MAXIMIZING ADULT LEARNING METHODOLOGIES IN CORPORATE CYBER SECURITY TRAINING PROGRAMS by Tanya M. Jeffers A Capstone Project Submitted to the Faculty of Utica College June 2016 in Partial Fulfillment of the Requirements for the Degree of Master of Science in Cybersecurity



Published by ProQuest LLC (2016). Copyright of the Dissertation is held by the Author.

ProQuest Number: 10127527

© Copyright 2016 by Tanya M. Jeffers

All Rights Reserved

Abstract

The purpose of this research study was to determine if best practices exist in adult learning theories, and how they can be applied in today’s corporate cyber-security training programs. Identifying why corporate training fails, and what can be done to superimpose the best practices available with current research, is important, as it can have compound effects on an organization. After analyzing the advantages and disadvantages of each of the learning methodologies, applying a blended method of training has been deemed the best approach. There are some areas where more research can be done, such as how adult learning theories can be applied specifically to corporate cyber security training programs in general and what laws and regulations can be tightened to also include corporate America.

Keywords: Cybersecurity, Michael Sanchez, Corporate, Training, Learning, Methodologies,

Adult, Compliance

Acknowledgements

I would like to take this opportunity to thank my four amazingly gifted children for their

patience and understanding during the process of this research study. This study has been a

challenge with such limited resources available and it has also been very rewarding. This

finished product could not have been completed without the love and support of my family,

friends and professors that have crossed my path. As an adult learner myself, this study has been

a personal adventure itself. To those that will read this study and find usefulness in its

compilation, always remember to never give up on your goals or yourself.

Table of Contents

Introduction

Background

Statement of the Problem

Purpose of the Study

Research Questions

Literature Review

Introduction

Laws and Regulations

Structural Business Challenges

Corporate Training failures

Effects on the Corporation

Adult Learning Models/Theories

Formal and Informal Training

Determining Learning Styles

Conflicting opinions

Combining best practice methods into corporate security training

Summary

Discussion of the Findings

Recommendations

Conclusion

References

Appendix

List of Illustrative Materials

Figure 1 – Model of the Training Process

Introduction

There are issues with the ineffectiveness of cyber security training. The general nature of this study is to research and evaluate the effectiveness of continued employee training for adult learners within organizational information technology (IT) security training programs. There is no one single training philosophy applicable to adult learners. Stephen Lieb, senior technical writer and planner for the Arizona Department of Health Services and part-time instructor at South Mountain Community College, identified four different critical elements that must be met to ensure participants effectively learn. These four critical elements are motivation, reinforcement, retention and transference. This study will also research how effectively training employees affects the organization and present recommendations for future research in this area. Prolific security researcher Bruce Schneier has stated, “Our industry's focus on training serves to obscure greater failings in security design” (Schneier, 2013, p. 1). Several security experts, including Schneier, have assessed current corporate cybersecurity training practices to be ineffective (Salas E., Tannenbaum, Kraiger, & Smith-Jentsch, 2012; Schneier, Security awareness training, 2013; Silverman R. E., 2012; Strother J. B., 2002). “Companies devote a lot of time, effort, and money to corporate training—with little to show for it” (Silverman R., 2012, p. 1). Dr. Eduardo Salas, who has studied corporate training programs for over twenty years, has identified in his research four mistakes companies make: not taking the time to analyze training needs, failing to evaluate how well employees have learned, holding a false belief that technology will solve training problems, and not setting a climate to learn, with a lack of conditions to motivate and sustain (Salas E., 2012).

Scientific consensus in the field of education is that adults learn differently than children (Knowles, Holton III, & Swanson, 2015). Children rely on others to decide the importance of what is to be learned, whereas adults decide for themselves what is important to be learned. Children accept the information being presented at face value, yet adult learners need to validate the information based on their own beliefs and values. Children expect what they are learning to be useful in their future; adults, however, expect that what they are learning will be immediately useful. Children have little or no experience on which to base an opinion, whereas adults have a substantial array of experiences to draw from, as well as fixed viewpoints. The last characteristic of child learning is that children have little to no experience to draw from, whereas adults have a significant ability to serve as knowledgeable resources to trainers and fellow learners (Edmunds, Lowe, Murray, & Seymour, 1999).

Current corporate models used in today’s training programs require modification with technological advances (Bernatek, 2016). Innovations in technology are providing organizations more of an opportunity to reach all of the employees within the organization, in ways that have been non-traditional, such as instructor-led training classes. Instructor-led training is becoming a technique of the past, with more focus now on learner outcomes as opposed to being taught information at face value. Former training programs had the primary focus on training adults as if they had childlike learning characteristics (Edmunds, Lowe, Murray, & Seymour, 2002). As further research in the field has discovered, adult learners need to be engaged in order to improve performance (Wentworth & Lombardi, 2014). Emerging trends in the area of employee performance improvements and a Brandon Hall Group 2014 Learning and Development Benchmarking Study showed that more than 50 percent of companies have revisited their learning strategy less than two times over the last five years (Grebow, 2014). Depending on the volume of people to train, delivery methods change. Various online tools and assessments exist to help determine the best learning style profile and delivery methods to complement such profiles. One example of the various online tools is provided in Appendix A of this study.

People do learn differently based on Lieb’s four different elements considered best

practice learning model components. The Journal of Clinical and Diagnostic Research

concluded that one single approach does not work for every student (Kharb, Samanta, Jindal, &

Singh, 2013). Corporate security training presents itself in two main approaches, formal or

informal. Informal learning is the most common, casual, less effective for specific tasks and is

ideal for experienced people. Formal training that is based on a standard has clear learning

objectives, uses a variety of learning methods, and applies some type of evaluation at the end

(Shaw, 2016).

A consideration for which delivery method is the most efficient requires evaluation, to

enable adults to learn in ways they find to be most effective (Reyes, 2014). This study will

investigate the cost efficiency of existing education models for adult learners, compared to the

cost per data breach and explore their applicability in corporate cybersecurity training. Further

examination of the disadvantages of using limited educational delivery methods and

recommendations for further research in this area will conclude this study.

Background

This research topic is currently of interest due to the increasing advances in technology

and cyber-attacks. Effective cyber security or information security (IS) training in the corporate

sector has many benefits that minimize the costs associated with training adults in the corporate

workplace. Lack of effective planning from the organization as well as lack of engagement from

the employees does contribute to such failures (Salas E., Tannenbaum, Kraiger, & Smith-Jentsch,

2012). The most common delivery method used in corporations today, formal

instructor-led training, has been deemed ineffective (Silverman R. E., 2012).

Several laws and regulations about information technology training exist; however, they

are mainly geared toward federal and government employees, as well as contractors who support

government operations. Eighteen infrastructure sectors, such as banking and finance, energy,

healthcare and public health, and telecommunications are identified by Federal policy as critical

to the nation's security, economy, public health, and safety (U.S. G.A.O., 2008). These eighteen

sectors rely heavily on computerized information systems and electronic data, so it is important

that the security of these systems and the data within them be maintained. Most of these

infrastructures are owned by the private sector and it is crucial that the public and private sectors

work together to protect these assets (U.S. G.A.O., 2008). There was a lack of guidance in the

private sector to establish basic or minimal cyber training criteria from the research performed

thus far, which may require further research beyond the scope of this paper. The lack of clear

legal guidance and regulations to support the constant change in technology compounds the issues

related to corporate IT cybersecurity training that make it almost universally ineffective.

Leaders in the educational field have spent most of their adult lives researching

differences between child and adult learners (Knowles, Holton III, & Swanson, 2015).

Educational theories and models have been established throughout many decades to establish

best practices in the educational arena. This study will explore the most common educational

theories and how they can be incorporated into today’s technologically advanced corporate IS

training programs.

