Systematically Improving Cybersecurity Training

Notes:Julia Prümmer describes her transition from legal psychology into cybersecurity research and how psychological methods shape her approach to cybersecurity training.The discussion explores the role of systematic reviews in mapping what a research field actually knows, rather than relying on highly visible or frequently cited studies.Findings from a large-scale systematic review of cybersecurity training methods are discussed, highlighting the diversity of training approaches used across the literature.The episode examines results from a meta-analysis assessing the overall effectiveness of cybersecurity training and the gap between improvements in precursors such as knowledge and intentions versus observable behaviour.Julia explains why many cybersecurity training programmes lack explicit behavioural theory and rely on trial-and-error design choices.A key theme is the distinction between cybersecurity behaviours that require active engagement, such as phishing detection, and behaviours that may benefit from habit formation, such as screen locking or password management.The conversation draws on research into email habits and phishing susceptibility to illustrate how habitual behaviour can increase vulnerability in certain contexts.Julia discusses the use of psychological theory, including habit formation and implementation intentions, to design and evaluate cybersecurity training interventions.The episode concludes with reflections on the future of cybersecurity training research and the need for behaviour-specific, theory-informed models.About our Guest:Julia Prümmerhttps://www.universiteitleiden.nl/medewerkers/julia-prummer#tab-1https://www.linkedin.com/in/julia-prümmer-376778159/Papers or resources mentioned in this episode Prümmer, J., van Steen, T., & van den Berg, B. (2024). A systematic review of current cybersecurity training methods. Computers & Security, 136, 103585.https://doi.org/10.1016/j.cose.2023.103585Prümmer, J. (2024). The role of cognition in developing successful cybersecurity training programs: Passive vs. active engagement. In D. D. Schmorrow & C. M. Fidopiastis (Eds.), Augmented cognition. HCII 2024 (Lecture Notes in Computer Science, Vol. 14695, pp. 185–199). Springer.https://scholarlypublications.universiteitleiden.nl/handle/1887/4093101Prümmer, J., van Steen, T., & van den Berg, B. (2025). Assessing the effect of cybersecurity training on end-users: A meta-analysis. Computers & Security, 150, 104206.https://doi.org/10.1016/j.cose.2024.104206Vishwanath, A. (2015). Examining the distinct antecedents of e-mail habits and its influence on the outcomes of a phishing attack. Journal of Computer-Mediated Communication, 20(5), 570–584.https://doi.org/10.1111/jcc4.12126Other If this topic of training as an intervention to reduce susceptibility to cybercrime, you might also enjoy the recent Episodes 123, 116, 110, 106, 60, and 59 that are all on related topics. If you are brave you can even go right back to Episodes 6, 7 and 8, there is a lot to listen to.