Home Browse Information security education: a thematic trend analysis
ALL Metrics
-
Views
-
Downloads
Get PDF
Get XML
Cite
Export
Track
Systematic Review
Revised

Information security education: a thematic trend analysis

[version 2; peer review: 2 approved]
Paula Andrea Rodríguez-Correa1Alejandro Valencia-Arias
https://orcid.org/0000-0001-9434-6923
2Ezequiel Martínez Rojas
https://orcid.org/0000-0002-0914-951X
3[...] Aarón Oré León4Ray Harvey Mellin Rubio
https://orcid.org/0000-0002-9655-9997
5Manuel Humberto Vásquez Coronado2Jesus Alberto Jimenez Garcia
https://orcid.org/0000-0002-0722-8484
2
Paula Andrea Rodríguez-Correa1Alejandro Valencia-Arias
https://orcid.org/0000-0001-9434-6923
2[...] Ezequiel Martínez Rojas
https://orcid.org/0000-0002-0914-951X
3Aarón Oré León4Ray Harvey Mellin Rubio
https://orcid.org/0000-0002-9655-9997
5Manuel Humberto Vásquez Coronado2Jesus Alberto Jimenez Garcia
https://orcid.org/0000-0002-0722-8484
2
PUBLISHED 17 Feb 2025
Author details Author details
OPEN PEER REVIEW
REVIEWER STATUS

This article is included in the Cybersecurity collection.

Abstract

The evolution of information technologies has led to a significant increase in information security risks, underscoring the urgent need for professional education in this field to safeguard organizational data. Publications on this topic highlight the necessity of educating individuals about data security, and their number has grown in recent years. This study aims to identify thematic trends in information security education through a bibliometric analysis based on five research questions, following PRISMA guidelines. Ninety-nine documents from Scopus and Web of Science were analyzed, revealing a quadratic growth, with 2023 as the year of greatest research activity. Prominent contributors such as Von Solms, Safa, and Furnell stand out, along with the journal Computers & Security and the significant influence of the United States in this field. The potential is identified in the following areas: information security culture, media, information security regulations, higher education institutions, information security management, and cybersecurity. The study also identifies gaps and proposes a research agenda to address these gaps.

Keywords

Information security, cybersecurity, data protection, information security training, higher education

Corresponding author: Alejandro Valencia-Arias
Competing interests: No competing interests were disclosed.
Grant information: The author(s) declared that no grants were involved in supporting this work.
Copyright:  © 2025 Rodríguez-Correa PA et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
How to cite: Rodríguez-Correa PA, Valencia-Arias A, Martínez Rojas E et al. Information security education: a thematic trend analysis [version 2; peer review: 2 approved]. F1000Research 2025, 14:5 (https://doi.org/10.12688/f1000research.159828.2) First published: 02 Jan 2025, 14:5 (https://doi.org/10.12688/f1000research.159828.1) Latest published: 17 Feb 2025, 14:5 (https://doi.org/10.12688/f1000research.159828.2)

Revised Amendments from Version 1

Dear readers, in this latest version, suggestions made by the evaluator have been addressed, associated with specific elements such as the research problem, the presentation and analysis of the results in a more critical and in-depth manner, greater detail of the limitations of the study, as well as an expansion in the sources consulted for conceptual development.

See the authors' detailed response to the review by Lynette Drevin

1. Introduction

As information technologies advance, information security risks also increase. Consequently, companies are increasingly concerned about cyber-attacks (Safa et al., 2015). Thus, information security has become one of the most important and debated topics among experts. Actions are being taken by implementing organizational information security procedures and policies, encouraging information security-conscious behavior, and promoting the sharing of information security knowledge (Safa et al., 2018).

