Cybersecurity Awareness in The Context of The Industrial Internet of Things: A Systematic Literature Review
Computers in Industry
journal homepage: www.elsevier.com/locate/compind
Angelo Corallo, Mariangela Lazoi, Marianna Lezzi ⁎, Angela Luperto
Università del Salento, Dipartimento di Ingegneria dell’Innovazione, Campus Ecotekne, Via per Monteroni, 73100 Lecce, Italy
ARTICLE INFO

Article history:
Received 30 July 2021
Received in revised form 10 December 2021
Accepted 22 January 2022
Available online 3 February 2022

Keywords:
Cybersecurity awareness
Information security awareness
Industrial internet of things
Industry 4.0
Cybersecurity awareness techniques

ABSTRACT

Cybersecurity is one of the main challenges faced by companies in the context of the Industrial Internet of Things (IIoT), in which a number of smart devices associated with machines, computers and people are networked and communicate with each other. In this connected industrial scenario, personnel need to be aware of cybersecurity issues in order to prevent or minimise the occurrence of cybersecurity incidents and corporate data breaches, and thus to make companies resilient to cyber-attacks. In addition, the recent increase in smart working due to the COVID-19 pandemic means that the need for cybersecurity awareness is more relevant than ever.

In this study, we carry out a systematic literature review in order to analyse how the existing state of the art deals with cybersecurity awareness in the context of IIoT, and to provide a comprehensive overview of this topic. Four areas of analysis are considered: (i) definitions of the concepts of cybersecurity awareness and information security awareness, with keyword extrapolation (e.g. cybersecurity control level, information and responsibility); (ii) the industrial context of the analysed studies (e.g. manufacturing, critical infrastructure); (iii) the techniques adopted to raise company awareness of cybersecurity (e.g. serious games, online questionnaires); and (iv) the main benefits of a large-scale campaign of cybersecurity awareness (e.g. the effectiveness of employees in terms of managing cybersecurity issues, identification of cyber-attacks). Practitioners and researchers can benefit from our analysis of the features of each area in their future research and applications.

© 2022 Elsevier B.V. All rights reserved.
Contents
1. Introduction
2. Research method
3. Selection process for literature resources
4. Analysis of literature resources
4.1. Definitions
4.2. Industrial context
4.3. Techniques for raising cybersecurity awareness
4.3.1. Cybersecurity awareness systems
4.3.2. Cybersecurity awareness methods and methodologies
4.3.3. Cybersecurity awareness methodological frameworks
4.3.4. Cybersecurity awareness models
4.3.5. Surveys
4.3.6. Insights into the main features of cybersecurity awareness techniques
4.4. Benefits of cybersecurity awareness
5. Discussion
6. Conclusions
⁎ Corresponding author.
E-mail address: marianna.lezzi@unisalento.it (M. Lezzi).
https://doi.org/10.1016/j.compind.2022.103614
0166-3615/© 2022 Elsevier B.V. All rights reserved.
A. Corallo, M. Lazoi, M. Lezzi et al. Computers in Industry 137 (2022) 103614
[Fig. 1. The four steps of the SLR. Review planning: 1.1 Definition of analysis objectives. Search execution: 2.1 Source interrogation through search queries. Document analysis: 3.1 Examination of selected documents. Reporting of results: 4.1 Quantitative description of consulted references.]
the SLR procedure proposed by Corallo et al. (2021a) was adopted in this work, as it was considered most suitable with respect to the objectives of this research paper. An SLR was carried out following four steps: (i) review planning; (ii) search execution, (iii) analysis of documents; and (iv) reporting of results. Each stage involves specific activities that were performed in sequential order, as illustrated in Fig. 1.

Although our literature review cannot be considered exhaustive, we provide an important overview of the role played by cybersecurity awareness in industrial contexts as a means of preventing or minimising the occurrence of cybersecurity incidents and corporate data breaches, and of making companies resilient to cyber-attacks. This is an emerging field of research at the international level.

3. Selection process for literature resources

Using the SLR strategy, once the objective of the analysis has been defined, our search process involved the selection of scientific papers from Scopus (www.scopus.com) and Web of Science (www.webofknowledge.com), as the two major and most comprehensive sources of publication metadata and impact indicators (Pranckutė, 2021; Pranckutė, 2021). All sources were accessed in June 2021.

Our search criteria were based on two keywords: “cybersecurity awareness” and “Industrial Internet of Things”. However, in order to strengthen the search, several variants were considered. In particular, with regard to the first keyword, we also used the term “information security awareness”, which is better known in the literature. With regard to the second keyword, we included the acronym “IIoT” and the terms “Industrial Internet”, “Industry 4.0”, “smart manufacturing” and “smart factory” in the search query. A preliminary analysis of the definitions of IIoT found in the literature (Xu et al., 2017; Van Lier, 2017; Smith, 2017; Palavicini et al., 2017; Urquhart and McAuley, 2018; Hassanzadeh et al., 2015; Gurtov et al., 2016) indicated that all of these terms could be related to the concept of IIoT.

Following this preparatory analysis, the following search query was established:

poorly investigated in the literature in reference to modern industrial contexts, characterised by the use of IoT, big data analytics, cloud computing technologies, and wireless sensor networks. We therefore added the term “Industr*” to the query to extend our analysis to the entire industrial scenario. The complete search query was then as follows:

• (“Cybersecurity awareness” OR “Information security awareness” OR “Cyber security awareness”) AND (“Industr*” OR “Industry 4.0” OR “Smart manufacturing” OR “Smart Factory” OR “Industrial Internet of Things” OR “IIoT” OR “Industrial Internet”).

We then applied a process of filtering and selection to these papers with respect to the research objective. This process is represented numerically in Fig. 2.

The Scopus search, which was conducted using the 'title', 'abstract' and 'keywords' fields, returned 98 articles, whereas the Web of Science search, conducted based on the 'topic' field (involving title, abstract, author keywords and ‘keywords plus’), returned 41 articles. In view of the search requirements, these articles were then filtered, based on language (to select only documents in English) and document type (to exclude conference papers). At this stage, no filter was applied with respect to the subject area.

From an initial selection of 139 scientific papers (as shown in the “#Results” column in Fig. 2), the application of filters for language and document type reduced the number of papers to 120 (as shown in the “#Filtered Results” column in Fig. 2). A comparative analysis of the title and authors of the papers was carried out to avoid multiple inclusions of the same paper from different sources (Scopus and Web of Science), which reduced this number to 83 (as shown in the “Filter duplicate documents” column in Fig. 2). After reading the title, abstract and keywords, 50 papers were discarded from the analysis, as they were not in line with the objectives of the study. We then analysed the entire content of the remaining 33 articles (shown in the “Selection after reading title and abstract” column in Fig. 2). This revealed that some of the papers did not make explicit reference to the concepts of cybersecurity awareness or information security awareness, or did not mention any methods or tools for supporting compliance with corporate cybersecurity policies. As a result, a total of 23 papers (shown in the “Selection after reading paper” column in Fig. 2) were found to be highly relevant references in terms of investigating the role of cybersecurity/information security awareness in smart industrial environments.

Table 1 shows a summary of the selected references. In particular, it can be observed that although cybersecurity awareness began to be investigated in industrial contexts in 2008, a significant increase in scientific production has occurred since 2018. Of the 23 scientific papers selected, the majority were conference papers (13), a large proportion were articles (eight) and only two were book chapters. An examination of the country of origin of the authors shows that there are six papers from South Africa, four from Australia, two each from Germany, Korea, Greece and the UK, and only one each from Italy, Finland, the USA, China, Luxembourg, Ghana, Malaysia and Japan.