Statement of the Problem

The problem that will be investigated will be how current corporate cyber-security

training programs fail and what can be learned from best practices in industry. Based on existing

education models, as well as more commonly published research studies, knowing when to

change delivery methods is key, as one approach is not suitable for all employees. This study

will examine training failures that exist in the current corporate environment and the effects this

training failure has on the organization, adult learning theories, formal vs. informal training

formats, learning styles, and conflicting opinions. Disadvantages of using only one approach for

delivering corporate cyber training as well as advantages to revamping training programs and

how they benefit all involved will be researched. On the surface, the costs associated with

implementing effective IT training plans appear to be minimal, compared to costs associated

with data breaches and lost information, especially when IT is outsourced. In today’s corporate

environment, paper is being replaced with electronic data and the data being used and stored

electronically continues to grow daily. All of the electronic data used, stored, or in motion pose

a potential risk of becoming compromised (Pfleeger, 2007).

Purpose of the Study

The purpose of this study is to explore the potential causes of ineffective IT security training models, and to identify potentially effective adult learning models that may be implemented to create more effective organizational IT security training programs. An article published in Security Week in April 2013 by Fahmida Rashid, “Does security awareness training actually help? When it comes to phishing and spear-phishing attacks, many executives appear to think it does make a difference,” discussed the importance of organizations providing relevant training materials to reinforce lessons learned during simulated attacks and to identify when individuals could benefit from follow-on training. The cost associated per lost or stolen record, estimated to be $216.00, seems minimal compared to the cost of training employees annually of just over $1200.00. However, when one expands that cost per record out to the overall impact it has on the business, monetary losses as a result of a data breach are estimated to be $2.7 million per cyber incident (ATD Research, 2014; Ponemon Institute, 2015).

Research Questions

This study will explore several questions. The questions this study intends to research

include:

Q1. What underlying issues exist that make corporate training ineffective?

Q2. What existing educational models are considered best practices in

academia and industry?

Q3. Do opportunities exist to superimpose best practice adult learning

methodologies to increase the effectiveness of corporate cyber security

training?

Literature Review

Introduction

Confidentiality, integrity, and availability set the foundation for what is expected in a corporate networked environment. It can be a daunting task to those accountable for managing those networks (Pfleeger, 2007). The National Institute of Standards and Technology (NIST) was founded in 1901 as one of the nation’s oldest physical science laboratories. Since then, NIST has expanded greatly from its original intent of removing a major handicap to United States (U.S.) industrial competitiveness, to supporting the largest and most complex human-made creations, including global communication networks such as the World Wide Web (NIST Public Affairs Office, 2009). The NIST framework, although not applicable to a vast majority of corporations in the business landscape, may have some relevance in today’s corporate cyber-security environment.

Each individual that owns, uses, relies on, or manages information and information

technology (IT) systems must fully understand their specific security responsibilities.

This includes ownership of the information and the role individuals have in protecting

information. Information that requires protection includes information they own,

information provided to them as part of their work and information they may come into

contact with. (NIST SP 800-16, 2014, p. 7)

This framework is required by the Federal Information Security Management Act (FISMA)

Implementation Project of 2003 and is applicable only to federal agencies and contractors doing

business with the government. To that extent, there is a lack of regulatory guidance to be applied

in the private sector.

The due diligence belief holds that employers owe it to their employees to provide them with the training and tools necessary to protect the companies’ most precious asset, information, because the modern business environment processes information on computers (Nemesh, 2007). Providing training to employees mitigates liability exposures faced by the organization. Legal ramifications of failing to provide employees with a training program compound the already complex corporate environment, and relevant legal requirements are still in process (Training Today, 2016). Cross-sector coordination and information sharing is difficult to enforce because many private sector concerns and fears about sharing that information are due to liability issues or unintentional damage, as well as a lack of laws (Bucci, Rosenzweig, & Inserra, 2013). Due to jurisdictional issues such as branch of law, type of case, grade of offense, monetary damages, level of government and geographical location, imposing fines and penalties is more complicated than for other crimes (Shinder, 2011). The geographical location alone is difficult to obtain, as obfuscation and anonymity tools for hiding one’s identification are in abundant supply and mostly free of charge to end users or perpetrators (Shinder, 2011).

This due diligence for training supports reasonable efforts by the organization to provide effective training across all levels within the company when it relates to information security (IS). Social engineering is one of the most prevalent areas where cyber-crimes commence (Conteh & Royer, 2016). Training employees to recognize some of the scams, such as phishing, spam email, shoulder surfing or other social engineering techniques such as telemarketing fraud, is a step in the right direction (Federal Bureau of Investigation (FBI), 2016). Some basics of securing passwords and creating strong passwords include using characters other than A-Z and choosing longer passwords with more than 15 characters. Avoiding actual names or words and choosing unlikely passwords are some other options under consideration. Changing passwords regularly, not writing them down and not telling anyone will also mitigate some risk posed to any organization by making it much more difficult for password hacking attempts to occur (Pfleeger, 2007). Incorporating proper employee cyber-security training provides a layered approach to information security for the corporation and its network (Federal Communications Commission, 2015). This layered approach is a defense-in-depth strategy that addresses internal and external threats by creating protection at the physical, electronic, and procedural levels (Banathy, Panozzo, Gordy, & Senese, 2013).

Corporate training has been deemed ineffective according to several studies, educators, professionals in the field of effective training and researchers alike (Salas E., Tannenbaum, Kraiger, & Smith-Jentsch, 2012; Strother, 2002; Silverman R., 2012; Schneier, B., 2013). A 2013 article, “So Much Training, So Little to Show for It,” published in the Wall Street Journal (WSJ) with an interview between Rachel Silverman and Dr. Eduardo Salas, states that there are four main reasons companies fail at training. They fail to organize training needs, fail to evaluate employee learning, believe that technology solves training problems, and fail to set the climate to learn by not setting conditions to motivate and sustain employees (Silverman R. E., 2012). The pace at which technology is changing, along with more of the information being stored electronically, is creating a skill gap in the cyber workforce. The people responsible for safeguarding that data are in high demand because employees in IT fields can be linked to the 74 percent increase in the IS skill gap. Since 2010, cybersecurity job postings have increased to over 209,000 (Veltsos, 2015). In 2011, McKinsey & Company, a worldwide management and consulting firm that conducts qualitative and quantitative analysis for public and private sectors to evaluate management decision-making, estimated that approximately 150,000 unfilled data analytics expert positions will exist by 2018.

Available laws and regulations that support workforce training will be reviewed later in this study to see if they can be applied to corporate training programs. The study will analyze how corporate training fails and what effects that has on the corporation. Three major adult learning theories will also be researched, and best practices identified by professionals in the field will be explored for implementation into corporate information technology (IT) training programs. “There is no single theory of learning that can be applied to all adults” (TEAL Center Staff, 2011, p. 1). An attempt is made to describe benefits and weaknesses of each theory in further detail later in this study.

Laws and Regulations

The Computer Security Act of 1987, introduced January 6, 1987, directed the National Bureau of Standards (now the National Institute of Standards and Technology, or NIST) to develop a standardized program for federal computers and “…draw upon computer system technical security guidelines developed by the National Security Agency (NSA) regarding protecting sensitive information” (H.R. Rpt. No. 145, 1987, p. 3). The Act also suggests that agencies provide periodic mandatory training in computer security, using the guidelines developed by the National Bureau of Standards (NBS), for all involved in managing, using, or operating computer systems. Alternative training programs determined by the agency head to meet the objective of the Bureau’s guidelines have also been authorized. All federal employees and contractors are responsible for obtaining computer security training if they manage, use, or operate a government computer system. The Computer Security Act of 1987 does not specifically mandate public sector employees to follow the regulations set forth by the Bureau. With no federal mandate from NIST to regulate corporate IT training programs, further evaluation within other departments that cover workforce training is required.

FISMA, entitled by Title III of the E-Government Act of 2002, sets forth several requirements for effective information security programs for Federal agencies and contractors doing business with the government (US GSA, 2015). Included in the information security program is security awareness training. Security awareness training is recommended to inform personnel of the IS risks associated with activities and of the responsibilities to comply with organizational policy and procedure, and is designed to reduce the risk posed by new technologies (US GSA, 2015). FISMA compliance is dependent upon several other legislative requirements such as NIST and The Privacy Act of 1974. Part of the FISMA requirement mandates the application of NIST 800-53 for information security configurations for Federal agencies and contractors who do business with such agencies, which fall under the Awareness & Training (AT) umbrella and subsequent controls that mandate training. The U.S. General Services Administration (GSA) provides annual security and privacy awareness training for more than 16,000 employees and contractors (US GSA, 2015).

