{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,20]],"date-time":"2026-04-20T13:37:11Z","timestamp":1776692231203,"version":"3.51.2"},"reference-count":50,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2019,11,11]],"date-time":"2019-11-11T00:00:00Z","timestamp":1573430400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2019,11,11]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This paper aims to introduce the concept of a framework of cyber-security controls that are adaptable to different types of organisations and different types of employees. One of these adaptive controls, namely, the mode of training provided, is then empirically tested for its effectiveness.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>In total, 1,048 working Australian adults completed the human aspects of the information security questionnaire (HAIS-Q) to determine their individual information security awareness (ISA). This included questions relating to the various modes of cyber-security training they had received and how often it was provided. Also, a set of questions called the cyber-security learning-styles inventory was used to identify their preferred learning styles for training.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The extent to which the training that an individual received matched their learning preferences was positively associated with their information security awareness (ISA) level. 
However, the frequency of such training did not directly predict ISA levels.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>Further research should examine the influence of matching cyber-security learning styles to training packages more directly by conducting a controlled trial where the training packages provided differ only in the mode of learning. Further research should also investigate how individual tailoring of aspects of an adaptive control framework (ACF), other than training, may improve ISA.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>If cyber-security training is adapted to the preferred learning styles of individuals, their level of ISA will improve, and therefore, their non-malicious behaviour, whilst using a digital device to do their work, will be safer.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>A review of the literature confirmed that ACFs for cyber-security do exist, but only in terms of hardware and software controls. There is no evidence of any literature on frameworks that include controls that are adaptable to human factors within the context of information security. In addition, this is the first study to show that ISA is improved when cyber-security training is provided in line with an individual\u2019s preferred learning style. 
Similar improvement was not evident when the training frequency was increased suggesting real-world improvements in ISA may be possible without increasing training budgets but by simply matching individuals to their desired mode of training.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-01-2019-0022","type":"journal-article","created":{"date-parts":[[2019,11,13]],"date-time":"2019-11-13T05:59:33Z","timestamp":1573624773000},"page":"1-14","source":"Crossref","is-referenced-by-count":23,"title":["Matching training to individual learning styles improves information security awareness"],"prefix":"10.1108","volume":"28","author":[{"given":"Malcolm","family":"Pattinson","sequence":"first","affiliation":[]},{"given":"Marcus","family":"Butavicius","sequence":"additional","affiliation":[]},{"given":"Meredith","family":"Lillie","sequence":"additional","affiliation":[]},{"given":"Beau","family":"Ciccarello","sequence":"additional","affiliation":[]},{"given":"Kathryn","family":"Parsons","sequence":"additional","affiliation":[]},{"given":"Dragana","family":"Calic","sequence":"additional","affiliation":[]},{"given":"Agata","family":"McCormac","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"issue":"3","key":"key2020040311053592100_ref001","doi-asserted-by":"crossref","first-page":"237","DOI":"10.1080\/0144929X.2012.708787","article-title":"User preference of cyber-security awareness delivery methods","volume":"33","year":"2014","journal-title":"Behaviour and Information Technology"},{"issue":"4","key":"key2020040311053592100_ref002","doi-asserted-by":"crossref","first-page":"432","DOI":"10.1016\/j.cose.2009.12.005","article-title":"Improving information security awareness and behaviour through dialogue, participation and collective reflection. 
An intervention study","volume":"29","year":"2010","journal-title":"Computers and Security"},{"issue":"5","key":"key2020040311053592100_ref003","doi-asserted-by":"crossref","first-page":"497","DOI":"10.1177\/001872088602800501","article-title":"Maintenance training simulator fidelity and individual differences in transfer of training","volume":"28","year":"1986","journal-title":"Human Factors: The Journal of the Human Factors and Ergonomics Society"},{"key":"key2020040311053592100_ref004","article-title":"Information Technology \u2013 Security Techniques \u2013 Code of practice for information security management, (27002:2015)","author":"AS_ISO\/IEC_27002","year":"2015"},{"issue":"1","key":"key2020040311053592100_ref005","doi-asserted-by":"crossref","first-page":"66","DOI":"10.1016\/0092-6566(86)90110-8","article-title":"Desire for control and the illusion of control: the effects of familiarity and sequence of outcomes","volume":"20","year":"1986","journal-title":"Journal of Research in Personality"},{"key":"key2020040311053592100_ref006","article-title":"Breaching