Table 1
Details of selected scientific papers.

| No. | Reference | Document type | Year | Affiliation | Country |
|---|---|---|---|---|---|
| 1 | (Maggi et al., 2021) | Conference paper | 2021 | Trend Micro Italy | Italy |
| | | | | Politecnico di Milano | Italy |
| 2 | (Lechner et al., 2020) | Article | 2020 | Siemens AG | Germany |
| | | | | Universität der Bundeswehr München | Germany |
| | | | | Instituto Universitario de Lisboa | Portugal |
| 3 | (Kam et al., 2020) | Article | 2020 | University of Tampa | USA |
| | | | | University of Richmond | USA |
| | | | | University at Albany | USA |
| 4 | (Prins et al., 2020) | Conference paper | 2020 | University of Johannesburg | South Africa |
| 5 | (Bello and Maurushat, 2020) | Conference paper | 2020 | School of Social Sciences, WSU | Australia |
| 6 | (Aldawood and Skinner, 2020) | Article | 2020 | University of Newcastle | Australia |
| 7 | (Gundu, 2019) | Conference paper | 2019 | Sol Plaatje University | South Africa |
| 8 | (Li, Wang, and Qj, 2018) | Conference paper | 2018 | Space Engineering University | China |
| 9 | (Tsohou and Holtkamp, 2018a, 2018b) | Article | 2018 | Ionian University | Greece |
| | | | | Università di Jyväskylä | Finland |
| 10 | (Cook et al., 2018) | Book chapter | 2018 | De Montfort University | UK |
| 11 | (Kritzinger et al., 2018) | Conference paper | 2018 | University of South Africa | South Africa |
| 12 | (Tsuchiya et al., 2018) | Book chapter | 2018 | Nagoya Institute of Technology | Japan |
| 13 | (Adu and Adjei, 2020) | Article | 2018 | University of South Africa | South Africa |
| | | | | University of Ghana | Ghana |
| 14 | (Lee et al., 2016) | Conference paper | 2016 | SK Infosec | Korea |
| | | | | Yonsei University | Korea |
| 15 | (Daniel Ani, et al., 2016) | Conference paper | 2016 | Cranfield University | UK |
| 16 | (Cholez and Girard, 2014) | Article | 2014 | CRP Henri Tudor | Luxembourg |
| 17 | (Kaur and Mustafa, 2013) | Conference paper | 2013 | Universiti Teknologi MARA | Malaysia |
| 18 | (Haeussinger and Kranz, 2013) | Conference paper | 2013 | University of Göttingen | Germany |
| 19 | (Gundu and Flowerday, 2013) | Article | 2013 | University of Fort Hare | South Africa |
| 20 | (Tsohou et al., 2010) | Conference paper | 2010 | University of the Aegean | Greece |
| | | | | Athens University of Economics and Business | Greece |
| 21 | (Kritzinger and Smith, 2008a, 2008b) | Article | 2008 | University of South Africa | South Africa |
| 22 | (Abawajy et al., 2008) | Conference paper | 2008 | Deakin University | Australia |
| | | | | Hannam University | Korea |
| 23 | (Dojkovski et al., 2006) | Conference paper | 2010 | Deakin University | Australia |

4. Analysis of literature resources

To evaluate the selected papers, a matrix was created to record certain metadata about each paper and its authors. This matrix was composed of 13 records, in which the following information was stored: title; authors and their affiliations; year of publication; source; reference; abstract; keywords; focus of the study; industry of reference; definition of cybersecurity awareness; definition of information security awareness; techniques used to investigate company compliance with cybersecurity policies and employees’ security-related behaviour; and the benefits of cybersecurity awareness within the company. The first eight fields of the matrix consisted of general information on the papers, which made it possible to track the consulted references, while the remaining five fields corresponded to the objectives of our research work (i.e., to investigate the terms in which the concept of cybersecurity awareness is addressed in Internet-based industrial contexts). In particular, it was important to create a taxonomy of the concepts of cybersecurity awareness and information security awareness, in order to identify the main differences and similarities; it was also important to identify the industries to which these concepts were mainly applied, in order to highlight any gaps that needed to be filled. Moreover, in order to systematise the knowledge base regarding techniques for supporting companies in increasing cybersecurity awareness, we carried out a review of the solutions available in the literature. These techniques are referred to using a wide number of different terms, such as systems, methods, models, methodologies, methodological frameworks, and surveys. Finally, the main benefits to companies, in terms of business performance, of increasing cybersecurity awareness were highlighted.
Table 2
Areas of analysis.
TOPIC FOCUS
These categories of information were analysed and compared between the different papers, and the main results are discussed. Table 2 shows the four areas of analysis considered in this study, and the results of this comparative review are discussed in the following sections.

4.1. Definitions

An analysis of the selected papers showed that several definitions of information security awareness were used. However, none of the studies provided a definition of cybersecurity awareness, which is a key aspect of our study. A further literature search was therefore conducted through which the following definitions of cybersecurity awareness were collected:

• “The degree of understanding of users about the importance of information security and their responsibilities and acts to exercise sufficient levels of information security control to protect the organization’s data and networks” (Shaw et al., 2009);
• “All the steps that are taken to raise the cyber security knowledge level at the end-users and direct them to react properly online” (Shamsi, 2019);
• “The security training that is used to inspire, stimulate, establish and rebuild cyber security skills and expected security practise from a specific audience. Cybersecurity awareness is used to promote and encourage Internet users to practise safety precautions, and train them on online defence methods. Furthermore, it equips these users with cyber security skills on all the aspects of cyber security so that not only the nation network infrastructures are kept resilience to cyber-attacks and threats, but also the users are well informed” (Dlamini and Modise, 2012);
• “A methodology to educate internet users to be sensitive to the various cyber threats and the vulnerability of computers and data to these threats” (Siponen, 2000).

A comparative analysis of these definitions made it possible to identify several keywords: data and network infrastructures (Shaw et al., 2009; Shamsi, 2019; Dlamini and Modise, 2012; Siponen, 2000), cybersecurity knowledge/control level (Shaw et al., 2009; Shamsi, 2019), cyber threats, cyber-attacks and vulnerabilities (Dlamini and Modise, 2012; Siponen, 2000). Based on these definitions and keywords, it can be seen that cybersecurity awareness has two main roles: (i) to educate industrial workers to become conscious of cyber threats and cyber-attacks (Dlamini and Modise, 2012) in order to protect companies' data and network infrastructures (Shaw et al., 2009); and (ii) to increase their level of knowledge about cyber threats and vulnerabilities (Siponen, 2000).

By analysing the papers found in the literature in terms of the concept of information security awareness, it was possible to acquire a number of further definitions. Some of the most significant definitions of information security awareness are as follows:

• “Understanding of security threats and their consequences, information security policies rules, as well as resulting responsibilities” (Tsohou and Holtkamp, 2018a, 2018b);
• “A measure of the extent to which an organisation’s employees understand the importance and implications of maintaining an acceptable level of security of their organisation’s information assets” (Pattinson et al., 2017);
• “An employee’s state of mind, which is characterized by recognizing the importance of information security systems and being aware and conscious about information systems security objectives, risks and threats, and having the required knowledge to use information system responsibly” (Kaur and Mustafa, 2013);
• “Ensuring that all employees in an organisation are aware of their role and responsibility towards securing the information they work with” (Kritzinger and Smith, 2008a, 2008b).

A comparative analysis of the different definitions was also carried out for the concept of information security awareness, leading to several keywords: awareness/consciousness (Haeussinger and Kranz, 2013; Kritzinger and Smith, 2008a, 2008b), threats and risks (Tsohou and Holtkamp, 2018a, 2018b; Haeussinger and Kranz, 2013), understanding/knowledge (Tsohou and Holtkamp, 2018a, 2018b; Kaur and Mustafa, 2013; Haeussinger and Kranz, 2013), information (Tsohou and Holtkamp, 2018a, 2018b; Kaur and Mustafa, 2013; Haeussinger and Kranz, 2013; Kritzinger and Smith, 2008a, 2008b; Tsohou et al., 2010) and responsibility (Tsohou and Holtkamp, 2018a, 2018b; Kaur and Mustafa, 2013; Kritzinger and Smith, 2008a, 2008b). In this case, it was revealed that being aware of the risks and threats to information security, and hence having the knowledge to use information responsibly and understand its importance to the company, allows employees to be responsible for the security of the information they work with. These concepts are extremely important, since for many companies, employees represent the main source of weakness in terms of cybersecurity (Kaspersky Lab, 2018). In fact, it has been estimated that 85% of company data breaches are related to human error (Verizon, 2021).