Given the rapid technological evolution, continuous evaluation and constant innovation to improve security systems, such as multi-layer firewalls, have become essential. According to Torten et al. (Torten et al., 2018), cyberattacks often target the installation of ransomware, intellectual property infringement, theft of medical records, unauthorized banking transactions, and credit card misuse. Consequently, companies worldwide have placed a high priority on information systems risk management (Flores & Ekstedt, 2016).

Given the growing importance of protecting information systems within organizations, there has been an increased focus on developing human talent in cybersecurity in recent years as a key component of information technology education. This focus is reflected in both core and advanced curricula (Rowe et al., 2011). In addition, higher education plays a key role in society, particularly in terms of research, development, and education. Consequently, faculties are establishing their own Information Technology (IT) networks designed to support research, development, and teaching activities in the field of information security (Ulven & Wangen, 2021).

Therefore, several literature reviews have focused on investigating the fundamental knowledge, skills, and capabilities required by cybersecurity professionals (Jones et al., 2018), as well as analyzing information security curricula (Parrish et al., 2018). These studies have highlighted that information security has emerged as a crucial area of learning that demands specific professional education, particularly in areas such as secure programming, network security, and offensive security (Švábenský et al., 2020).

Information security education and training are critical for preparing both current and future IT professionals to adequately and effectively address real-world security risks and incidents (Beuran et al., 2016). Consequently, universities have acknowledged the necessity of maintaining currency with cyber threats and risks to provide students with contemporary cybersecurity tools and knowledge through innovative methodologies (Cheung et al., 2011). Furthermore, Bada and Nurse (2019) underscore the significance of devising cybersecurity education and awareness programs that are tailored to the specific needs of small- and medium-sized enterprises (SMEs), as these organizations frequently encounter unique challenges in safeguarding their systems. Their research underscores the necessity for accessible, practical training that can empower employees at all levels to understand and mitigate cybersecurity risks, which is imperative in fostering a culture of security awareness across diverse organizational sizes and sectors.

Thus, it has been evidenced that in the current era, where information is an invaluable asset and technology drives most human activities, information security has become a paramount concern (Burov et al., 2020). This concern is compounded by the increasing sophistication of cyber threats and the proliferation of cyber-attacks in both business and personal domains (Khaleefah & Al-Mashhadi, 2024). Therefore, the growing need for trained information security professionals is evident, making university programs dedicated to information security education essential (AlDaajeh et al., 2022).

Based on the background of the literature, the objective of this research is established: to identify the thematic trends in information security education. To this end, the following research questions are formulated:

  • Who are the research actors with the greatest impact on the field?

  • What is the thematic evolution of the information security education phenomenon in recent years?

  • What are the research clusters related to the phenomenon under study?

  • What are the most frequent and current topics within the information security education phenomenon?

  • What are the most promising topics for future research on the phenomenon under study?

2. Methods

A bibliometric analysis was used, a technique that allows for evaluating the quality and quantity of published scientific literature, as well as studying research trends and various citation analyses within a given field. It is considered a useful and productive tool for determining research trends across different disciplines (Buber & Koseoglu, 2022). To ensure data quality, the parameters of the PRISMA 2020 guidelines for systematic reviews and meta-analyses were followed. The PRISMA guidelines establish protocols for proper literature review, including a four-phase flowchart and a 27-item checklist (Selçuk, 2019). The phases followed in this study are detailed below.

2.1 Eligibility criteria

One of the first steps to meet the criteria of the PRISMA statement is to establish the inclusion and exclusion criteria used in the selection of documents (Moraga & Cartes-Velásquez, 2015). For inclusion, a search was conducted using the following keywords: “information,” “security,” “education,” and “training.” As for exclusion criteria, conference proceedings were omitted, as they typically represent very recent studies that have not yet been consolidated as relevant research in the field addressed by this study. Additionally, documents with indexing errors were excluded.

2.2 Information sources

The two most commonly used databases for this type of analysis were selected: Scopus and Web of Science. The choice of these databases is based on their significant differences in terms of coverage, accessibility, updating, and the number of citations retrieved (Manriquez et al., 2015).