The Department of Labor (DOL) Workforce Investment Act of 1998 was passed by the 105th Congress with a purpose “…to consolidate, coordinate, and improve employment, training, literacy, and vocational rehabilitation programs in the United States, and for other purposes” (Department of Labor, 1998, p. 1). For the purposes of this study, adult learners are those who are over the age of 22 and under the age of 72, which complies with the Public Law 205-220 definition. The Department of Labor offers Adult Training Program information with links to various laws and regulations. Corporate training failures are significantly affected by this lack of heavy regulation, as up to this time there have been no strict or enforceable regulations, policies, or mandates that are applicable to the public sector itself. Security experts agree that, while various security bills have been proposed, it is only a matter of time before information security is mandated by law, and they are worried about the compliance burden this would create (Loveland & Lobel, 2012).

Structural Business Challenges

Structural business challenges will appear more evident as the nature of business today has changed. In the past 20 years, we have been introduced to new communication technologies such as e-mail, mobile phones and video or web conferencing (The Economist Intelligence Unit, 2014). The proliferation of communication technology accounts for the decline in employees centrally located at one company location (The Economist Intelligence Unit, 2014). The lack of heavy regulations and lack of business incentives in the modern environment significantly contribute to businesses only attempting to meet minimum requirements by developing training in house as opposed to outsourcing training. The cost associated with hiring training professionals to train the workforce differs from the cost associated with developing training internally: outsourcing versus insourcing. There are several benefits associated with outsourcing training, such as cost, resources, control, and location. Costs for outsourcing IS training are much lower than for maintaining the training internally because outsourced training already has a workflow in process and individuals already familiar with the process (Marquis, 2016). The same holds true for the skill gap that was previously mentioned with IT jobs. The increased trend of outsourcing IT jobs overseas to reduce expenses internally was reported in a 2015/2016 study, IT Outsourcing Statistics, by Computer Economics. The recent study indicated that 92% of companies that outsourced their disaster recovery found costs to be the same or lower than if they had retained that function in-house (Computer Economics, 2015). The study profiled 11 IT functions of outsourcing activity: application development, application hosting, application maintenance, data center operations, database administration, desktop support, disaster recovery services, help desk services, IT security, network operations, and web/e-commerce systems. Measurements were based on level and frequency of outsourcing as well as current plans and customer experience.

Forecasters have predicted that the cost of information technology outsourcing (ITO) has

contributed to more than half of that market growth. The industry will continue to grow to an

estimate of $1.1 trillion by 2018 (Rossi, 2015). The real cost associated with outsourcing IT

security is more than just bottom-line salaries, as this opens the door to the organization’s network

to outsiders.

Salaries alone can entice business executives to say yes easily to outsourcing IT security and training programs. However, saving money up front can cost more over time. Risk and additional liabilities are some of the hidden costs associated with sending such jobs outside the enterprise. Protecting information internally when opening your organization to outsiders is a real risk that needs to be assessed and mitigated. Assessing and mitigating this risk can be accomplished internally through a multitude of risk management frameworks. Determining the likelihood and ratings of each vulnerability is out of scope for this study. “According to the PwC report, other than current and former employees, there is no higher cyber security threat than service providers, consultants, and contractors” (Rossi, 2015). The cost associated with a cyber-breach incident continues to increase. The Ponemon Institute, an IBM sponsored research company, stated in its 2015 Cost of Data Breach Study that the “average cost for each lost or stolen record containing sensitive and confidential information increased from $201 to $217. The total average cost paid by organizations increased from $5.9 million to $6.5 million” (Ponemon Institute, 2015, p. 2). The volume of records in the study ranged from 5,655 to 96,550 records and excluded any cases involving over 100,000 records so the data was not artificially skewed.

Corporate Training failures

One of the basic and most fundamental steps to protect against privacy loss is training, so

people accessing data understand what to protect and how to do so (Pfleeger, 2007). There are

many challenges in protecting computers and data that require different and more effective

approaches than what was done in the past. Physical valuables and information or data valuables

are not the same; however, electronic property can be treated as intellectual property. “Any

system is most vulnerable at its weakest point” (Pfleeger, 2007, p. 5).

As The Wall Street Journal reported in 2012, in an article entitled So Much Training,

So Little to Show for It, U.S. corporations have spent over $150 billion in training annually, and

many do not see a real return on investment on their training costs (Silverman R. E., 2012).

Ninety percent of newly acquired skills are lost within a year. In 2014, the State of the Industry

Report by ATD Research reported the training cost per employee average was $1,229.00

compared to $1,208.00 per employee in 2013 (ATD Research, 2014). The average direct

expenditure of training per employee rose gradually from 2006 and continued to increase

slightly through 2014 per the State of the Industry Reports. In 2006, the average direct

expenditure per employee was $1,040; 2007 average was $1,110; 2008 average was $1,068;

2009 average was $1,081; 2010 average was $1,228; 2011 average was $1,182; 2012 average

was $1,195 (ATD Research, 2014).

Is corporate training ineffective? If so, why do so many researchers and experts in the

field claim corporate training fails and what mistakes are currently being made? Dr. Eduardo

Salas, professor of organizational psychology at the University of Central Florida and a leading

authority in the field of adult education, has studied corporate training for over two decades and

articulated what his research results were in published studies. Companies fail to take the time to

analyze the training needs and they need to focus on proper design. He also stated there are four

reasons for such failures:

1) Not taking the time to analyze training needs

2) Failure to evaluate how well employees have learned

3) A false belief that technology will solve training problems

4) Not setting a climate to learn with lack of conditions to motivate and sustain.

These training failures can affect corporations in various areas and have a monetary value

associated with them as well (Silverman R. E., 2012).

Effects on the Corporation

There are several factors that can affect an organization. The most important factors are

regulatory requirements compliance, customer trust and satisfaction, compliance with published

policies, due diligence, corporate reputation and accountability (Herold, 2010). Confidentiality

is a key factor in protecting information and information is one of a company’s most valuable

business assets. Human involvement, in the use of computers and protection of networks, is one

component to the security chain protecting corporate information. Humans will always be

considered the weakest link because people are easy to manipulate (Conteh & Royer, 2016). The

psychological dimension that exists in humans does not exist in computers. Human emotion is a

vulnerability that can be exploited in people but not in strictly logic-based computer systems.

Money, reputation, and time lost can be more crippling to an organization than just assets

taken (Ponemon Institute, 2015). Globally, the average financial loss associated with cyber

security incidents in 2014 was $2.7 million, a 34 percent increase from 2013 (Rossi, 2015).

Sixty-two U.S. companies across sixteen industry sectors participated in a 2015 survey published

by IBM. $6.5 million was the average total cost per data breach reported. These costs not only

included what money was taken by attackers, but business loss due to non-availability, recovery

of deleted data, or information and labor costs associated with paying IT staff overtime or

outsourcing specialists. This was an increase from the previous year of eleven percent. The cost

per incident continues to rise, and was last reported at $217 per lost or stolen record, which is an

eight percent increase from the previous year (Ponemon Institute, 2015).

Losing customer trust and poor reputation are other factors that can be costly and can

have a negative effect on companies. Organizations should be practicing reasonable measures in

safeguarding customer information, especially that which contains personally identifiable

information (PII). Keeping customers informed as to what is being done to protect their

information should be available through security awareness messages so they know what is

being done to protect their privacy. When customers and employees lose trust, sales drop and

employee turnover increases (Ponemon Institute, 2015; Herold, 2010). Reputation is also

affected by trust and must be managed well to reduce the risk of losing customers. Employees

and business partners need to follow information security and privacy precautions to lessen the

likelihood of creating a bad reputation for the company. Indiana University published a listing in

2016 of some precautions you can follow to lessen the risk of a potential breach of privacy

information. The top four recommendations to protect a computer are to use secure software,

practice the principle of least privilege, maintain current software and updates, and frequently

back up current documents and files (Indiana University TS, 2016). To lessen the likelihood of

some of the adverse effects on the corporation, those responsible for training plans need to have

a baseline understanding of adult learning models and theories in order to implement successful

IT training programs effectively (Herold, 2010).

