The Utility of Information Security Training and Education on Cybersecurity Incidents: An empirical evidence

Abstract

As recent cyber-attacks have been increasing exponentially, the importance of security training for employees also has become growing ever than before. In addition, it is suggested that security training and education be an effective method for discerning cyber-attacks within academia and industries. Despite the importance and the necessity of the training, prior study did not investigate the quantitative utility of security training in an organizational level. Due to the absence of referential studies, many firms are having troubles in making decisions with respect to arranging optimal security training programs with limited security budgets. The main objective of this study is to find out a relationship between cybersecurity training and the number of incidents of organizations. Thus, this study quantified the effectiveness of security training on security incidents as the first study. This research examined the relationship among three main factors; education time, education participants, and outsourcing with numbers of cybersecurity incidents. 7089 firm level data is analyzed through Poisson regression method. Based on analysis results, we found that the negative relationship between security trainings and the occurrence of cybersecurity incidents. This study sheds light on the role of security training and education by suggesting its positive association with reducing the number of incidents in organizations from the quantitative perspective. The result of this study can be used as a referential guide for information security training decision-making procedure in organizations.