2.3 Search strategy

As part of the search strategy, a search equation was applied in both databases. The AND operators were used to include the terms “information” and “security” in the search. Additionally, OR was used to broaden the search to include the fields of “education” or “training.” The following search equations were applied:

In Scopus: TITLE (information AND security AND (education OR formation))

In Web of Science: TI= (information AND security AND (education OR formation))

2.4 Selection process

Once the search equations were applied in the databases, 261 records were obtained from Scopus and 44 from Web of Science, totaling 305 records. Subsequently, duplicates were removed, resulting in 271 documents that were then subjected to inclusion and exclusion criteria. After applying these eligibility criteria, 99 documents were selected for analysis. Figure 1 displays the flowchart of the document selection process.

ac068980-464b-4a76-80a1-35b3d662ec93_figure1.gif

Figure 1. PRISMA flow chart.

Own elaboration based on Scopus and Web of Science.

3. Results

First, an analysis of publications by year is conducted. As shown in Figure 2, a steady increase has been observed in recent years regarding the subject of this research. However, a decrease is noted in 2022, followed by an increase in 2023. Therefore, since 2013, there has been a continuous rise in the number of publications. Additionally, an analysis of quantity, quality, and structural indicators is performed.

ac068980-464b-4a76-80a1-35b3d662ec93_figure2.gif

Figure 2. Publications by year.

Own elaboration based on Scopus and Web of Science.

3.1 Analysis of the most important research actors

As stated in the first research question, the aim is to identify the most relevant research actors. Figure 3 displays the most influential authors. The blue color indicates the authors with the highest number of citations, while the green color represents the authors with the highest number of publications. Authors highlighted in yellow are those with both the highest number of publications and the highest number of citations.

ac068980-464b-4a76-80a1-35b3d662ec93_figure3.gif

Figure 3. Most relevant authors.

Own elaboration based on Scopus and Web of Science.

In the realm of information security education, numerous scholars have made substantial contributions to the field, particularly in the area of understanding the role of awareness and human behavior in adopting secure practices. In this context, Von Solms, Safa, and Furnell have been pivotal figures in propelling research on information security-conscious behaviors in organizations. Their seminal work has examined a myriad of factors influencing security behavior, including awareness, organizational policies, user attitudes, and self-efficacy (Safa et al., 2015). Building on these findings, Safa, Von Solms, and Furnell (2016) developed a compliance model for information security policies, underscoring the pivotal role of awareness and behavioral factors in adherence to security protocols. Moreover, Safa et al. (2019) put forward a deterrence- and prevention-based model to address insider threats, underscoring the necessity of proactive measures to mitigate security risks stemming from human factors.

Rezgui and Marks have also made significant contributions in this field of study. Their research is centered on the factors that influence information security awareness among university personnel, particularly those involved in decision-making processes concerning information systems, within the context of a developing nation. They have identified that variables such as meticulousness, cultural norms and beliefs, and social dynamics significantly influence staff attitudes and behaviors, both in their general professional conduct and in their level of awareness regarding information security (Rezgui & Marks, 2008). Additionally, Marks and Rezgui (2010) explored the role of IT leadership in higher education, emphasizing the importance of Chief Information Officers (CIOs) in formulating institutional security policies and promoting a culture of information security awareness.

Conversely, Vorakulpipat et al. (2011) conducted a comprehensive analysis of security and privacy concerns on social media from the perspective of the user, underscoring mounting concerns regarding the safeguarding of personal data and emphasizing the pivotal role of awareness in mitigating security vulnerabilities. Their research underscores the need to integrate educational and behavioral approaches into cybersecurity training programs to strengthen users’ resilience against emerging threats. Consequently, these contributions underscore the necessity of addressing both technological and human dimensions in information security education to cultivate a culture of awareness and compliance in security.