Finally, when we put together these concepts, it can be seen that there are some slight differences between cybersecurity awareness and information security awareness; unlike the latter, the former has a ‘cyber’ component and a focus on protecting networks, data and information. However, the goals of the two concepts are the same: both cybersecurity and information security awareness increase the employees' level of knowledge about possible security threats, system vulnerabilities and security risks, and allow them to be responsible in terms of information security and aware of possible cyber-attacks, thus ensuring that the information, systems and networks they interact with are well protected. Fig. 3 shows a graphical representation of the main elements extracted from the concepts of cybersecurity awareness and information security awareness.

4.2. Industrial context

In this section, we give an overview of the industries in which the topic of cybersecurity awareness has been addressed, to highlight any gaps that need to be filled. This study was carried out based on the 83 papers resulting from the first stage of the filtering process (see Fig. 2), in which only the filters for language, document type and duplicate papers were applied. From this analysis, it was possible to identify a number of industries that were not relevant to the focus of interest (see Table 3). Table 4 shows the relevant industries, i.e., those in which the issue of cybersecurity awareness has been addressed by explicitly or implicitly referring to IIoT environments. This table also includes papers in which cybersecurity awareness has been addressed with reference to IIoT environments, but where no specific industry was mentioned.

From Table 3, it can be inferred that the concept of cybersecurity awareness is most popular in the following domains: academia and education (with 10 papers); legal and banking, business operations and health (with seven papers each). Table 4 reveals that cybersecurity awareness was referred to in relation to the following Internet-based industries: manufacturing (mentioned only in one paper) and critical infrastructure (mentioned in two papers).

A comparison was therefore carried out between the industries shown in Table 3 and those within the IIoT environment, shown in Table 4. From this comparison, it first emerged that more targeted
studies would be needed in the field of cybersecurity awareness, both in the manufacturing industry and in the critical infrastructure industry, as these are still under-represented in the literature. Secondly, these studies should include specific discussions with respect to high-tech manufacturing sectors (such as automotive and aerospace), in order to provide a solid knowledge base of techniques that would be useful in increasing the level of cybersecurity awareness in these critical sectors, which are representative of the IIoT paradigm.

Finally, although there were many papers in which the industry was not made explicit, these were useful in terms of providing an overview of techniques for supporting companies to increase cybersecurity awareness in the context of IIoT.

Table 3
Industry analysis of papers that were not relevant to the research objective.

Table 4
Industry analysis of papers that were relevant to the research objective.

4.3. Techniques for raising cybersecurity awareness

After providing an overview of the industrial sectors in which the concept of cybersecurity awareness was addressed, the next step was to identify techniques in the literature aimed at increasing cybersecurity awareness within the industrial context. As previously mentioned, several terms may be used to refer to such techniques (i.e., systems, methods, models, methodologies, methodological frameworks, and surveys). The following sections are dedicated to each of these, as treated in the selected papers.

4.3.1. Cybersecurity awareness systems

Special Publication 800-34 from NIST (Swanson et al., 2010) defines a system as “a discrete set of resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information”.

With the aim of raising awareness of cybersecurity, (Maggi et al., 2021) propose a smart manufacturing system that is able to analyse possible attacks and promote a more compartmentalised security architecture. This system comprises seven stations, each with programmable logic controllers (PLCs) and human machine interfaces (HMIs), various physical actuators (e.g., drills, presses), Arduino-based sensors, an inspection camera, a conveyor belt, and an industrial robot. The countermeasures adopted to achieve a more compartmentalised architecture are: (i) employing a behavioural-based detection system that can recognise when any software component is performing generically suspicious activities (e.g., suddenly modifying numerous files); (ii) detecting vulnerable or malicious apps and implementing an authentication mechanism to prevent phishing attacks.

In their study, (Gasiba et al., 2020) assume that one possible way to raise cybersecurity awareness is by employing serious games. In particular, they propose the use of a new cybersecurity awareness platform called Sifu, which allows these games to take place online by combining serious game techniques with cybersecurity. This platform automatically assesses challenges in terms of compliance with secure coding guidelines and uses an artificial intelligence method to provide players with solution-guiding hints to rectify or rewrite parts of the source code of a simple software project, in order to eliminate one or more known vulnerabilities and preserve the functionality of the system. In this way, the Sifu platform enables remote (online) learning and provides a preliminary analysis of the suitability of the proposed architecture in terms of increasing the cybersecurity awareness of software developers in industrial environments. Table 5 characterises the systems found in the literature that aim to increase cybersecurity awareness.

4.3.2. Cybersecurity awareness methods and methodologies

According to the Guide to the Software Engineering Body of Knowledge (IEEE Computer Society, 2014), a formal method is used “to specify, develop, and verify the software through application of a rigorous mathematically based notation and language”. A methodology is considered to be a system of methods.

(Cook et al., 2018) and (Tsuchiya et al., 2018) show that cybersecurity awareness can be increased through the adoption of learning methods based on the use of serious games. In particular, the work of (Cook et al., 2018) uses SCIPS (Simulated Critical Infrastructure Protection Scenarios), a configurable serious gaming environment for experiential learning, which can be adapted to specific industries. This serious game raises awareness of cybersecurity using fear appeals, and is intended for senior stakeholders within critical national infrastructure (CNI) organisations. For this reason, the game focuses on the strategic risks to a CNI facility, and presents scenarios in which participants experience the financial implications of a cyber-attack on an industrial control system. This game is mainly collaborative (multiplayer), with some competitive elements that drive conversation among players about how to reallocate budgets in order to mitigate cyber threats. The flow of the game follows a campaign that models a series of events based on a typical cyber kill-chain, in order to provide a credible scenario that leads to cyber-attacks. Moreover, the game consists of time-limited rounds.

(Tsuchiya et al., 2018) propose Kaspersky Interactive Protection Simulation (KIPS), a hybrid game with a game board, action cards and a game console. This game aims to deepen the common understanding of cyber incidents in order to improve cybersecurity awareness for critical infrastructure companies. The game board represents the plant and the network configuration of the virtual company, as it is useful for players to understand how the plant and the devices related to its operation work. The action cards represent a set of cybersecurity countermeasures. Finally, the game console is used to simulate the game and provides players with information about the virtual company.

(Lee et al., 2016) adopt the latent Dirichlet allocation (LDA) topic modelling method and use an algorithm to identify information security issues by analysing words in a body of text that specifically relate to people's concerns about cybersecurity issues. They also implement a sentiment analysis technique in accordance with ISO270:2014 to compare the results and to improve the accuracy of their analysis. To conduct this analysis, a scale with scores ranging from zero to five was used to analyse three aspects of security, relating to technical, administrative, and physical factors. The authors believe that it is possible to improve the awareness of information security in this way.

Finally, the work of (Bello and Maurushat, 2020) uses a qualitative methodology to identify cybersecurity awareness and educational solutions that can be used to mitigate the risks of socially engineered ransomware attacks. The qualitative data for the study were collected via semi-structured interviews with 30 senior management employees. These data are analysed using a thematic content analysis technique to identify themes and models from the responses. The themes and models that are identified as ensuring cybersecurity training and awareness are: (i) serious games, in which the training technique is based on virtual, real-time scenario formation, which enables a trainee to learn about different attack situations and how to deal with them; (ii) the use of remote virtual labs to enable trainees to learn about security threats; (iii) simulation training, where a model of a real threat can be deployed to conduct experiments, which is useful in understanding the behaviour of trainees or evaluating various mitigation strategies; (iv) gamification training, with a focus on assessing the behaviour of hypothetical victims using gaming strategies in non-game activities; and (v) software applications based on the security threats that need to be addressed by the companies.

Table 6 gives an overview of the methods and methodologies found in the literature that aim to increase cybersecurity awareness.

4.3.3. Cybersecurity awareness methodological frameworks

A methodological framework provides structured practical guidance or a tool to guide the user through a process, using stages or a step-by-step approach (McMeekin et al., 2020).