Adult Learning Models/Theories

Scientific consensus in the field of adult education indicates that adults learn differently

than children (Edmunds, Lowe, Murray, & Seymour, 2002; CCU CAGS, 2011; Smith,

Andragogy, 2010). Three major theories that are commonly used in training programs today are

andragogy, self-directed learning, and transformational learning. The research on

these three theories follows.

The first training theory we will review is called andragogy. Malcolm Knowles was one of

the pioneers for intellectual contributions in the area of adult education and andragogy, the art

and science of helping adults learn. He received his bachelor’s degree from Harvard University

and continued on to the University of Chicago where he earned his master’s and eventually his

PhD. His thesis was eventually what started him writing his first book, Informal Adult

Education, published in 1950. He went on to write over 230 articles and 18 books in the area of

adult education (Smith, 2002). Knowles further defined pedagogy as the art and science of

teaching children, and this is the common terminology used among professionals who study such

learning theories. Andragogy is the first learning theory we will explore. He explained in

several published books how adults learn differently than children and based this upon

four original key assumptions, with a fifth added later.

1. Self-concept: As a person matures his self concept moves from one of being a

dependent personality toward one of being a self-directed human being

2. Experience: As a person matures he accumulates a growing reservoir of experience

that becomes an increasing resource for learning.

3. Readiness to learn. As a person matures his readiness to learn becomes oriented

increasingly to the developmental tasks of his social roles.

4. Orientation to learning. As a person matures his time perspective changes from one of

postponed application of knowledge to immediacy of application, and accordingly his

orientation toward learning shifts from one of subject-centeredness to one of problem

centredness.

5. Motivation to learn: As a person matures the motivation to learn is internal

(Knowles, Holton III, & Swanson, 2015)

A key aspect to adult learning is motivation. Motivation is also one of the four critical

elements to ensure learning is productive. Stephen Lieb identified at least six sources of

motivation in adult learning: social relationships, external expectations, social welfare, personal

advancement, escape/stimulation and cognitive interest. One of the best ways to motivate adults

is to enhance the reason for enrolling in training programs while decreasing some of the three

main barriers: situational, institutional and dispositional. These barriers have a negative impact

on adult learning by making the learning less effective (Lieb, 1991). Each barrier is explained in

more detail below.

Situational barriers adult learners may encounter are based on circumstantial conditions

that may limit an ability to gain access or pursue learning opportunities. Examples of situational

barriers that exist might include time, money, confidence, interest, scheduling, family

responsibilities or even lack of support from others. Even transportation can become a barrier if

training is on campus or in a designated classroom environment.

Institutional barriers are based on practices and procedures being used to deliver and

administer the information. Examples of institutional barriers might include higher costs of

tuition and end user fees, negativity toward adult learners, location, or program scheduling time

and lack of recognition for prior learning and previously established skills, experiences, or

academic credentials. Some institutional barriers may cross over into situational barriers as well.

Dispositional barriers, also known as attitudinal barriers, consist of psychological factors

affecting an individual’s perception of their own ability to participate in continued learning

activities. Examples in the category of attitudinal barriers consist of low self-esteem, negativity

about being an adult learner (too old, too busy, too sick, lack of interest, etc.) and feeling of not

enough prior educational experience to succeed. Choices will need to be made by the adult

based upon their own demanding work and family circumstances (Unesco, 2013).

Licensing requirements, for example, can be a great motivator and a barrier

simultaneously. Professional licensure is a process that establishes conditions for entry into a

specific occupation for the purpose of obtaining higher salaries (The Federal Trade Commission,

2014). Another important benefit in obtaining a professional license is that it can protect

consumers from certain risks associated with valuable policy goals and in some cases

regulations. On the negative aspect of licensure, unlicensed practices may be subject to criminal

or civil penalties for the individual, the organization, or both. Costs and burdens associated with

training and education can also be discouraging (The Federal Trade Commission, 2014).

A complex case study, The Prevalence and Effects of Occupational Licensing,

written by Morris M. Kleiner and Alan B. Krueger and published in the British Journal of

Industrial Relations, states “…29 percent of the workforce is required to hold a license, which is a

higher percentage than that found in other studies (Kleiner & Krueger, 2010, p. 1)”. This study,

which provides the first national analysis of the labor market implications of workers who are

licensed, also stated that those with a higher level of education are more likely to work in career

fields that require licensing. Certification is an alternative to professional licensing and is less

restrictive. Licensing is usually a state’s grant of legal authority to practice a profession within a

designated scope of practice and is required in order to practice or to call oneself a licensed

professional. It is many times mandatory and not voluntary. Certification is thought to be

voluntary but can be mandatory in some states. Certification proves that an individual may

demonstrate an ability to perform their profession with competence (IC & RC, 2015). Some

examples of IT/IS certifications can be vendor specific such as Microsoft Certified IT Professional (MCITP)

for database administrators or vendor neutral such as Certified Information Systems Security

Professional (CISSP) for security managers and security engineers (ISC2, 2016). For the IT/IS

professional, maintaining certification also has set training expectations, such as mandatory

continuing educational requirements that must be met to maintain the applicable certification

within specified time frames.

Promotion potential is more motivational in the eyes of an adult learner (Lieb, Principles

of adult learning, 1991). As previously discussed, all of the employees who access computers in

their day-to-day business process require some sort of information security training. Those same

employees may be looking for a promotion to stay motivated and they may also be drawn away

from an organization that promotes from within by appointing specific people to higher positions

within the organization based on academia, certification, and seniority. The higher paying

positions may also come with more responsibility than the individual desires (Billikopf, 2006).

Establishing the foundation of how adults learn differently than children is important

because adults comprise the corporate workforce today and not children. Based on the theory

of andragogy, this will allow us to enter into another approach in learning. The second learning

approach is self-directed or self-paced. Individuals take the initiative to identify resources,

formulate goals, choose and implement their own learning strategy approach, and then evaluate

learning outcomes. Self-directed learning occurs outside a classroom environment. Self-paced

learning has been proven beneficial as it is at the learners’ convenience to participate. Studies

performed by the TEAL Center staff (2011) show that 90 percent of all adults conduct at least

one self-directed learning project per year and almost 70 percent of adult learning is self-

directed. Disadvantages to self-paced learning also exist. It is left up to the adult learner to

determine what is important and what is irrelevant. Effective allocation of study time is left up

to the adult learner, to allow more time on difficult subject items and less time for the easier

items. Self-paced learning is based on individual discretion. This approach may enhance

motivational factors previously discussed. In a 2011 study published by the US National Library

of Medicine, National Institutes of Health, it is revealed that the individual control of study time

is beneficial for learning and learning is enhanced through self-guided study time allocation.

Giving them more control over the study behavior resulted in better memory performance (Tullis

& Benjamin, 2011).

Combining the key elements of andragogy along with self-paced learning creates an

opportunity in the context of corporate cyber security training to establish best practices in the

field. This combination is commonly referred to as a blended learning approach. Self-paced

learning incorporated into a blended learning method appears to be ideal, in the context of this

research, and will be expanded upon in a later section (Training Today, 2016).

The U.S. Department of Health and Human Services provides annual information

security awareness training free to anyone interested that covers privacy, information system

security awareness and role-based training for executives, administrators and managers. The training

process itself undergoes evaluation throughout. Analysis, design, development, and

implementation are the four main components in the training process.