Figure 4 shows the journals with the greatest impact on the field of study. Among them, the journal Computers & Security stands out, having both the highest number of publications and the highest number of citations. Notably, the study by Safa et al. (Safa et al., 2015) has 226 citations and is recognized as one of the most relevant publications in this field. Additionally, the study by Rezgui and Marks (Rezgui & Marks, 2008) also warrants special attention, as it aligns with the trends identified in this research and has 138 citations.

ac068980-464b-4a76-80a1-35b3d662ec93_figure4.gif

Figure 4. Most relevant journals.

Own elaboration based on Scopus and Web of Science.

Additionally, the study by Rajab and Eydgahi (Rajab & Eydgahi, 2019), which has received 53 citations, is notable for presenting a theoretical framework that encompasses various behavioral theories. This framework focuses on assessing factors such as perceived vulnerability, response effectiveness, response cost, and information security compliance intentions in higher education, making it a significant contribution to the field. Likewise, the study conducted by Bongiovanni (Bongiovanni, 2019) deserves attention, as it currently has 44 citations and focuses on literature related to information security management in higher education.

The countries that have had the greatest impact on research in information security education are presented below. The United States stands out in the first place, both in terms of the number of citations and the number of publications related to this topic. Notable among these is the study by Rowe et al. (Rowe et al., 2011), which analyzes the crucial role of cybersecurity in IT education and argues for the integration of this topic into IT programs. Also noteworthy is the study by Conklin (Conklin, 2006), conducted in the United States, which proposes an active learning solution for a capstone course designed to enhance students’ competencies in cyberdefense and information security education.

ac068980-464b-4a76-80a1-35b3d662ec93_figure5.gif

Figure 5. Most relevant countries.

Own elaboration based on Scopus and Web of Science.

In addition, South Africa stands out due to the significant contributions of the study by Safa et al. (Safa et al., 2015), which has made a notable impact on the field of information security. Also highlighted is a study that provides operational definitions for information security education, information security training, and information security awareness. This research aims to help institutions determine when it is necessary to train or educate employees and when it is appropriate to implement information security awareness programs (Amankwa et al., 2014).

3.2 Thematic evolution analysis

The second research question focuses on the thematic evolution of the phenomenon under study. Figure 6 presents a count of the most frequent keywords from 2000 to 2024. Recently, there has been a significant increase in interest in the topic of security perception. In this context, the work of Mohr and Walter (Mohr & Walter, 2019) is notable, as it addresses information security education and users’ perceptions regarding the security of their personal information and online banking transactions. Another relevant topic is Higher Education, where there has been growing concern in recent years about individuals’ awareness of information security. This concern has led to the development of training programs in this area (Wahyudiwan et al., 2017).

ac068980-464b-4a76-80a1-35b3d662ec93_figure6.gif

Figure 6. Thematic evolution.

Own elaboration based on Scopus and Web of Science.

Another topic that has generated interest in recent years is Information Technologies, driven by the need to train personnel across various organizations and economic sectors on the security of information systems (Katsikas, 2000). Similarly, security behavior has gained relevance during this period. With the rise in cyber-attacks affecting business performance and reputation, as well as compromising intellectual property, human factors have been identified as the weakest link in the security posture of any networked system. Consequently, studies have been conducted to analyze the relationship between threat perception and the understanding of countermeasures concerning the adoption of secure behaviors (Torten et al., 2018).

In the last five years, data protection and data security have become highly relevant, particularly due to the increasing pressure on data storage. This rise, driven by massive data generation, has led to rapid development in the storage market. Consequently, data protection has become a critical issue for organizations (Yang et al., 2020).

