Security awareness training: A review

Abstract

Phishing is a type of social engineering cybercrimes in which, phishers try to steal users' information. Human unawareness and inattention factors are usually exploited by phishers to bypass anti-phishing systems. This impose on anti-phishing solutions to target the vulnerabilities at both of technical and non-technical layers of phishing problem. This paper reviews users' training approach as a non-technical solution to mitigate security threats in general and phishing problem in particular. Security training methods should be designed to attract users' attention in order to enhance their awareness and make them retain acquired knowledge for longer time. Training activities therefore, must consider knowledge acquisition, knowledge retention, and knowledge transfer aspects. Training in addition, should be embedded into something that users are familiar with and continually practice to make training as ongoing activity. Security training as a non-technical solution must be highly considered to complement the performance of anti-phishing technical tools and thus, improve their results.