Figure 1. Model of the Training Process (Blanchard & Simmering, 2008)

Lastly, transformational learning is used to change the way an individual thinks and

involves a shift in consciousness. Jack Mezirow, sociologist and former Emeritus Professor of

Adult and Continuing Education at Teachers College, Columbia University, founded this

educational concept. There is minimal current research in the area of transformational learning

as it relates to IS or IT training programs. Research available so far indicates that there is more

criticism involved in transformational learning than usefulness as it relates to IT and IS corporate

training programs (Cervero & Wilson, 2001; Corley, 2003; Sheared & Johnson-Bailey, 2010;

Silver-Pacuilla, 2003). “Transformative learning is defined as the process by which we

transform problematic frames of reference (mindsets, habits of mind, meaning perspectives) –

sets of assumption and expectation – to make them more inclusive, discriminating, open,

reflective and emotionally able to change (Illeris, 2009, p. 92).”

Transformative learning often involves task-oriented learning. The evidential and

reasoning components that encompass this learning theory involve several processes. Those

transformative learning processes include:

1. Critical reflection of relevant assumptions

2. Instrumental learning using empirical learning

3. Communicative learning by participating freely

4. Taking action on the transformed perspective and not changing beliefs until new

evidence is encountered

5. Acquiring disposition and becoming more critically reflective of our own beliefs

(Illeris, 2009).

Transformative learning theory, like other theories, has documented advantages and

disadvantages associated with it in practice. Roles of participants identified in transformational

learning are that of the instructor and student. Not all teachers and not all learners are

predisposed to this learning theory. Two characteristics of the adult educator include acting as a

seasoned mentor, reflecting on his or her own journey and having compassionate criticism to allow

students to question their own journey (Cooper, 2013). Challenges associated with this learning

theory result in transforming adult learners themselves.

As previously discussed, there is not one specific training method available today that

will encompass the needs for every adult learner. Adult learning models exist as well as online

tools to evaluate which method of learning fits each individual. Using such tools can provide

insight and play a role in the analysis of IT and/or IS training that the corporation deems

applicable. “There is no single best teaching-learning strategy that can work for every student,

no matter how good that approach is (Kharb, Samanta, Jindal, & Singh, 2013)”. Once training

needs are established, delivery of training and learning styles can be clarified.

Formal and Informal Training

IS awareness training needs to be relevant, thorough and regular (Conteh & Royer, 2016).

There are two basic delivery methods for training, formal and informal. The differences in these

training deliveries are clear and both have benefits and weaknesses. Both have usefulness in

corporate cyber security training programs and across all levels of employees working for the

organization.

Formal learning is organized, structured with learning objectives and intentional.

Intentional learning is usually carefully thought out and provided under the direction of training

instructors who have a basic understanding and competency to facilitate the defined objectives.

Many times formal learning is delivered in a classroom or other formal setting (OECD, 2016).

Informal learning is not organized, less structured with no specific learning objective or

intentions. This can occur at work with peer conversations, at home with family and friends or

even on leisure time while listening to the radio or television. Experience based learning is also

informal (OECD, 2016).

Applying adult learning theories and models into formal and informal learning

approaches can be done in a wide variety of ways. Combining aspects of each learning theory

into formal and informal learning can be developed by the organization for the benefit of the

employees being trained. There is an assumption that all training is beneficial regardless of its

formality or lack thereof. Capitalizing on informal learning is also cost effective. As an

example, job shadowing and apprenticeships are fairly cheap in terms of money utilized from the

company perspective. Job shadowing allows a new employee or prospective employee to learn

by watching what a more experienced employee does on the job. A student or intern may also

gain comprehensive insight into what the professional does along with any nuances a field may

entail (Heathfield, 2016). Learning styles may also foster the less formal approach.

Determining Learning Styles

Each individual has his or her own learning style. A learning profile is a means to group

different ways people learn in an attempt to assist in the way each learns best (Tomlinson, 2001).

Profiles are determined by taking a voluntary assessment. Various online tools and assessments

exist to help determine the best learning style profile and delivery methods to complement each

individual. The visual, aural, read/write, kinesthetic (VARK) questionnaire is one online tool

that anyone can use to help determine his or her own learning style. Visual learners prefer to

look at charts, graphs, diagrams, and plans and learn best looking at these formats of

information. Aural learners prefer learning by means of storytelling, discussions and guest

speakers. Reading and writing learners process information more effectively in terms of lists and

notes either in print or on-line. Kinesthetic learning is the process of learning by which the

delivery method is in the format of cases, senses, practical exercises, and examples. The VARK

learning questionnaire provides users with a profile of their learning preferences and in turn

provides information about the ways that they want to take-in and give-out information (VARK

Learn Limited, 2016). Once completed, the site will redirect you to strategies that complement

your learning style profile.

Training Today is one of several service providers that offer online education programs

for employees and supervisors. The website compares different learning formats along with

advantages and disadvantages for each format such as instructor-led, interactive, hands-on,

computer based (CBT), on-line or E-learning and blended training approaches (Training Today,

2016). Further advances in technology today allow options for training other than the traditional

instructor-led training. “In 2010 the U.S. Department of Education reported an updated

meta-analysis because technology had evolved considerably since 2004” (Clark, 2012). The

conclusion of the 2010 report was that “experimental and quasi-experimental studies contrasting

blends of online and face-to-face instruction with conventional face-to-face classes, blended

instruction has been more effective. When used by itself, online learning appears to be as

effective as conventional classroom instruction” (U.S. Department of Education Office of

Planning, Evaluation, and Policy Development, 2010).

Conflicting opinions

Conflicting research from prolific security researcher Bruce Schneier claims that

corporate security failures are not due to lack of training or poor training. These failures are

simply wasting funds that should be repurposed to correct flaws in security designs. He stated

“…training users in security is generally a waste of time, and that the money can be spent better

elsewhere. Moreover, I believe that our industry's focus on training serves to obscure greater

failings in security design” (Schneier, Security awareness training, 2013).

Andragogy is not without criticism. Brookfield called the theory culture blind,

stating that the concept of self-directed learning and the concept of the student’s

establishing a non-threatening relationship with the teacher as facilitator of

learning may neglect races and cultures that value the teacher as the primary

source of knowledge and direction. (TEAL Center Staff, 2011)

With clear lack of regulatory guidance and conflicting opinions, it may be possible to

learn from the best practices set forth in academia and apply federal laws that are applicable to

corporate sector IT training programs (Zanderigo, 2016).

Combining best practice methods into corporate security training

Bridging the gap between best practices and the skills required in corporations requires

further research. There is, however, a best practice in the field today that assists in closing that

same gap. Educating and training users will always be required because end users will always be

the weakest link in information security (Zanderigo, 2016). Perhaps combining instructor-led

training and self-paced learning into a blended learning program can be the essential component

in today’s technologically advanced security training. There is no currently published concrete

evidence to support this idea. Creating a human firewall, and building a workforce for today’s

digital age, might simply be misunderstood and the way forward (Musthaler, 2012).

One of the unique requirements inherent in cyber security training involves a complex and

continually changing computer based environment. In “a 2014 study by the Enterprise Strategy

Group discovered that one-quarter of firms felt they lacked sufficient numbers of personnel with

infosec skills (Trend Micro, 2015)”. The threat landscape today is more complex than it was a

year ago and will be more complex next year than it is today. Skilled professionals are in short

supply while malware and cyber-attacks are on the rise, increasing the demand for trained

individuals. Examples such as JP Morgan Chase, Target, Home Depot and United States Office

of Personnel Management (OPM) have all faced recent severe security breaches. The

combination of large corporations and government entities proves that no one organization,

public or private is immune to such attacks. In a 2014 article, Cybersecurity Skills Shortage

Panic in 2015, published by Network World, security professionals identified the following

problematic shortages: 43 percent cloud computing and server virtualization security skills, 31

percent each of endpoint security skills and network security skills, and 30 percent each of data

security skills and security analytics/forensic skills (Oltsik, 2014). What this means is that the

shortfall in skilled workers will bid up cybersecurity salaries to new highs and “employees with

years of faithful employment at small regional banks, Universities, and State governments will

get offers they simply can’t refuse” (Oltsik, 2014, p. 2).