3.3 Thematic cluster analysis

The third research question focuses on the thematic clusters present in the field of study. Figure 7 shows the keyword co-occurrence network, generated by the VOSviewer software (Van Eck and Waltman, 2010). In this representation, several clusters in the form of nodes are identified, with the largest cluster corresponding to information security education, which is the main topic of this research. This cluster is associated with topics such as e-learning and information assurance education. In this context, researchers such as Pastor et al. (Pastor et al., 2010) argue that the best way to enhance an individual’s response to security threats is through robust education, engaging hands-on training, and increased general awareness of information security.

ac068980-464b-4a76-80a1-35b3d662ec93_figure7.gif

Figure 7. Thematic clusters.

Own elaboration based on Scopus and Web of Science.

A significant cluster concentrates on higher education, particularly addressing issues such as awareness and human factors. As previously emphasized, these factors represent the most vulnerable element in information protection. Consequently, enhancing security awareness is paramount (Brill et al., 2013). This emphasis is further underscored in the information security awareness cluster, highlighting the need for research in this area (Lebek et al., 2014). This cluster is associated with topics such as gamification, which is a system that uses game-based elements to enhance motivation and learning outcomes. Consequently, gamification exhibits considerable potential for integration within security awareness and training programs (Gjertsen et al., 2017). Additionally, Silic and Lowry (2020) explore the application of design-science-based gamification to improve organizational security training and compliance. Their study underscores how gamification can foster enhanced engagement and compliance among employees by aligning training programs with motivational techniques that augment the learning experience and contribute to a culture of security awareness within organizations.

Generally spoken, it should look like this document. Using the styles of this document may make things easier for you, but you don’t need to use them.

In addition, the information security management cluster is highlighted due to the significant expansion of online business opportunities brought about by information technology. However, these opportunities have also introduced serious information security risks (Soomro et al., 2016). This cluster is related to topics such as information society, systems, and governance. It encompasses areas like social network analysis, distance education, and security culture. Similarly, an information security training cluster has emerged, addressing topics such as digital education and the impact of COVID-19. Consequently, research has been conducted to analyze information security behavior and awareness among Zoom application users, particularly during the COVID-19 pandemic (Candiwan et al., 2022).

3.4 Issues of currency and frequency

The fourth research question focuses on identifying the most frequent and relevant topics in the research area. Figure 8 displays four research quadrants. The first quadrant highlights the most frequent and relevant keywords, indicating topics that could guide future research on information security education. In this quadrant, the key topics are information security awareness and higher education. Notably, a study on the information security awareness of end users, including information systems decision-makers, within the context of three higher education environments is emphasized (Rezgui & Marks, 2008).

ac068980-464b-4a76-80a1-35b3d662ec93_figure8.gif

Figure 8. Most frequent and current topics.

Own elaboration based on Scopus and Web of Science.

The second quadrant highlights topics that, while less recurrent in the literature, are considered relevant, especially in recent years. Key aspects include information laws, higher education institutions (HEIs), risk assessment, cybersecurity, information security incidents, data analysis, security awareness, best practices, information technologies, information security policy, information security training, hacking, computer security, information security management, and security management. These keywords also hold significant potential for future research.

In quadrant three, less frequent and recurrent topics are identified, suggesting that they either need more momentum to become common and current or that researchers have lost interest over time. These themes include governance, information, and e-learning. Finally, quadrant four contains topics that are more frequent but less current, with evidence of a decreasing interest among researchers in recent years. Among these, awareness stands out.

3.5 Research agenda

Finally, a research agenda is proposed with potential future lines of inquiry based on the findings of this study, as visualized in Figure 9. One of the topics with significant future potential is the culture of information security. Continuous failures in information security within organizations have highlighted the importance of focusing on organizational culture. It is argued that developing an information security culture would subsequently lead to a more secure organization; therefore, this topic should be considered in the education of information security professionals (Tejay & Mohammed, 2023).

ac068980-464b-4a76-80a1-35b3d662ec93_figure9.gif

Figure 9. Research agenda.

Own elaboration based on Scopus and Web of Science.

