Research library | Thesis / Dissertation
| 07/12/2017

A methodology for quantifying the level of cybersecurity awareness

Robert de Vries

According to the Dutch National Cyber Security Centre's yearly assessment of the country's cyber security situation (Cyber Security Beeld Nederland, CSBN 2017), in 91% of the investigated cases a cyber-attack originated from some form of phishing. This is in line with data from the SysAdmin, Audit, Network and Security (SANS) Institute, which states: '95% of all attacks on enterprise networks are the result of successful spear phishing.' Because such a high percentage of cybersecurity incidents starts with some kind of phishing, the actions and reactions of employees to phishing attacks can be used as a measurement method to quantify the level of cybersecurity awareness (CSA) of an organization.

Governmental organizations invest millions in the protection of their internal systems and infrastructure, but only train their employees in a low-cost, short-duration CSA course. There are huge investments in defensive technologies, but little investment in human awareness. Quantifying the level of awareness of employees can be used to measure changes in the CSA level of a particular organization. Some methodologies to quantify the level of CSA are available, but these methods are scarce and sometimes inconsistent.

This thesis surveys the available CSA-level measurement methods and proposes a methodology based on factual measurement of the level of cybersecurity awareness of organizations. The methodology finds its foundation in literature, expert interviews and a case study in which the gamification of a phishing attack was studied. Data from a case study performed within the Dutch Ministry of Defense is examined in order to explain why gamification can be used as a CSA-level measurement method and/or as a supplement to, or validation of, existing methods. Phishing is used as the gamification method, and a distinction is made between phishing and spear phishing. Using the optional 'Vishwas' triad and psychological influence factors, the differentiation between phishing methods can be incorporated in quantification methods. To produce validated findings, the gamification research has to be conducted in a scientific manner: with an appropriate research design, a defined minimum target population, a proper sampling scheme, and data collected in a secure and privacy-preserving manner.