Summary

Providing IS education training programs to employees does take time and there are

many factors to consider such as money, planning resources, outsourcing training, individual

adult learning styles, and planning requirements. The IS skill gap has increased in the past five

years. Corporate training failures do require attention. The skill gap in trained professionals and

corporate IT vacancies needs to be narrowed to protect company data. Laws and regulations

such as FISMA and NIST frameworks do exist in the public sector. They set forth guidance for

federal agencies and those doing business with these agencies while corporations are not

required by law to follow such guidance. Loose guidance does not create a culture of

cross-sector sharing of IS-related information, nor is it enforced. Challenges faced by organizations

are clear. Establishing clearly defined goals or objectives of training, identifying

which employees require such training, accounting for budget and time constraints, and determining the

resources and materials required are some of the key factors to consider. Costs of outsourcing

training seem minimal on the surface but can be more costly than the hard salary figures. The

costs associated with outsourcing also include risk of data leakage and complications associated

with a risk of a data breach.

Companies have to maintain their own budget constraints and in essence want the biggest

bang for the buck when it comes to cost and effectiveness in maintaining secure networks. There

are also several layers of security to take into consideration outside of the technological

advances already in existence, such as the human component to security. Creating human

firewalls by providing effective training is important. Companies need to take time to analyze

training needs and evaluate how well employees have learned from the provided training.

Organizations cannot rely on technology alone. Setting a climate to learn by motivating

employees and reducing some of the barriers to adult learning should be included. Assessing

learning style profile tools, like VARK, can help to further develop training plans. Incorporating

the learning style profiles based on the learning theories explored in this research study can be

considered a blended learning approach. Using formal training with a mix of informal training,

such as job shadowing is one example. Continual re-evaluation of the training plans is key to

ensure corporate training does not continue to fail. Taking into consideration Salas’ first two

components as to why corporate training fails (failure to analyze training needs and how well

employees learned) and combining Lieb’s four critical elements (motivation, reinforcement,

retention, and transference) with Knowles’ five assumptions about adult learning can provide an

effective IS training plan for a company, other than strictly relying on logic within a computer.

Benefits of having more secure networks far outweigh the costs involved with data breaches,

upwards of $6.5 million.

One of the leading critics, Schneier, continues to believe money will be better spent on

the logic hard coded in systems rather than spent on humans to protect these environments. The

human aspect in coding that logic however cannot be ignored. Further research is still needed in

the area of training for IT and IS within corporations. Outputs from hard coded logic will still

require interpretation by skilled and professionally trained individuals and analysts. Continued

training and building a trained workforce will not decrease anytime in the near future. Part of

that training should include professional licensure or certifications so the professionals keep up

to speed on the ever-changing cyber landscape.

Discussion of the Findings

The purpose of the research study was to determine the effect IT training has on

corporations, training failures and incorporating best practices for overall benefit. When training

fails, the reasons should be understood through continual evaluation in an attempt to better protect companies

from the negative implications this can have for the employees and the organization itself.

Some of the issues that clearly existed to make the current IT training ineffective are a direct

result of poor planning on behalf of the company itself due to lack of strict laws and regulatory

guidance. Other factors to consider include the adult learners themselves, how they understand

new data, and which barriers exist to prevent the learners from becoming fully engaged in

corporate cyber training programs. If companies are willing to assist in the removal of some of the

situational and institutional barriers posed to their employees, they may also alleviate the

overwhelming feeling that employees may encounter, especially if the company requires the

employee to become certified.

Academia professionals and experts in the field of education concur that adult learning

varies. Models exist today to help alleviate the frustration of teaching adult learners new

information, and this information can be used in an attempt to better prepare for changing

technology for today’s corporate environment. When effective training methods are deployed, it

is imperative to monitor and make changes as appropriate. By incorporating a blended and flexible

approach to professional security training, organizations may receive greater benefits in the long

run. Employee retention will decrease any turnover and costs associated with hiring and training

new employees. Any individual working in an organization, whether working on computers,

answering phone calls, or serving as janitorial staff, is subject to cyber-attack through data leakage or data

breaches because they are the human component to an organization. Social engineering attempts

can seem subtle to an untrained employee and very lucrative to an outsider. In some cases, they

never know it has occurred. The cost in creating human firewalls through effective security

training for under $2,000 seems minimal compared to the cost a company may face should a data

breach occur, upward of $6 million.

Recommendations

As a result of this study, several recommendations can be devised. Corporations can

develop blended learning delivery methods with the use of flexible formal training and informal

learning approaches to minimize cost and maximize learning effectiveness. The cost associated

with training staff is minimal compared to the cost of a data breach. It is recommended to invest

in proper IT and IS training for those individuals that own, use, rely on, or manage information

and information technology (IT) systems. An estimated $1200.00 per employee to be trained

versus $1.5 billion per data breach should be incentive enough for any company that considers

training costs not worth the investment.

Extracting the benefits of Malcolm Knowles’s key andragogy assumptions and

incorporating them into today’s cyber workforce training programs has benefits all around.

Companies can identify why their previous training attempts have failed and learn from past

experiences. From a company perspective, the financial cost associated with training employees

is much less than the cost it would incur should regulatory guidance be enforced, company

information be lost due to a data breach, or computer network access itself be lost. Creating a

positive public image and reputation does not happen overnight and may take some time to

develop. Once the reputation is tarnished, it can be difficult as well as costly to rectify.

Conclusion

In summary, this research study was an attempt to obtain a clearer understanding of

today’s corporate IT training. Evaluating which regulations and laws are applicable to the

corporate world was a bit of a challenge as most of the information available only relates to

federal agencies. The lack of corporate guidance leaves corporations to a very generic interpretation of what

they feel is needed or can be justified for their organization. The effects on

businesses can be costly and damaging. Learning theories do exist as well as a variety of

learning style evaluations to help interpret learning styles into learning methodologies. While

conflicting opinions do exist, they are not numerous enough to counter what the research has

indicated. The cost of effectively training IT security staff and those associated with the use of

such systems with corporate information is still beneficial compared to the cost associated with

just one data breach.

Maximizing adult learning methodologies in corporate cyber security training programs is going

to be a key component in successful business practices for years to come based on research and

study findings thus far. With such a skill gap in education, and given where technology is taking us in

the future, it can be concluded that closing that gap will take some time and that it needs to be done in

the most effective and efficient manner possible at the least cost. Confidentiality, integrity and

availability are the foundation of what is expected in a corporate networked environment, and a

professionally trained and skilled workforce is the key component in protecting that intricate

environment to preserve a corporation’s most precious asset, its information.

References

Angeli, E., Wagner, J., Lawrick, E., Moore, K., Anderson, M., Soderlund, L., & & Brizee, A. (2010, May 5). General format. Retrieved February 26, 2016, from https://owl.english.purdue.edu/owl/resource/560/01/

ATD Research. (2014, November 8). 2014 State of the Industry. Retrieved March 8, 2016, from Association for Talent Development: https://www.td.org/Publications/Research-Reports/2014/2014-State-of-the-Industry

Banathy, A., Panozzo, G., Gordy, A., & Senese, J. (2013, July). A layered approach to network security. Retrieved June 2016, from Industrial IP Advantage website: http://www.industrial-ip.org/en/knowledge-center/solutions/security-and-compliance/a-layered-approach-to-network-security

Bernatek, B. (2016). Training and development. Retrieved 2016, from Reference for business: http://www.referenceforbusiness.com/encyclopedia/Thir-Val/Training-and-Development.html

Billikopf, G. (2006, August 11). Promotions, transfers and layoffs. Retrieved April 15, 2016, from nature.berkeley.edu: http://nature.berkeley.edu/ucce50/ag-labor/7labor/04.htm

Blanchard, P., & Simmering, M. J. (2008). Training delivery methods. Retrieved March 1, 2016, from Reference for Business: http://www.referenceforbusiness.com/management/Tr-Z/Training-Delivery-Methods.html

Bucci, S., Rosenzweig, P., & Inserra, D. (2013, April 1). A congressional guide: Seven steps to U.S. security, prosperity, and freedom in cyberspace. Retrieved May 26, 2016, from Heritage.org website: http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-freedom-in-cyberspace

CCU CAGS. (2011, October 6). How adults learn compared to younger learners. Retrieved February 10, 2016, from http://www.ccu.edu/blogs/cags/2011/10/how-adults-learn-compared-to-younger-learners/

Cervero, R. M., & Wilson, A. L. (2001). Power in practice: Adult education and the struggle for knowledge and power in society. San Francisco: Jossey-Bass.