Similarly, the potential of media is noteworthy, as it facilitates education in information security. Consequently, research has been developed to understand the current challenges in information literacy, analyze their causes, and offer solutions and strategies. These studies provide valuable references for future information literacy education through various communication channels (Tao, 2023). Additionally, the relevance of information regulations is highlighted. Information technology, as a regulated element, is interpreted differently across various sectors of security legislation. Therefore, research in this field is essential to promote consistency in the regulatory framework (Brinker, 2024).

Higher education institutions also emerge as a relevant topic for future research on compliance with information security policies. Although the literature in this area is still limited, it shows promising advancements (Hina & Dominic, 2020). Another crucial aspect is information security risk assessment, which is a fundamental component of business management practices. This assessment helps to identify, quantify, and prioritize risks based on risk acceptance criteria and organization-specific objectives. Therefore, education in this area is essential for information security professionals (Kuzminykh et al., 2021).

Information security management is a critical issue that must be continuously addressed in the future. As Merchan-Lima et al. (Merchan-Lima et al., 2021) emphasize, adopting effective information security management practices is imperative, especially in the context of higher education. Future professionals should be trained to design and implement these practices. Additionally, cybersecurity plays a significant role in the future of higher education. According to Kweon et al. (Kweon et al., 2021), security training and education are effective methods for detecting cyberattacks in both academic and industrial settings. Their research found a positive association between cybersecurity training and a reduction in cyberattacks within organizations.

Studies such as the Joint Task Force on Cybersecurity Education (2017) offer guidance to develop a comprehensive curriculum guide on cybersecurity education based on theoretical and conceptual knowledge essential to understanding the discipline, and opportunities to develop the practical skills that support the application of that knowledge. Thus, the parameters for cybersecurity education have been set for the future based on the fourth industrial revolution, charting the way forward for cybersecurity-inspired education and skills development in the real world (Drevin et al., 2022). In that sense, the World Conference on Information Security Education (WISE) marks the future lines of knowledge, understanding and practice of computer security and information protection (Bishop et al., 2021).

Based on the identified potential topics, the following research questions are proposed for future research:

  • What are the main aspects of information security culture in organizations, and how do they influence the effectiveness of training programs?

  • What role does the media play in promoting information security awareness and education among the general public and industry professionals?

  • What are the most relevant international and national (e.g., Colombia) information security regulations, and how do they impact information security education programs?

  • How are higher education institutions integrating information security into their academic programs, and what pedagogical approaches are they using?

  • What are the key challenges in managing information security within organizations, and how can these challenges be addressed through education and staff training?

  • What are the essential competencies that information security professionals need to acquire, and how are these competencies being developed in education programs?

  • What strategies are organizations implementing to foster a culture of cybersecurity among their employees, and how are they evaluating the effectiveness of these strategies?

  • How are higher education institutions collaborating with industry and other organizations to ensure that information security training programs align with labor market needs?

  • What are the emerging trends in cybersecurity, and how are they being addressed in education programs to ensure relevance and up-to-date knowledge?

  • What is the impact of information security education on risk reduction and data protection within organizations and society at large?

4. Discussion

Information security education and awareness are crucial issues in today’s world. Similar to the study conducted by Amankwa et al. (2015), a literature review has been employed to evaluate models aimed at improving security education and awareness. These models focus on stakeholder domains such as end users, institutions, and industry. This study also identifies a research gap regarding the relationship between higher education institutions and industry (a key stakeholder), as well as other organizations, to ensure that information security education programs align with labor market needs.

Previous research aligns with the findings of this study on information security policies. For example, Alassaf and Alkhalifah (Alassaf & Alkhalifah, 2021) found that the literature lacks information on the positive and negative (direct or indirect) influences of human and organizational theories and their factors affecting information security policy compliance behavior. This study also identifies gaps in higher education related to information security policy education. Addressing these gaps is crucial to ensure that future professionals are prepared to design and implement secure practices within higher education institutions.