the human firewall: social engineering in phishing and spear-phishing emails","year":"2015"},{"key":"key2020040311053592100_ref007","first-page":"12","article-title":"Na\u00efve and accidental behaviours that compromise information security: what the experts think","year":"2016"},{"issue":"2","key":"key2020040311053592100_ref008","first-page":"135","article-title":"Teach them how they learn: learning styles and information systems education","volume":"22","year":"2011","journal-title":"Journal of Information Systems Education"},{"key":"key2020040311053592100_ref009","volume-title":"Influence: Science and Practice","year":"2009"},{"key":"key2020040311053592100_ref010","article-title":"Special publication 800-61 revision 2","year":"2012"},{"issue":"2","key":"key2020040311053592100_ref011","doi-asserted-by":"crossref","first-page":"196","DOI":"10.1016\/j.cose.2009.09.002","article-title":"A framework and 
assessment instrument for information security culture","volume":"29","year":"2010","journal-title":"Computers and Security"},{"issue":"4","key":"key2020040311053592100_ref012","first-page":"18","article-title":"Matters of style","volume":"6","year":"1996","journal-title":"ASEE Prism"},{"key":"key2020040311053592100_ref013","unstructured":"Felder, R.M. and Soloman, B.A. (2000), \u201cLearning styles and strategies\u201d, available at: www.engr.ncsu.edu\/learningstyles\/ilsweb.html"},{"key":"key2020040311053592100_ref014","volume-title":"Teaching and Learning Styles: VARK Strategies","year":"2001"},{"issue":"3","key":"key2020040311053592100_ref015","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1016\/S1361-3723(07)70035-0","article-title":"Phishing: can we spot the signs?","volume":"2007","year":"2007","journal-title":"Computer Fraud and Security"},{"key":"key2020040311053592100_ref016","article-title":"'Securing the human factor","volume-title":"Understanding Public Perceptions: Trust and Engagement in ICT Mediated Services","year":"2008"},{"key":"key2020040311053592100_ref017","first-page":"91","article-title":"'Online persuasion and compliance: social influence on the internet and beyond","volume-title":"The Social Net: The Social Psychology of the Internet","year":"2005"},{"issue":"1","key":"key2020040311053592100_ref018","doi-asserted-by":"crossref","first-page":"51","DOI":"10.1037\/a0030592","article-title":"Social influence online: the impact of social validation and likability on compliance","volume":"2","year":"2013","journal-title":"Psychology of Popular Media Culture"},{"key":"key2020040311053592100_ref019","article-title":"Spear-phishing in the wild: a real-world study of personality, phishing self-efficacy and vulnerability to spear-phishing attacks","year":"2015"},{"issue":"6","key":"key2020040311053592100_ref020","doi-asserted-by":"crossref","first-page":"578","DOI":"10.1177\/0956797611436349","article-title":"Personalized persuasion: 
tailoring persuasive appeals to recipients\u2019 personality traits","volume":"23","year":"2012","journal-title":"Psychological Science"},{"key":"key2020040311053592100_ref021","volume-title":"COBIT5: A Business Framework for the Governance and Management of Enterprise IT","author":"ISACA","year":"2012"},{"key":"key2020040311053592100_ref022","volume-title":"Risk management - Guidelines","author":"ISO_3100","year":"2018"},{"issue":"3","key":"key2020040311053592100_ref023","doi-asserted-by":"crossref","first-page":"464","DOI":"10.3758\/s13421-013-0364-z","article-title":"The role of individual differences in cognitive training and transfer","volume":"42","year":"2014","journal-title":"Memory and Cognition"},{"key":"key2020040311053592100_ref024","first-page":"183","article-title":"Adaptive persuasive messages in an e-commerce setting: the use of persuasion profiles","year":"2011"},{"issue":"3","key":"key2020040311053592100_ref025","doi-asserted-by":"crossref","first-page":"176","DOI":"10.1016\/j.intmar.2012.02.002","article-title":"Heterogeneity in the effects of online persuasion","volume":"26","year":"2012","journal-title":"Journal of Interactive Marketing"},{"key":"key2020040311053592100_ref026","doi-asserted-by":"crossref","first-page":"166","DOI":"10.1016\/j.compedu.2016.12.006","article-title":"Stop propagating the learning styles myth","volume":"106","year":"2017","journal-title":"Computers and Education"},{"key":"key2020040311053592100_ref027","first-page":"72","volume-title":"The Kolb Learning Style Inventory\u2013Version 3.1 2005 Technical Specifications","year":"2005"},{"issue":"2","key":"key2020040311053592100_ref028","doi-asserted-by":"crossref","first-page":"323","DOI":"10.1177\/0013164409344507","article-title":"Attempted validation of the scores of the VARK: learning styles inventory with multitrait\u2013multimethod confirmatory factor analysis models","volume":"70","year":"2010","journal-title":"Educational and Psychological 
