Assessing Cybersecurity Awareness Among Public Sector Employees in Saudi Arabia: A Study on Social Engineering Vulnerabilities
Date
2024-08-28
Publisher
Royal Holloway University of London
Abstract
The purpose of this study is to evaluate the level of cybersecurity awareness among employees in the public sector of Saudi Arabia, with a specific focus on understanding their vulnerability to social engineering attacks. This literature review examines the awareness of public sector employees with respect to social engineering vulnerabilities. Understanding and mitigating these vulnerabilities is critical due to the increasing prevalence of cyber-attacks that exploit human factors. The review critically examines theories (i.e., Protection Motivation Theory (PMT) and the Theory of Planned Behaviour (TPB)) about the motivations and behaviours that influence cybersecurity practices among employees. In addition, the review evaluates established frameworks (i.e., the National Institute of Standards and Technology's Security Awareness, Training, and Education (NIST SATE) framework, the Human Aspects of Information Security Questionnaire (HAIS-Q), and the Cybersecurity Awareness Training (CSAT) framework) to assess their effectiveness in buttressing cybersecurity awareness and their limitations, such as the challenges in measuring training effectiveness and adapting to diverse organisational needs. Furthermore, the review categorises multifarious social engineering threats (i.e., phishing, spear phishing, pretexting, baiting, tailgating and quid pro quo) so as to provide detailed insights into their mechanisms and management strategies. Past studies are critically scrutinised to evaluate the effectiveness of existing cybersecurity training programs, revealing specific vulnerabilities, knowledge gaps and the significant impact of organisational culture and policies on cybersecurity awareness. This comprehensive analysis identifies critical areas for improvement and underscores the need for continuous updates and tailored training programs.
By bridging the gap between theoretical information and practical applications, this review aims to provide a foundation for developing targeted strategies that enhance cybersecurity awareness and resilience among public sector employees.
This study measures cybersecurity knowledge across Saudi public sector workers using a quantitative, positivist-guided methodology. It employs a logical approach to test hypotheses using online surveys that are examined using SPSS. Convenience sampling as well as the cross-sectional approach allow for extensive data gathering while upholding participant protection ethics.
According to the results of the T-test, all the alternative hypotheses are accepted, as the obtained p-values are less than 0.05 (p<0.05). In contrast, the results of the regression analysis indicate that the first and second hypotheses are accepted, but the third alternative hypothesis cannot be accepted. Hence, by comparing the results of the regression analysis with the results of the T-test and graphical analysis, it can be stated that cybersecurity training, organisational policy and organisational culture significantly and positively influence cybersecurity awareness among employees.
Description
To improve practical significance, future studies should use a longitudinal strategy, incorporate qualitative approaches, and increase the sample size. Deeper insights may be gained by analyzing particular training interventions and investigating cutting-edge technologies like artificial intelligence. This will enable the development of cybersecurity awareness programs that are more successful and adapted to the changing demands of public service.
Keywords
cybersecurity, social engineering, cybersecurity awareness among employees in the public sector of Saudi Arabia
Citation
social engineering