House of Cards: developing KPIs for monitoring cybersecurity awareness (CSA)

Alshammari, Mohammad Mulayh; Demetis, Dionysios S.



Non-malicious insider threats continue to pose a significant concern to an organisation’s cybersecurity defence strategy, yet organisations still struggle to contain such insider threats. A critical pillar for doing so rests on the development and monitoring of Cybersecurity Awareness (CSA) programmes. CSA programmes need to be both prioritised and acknowledged as an important and crucial approach to the reduction of such threats. Although CSA programmes are developed on an ad-hoc basis by many organisations, the effectiveness of such programmes and how their entire lifecycle needs to be reviewed, monitored and managed needs to be further explored. In order to do so, this paper extracts a number of key performance indicators (KPIs) for monitoring CSA programmes. The paper relies on empirical data from an in-depth case study of University X in Saudi Arabia and sensitises the research approach by using Kirkpatrick’s four level model as a theoretical scaffold. Through the combined use of Kirkpatrick’s model that is recognised as a comprehensive model for evaluating the results of training and learning programmes and the empirical data from the case study, we offer a customised CSA-oriented model for managing cybersecurity awareness programmes, reflect on its associated KPIs, and consider broader information security management considerations.


Alshammari, M. M., & Demetis, D. S. (2023). House of Cards: developing KPIs for monitoring cybersecurity awareness (CSA). Journal of Information Systems Security, 19(2), 133-161

Journal Article Type: Article
Acceptance Date: Aug 28, 2023
Online Publication Date: Nov 6, 2023
Publication Date: Jan 1, 2023
Deposit Date: Sep 14, 2023
Publicly Available Date: Oct 3, 2023
Journal: Journal of Information Systems Security
Print ISSN: 1551-0123
Electronic ISSN: 1551-0808
Peer Reviewed: Peer Reviewed
Volume: 19
Issue: 2
Pages: 133-161
Keywords: Cybersecurity awareness; Kirkpatrick; Information security; Key performance indicators (KPI)


Accepted manuscript (746 Kb)

Copyright Statement
©2023 The authors. All rights reserved. No part of this publication may be reproduced without the written permission of the copyright holder.
