| dc.description.abstract | Critical Infrastructures (CIs) are defined as the ensemble of assets that are essential for the functioning of a society and economy. As suggested by their namesake, they cover a key role in many of today’s developed and developing nations. From energy producing sectors to transportation sectors, the role of CI industry is of such criticality in modern societies that any malfunction or downtime could result both in financial and physical damage to economies, services, people and the environment. Due to their key roles, ensuring their protection and security is of utmost importance. While in previous decades physical security of these infrastructures was often the sole priority, recent integration to the functions supported by Industrial Control Systems (ICS), Internet of Things (IoT) and other connected devices meant that their Cyber-Security (CS) had to be also prioritized.
Since then, a variety of CS measures has been installed both at a national and international level, with many institutions being dedicated to CS for CIs. When it comes to defending CIs CS, one of the critical points of defense as well as weakness is that of human operators. Recent studies have shown that exploitation of lack of awareness by human personnel accounts for a majority of cyber-attacks. For this reason, the development and implementation of effective CS awareness and training is a priority for Critical Infrastructure Protection (CIP). Currently, several CS training offerings can be found and have been adopted by CI companies. Nonetheless, several key shortcomings of these offerings have been highlighted in the literature, including inability to change participants’ behaviour, lack of engagement and motivation in commencing or continuing training, lack of tailoring and personalization based on participants’ preferences and profiles.
For this purpose, in this thesis, we have developed a framework for modeling CS training exercises, based on Personalized Learning Theory (PLT) concepts. The objective of the framework is to allow for the development of training exercises using the stages of a revised ADDIE model. The resulting exercises will take into consideration input and feedback from all stakeholders involved in the training, and each component of the exercise is designed and tailored to either individual preferences or the targeted group’s requirements and goals.
The first part of this research is focused on reviewing the key knowledge and competence required by CI personnel for CI CS protection. Additionally, we conduct extensive reviewing of CS training offerings currently proposed in the literature, as well as offerings that have been adopted by Norwegian CI companies in recent years. The purpose of this research is to obtain an in-depth understanding of the state-of-the-art in CS training, with the goal of uncovering the gaps afflicting current offerings.
The second part of this research involves the development of a framework for modeling CS training that takes into consideration the limitations found in current offerings. In particular, due to the previously mentioned limitations of current proposals when it comes to training soft skills and effectively engaging participants, the proposed framework incorporates key concepts of PLT. The framework was primarily developed through a Delphi process which involved stakeholders from both industry and academia. This allowed to collect and compare input and prioritization of many of the different key attributes to consider when developing CS training frameworks.
The final part of this research is focused on testing the framework by conducting three experiments with three different target groups, two of which involved critical infrastructure personnel. The objective of this part was to evaluate the design and effectiveness of the CS training exercises developed using the framework, as well as collect feedback from participants. The framework was progressively adjusted based on the feedback obtained from the participants. The results of this evaluation show that the framework is effective at developing engaging, targeted training exercises, as well as allowing for a thorough evaluation of training and development of learning paths specific to participants’ needs and goals. | en_US |