Three research papers (Tsohou et al., 2010; Cholez and Girard, 2014) (Dojkovski et al., 2006) propose methodological frameworks for promoting, sensitising and evaluating information security awareness in industries. In the first case, the work conducted by (Tsohou et al., 2010) suggests a theoretical and methodological framework based on the actor network theory (ANT) and the due process model, which allows researchers and practitioners to more effectively analyse, understand and manage security awareness activities. An ANT-based analysis is carried out to consider the different roles of the actors involved, in order to improve understanding of information security awareness based on their interests and activities within the organisation and to examine how network stability emerges and evolves. Stability means that the actor-network and its underlying ideas have become institutionalised, and are no longer seen as controversial. The due process model is applied to the process of decision-making in order to provide a dynamic view of the transformation of the network over time and to identify the most suitable actors to ensure that this network is protected. In the second paper, (Cholez and Girard, 2014) present a framework composed of (i) a concept (in this case, a maturity assessment for small and medium enterprises (SMEs)); (ii) a method (consisting of interviews with stakeholders on organisational and operational issues) and (iii) a tool (based on the ISO/IEC 27001 standard) to assess the level of maturity of information security and to provide an overview of information security in these enterprises. Their framework can be useful as a first approach to information security, to identify critical problems and associated
A. Corallo, M. Lazoi, M. Lezzi et al. Computers in Industry 137 (2022) 103614
Table 6
Cybersecurity awareness methods and methodologies.

SCIPS (Simulated Critical Infrastructure Protection Scenarios), 2018 (Cook et al., 2018): Learning method using a configurable serious gaming environment to raise cybersecurity awareness.
• Configurable serious game
• Experiential learning
• Fear appeals
• Strategic risks

KIPS (Kaspersky Interactive Protection Simulation), 2018 (Tsuchiya et al., 2018): Learning method using a hybrid game to raise cybersecurity awareness.
• Hybrid game
• Game board, action cards and game console
• Game simulator
• Incident simulation
• Countermeasure’s analysis

LDA (latent Dirichlet allocation), 2016 (Lee et al., 2016): LDA (latent Dirichlet allocation) topic modelling method to improve the awareness of information security.
• Algorithm focusing on information security issues
• Word analysis
• Sentiment analysis
• Comparison of results

TCA (thematic content analysis) technique, 2020 (Bello and Maurushat, 2020): Qualitative methodology using a thematic content analysis technique to identify solutions to ensure cybersecurity awareness.
• Education solutions
• Qualitative data collection
• Semi-structured interviews
• Themes and models identification
• Remote virtual labs
• Training on virtual scenario
• Simulation training
• Gamification training
• Evaluation of the hypothetical behaviour of victims
Table 7
Methodological frameworks for cybersecurity awareness.

Theoretical and methodological framework, 2010 (Tsohou et al., 2010): Theoretical and methodological framework based on the actor network theory and the due process model.
• Actor network theory
• Due process model
• Analysis of security awareness activities
• Management of security awareness activities
• Process of decision-making

Maturity assessment and process improvement framework, 2014 (Cholez and Girard, 2014): Framework to assess the level of maturity of information security and to provide an overview of information security in enterprises.
• Maturity assessment
• Interviews with stakeholders
• ISO/IEC 27001 standard

Conceptual framework, 2006 (Dojkovski et al., 2006): Conceptual framework for developing an information security culture in SMEs.
• Individual and organisational learning
• Cooperation, collaboration, and knowledge sharing
• Awareness programs, training and education
• Management initiatives
• Value network for companies to share knowledge
security awareness in the organisation, to ensure that all new information security issues are handled and integrated.

(Tsohou and Holtkamp, 2018a, 2018b) develop an ISP (Information Security Policies) compliance competence model that can be used by organisations to communicate their rules on the use of information systems. This model is based on three main dimensions of competence: attitudes towards compliance with information security policies; skills in terms of perceiving the benefits resulting from compliance behaviour; and knowledge of security awareness and related policies.

An awareness campaign on the information security awareness process is presented by (Gundu and Flowerday, 2013). This campaign uses a behavioural intention model based on three persuasive theories: (i) the theory of reasoned action, which explains how an employee’s behaviour towards information security is influenced by perceived corporate expectations; (ii) protection motivation theory, which is based on a prediction of an individual’s intention to engage in protective actions; and (iii) behaviourism theory, in which the learning represents the acquisition of new behaviour through conditioning.

Lastly, to fill the gap between knowledge of cybersecurity and associated attitudes toward cybersecurity practices, (Gundu, 2019) develops a model built on the theory of planned behaviour (TPB) and deterrence theory (DT). The TPB asserts that employee behaviour is motivated by behavioural intentions: stronger behavioural intent is more likely to be translated into actual behaviour. On the other hand, the DT claims that control over employees is achieved through fear of punishment or loss of remuneration, as this is the only way to improve their attitudes towards compliance with cybersecurity policies.

Table 8 summarises the models found in the literature that are useful in raising cybersecurity awareness.

4.3.5. Surveys

A survey "provides a quantitative description of trends, attitudes, and opinions in a population, or tests associations between variables in a population, by studying a sample of that population" (Creswell
Table 8
Cybersecurity awareness models.

Cybersecurity awareness model, 2018 (Li et al., 2018): Cyber security awareness model based on connectionism theories to facilitate the evaluation of cybersecurity awareness training.
• Connectionism theories
• Construction and evaluation of cybersecurity awareness training systems
• Parallel structure and processing mechanisms
• Distributed characterisation and processing
• Continuity and sub-symbol characterisation
• Huge tolerance
• Self-learning, self-adaptation and self-organising functions

WCSC (Workforce Cyber Security Capability), 2016 (Daniel et al., 2016): The WCSC model can help enterprises to evaluate the level of cybersecurity awareness of employees and their responsiveness.
• Knowledge level
• Skill level
• Knowledge accumulated from experience

ISRA (Information Security Retrieval and Awareness), 2008 (Kritzinger and Smith, 2008a, 2008b): Multi-dimensional Information ISRA model that consists of three parts: ISRA dimensions, information security retrieval and awareness, and measuring and monitoring.
• Three-dimensional approach
• Relevant information is retrieved
• Measuring and monitoring of security information

ISP (Information Security Policies), 2018 (Tsohou and Holtkamp, 2018a, 2018b): ISP compliance competence model can be applied to investigate the competencies associated with users' ISP compliance behaviour.
• Attitudes, skills and knowledge

BIM (Behavioural Intention Model), 2013 (Gundu and Flowerday, 2013): Awareness campaign using an information security awareness model based on three theories: theory of reasoned action, protection motivation theory and behaviourism theory.
• Theory of reasoned action
• Protection motivation theory
• Behaviourism theory
• Information security behaviour
• Perceived expectation
• Engagement in protective actions
• Acquisition of new behaviour

Cybersecurity policy compliance motivation/reinforcement model, 2019 (Gundu, 2019): Model based on the theory of planned behaviour (TPB) and deterrence theory (DT) to fill the gap between knowledge of cybersecurity and associated attitudes towards cybersecurity practices.
• Theory of planned behaviour
• Deterrence theory
• Attitudes towards cybersecurity practices
• Behavioural intentions
Table 9
Cybersecurity awareness surveys.