Clark, R. C. (2012, July 16). Blended learning is better than instructor-led or online learning alone. Retrieved March 1, 2016, from Association for Talent Development: https://www.td.org/Publications/Blogs/L-and-D-Blog/2012/07/Blended-Learning-Is-Better-Than-Instructor-Led-or-Online-Learning-Alone

Computer Economics. (2015, August). Disaster recovery tops list of outsourcing cost savings. Retrieved June 2016, from Computer Economics Website: http://www.computereconomics.com/article.cfm?id=2117

35

Conner, M. (2015). Introduction to adult learning. Retrieved March 1, 2016, from MarciaConner.com: http://marciaconner.com/resources/adult-learning/

Conteh, D. N., & Royer, M. D. (2016). The rise in cybercrime and the dynamics of exploiting the human vulnerability Factor. International Journal of Computer, 20(1), 1-12.

Cooper, S. (2013). Jack Mezirow: Transofrmational learning. Retrieved April 15, 2016, from Theories of Learning in Educational Psychology: http://www.lifecircles-inc.com/Learningtheories/humanist/mezirow.html

Corley, M. A. (2003). Poverty, racism, and literacy. ERIC Digest, 243.

Cross, K. (1981). Adults as learners: Increasing participation and facilitating learning. San Francisco, CA: Jossey-Bass. Retrieved from http://jmunescopresentation.weebly.com/barriers-to-participation.html

Department of Labor. (1998, August 7). Workforce investment act of 1998 . Retrieved February 14, 2016, from Public Law 105-220--Aug. 7, 1998: https://www.doleta.gov/regs/statutes/wialaw.txt

Edmunds, C., Lowe, K., Murray, M., & Seymour, A. (1999). OVC Archive. Retrieved February 15, 2016, from NCJRS.GOV: https://www.ncjrs.gov/ovc_archives/instructor/section2.html

Edmunds, C., Lowe, K., Murray, M., & Seymour, A. (2002, June). Historical roots of adult learning principles. (O. f. U.S. Department of Justice, Ed.) Retrieved February 14, 2016, from National Victim Assistance Academy: https://www.ncjrs.gov/ovc_archives/instructor/section2.html

Federal Bureau of Investigation (FBI). (2016). Common fraud schemes. Retrieved from FBI.gov website: https://www.fbi.gov/scams-safety/fraud/fraud

Federal Communications Commission. (2015, October 8). Cyber Security Planning Guide. Retrieved April 10, 2016, from https://transition.fcc.gov/cyber/cyberplanner.pdf

Gabel, D., Liard, B., & Orzechowski, D. (2015, July 1). Cyber risk: Why cyber security is important. Retrieved April 10, 2016, from White & Case: http://www.whitecase.com/publications/insight/cyber-risk-why-cyber-security-important

Grebow, D. (2014, April). The state of learning and development 2014: Coming of age. Retrieved May 2016, from Brandon Hall Group Web site: https://membership.brandonhall.com/posts/798456-executive-summary-state-of-l-d-2014

H.R. Rpt. No. 145. (1987, January). Computer Security Act of 1987. Retrieved March 1, 2016, from https://www.congress.gov/bill/100th-congress/house-bill/145

36

Halim, A., & Ali, M. M. (1998). Improving agricultural extension. A reference manual. Rome, Italy: Food and Agriculture Organization of the United Nations. Retrieved from http://www.fao.org/docrep/W5830E/w5830e0h.htm

Heathfield, S. M. (2016, May 19). Job shadowing is effective on-the-job training. Retrieved June 3, 2016, from Human Resources About Money website: http://humanresources.about.com/od/training/g/job-shadowing.htm

Herold, R. (2010). Why information security training and awareness are important (2nd ed.). New York: Auerbach Publications.

Hight, S. D. (2005, November). The importance of a security, education, training and awareness program. Retrieved February 2016, from http://www.infosecwriters.com/text_resources/pdf/SETA_SHight.pdf

IC & RC. (2015). Licensure vs. Certification. Retrieved 2016, from International Credentialing website: http://internationalcredentialing.org/lic-cert

Illeris, K. (2009). Contemporary theories of learning. New York, NY: Routledge.

Indiana University TS. (2016, May 3). Best practices for computer security. Retrieved June 2, 2016, from Indiana University Knowledge Base website: https://kb.iu.edu/d/akln

ISC2. (2016). CISSP® - Certified Information Systems Security Professional. Retrieved 2016, from ISC2 website: https://www.isc2.org/cissp/default.aspx

Kharb, P., Samanta, P. P., Jindal, M., & Singh, V. (2013, June). The learning styles and the preferred teaching—learning strategies of first year medical students. Journal of Clinical and Diagnostic Research, 7(6), 1089–1092.

Kleiner, M. M., & Krueger, A. B. (2010). The Prevalence and Effects of Occupational Licensing. British Journal of Industrial Relations, 48(4), 676-687.

Knowles, M., Holton III, E., & Swanson, R. (2015). The adult learner: The definitive classic in adult education and human resource development (Eigth Edition ed.). New York: Routledge.

Korpela, K. (2015, June 9). Improving cyber security awareness and training programs with data analytics. Information Security Journal: A Global Perspective, 24(1-3), 72-77.

Lieb, S. (1991). Principles of adult learning. Retrieved March 1, 2016, from lidenwood.edu: https://www.lindenwood.edu/education/andragogy/andragogy/2011/Lieb_1991.pdf

Lieb, S. (1991). Principles of Adult Learning. Retrieved February 14, 2016, from LindenWood.edu: http://www.lindenwood.edu/education/andragogy/andragogy/2011/Lieb_1991.pdf

37

Loveland, G., & Lobel, M. (2012). Cybersecurity: The new business priority. Retrieved 2016, from http://www.pwc.com/us/en/view/issue-15/cybersecurity-business-priority.html

Marquis, A. (2016). The difference between outsourcing & insourcing. Retrieved 2016, from Small Business Chron website: http://smallbusiness.chron.com/difference-between-outsourcing-insourcing-32400.html

Mezirow, J. (2003). Biograhy. Retrieved 2016, from IACE Hall of Fame Repository: http://trace.tennessee.edu/utk_IACE-browseall/152/

Musthaler, L. (2012, November 16). Best practices for creating 'the human firewall'. Retrieved June 4, 2016, from Network Worl web site: http://www.networkworld.com/article/2161514/infrastructure-management/best-practices-for-creating-the-human-firewall.html

Nemesh, A. (2007). Office technology. Retrieved 2016, from Encyclopedia of business and finance, 2nd ed.: http://www.encyclopedia.com/topic/Office_Technology.aspx

NIST Public Affairs Office. (2009, August 18). About NIST. Retrieved May 2, 2016, from NIST website: http://www.nist.gov/public_affairs/nandyou.cfm

NIST SP 800-16. (2014, March). A role-based model for federal information technology: Cybersecurity training. Retrieved February 2016, from US Department of Commerce: NIST Special Publication 800-16: http://csrc.nist.gov/publications/drafts/800-16-rev1/sp800_16_rev1_3rd-draft.pdf

OECD. (2016). Recognition of non-formal and informal learning. Retrieved April 15, 2016, from OECD.org: http://www.oecd.org/edu/skills-beyond-school/recognitionofnon-formalandinformallearning-home.htm

Oltsik, J. (2014, December 9). Cybersecurity skills shortage panic in 2015?: Global cybersecurity skills shortage and high demand could lead to high turnover and hyper wage inflation next year. Retrieved April 15, 2016, from NetworkWorld.com: http://www.networkworld.com/article/2857305/cisco-subnet/cybersecurity-skills-shortage-panic-in-2015.html

Pfleeger, C. a. (2007). Security in computing (Vol. 4th Edition). Upper Saddle River, NJ: Pearson Education, Inc.

