1003.

Dhillon, G. (2007). Principles of Information Systems Security: Texts and Cases. Wiley, Hoboken, NJ.

Dhillon, G. et al. (2016). Interpreting Information Security Culture: An Organizational Transformation Case Study. Computers and Security 56, 63-69.

Dhillon, G. and Torkzadeh G. (2006). Value-Focused Assessment of Information System Security in Organizations. Information Systems Journal 16(3), 293-314.

Doherty, N. F. and Tajuddin S. T. (2018). Towards a User-Centric Theory of Value-Driven Information Security Compliance. Information Technology and People 31(2), 348-367.

Farooq, A. et al. (2015). Observations on Genderwise Differences among University Students in Information Security Awareness. International Journal of Information Security and Privacy 9(2), 60-74.

Foltz, C. B. et al. (2005). Have You Met Your Organization’s Computer Usage Policy? Industrial Management and Data Systems 105(2), 137-146.

Furnell, S. et al. (2023). Assessing Organizational Awareness and Acceptance of Digital Security by Design. Journal of Information Systems Security 19(1), 3-18.

Furnell, S. and Vasileiou I. (2017). Security Education and Awareness: Just Let Them Burn? Network Security 5(9),

Furnell, S. M. et al. (2007). Assessing the Security Perceptions of Personal Internet Users. Computers and Security 26(5), 410-417.

Galba, T. et al. (2015). An Information Security and Privacy Self-Assessment (Ispsa) Tool for Internet Users. Acta Polytechnica Hungarica 12(3), 149-162.

Hanus, B. and Wu Y. (2016). Impact of Users' Security Awareness on Desktop Security Behavior: A Protection Motivation Theory Perspective. Information Systems Management 33(1), 2-16.

Hart, S. et al. (2020). Riskio: A Serious Game for Cyber Security Awareness and Education. Computers and Security 95,

Hitachi, S. (2018). 5 Benefits of Project Management for Cybersecurity. Hitachi Systems Security.

Jaeger, L. (2018). Information Security Awareness: Literature Review and Integrative Framework. In 51st Hawaii International Conference on System Sciences, Hawaii.

Kim, E. (2013). Recommendations for Information Security Awareness Training for College Students. Information Management and Computer Security 22(1), 115-126.

Kirkpatrick, D. L. (1983). Four Steps to Measuring Training Effectiveness. Personal Administrator 28(11), 19-25.

Kirkpatrick, D. L. (1996). Great Ideas Revisited. Training and Development 50(1), 54-57.

Kirkpatrick, D. L. and Kirkpatrick, J. D (2005). Transferring Learning to Behavior: Using the Four Levels to Improve Performance. Berrett-Koehler Publishers.

Kirkpatrick, D. L. and Kirkpatrick J. D. (2006). Evaluating Training Programs. Berrett-Koehler Publishers, Inc, San Francisco: CA.

Korovessis, P. (2011). Information Security Awareness in Academia. International Journal of Knowledge Society Research.

Lebek, B. et al. (2014). Information Security Awareness and Behavior: A Theory-Based Literature Review. Management Research Review 37(12), 1049-1092.

Mani, D. et al. (2014). Information Security in the South Australian Real Estate Industry. Information Management and Computer Security 22(1),

McCormac, A. et al. (2017.) Individual Differences and Information Security Awareness. Computers in Human Behavior 69, 151-156.

Mejias, R. J. (2012). An Integrative Model of Information Security Awareness for Assessing Information Systems Security Risk. 45th Hawaii International Conference on System Sciences, Maui, HI, pp 3258-3267.

Montesdioca, G. P. Z. and Maçada, A. C. G. (2015a). Measuring User Satisfaction with Information Security Practices. Computers and Security 48, 267-280.

Montesdioca, G. P. Z. and Maçada, A. C. G. (2015b). Measuring User Satisfaction with Information Security Practices. Computers and Security 48, 267-280.

Monzelo, P. and Nunes S. (2021). Information Security Awareness and Its Impact on the Ciso's Responsibilities – a Study of the Portuguese Environment. Journal of Information System Security 17(2), 81–102.

