Abstract

Human preparedness is a critical aspect of critical infrastructure (CI) cybersecurity. Many efforts, including educational curricula and training programs, have been made at both the national and company levels to ensure human preparedness in CI incident response. These efforts are usually based on corporate requirements or external guidelines and policies. However, the best practices recommended for these efforts in the literature differ significantly from the measures implemented in CI companies. For this reason, we compared the state of practice in cybersecurity awareness and training in selected CI companies with the recommendations in the literature, aiming to identify the areas where CI companies need to increase their efforts for further security implementations. Specifically, we conducted interviews (n=7) and sent out questionnaires to cybersecurity personnel (n=11) in different CI sectors of Norway. The collected data were analyzed to establish the commonalities, differences, and areas of concern among the interviewees with respect to certain critical attributes. All Norwegian companies involved in the study offered some type of awareness or training activities to their employees, but these activities varied greatly in their level of maturity. In addition, we noted several limitations in methods and contents. According to many participants, team skills, communication skills, and managerial skills were often inadequately developed. Additional limitations in delivery methods were also noticed. Finally, we suggested solutions from the best practices in the literature and pointed out the areas where the literature has not provided effective measures.
