Publication Date

December 2017


Organizational information system users (OISUs) who are open to cyber threat vectors are contributing to major financial and information losses for individuals, businesses, and governments. Moreover, technical cybersecurity controls may be rendered useless by a lack of cybersecurity competency among OISUs. The main goal of this research study was to propose and validate, using subject matter experts (SMEs), a reliable hands-on assessment prototype tool for measuring the knowledge, skills, and abilities (KSAs) that comprise the cybersecurity competency of an OISU. Primarily using the Delphi methodology, this study implemented four phases of data collection using cybersecurity SMEs for proposing and validating OISU: (a) KSAs, (b) KSA measures, (c) KSA measure weights, and (d) cybersecurity competency threshold. A fifth phase of data collection measured the cybersecurity competency of 54 participants. Phase 1 proposed and validated three OISU cybersecurity abilities, 23 OISU cybersecurity knowledge units (KU), and 22 OISU cybersecurity skill areas (SA). Phase 2 proposed and validated 90 KSA measures for 47 knowledge topics (KT) and 43 skill tasks (ST). Phase 3 proposed and validated the weights for four knowledge categories (KC) and four skill categories (SC). Phase 4 proposed and validated an OISU cybersecurity competency threshold (index score) of 80%. Phase 5 of this study measured the cybersecurity competency of 54 OISUs using the MyCyberKSAs™ prototype cybersecurity competency assessment tool. Phase 5 conducted data analysis by computing levels of dispersion and one-way analysis of variance (ANOVA), which indicated that annual cybersecurity training and job function are significant, providing evidence of significant differences in OISU cybersecurity competency.