Ponemon Institute. (2015, May). 2015 Cost of data breach study: United States. Retrieved March 9, 2016, from IBM: http://public.dhe.ibm.com/common/ssi/ecm/se/en/sew03055usen/SEW03055USEN.PDF

Puhakainen, P., & Siponen, M. (2010, December). Improving employees' compliance through information systems security training: An action research study. MIS: Quarterly, 34(4), pp. 757 - 778.

38

Rashid, F. Y. (2013, April 15). Security awareness training debate: Does it make a difference? Retrieved February 16, 2016, from SecurityWeek.com: http://www.securityweek.com/security-awareness-training-debate-does-it-make-difference

Reyes, S. (2014, February 7). Workplace training and education: Effective methods for training adults. Retrieved February 19, 2016, from Tribehr.com: http://tribehr.com/blog/workplace-training-and-education-effective-methods-for-training-adults

Reyes, S. (2014, February 7). Workplace Training and Education: Effective Methods for Training Adults. Retrieved February 19, 2016, from Tribehr.com: http://tribehr.com/blog/workplace-training-and-education-effective-methods-for-training-adults

Rossi, B. (2015, April 7). The real cost of outsourcing IT. Retrieved April 11, 2016, from InformationAge.com: http://www.information-age.com/it-management/outsourcing-and-supplier-management/123459275/real-cost-outsourcing-it

Rubin, J. (2013, March 29). The Hidden Costs of Outsourcing. Retrieved April 12, 2016, from Forbes.com: http://www.forbes.com/sites/forbesinsights/2013/03/29/the-hidden-costs-of-outsourcing/#a98d1303957b

Russell, D., & Gangemi, S. G. (1991). Computer Security Basics. Sebastopol, CA: O'Reilly & Associates.

Salas, E., Tannenbaum, S., Kraiger, K., & Smith-Jentsch, K. (2012). The science of training and development in organizations: What matters in practice. Association for Phsychological Science, 74 - 101.

Salas, E., Tannenbaum, S., Kraiger, K., & Smith-Jentsch, K. (2012). The Science of Training and Development in Organizations: What Matters in Practice. Association for Phsychological Science, 74 - 101.

Schneier, B. (2013, March 27). Security awareness training. Retrieved February 16, 2016, from Schneier.com: https://www.schneier.com/blog/archives/2013/03/security_awaren_1.html

Schneier, B. (2013, March 27). Security Awareness Training. Retrieved February 16, 2016, from Schneier.com: https://www.schneier.com/blog/archives/2013/03/security_awaren_1.html

Shaw, J. (2016). Ways to Look at Training and Development Processes: Informal/Formal and Self-Directed/Other-Directed. Retrieved April 7, 2016, from Free Management Library: http://managementhelp.org/training/methods/formal-and-informal-methods.htm

Sheared, V., & Johnson-Bailey, J. (2010). The handbook of race and adult education: A resource for dialogue on racism. San Francisco: Wiley & Sons.

39

Shinder, D. (2011, January 26). What makes cybercrime laws so difficult to enforce. Retrieved May 27, 2016, from TechRepublic website: http://www.techrepublic.com/blog/it-security/what-makes-cybercrime-laws-so-difficult-to-enforce/

Silverman, R. (2012, October 26). So Much Training, So Little to Show for It. Retrieved February 19, 2016, from The Wall Street Journal: http://www.wsj.com/articles/SB10001424052970204425904578072950518558328

Silverman, R. E. (2012, October 26). So much training, so little to show for It. Retrieved February 10, 2016, from The Wall Street Journal: http://www.wsj.com/articles/SB10001424052970204425904578072950518558328

Silver-Pacuilla, H. (2003). Transgressing transformation theory. Miami: 52nd Yearbook of the National Reading Conference.

Smith, M. K. (2002). Malcolm Knowles, informal adult education, self-direction and andragogy. Retrieved from the encyclopedia of informal education: http://infed.org/mobi/malcolm-knowles-informal-adult-education-self-direction-and-andragogy/

Smith, M. K. (2010). Andragogy. Retrieved 2016, from the encyclopaedia of informal education: http://infed.org/mobi/andragogy-what-is-it-and-does-it-help-thinking-about-adult-learning/

Strother, J. (2002, April). An Assessment of the Effectiveness of e-learning in Corporate Training Programs. Retrieved February 14, 2016, from IRRODL.ORG: http://www.irrodl.org/index.php/irrodl/article/view/83/160

Strother, J. B. (2002, April). An assessment of the effectiveness of e-learning in corporate training programs. Retrieved February 14, 2016, from IRRODL.ORG: http://www.irrodl.org/index.php/irrodl/article/view/83/160

TEAL Center Staff. (2011). Adult learning theories. Retrieved March 1, 2016, from https://teal.ed.gov/sites/default/files/Fact-Sheets/11_%20TEAL_Adult_Learning_Theory.pdf

The Economist Intelligence Unit. (2014, February). What’s next: Future global trends affecting your organization evolution of work and the worker. Retrieved June 3, 2016, from Future Trends website: http://futurehrtrends.eiu.com/report-2014/challenges-human-resource-management/

The Federal Trade Commission. (2014, July 16). Competition and the potential costs and benefits of professional licensure. Retrieved April 15, 2016, from FTC.gov: https://www.ftc.gov/system/files/documents/public_statements/568171/140716professionallicensurehouse.pdf

Tomlinson, C. A. (2001). How to Differentiate Instruction in Mixed-Ability Classrooms (2nd Edition ed.). (S. Allan, Ed.) Alexandria, VA: Association for Supervision & Curriculum Development.

40

Training Today. (2016). The most effective training techniques. (B.—B. a. Resources, Producer) Retrieved March 1, 2016, from trainingtoday.blr.com: http://trainingtoday.blr.com/employee-training-resources/How-to-Choose-the-Most-Effective-Training-Techniques

Trend Micro. (2015, March 9). The challenges of cyber security education and training in 2015. Retrieved 16 2016, April, from Trendmicro.com: http://blog.trendmicro.com/the-challenges-of-cyber-security-education-and-training-in-2015/

Tullis, J. G., & Benjamin, A. S. (2011, February 1). On the effectiveness of self-paced learning. (http://doi.org/10.1016/j.jml.2010.11.002, Ed.) Journal of Memory and Language, 64(2), 109-118.

U.S Department of Education Office of Planning, Evaluation, and Policy Development,. (2010). Evaluation of evidence-based practices in online Learning: A Meta-analysis and review of online learning studies. Washington, D.C.

U.S. G.A.O. (2008). GAO-08-1075R – Federal Legal Requirements for Critical Infrastructure IT Security. United States Government Accountability Office. D.C.: GAO.

Unesco. (2013). Barriers to Adult Education and the Current Strategies in Overcoming Them. Retrieved 2016, from Barriers to Adult Education: http://jmunescopresentation.weebly.com/barriers-to-participation.html

US GSA. (2015, November 29). 2012 Agency financial report. Retrieved June 3, 2016, from GSA.gov website: http://www.gsa.gov/portal/content/150159

VARK Learn Limited. (2016). Frequently Asked Questions. Retrieved from VARK: A guide to learning styles: http://vark-learn.com/introduction-to-vark/frequently-asked-questions/

Veltsos, C. (2015, October 9). Addressing the information security skills gap in partnership with academia. Retrieved March 10, 2016, from Security intelligence: Analysis and insight for information security professionals: https://securityintelligence.com/addressing-the-information-security-skills-gap-in-partnership-with-academia/

Wentworth, D., & Lombardi, M. (2014, August 28). 5 trends for the future of learning and development. Retrieved April 7, 2016, from TrainingMag.com: https://trainingmag.com/5-trends-future-learning-and-development

Zanderigo, M. (2016, April 15). 10 Best practices for cyber security in 2016. Retrieved June 2016, from Observe IT web site: http://www.observeit.com/blog/10-best-practices-cyber-security-2016

41

Appendix

Appendix A

Example profile test from NoMoLos.org (http://www.nomolos.org/trdv500/frame_a.html)