Morrison, D. (2018). 5 Reasons Why Cyber Security Projects Fail, Loop.

Okenyi, P. O. and Owens T. J. (2007). On the Anatomy of Human Hacking. Information Systems Security 16(6), 302.

Paddeu, D. (2016). How Do You Evaluate Logistics and Supply Chain Performance? A Review of the Main Methods and Indicators. European Transport/Trasporti europei 61(4), 1-16.

Parmenter, D. (2007). Key Performance Indicators: Developing, Implementing, and Using Winning Kpis. John Wiley and Sons, New Jersey.

Parmenter, D. (2010). Key Performance Indicators (Kpi): Developing, Implementing, and Using Winning Kpis. John Wiley and Sons, Hoboken, New Jersey.

Parsons, K. et al. (2014). A Study of Information Security Awareness in Australian Government Organisations. Information Management and Computer Security 22(4), 334-345.

Pathari, V. and Sonar, R. (2012). Identifying Linkages between Statements in Information Security Policy, Procedures and Controls. Information Management and Computer Security 20(4), 264-280.

Pattinson, M. et al. (2017). Managing Information Security Awareness at an Australian Bank: A Comparative Study. Information and Computer Security 25(2), 181-189.

Pérez-González, D. et al. (2019). Organizational Practices as Antecedents of the Information Security Management Performance: An Empirical Investigation. Information Technology and People 32(5), 1262-1275.

Ponemon, and I. B. M. (2017). Cost of Data Breach Study: Global Overview. Ponemon, North Traverse City, Michigan.

Puhakainen, P. and Siponen, M. (2010). Improving Employees’ Compliance through Information Systems Security Training an Action Reseach Study. MIS Quarterly 34(4), 757-778.

Radujkovic, M. and, et al. (2010). Application of Key Performance Indicators in South-Eastern European Construction. Journal of Civil Engineering and Management 16, 521-530.

Rahim, N. H. A. et al. (2015). A Systematic Review of Approaches to Assessing Cybersecurity Awareness. Kybernetes 44(4), 606-622.

Rezgui, Y. and Marks A. (2008). Information Security Awareness in Higher Education: An Exploratory Study. Computers and Security 27, 241-253.

Rhee, H-S. et al. (2009). Self-Efficacy in Information Security: Its Influence on End Users' Information Security Practice Behavior. Computers and Security 28(8), 816-826.

Rhee, H-S, et al. (2012). Unrealistic Optimism on Information Security Management. Computers and Security 31(2), 221-232.

Roy, S. et al. (2011). Detecting and Defeating Sql Injection Attacks. International Journal of Information and Electronics Engineering 1(1),

Safa, N. S. et al. (2016). Information Security Policy Compliance Model in Organizations. Computers and Security 56(70), 70-82.

Sheng, S. et al. (2010). {Who Falls for Phish?: A Demographic Analysis of Phishing Susceptibility and Effectiveness of Interventions. In SIGCHI Conference on Human Factors in Computing Systems, pp 373-382, ACM, New York, NY, USA.

Siponen, M. T. (2000). Critical Analysis of Different Approaches to Minimizing User-Related Faults in Information Systems Security: Implications for Research and Practice. Information Management and Computer Security 8(5), 179-209.

Slusky, L. and Navid P. P. (2012). Students Information Security Practices and Awareness. Journal of Information Privacy and Security 8(4), 3-26.

Spears, J. and Barki H. (2010). User Participation in Information Systems Security Risk Management. MIS Quarterly 34(3), 503-522.

Stanton, J. M. et al. (2005). Analysis of End User Security Behaviors. Computers and Security 24(2), 124-133.

Tripathi, K. K. and Jha K. N. (2018). An Empirical Study on Performance Measurement Factors for Construction Organizations. KSCE J Civ Eng 22, 1052-1066.

Walsham, G. (2006). Doing Interpretive Research. European Journal of Information Systems 15, 320-330.

Whitman, M. E. and Mattord H. J. (2012). Principles of Information Security. Thomson Course Technology, Boston, MA, USA.

Wiley, A. et al. (2020). More Than the Individual: Examining the Relationship between Culture and Information Security Awareness. Computers and Security 88.