Online questionnaire, 2020 (Kam et al., 2020): Questionnaire as an appropriate tool to empirically investigate the relationship between industry and information security awareness.
• Collection of data
• Neo-institutional theory
• Data analysis
• Partial least squares (PLS) with SmartPLS 3.2 software

Online questionnaire, 2020 (Prins et al., 2020): Questionnaire as an appropriate tool to collect data about the participant’s knowledge of cybersecurity awareness and perceived level of impact regarding risks.
• Collection of data
• Four-point Likert scale
• Document analysis

Online questionnaire, 2020 (Aldawood and Skinner, 2020): Questionnaire as tool to find the best working tools to mitigate threats besides awareness programs and then to provide reliable solutions to create a safe work environment.
• Collection of data
• Qualitative research approach
• Questions based on intuition, opinion and experience
• Semi-structured questions
• Theoretical thematic analysis

Online questionnaire, 2018 (Kritzinger et al., 2018): Questionnaire as tool to explore possible new trends in creating awareness among cyber users.
• Collection of data
• Qualitative research approach
• Inductive approach
• Open-ended questions

Online questionnaire, 2020 (Adu and Adjei, 2020): Questionnaire as appropriate tool to collect data on employees' knowledge of cybersecurity awareness and to assess their awareness of information security.
• Collection of data
• Information on different aspects (demographics, cyber security practices, cybercrime awareness, and incident reporting)

Online questionnaire, 2013 (Kaur and Mustafa, 2013): Questionnaire used to evaluate employees' information security awareness.
• Collection of data
• Seven-point Likert scale

Online questionnaire, 2013 (Haeussinger and Kranz, 2013): Questionnaire as appropriate tool to collect data about information security awareness.
• Collection of data
• Seven-point Likert scale

Online questionnaire, 2008 (Abawajy et al., 2008): Questionnaire as tool to investigate the availability of security-related training programs.
• Collection of data
• Investigation of the degree of IT security awareness
• Investigation of interest in being trained in IT security
and Creswell, 2018). Of the four main data collection methods (i.e., online, face-to-face, telephone and paper surveys), an online survey is the most cost-effective and time-efficient method of reaching the maximum number of people in a company.

In the field of cybersecurity awareness, the use of online surveys is important, as it allows the necessary information to be collected and grouped into similar topics, in order to identify gaps that need to be filled in the company, such as the most relevant threats and vulnerabilities, countermeasures to be taken, and the implementation of more targeted and appropriate cybersecurity courses (Aldawood and Skinner, 2020).

Our literature search resulted in eight papers (Kam et al., 2020; Prins et al., 2020; Aldawood and Skinner, 2020; Kritzinger et al., 2018; Adu and Adjei, 2020; Kaur and Mustafa, 2013; Haeussinger and Kranz, 2013; Abawajy et al., 2008) that consider the online questionnaire to be the most appropriate tool for collecting data on employees' knowledge of cybersecurity awareness and to assess their awareness of information security. In particular, (Kritzinger et al., 2018) and (Aldawood and Skinner, 2020) use a qualitative research approach to define the content of the questionnaire. The former follow an inductive approach with open-ended questions, in order to collect information on new trends in creating awareness among cyber users, while the latter base their questions around the employees' insights, opinions, and experiences of the most up-to-date measures, tools, and solutions against cybersecurity threats.

In contrast, (Prins et al., 2020; Kaur and Mustafa, 2013) and (Haeussinger and Kranz, 2013) adopt a Likert scale as an instrument to assess the level of cybersecurity awareness and knowledge of each respondent. (Kaur and Mustafa, 2013) and (Haeussinger and Kranz, 2013) use a seven-point Likert scale (ranging from strongly disagree, with a score of one, to strongly agree, with a score of seven), while (Prins et al., 2020) use a four-point Likert scale (not aware, somewhat aware, moderately aware and extremely aware).

(Abawajy et al., 2008) use a questionnaire to investigate not only the degree of IT security awareness of employees, but also their interest in being trained on IT security within their workplace.

Finally, (Kam et al., 2020) provide a questionnaire that uses neo-institutional theory as a basis for an empirical investigation of the relationship between industry and information security awareness. They employ a partial least squares (PLS) method with SmartPLS 3.2 software to analyse the collected data.

Table 9 provides an overview of the surveys found in the literature in relation to increasing cybersecurity awareness.

4.3.6. Insights into the main features of cybersecurity awareness techniques

By comparing the cybersecurity awareness techniques in the literature, it was possible to make some interesting observations and to define some common features.

In particular, (Maggi et al., 2021; Bello and Maurushat, 2020; Gundu and Flowerday, 2013; Gundu, 2019) and (Dojkovski et al., 2006) believe that the best practice for increasing cybersecurity awareness is the employment of solutions based on a study of behaviour. Research on employee behaviour in regard to cybersecurity practices has been a growing trend, especially in recent years (Gundu, 2019). It has been shown to be a useful tool to identify employees' attitudes towards corporate cybersecurity policies (Gundu and Flowerday, 2013; Gundu, 2019) and to propose management initiatives enabling the development of behaviours of responsibility, integrity and trust (Dojkovski et al., 2006), as well as more appropriate educational solutions to increase employees' cybersecurity awareness and to reduce the possibility of cyber-attacks (Bello and Maurushat, 2020). The use of a behaviour-based system is also very important because it can recognise when any software component is performing suspicious activities (Maggi et al., 2021).

Another feature that is common to various papers is related to the use of serious games. (Gasiba et al., 2020; Cook et al., 2018; Tsuchiya et al., 2018) and (Bello and Maurushat, 2020) believe that
the adoption of serious games in the field of cybersecurity allows for a deeper understanding of cyber incidents, resulting in an increase in cybersecurity awareness. This is because credible cyber-attack scenarios that could occur within the company are provided, allowing players to simulate responses to cyber incidents and thus determine the most suitable cybersecurity countermeasures. This feature is interesting, and should be considered by companies that want to increase cybersecurity awareness, as it allows them to provide game-like training on different attack solutions and how to deal with them in real time.

Finally, employees’ attitudes, skills and knowledge of cybersecurity issues are recurring themes in several papers. In particular, according to (Daniel et al., 2016; Tsohou and Holtkamp, 2018a, 2018b; Gundu, 2019), the use of these three characteristics by the proposed models allows a company to estimate its employees' level of cybersecurity awareness and their ability to react to potential cyber vulnerabilities and attacks. (Dojkovski, Lichtenstein, and Warren, 2006) find that sharing knowledge about information security threats is important in order to develop a cybersecurity culture in companies.

Of the different cybersecurity awareness techniques analysed here, the aspect of fear-related appeals is an outlier. Indeed, the use of fear appeals to motivate people to take a particular action in the cybersecurity domain (Cook, Smith, Maglaras, and Janicke, 2018) has not been shown to be an effective tool, as increasing cybersecurity awareness depends exclusively on the individual's ability to respond to the situation.

4.4. Benefits of cybersecurity awareness

According to (Li et al., 2018) and (Aldawood and Skinner, 2020), solid cybersecurity awareness and effective implementations of cybersecurity practices are essential for companies to: (i) prevent cyber threats, especially those affecting employees; (ii) reduce the associated business risks; and (iii) ensure the security and stability of systems, while improving the effectiveness of processes across the organisation. In order for the level of cybersecurity awareness to be such that employees act correctly, they must (Cook et al., 2018):

• Know that threats exist and be able to identify them if they occur;
• Be able to assess both the immediate and long-term impact of cyber-attacks;
• Be conscious of how an attack can evolve over time;
• Understand the attacker's intentions;
• Recognise the conditions under which an attack might occur;
• Have evaluated the information that is needed to make decisions during an attack;
• Consider the possible actions attackers might take to achieve their intent.

For this reason, cybersecurity awareness and training initiatives are important. There is considerable evidence to show that security awareness training is the most cost-effective form of security control (Adu and Adjei, 2020). It is only through proper training that employees can:

• Recognise the importance of security and the negative consequences of information security failure (Gundu and Flowerday, 2013);
Table 10
Tabular outline of cybersecurity awareness research in the context of IIoT.
AREAS OF ANALYSIS
• Acquire knowledge and skills that are specific to security (Tsohou and Holtkamp, 2018a, 2018b);
• Refine and improve their cybersecurity interventions to maximise their effectiveness (Gundu, 2019);
• Prevent, or improve their response to, any cyber incident (Daniel et al., 2016).

Moreover, greater cybersecurity awareness ensures the adequate protection of systems and infrastructure in organisations, and can prevent significant damage to daily business operations, including operational shutdowns, equipment damage, financial losses, intellectual property losses, and health and safety risks (Prins et al., 2020).

The main representative elements of the benefits that can be achieved through greater cybersecurity awareness are shown in Fig. 4.