Measurement"},{"issue":"1","key":"key2020040311053592100_ref029","doi-asserted-by":"crossref","first-page":"43","DOI":"10.1061\/(ASCE)0733-9488(2007)133:1(43)","article-title":"Model reference adaptive control framework for real-time traffic management under emergency evacuation","volume":"133","year":"2007","journal-title":"Journal of Urban Planning and Development"},{"key":"key2020040311053592100_ref030","first-page":"80","article-title":"Understanding the relationships between resilience, work stress and information security awareness","year":"2017"},{"key":"key2020040311053592100_ref031","article-title":"Test-retest reliability and internal consistency of the human aspects of information security questionnaire (HAIS-Q)","year":"2016"},{"key":"key2020040311053592100_ref032","doi-asserted-by":"crossref","first-page":"151","DOI":"10.1016\/j.chb.2016.11.065","article-title":"Individual differences and information security awareness","volume":"69","year":"2017","journal-title":"Computers in Human Behavior"},{"key":"key2020040311053592100_ref033","unstructured":"MediaPro (2017), \u201cBest practices guide for comprehensive employee awareness programs\u201d, available at: www.mediapro.com\/blog\/white-paper-best-practices-guide-comprehensive-employee-awareness-programs\/ (accessed 12 June 2018)."},{"key":"key2020040311053592100_ref034","first-page":"444","article-title":"Evidence-Based higher education\u2013is the learning styles \u2018myth\u2019 Important?","volume":"8","year":"2017","journal-title":"Frontiers in Psychology"},{"key":"key2020040311053592100_ref035","volume-title":"Framework for Improving Critical Infrastructure Cybersecurity","author":"NIST","year":"2017"},{"issue":"7","key":"key2020040311053592100_ref036","doi-asserted-by":"crossref","first-page":"913","DOI":"10.1177\/0146167208316691","article-title":"Normative social influence is underdetected","volume":"34","year":"2008","journal-title":"Personality and Social Psychology 
Bulletin"},{"key":"key2020040311053592100_ref037","first-page":"366","article-title":"'Phishing for the truth: a scenario-based experiment of users\u2019 behavioural response to emails","year":"2013"},{"key":"key2020040311053592100_ref038","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1016\/j.cose.2013.12.003","article-title":"Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q)","volume":"42","year":"2014","journal-title":"Computers and Security"},{"key":"key2020040311053592100_ref039","doi-asserted-by":"crossref","first-page":"194","DOI":"10.1016\/j.cose.2015.02.008","article-title":"The design of phishing studies: Challenges for researchers","volume":"52","year":"2015","journal-title":"Computers and Security"},{"key":"key2020040311053592100_ref040","doi-asserted-by":"crossref","first-page":"40","DOI":"10.1016\/j.cose.2017.01.004","article-title":"The human aspects of information security questionnaire (HAIS-Q): two further validation studies","volume":"66","year":"2017","journal-title":"Computers and Security"},{"issue":"3","key":"key2020040311053592100_ref041","doi-asserted-by":"crossref","first-page":"105","DOI":"10.1111\/j.1539-6053.2009.01038.x","article-title":"Learning styles: concepts and evidence","volume":"9","year":"2008","journal-title":"Psychological Science in the Public Interest"},{"key":"key2020040311053592100_ref042","article-title":"Managing phishing emails: a scenario-based experiment","year":"2011"},{"issue":"1","key":"key2020040311053592100_ref043","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1108\/09685221211219173","article-title":"Why do some people manage phishing e-mails better than others?","volume":"20","year":"2012","journal-title":"Information Management and Computer Security"},{"key":"key2020040311053592100_ref044","first-page":"67","article-title":"Adapting cyber-security training to your 
employees","year":"2018"},{"key":"key2020040311053592100_ref045","unstructured":"Proofpoint (2018), \u201cThe human factor - people-centred threats define the landscape\u201d, available at: www.proofpoint.com\/ (accessed 7 June 2018)."},{"issue":"9","key":"key2020040311053592100_ref046","first-page":"199","article-title":"Process model comprehension: the effects of cognitive abilities, learning style, and strategy","volume":"34","year":"2014","journal-title":"Communications of the Association for Information Systems"},{"issue":"10","key":"key2020040311053592100_ref047","doi-asserted-by":"crossref","first-page":"1907","DOI":"10.1109\/TAC.2007.906215","article-title":"A unified adaptive iterative learning control framework for uncertain nonlinear systems","volume":"52","year":"2007","journal-title":"IEEE Transactions on Automatic Control"},{"issue":"1","key":"key2020040311053592100_ref048","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1108\/ICS-04-2017-0025","article-title":"Cybersecurity and information security \u2013 what goes where?","volume":"26","year":"2018","journal-title":"Information and Computer Security"},{"issue":"3","key":"key2020040311053592100_ref049","doi-asserted-by":"crossref","first-page":"130","DOI":"10.12968\/bjhc.2015.21.3.130","article-title":"Nudging\u2019behaviours in healthcare: insights from behavioural economics","volume":"21","year":"2015","journal-title":"British Journal of Healthcare Management"},{"issue":"2","key":"key2020040311053592100_ref050","doi-asserted-by":"crossref","first-page":"385","DOI":"10.1287\/isre.2014.0522","article-title":"Research note-influence techniques in phishing attacks: an examination of vulnerability and resistance","volume":"25","year":"2014","journal-title":"Information Systems Research"}],"container-title":["Information &amp; Computer 
Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-01-2019-0022\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-01-2019-0022\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:37Z","timestamp":1753406557000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/28\/1\/1-14\/108336"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,11,11]]},"references-count":50,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2019,11,11]]}},"alternative-id":["10.1108\/ICS-01-2019-0022"],"URL":"https:\/\/doi.org\/10.1108\/ics-01-2019-0022","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2019,11,11]]}}}