5. Discussion

The results presented above show that the issue of cybersecurity awareness needs to be better investigated, in order to provide an overview of the main features and instruments that are useful in terms of supporting companies to face cybersecurity challenges.

Table 10 provides a tabular outline of the results obtained from our systematic literature review. They are divided into four areas of analysis: definitions of cybersecurity awareness and information
security awareness; the industrial context; the main techniques for raising cybersecurity awareness; and the benefits of cybersecurity awareness. For each of these categories, the focus and main features of each study are given. This table provides a unique overview of the main evidence for each area of analysis, which will be useful in guiding not only future research but also managerial actions in the field of cybersecurity awareness.

This summary offers researchers an immediate overview of the topics that have been treated in the literature in relation to cybersecurity awareness in the context of IIoT, which will allow them to focus their research by applying content developed by other fields or to create something new and specific to IIoT. Furthermore, it can be used as a basis for defining new conceptual models that can be explored or explained using qualitative and quantitative data. The features identified here can also be applied to define the topic of a survey on cybersecurity awareness within companies, or to establish experience levels and goals to be achieved associated with cybersecurity awareness maturity models (both at employee and company level).

Practitioners can consider this overview as a form of inspiration with respect to new techniques that they can apply to increase cybersecurity awareness in their organisation, leverage cybersecurity awareness to achieve specific benefits, or extend the results achieved in other industrial sectors to their own field.

6. Conclusions

This study has explored the issue of cybersecurity awareness within industrial contexts based on the IIoT paradigm, using a structured literature review approach. Although this topic represents a relevant research field in the current networked industrial environment, which has also been affected by the COVID-19 pandemic, in which it is a strategic aim for companies to prevent the occurrence of cyber-attacks and breaches of corporate data, investigations in the literature are scarce. Although there are a few studies that have carried out preliminary reviews of methods, models and frameworks in the field of cybersecurity awareness (Cook et al., 2018; Tsohou et al., 2010) and (Dojkovski et al., 2006), none of these aimed to carry out a systematic literature review of industrial scenarios based on the IIoT paradigm.

The papers selected for this study were analysed by means of a qualitative content analysis, and a comparative evaluation of thematic areas also made it possible to highlight their main features. In particular, our evaluation of these papers focused on the following four areas of analysis: (i) definitions of cybersecurity awareness and information security awareness; (ii) the industrial context; (iii) the main models and tools for enhancing cybersecurity awareness; and (iv) the benefits of cybersecurity awareness. As a result, we were able to define a framework for the main findings for each area. To create this framework, we gathered the most relevant evidence for each area of analysis and summarised it to provide a useful overview to guide future research and management decisions in the field of cybersecurity awareness.

In general, our literature review revealed that there are a number of studies that have addressed information security awareness within industrial domains; however, little attention has been given to the concept of cybersecurity awareness within modern networked industrial contexts, which are characterised by the use of advanced IoT technologies, big data analytics and cloud computing. In particular, more focused studies are needed in the field of cybersecurity awareness, in both the manufacturing and critical infrastructure sectors, as these are still underrepresented in the literature. These studies should include specific discussions with respect to high-tech for companies in terms of increasing their level of cybersecurity awareness.

Future researchers can use this study as a reference framework for further investigations in industrial settings, thus extending the current state of the art. From a managerial point of view, this study can be used to support managers in activities with the aim of increasing the level of cybersecurity awareness, and thus the resilience of the company to cyber-attacks, with reference to contexts based on the IIoT paradigm.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References

IBM, 2020. Cost of a Data Breach Report. IBM Corporation, Armonk, NY.
Abawajy, J., Thatcher, K., Kim, T.-H., 2008. Investigation of stakeholders commitment to information security awareness programs. 2008 International Conference on Information Security and Assurance (isa 2008) (pp. 472–476). Busan, Korea (South): IEEE.
Adawiyah, R., Hidayanto, A., Chandra Hapsari, I., Samik Ibrahim, R., 2019. Identification of how health information security awareness (HISA) influence in patient’ health information protection awareness (PHIPA). Computing Engineering and Design (ICCED). IEEE, Singapore.
Adu, K., Adjei, E., 2020. The phenomenon of data loss and cyber security issues in Ghana. Foresight 150–161.
Aldawood, H., Skinner, G., 2020. Analysis and findings of social engineering industry experts explorative interviews: perspectives on measures, tools, and solutions. IEEE Access 67321–67329.
Al-Hawawreh, M., den Hartog, F., Sitnikova, E., 2019. Targeted ransomware: a new cyber threat to edge system of brownfield industrial internet of things. IEEE Internet Things J. 6 (4), 7137–7151.
Alotaibi, F., Clarke, N., Furnell, S., 2020. A novel approach for improving information security management and awareness for home environments. Inf. Comput. Secur. 25–48.
Alshaikh, M., Adamson, B., 2021. From awareness to influence: toward a model for improving employees’ security behaviour. Pers. Ubiquitous Comput.
Amankwa, E., Loock, M., Kritzinger, E., 2016. Enhancing information security education and awareness: Proposed characteristics for a model. 2015 Second International Conference on Information Security and Cyber Forensics (InfoSec) (pp. 72–77). Cape Town, South Africa: IEEE.
Beats, W.R., van der Linden, G., 2003. Virtual Corporate Universities: A Matrix of Knowledge and Learning for the New Digital Dawn. Springer.
Bello, A., Maurushat, A., 2020. Technical and behavioural training and awareness solutions for mitigating ransomware attacks. Applied Informatics and Cybernetics in Intelligent Systems. Springer, Cham, pp. 164–176.
Bernabe, J., Skarmeta, A., 2019. Challenges in Cybersecurity and Privacy - The European Research Landscape. River Publishers, Spain.
Bin Yeop, Y., Othman, Z., Abdullah, S., Mokhtar, U., Fauzi, W., 2018. BYOD implementation factors in schools: a case study in Malaysia. Int. J. Adv. Comput. Sci. Appl. 311–317.
Blue, C., Weiss, C., 2020. Cybersecurity awareness in the printing industries: variable data and direct mail enterprises. Proc. Tech. Assoc. Graph. Arts 145–152.
Bothur, D., Zheng, G., Valli, C., 2017. A critical analysis of security vulnerabilities and countermeasures in a smart ship system. The Proceedings of 15th Australian Information Security Management Conference (pp. 81–87). Western Australia: Cowan University.
Boyes, H., Hallaq, B., Cunningham, J., Watson, T., 2018. The industrial internet of things (IIoT): an analysis framework. Comput. Ind. 101, 1–12.
Bryman, A., Bell, E., 2015. Business Research Methods. Oxford University Press, Oxford.
Catota, F., Granger Morgan, M., Sicker, D., 2019. Cybersecurity education in a developing nation: the Ecuadorian environment. J. Cybersecur.
Centobelli, P., Cerchione, R., Esposito, E., 2017. Knowledge management in startups: systematic literature review and future research agenda. Sustainability 9, 1–19.
Chakraborty, N., Sharma, V., Ranjan, J., 2016. A perceptual study on factors of medical data security in Indian organizations. J. Theor. Appl. Inf. Technol. 59–78.
Chapman, D., Smalov, L., 2004. On information security guidelines for small/medium enterprises. The Sixth International Conference on Enterprise Information Systems (pp. 3–9). SciTePress.
Choi, N., Kim, D., Goo, J., Whitmore, A., 2008. Knowing is doing: an empirical validation of the relationship between managerial information security awareness and action. Inf. Manag. Comput. Secur. 484–501.
Cholez, H., Girard, F., 2014. Maturity assessment and process improvement for information security management in small and medium enterprises. J. Softw. Evol. Process 496–503.
Chung, K.C., Chen, C.H., Tsai, H.H., Chuang, Y.H., 2021. Social media privacy management strategies: a SEM analysis of user privacy behaviors. Comput. Commun. 122–130.
Colelli, R.P., Pascucci, F., 2019. Securing connection between IT and OT: the Fog Intrusion Detection System prospective. 2019 II Workshop on Metrology for Industry 4.0 and IoT (MetroInd4.0&IoT). Naples, Italy.
Cook, A., Smith, R., Maglaras, L., Janicke, H., 2018. SCIPS: using experiential learning to raise cyber situational awareness in industrial control system. Cyber Security and Threats: Concepts, Methodologies, Tools, and Applications. IGI Global, pp. 1168–1183.
Corallo, A., Lazoi, M., Lezzi, M., 2020. Cybersecurity in the context of industry 4.0: a structured classification of critical assets and business impacts. Computers in Industry. 114, 1–15. https://doi.org/10.1016/j.compind.2019.103165
Corallo, A., Crespino, A.M., Del Vecchio, V., Lazoi, M., Marra, M., 2021a. Understanding and Defining Dark Data for the Manufacturing Industry. IEEE Transaction on Engineering Management 1–13. https://doi.org/10.1109/TEM.2021.3051981
Corallo et al. 2021b. Cybersecurity challenges for manufacturing systems 4.0: Assessment of the Business Impact Level, IEEE Transactions on Engineering Management, 1–21, 10.1109/TEM.2021.3084687.
Craggs, B., Rashid, A., Hankin, C., Antrobus, R., Şerban, O., Thapen, N., 2019. A reference architecture for IIoT and industrial control systems testbeds. Living in the Internet of Things (IoT 2019). London, UK.
Creswell, J.W., Creswell, J.D., 2018. Research Design. SAGE, Los Angeles.
Creswell, J.W., Poth, C.N., 2018. Qualitative Inquiry Research Design: Choosing Among Five Approaches. SAGE, Newbury Park, CA, USA.
Daniel Ani, U., He, H., Tiwari, A., 2016. Human capability evaluation approach for cyber security in critical industrial infrastructure. Advances in Human Factors in Cybersecurity. Springer, Cham, pp. 169–182.
Dlamini, Z., Modise, M., 2012. Cyber security awareness initiatives in South Africa: a synergy approach. 7th International Conference on Information Warfare and Security, ICWI 2012, (pp. 98–102). Seattle.
Dojkovski, S., Lichtenstein, S., Warren, M., 2006. Challenges in fostering an information security culture in Australian small and medium sized enterprises. European Conference on Information Warfare and Security (pp. 31–40). Helsinki, Finland: Remenyi, Dan.
Eminaǧaoǧlu, M., Uçar, E., Eren, S., 2009. The positive outcomes of information security awareness training in companies - a case study. Inf. Secur. Tech. Rep. 223–229.
ENISA, 2020. Data breach. ENISA Threat Landscape. ENISA.
ENISA, 2021. ENISA Threat Landscape 2021. ENISA.
FIPS 201. (2021, November 22). Information Technology Laboratory. Computer Security Resource Center. Retrieved from NIST: https://csrc.nist.gov/glossary/term/model.
IEEE Computer Society, 2014. SWEBOK V3.0. Guide to the Software Engineering Body of Knowledge. IEEE.
Jeremiah, P., Samy, G., Shanmugam, B., Ponkoodalingam, K., Perumal, S., 2019. Potential measures to enhance information security compliance in the healthcare internet of things. Reliable Information and Communication Technology. Springer, pp. 726–735.
Jin, G., Tu, M., Kim, T., Heffron, J., White, J., 2018. Game based cybersecurity training for High School Students. In: SIGCSE 2018 - Proceedings of the 49th ACM Technical Symposium on Computer Science Education 2018-January. SIGCSE 2018 - Proceedings of the 49th ACM Technical Symposium on Computer Science Education, (pp. 68–73). USA.
Kajava, J., Varonen, R., 2005. Experiences from building an information security e-learning environment for industry. Proceedings of the 5th European Conference on Information Warfare and Security (pp. 151–156). Ireland: Dan Remenyi.
Kajtazi, M., Bulgurcu, B., 2013. Information security policy compliance: An empirical study on escalation of commitment. 19th Americas Conference on Information Systems, AMCIS 2013 (pp. 2011–2020). New York: Curran Associates, Inc.
Kam, H., Mattson, T., Goel, S., 2020. A cross industry study of institutional pressures on organizational effort to raise information security awareness. Inf. Syst. Front. 1241–1264.
Kanobe, F., Alexander, M., Bwalya, K., 2019. Information security management scaffold for mobile money systems in Uganda. 18th European Conference On Cyber Warfare & Security, (pp. 239–247). Portugal.
Karampidis, K., Panagiotakis, S., Vasilakis, M., Markakis, E.K., Papadourakis, G., 2019. Industrial CyberSecurity 4.0: Preparing the Operational Technicians for Industry 4.0. 2019 IEEE 24th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD). Limassol, Cyprus.
Kaspersky Lab., 2018. The Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within. Kaspersky. Retrieved from Kaspersky daily.
Kaur, J., Mustafa, N., 2013. Examining the effects of knowledge, attitude and behaviour on information security awareness: A case on SME. Research and Innovation in Information Systems, ICRIIS (pp. 286–290). Kuala Lumpur: IEEE.
Kolev, K., Dimitrov, N., 2017. Cyber threat in maritime industry-Situational awareness and educational aspect. 18th Annual General Assembly of the International Association of Maritime Universities - Global Perspectives in MET: Towards Sustainable, Green and Integrated Maritime Transport, (pp. 352–360).
Kritzinger, E., Smith, E., 2008a. Information security management: an information security retrieval and awareness model for industry. Comput. Secur. 224–231.
Kritzinger, E., Smith, E., 2008b. Information security management: an information security retrieval and awareness model for industry. Comput. Secur. 224–231.
Kritzinger, E., Bada, M., Nurse, J., 2017. A study into the cybersecurity awareness initiatives for school learners in South Africa and the UK. 10th World Conference on Information Security Education, (pp. 110–120).
Gasiba, T., Lechner, U., Pinto-Albuquerque, M., 2020. Sifu - a cybersecurity awareness Kritzinger, E., Loock, M., Mwim, E., 2018. Cyber Safety Awareness and Culture Planning
platform with challenge assessment and intelligent coach. Cybersecurity. in South Africa. International Symposium on Cyberspace Safety and Security (p.
Ghazvini, A., Shukur, Z., 2018a. A serious game for healthcare industry: information 317 - 326). Springer, Cham.
security awareness training program for Hospital Universiti Kebangsaan Malaysia. Kruger, H., Kearney, W., 2008. Consensus ranking - an ICT security awareness case
Int. J. Adv. Comput. Sci. Appl. 236–245. study. Comput. Secur. 254–259.
Ghazvini, A., Shukur, Z., 2018b. Review of information security guidelines for aware Lacerda, T.C., von Wangenheim, G.C., 2018. Systematic literature review of usability
ness training program in healthcare industry. Electrical Engineering and capability/maturity models. Comput. Stand. Interfaces 55, 95–105.
Informatics (ICEEI). IEEE, Langkawi, Malaysia, pp. 1–6. Lechner, U., Pinto-Albuquerque, M., Gasiba, T., 2020. Sifu - a cybersecurity awareness
Grandiri, A., 1999. Organizzazione e Comportamento Economico. Il Mulino, Bologna. platform with challenge assessment and intelligent coach. Cybersecurity.
Grobler, M., Van Vuuren, J., Zaaiman, J. , 2011. Evaluating cyber security awareness in Lee, I., 2020. Internet of things (IoT) cybersecurity: literature review and iot cyber risk
South Africa. Proceedings of the 10th European Conference on Information management. Future Internet 12 (9), 157.
Warfare and Security, (p. 113 - 121). Estonia. Lee, T.-H., Sung, W.-K., Kim, H.-W., 2016. A text mining approach to the analysis of
Gundu, T. , 2019. Acknowledging and reducing the knowing and doing gap in em information security awareness: Korea, United States, and China. Pacific Asia
ployee cybersecurity compliance. 14th International Conference on Cyber Warfare Conference on Information Systems, PACIS 2016 - Proceedings. Taiwan, Province
and Security, (p. 94 - 102). of China: Pacific Asia Conference on Information Systems.
Gundu, T., Flowerday, S., 2013. Ignorance to awareness: Towards an information se Lejaka, T., Da Veiga, A., Loock, M., 2019. Cyber security awareness for small, medium
curity awareness process. SAIEE Afr. Res. J. 69–79. and micro enterprises (SMMEs) in South Africa. Information Communications
Gurtov, A., Liyanage, M., Korzun, D., 2016. Secure communication and data processing Technology and Society. IEEE, Durban, South Africa.
challenges in the industrial internet. Balt. J. Mod. Comput. 4 (4), 1058–1073. Lezzi, M., Lazoi, M., Corallo, A., 2018. Cybersecurity for Industry 4.0 in the current
Haeussinger, F., Kranz, J. , 2013. Understanding the antecedents of information se literature: a reference framework. Comput. Ind. 103, 97–110. https://doi.org/10.
curity awareness - An empirical study. 19th Americas Conference on Information 1016/j.compind.2018.09.004
Systems, AMICIS 2013, (p. 3762 - 3770). Chicago. Li, J., Wang, Y.,Qj, B. , 2018. Discussion on cyber security awareness and awareness
Hassandoust, F., Singh, H., Williams, J., 2019. How contextualisation affects the vul model building based on connectionism. 2018 IEEE 4th Information Technology
nerability of individuals to phishing attempts. PACIS 2019 Proc. and Mechatronics Engineering Conference (ITOEC) (p. 259 - 263). China: IEEE.
Hassanzadeh, A., Modi, S., Mulchandani, S. , 2015. Towards effective security control Li, L., He, W., Xu, L., Ash, I., Anwar, M., Yuan, X., 2019. Investigating the impact of
assignment in the Industrial Internet of Things. 2015 IEEE 2nd World Forum on cybersecurity policy awareness on employees’ cybersecurity behavior. Int. J. Inf.
Internet of Things (WF-IoT). Milan, Italy. Manag. 45, 13–24.
He, W., Ash, I., Anwar, M., Li, L., Yuan, X., Xu, L., Tian, X., 2020. Improving employees’ Lu, Y., Xu, L.D., 2019. Internet of things (IoT) cybersecurity research: a review of cur
intellectual capacity for cybersecurity through evidence-based malware training. rent research topics. IEEE Internet Things J. 6 (2), 2103–2115.
J. Intellect. Cap. 21 (2) 2013-213. Maggi, F., Balduzzi, M., Vosseler, R., Rösler, M., Quadrini, W., Tavola, G.,. Zanero, S.
Hills, M., Atkinson, L., 2016. Towards cyber-resilient and sustainable smes: the case (2021). Smart Factory Security: A Case Study on a Modular Smart Manufacturing
study of added value from a large IT Re-seller. In: Hills, M. (Ed.), Why Cyber System. International Conference on Industry 4.0 and Smart Manufacturing, (p.
Security is a Socio-Technical Challenge: New Concepts and Practical Measures to 666 - 675). Austria.
Enhance Detection Prevention and Response. Nova Science Publishers, New York, Malik, M., Islam, U., 2019. Cybercrime: an emerging threat to the banking sector of
pp. 71–80. Pakistan. J. Financ. Crime. 50–60.
Holdsworth, J., Apeh, E. , 2017. An effective immersive cyber security awareness Mawgoud, A., Taha, M., Khalifa, N., Loey, M., 2020. Cyber security risks in MENA re
learning platform for businesses in the hospitality sector. 25th International gion: threats. Challenges and Countermeasures. Advances Intelligent Systems and
Requirements Engineering Conference Workshops (REW) (p. 111 - 117). Lisbon, Informatics 2019. Springer, Cham, pp. 912–921.
Portugal: IEEE. McMeekin, N., Wu, O., Germeni, E., Briggs, A., 2020. How methodological frameworks
Ibrahim, N., Ali, N., 2019. An empirical exploration of information security manage are being developed: evidence from a scoping review. BMC Med. Res. Methodol.
ment system (ISMS) in Malaysian Public Sector: A PLS-SEM method. Test. Eng. 20 (173), 1–9.
Manag. 3266–3275.
15
A. Corallo, M. Lazoi, M. Lezzi et al. Computers in Industry 137 (2022) 103614
Murane, I., 2008. Raising awareness in information security: Everyone should parti Conference on Intelligent and Interactive Systems and Applications (p. 657- 663).
cipate. Proceedings of the 2008 International Conference on Security and Springer, Cham.
Management, (p. 190 - 195). Wu, Y. , Linfeng, Wu, S. 2018b. A study on the impact of regulatory compliance
Nguyen, H., Nguyen, D., 2021. Drone application in smart cities: the general overview awareness on security management performance and information technology
of security vulnerabilities and countermeasures for data communication. capabilities. 13th International Conference on Natural Computation, Fuzzy
Development and Future of Internet of Drones (IoD): Insights, Trends and Road Systems and Knowledge Discovery (p. 2866 - 2871). China: IEEE.
Ahead. Springer, pp. 185–210. Xu, P., He, S., Wang, W., Susilo, W., Jin, H., 2017. Lightweight searchable public-key
Palavicini, G., Bryan, J., Sheets, E., Kline, M., San Miguel, J., 2017. Towards Firmware encryption for cloud-assisted wireless sensor networks. IEEE Trans. Ind. Inform.
Analysis of Industrial Internet of Things (IIoT) - Applying Symbolic Analysis to IIoT 14 (8), 3712–3723.
Firmware Vetting. 2nd International Conference on Internet of Things, Big Data Zhang-Kennedy, L., Chiasson, S., 2021. A systematic review of multimedia tools for
and Security. Porto, Portugal. cybersecurity awareness and education. ACM Comput. Surv.
Park, E., Kim, J., Park, Y., 2017. The role of information security learning and individual Zhao, H., Silverajan, B. , 2020. A Dynamic Visualization Platform for Operational
factors in disclosing patients’ health information. Comput. Secur. 65, 64–76. Maritime Cybersecurity. International Conference on Cooperative Design,
Pattinson, M., Butavicius, M., Parsons, K., McCormac, A., Calic, D., 2017. Managing Visualization and Engineering (p. 202 - 208). Springer, Cham.
information security awareness at an Australian bank: a comparative study. Inf.
Comput. Secur. 181–189.
Angelo Corallo received his M.Sc. degree in physics from the University of Lecce, Lecce, Italy, in 1999. He is an Associate Professor at the Department of Engineering for Innovation, University of Salento, Lecce, and is responsible for CORELab (Collaborative hOlistic Research Approach Laboratory) at the same University. His main research interests include technologies and organizational strategies in complex industries, knowledge management, collaborative working environments and cybersecurity management with specific reference to the manufacturing industry. He is coordinator and scientific responsible of several European, national and regional research projects.

Mariangela Lazoi, PhD, is a researcher at the Department of Engineering for Innovation, University of Salento. She received her PhD degree in eBusiness from the University of Salento, Lecce, in 2009. She is responsible for the Digital Engineering for Industry area in CORELab (Collaborative hOlistic Research Approach) at the University of Salento and collaborates with different companies addressing techno-organizational solutions. Her research interests are product design methods and tools, product lifecycle management, business process management and cybersecurity management. She is scientifically responsible for European, national and regional research projects.

Marianna Lezzi, PhD, is a researcher at the Department of Engineering for Innovation at the University of Salento. She received her PhD degree in Complex Systems Engineering from the University of Salento, Lecce, in 2020. Her research focuses on cybersecurity management for networked industrial contexts. She is currently involved in the OK-INSAID research project (funded by Italian MIUR) for activities related to the analysis and management of cybersecurity issues within networked manufacturing systems. She has taken part in European research projects (such as PRACTICE and TOREADOR) based on the development of Big Data management models for aeronautical companies. She also has experience in the definition of innovative business management methodologies and secure collaborative processes within the aeronautical supply chain.

Angela Luperto is a research fellow at the Department of Engineering for Innovation at the University of Salento. She received her Master's Degree in management engineering from the University of Salento, Italy, in 2021. Her research interests include model based enterprise approach, product lifecycle management, ICT for Industry 4.0 and cybersecurity management. She is currently working on regional and national research projects.