The results of this study are consistent with insights from other research, such as the systematic review by Hina and Dominic (2020) on compliance with information security policies. Their review emphasized that limited attention has been given to critical infrastructures, including higher education institutions, that are particularly vulnerable. They also examined the role of institutional governance in shaping protection motivation for information security. Similarly, this study underscores the importance of further exploring the intersection of information security policies and higher education. It also highlights the need for information security professionals to develop essential skills in policy implementation and gain a deeper understanding of how these policies are integrated into educational programs.

The findings of the study by Merchan-Lima et al. (Merchan-Lima et al., 2021), who conducted a systematic literature review on effective information security management practices in higher education institutions, align with the results of this research. These authors suggest that future research should focus on how to educate users and the mechanisms to help higher education institutions select the appropriate risk assessment models for their needs. This study similarly highlights the importance of information security management and risk assessment within the context of professional education, underscoring the need for further exploration in future studies. Additionally, it emphasizes the relevance of designing curricula that align with the current needs of organizations.

This study contributes from two fundamental perspectives. First, from a theoretical standpoint, it identifies the predominant trends in information security education research. Additionally, it explores emerging themes, underdeveloped areas, and persistent challenges. These findings provide a clearer picture of the structure of knowledge in the field of information security education, including the relationships between influential concepts, authors, journals, and countries. Second, the study highlights underexplored areas and topics that require further attention in future research. This information is valuable for formulating new hypotheses and raising relevant research questions. Ultimately, it contributes to the advancement and enhancement of information security practices in an increasingly digitized world.

In terms of practical implications, the findings of this research may be valuable as a guide and foundation for planning higher education training programs. These results offer relevant information on key topics, methods, and approaches in the field of information security, which may influence the design of academic and training programs.

In addition, these findings can support decision-making in both academia and business. They help to understand the needs in information security education and to allocate resources more effectively. By examining the existing literature, best practices in information security education based on currently relevant topics have been identified. This information can serve as a reference for the development and implementation of successful programs.

Additionally, evidence gathered from existing literature on the impact of information security education interventions, such as awareness programs or professional development initiatives, is valuable for informing future strategies. Finally, the findings of this study can be used as input for designing international benchmarking and comparison reports. By comparing scientific output in information security education across different countries, institutions, and sectors, opportunities for collaboration and mutual learning can be identified (Escuela Europea de Excelencia, 2021).

Similarly, the study has some limitations. First, it is based on the Scopus and Web of Science databases, which are the most widely used in academia. However, it would be beneficial to explore other databases, such as IEEE, that focus on engineering topics, including information security. Second, the selection criteria were not extremely specific, so future research could define more detailed criteria and carry out a systematic literature review to deepen the research topic. Third, although the study analyzes thematic trends, it does not focus as much on research gaps. Despite this, a research agenda is provided to guide future studies.

A critical limitation of this study pertains to the inclusion criteria employed in the selection of documents. While the search was conducted using key terms such as “information security,” “education,” and “training,” additional terms like “awareness” and “human behavior” in the context of information security were not included. This omission may have constrained the scope of the included studies, particularly in relation to the impact of human behavior on the adoption of best practices and the development of information security awareness. As these factors are critical to the effectiveness of information security education, future research could expand the search criteria to include these terms, allowing for a more comprehensive view of thematic evolution in this field.

The following Table ( Table 1) presents a summary of the gaps identified in the research, these gaps cover various aspects, from the integration of information security in academic programs to the lack of standardized assessment methodologies and the need for an interdisciplinary perspective, each gap is accompanied by a brief justification and questions to guide future research in the field, this table provides an overview of the critical areas that require attention and development to advance information security education.

Table 1. Convergent validity testing results.

Gap typeGapJustificationQuestions for future research
MethodologicalShortage of research on the integration of information security in higher education academic programs.Although the importance of integrating information security into academic programs is recognized, there is a lack of specific research on how this integration is being done and what are the most effective approaches.- How are higher education institutions integrating information security into their academic programs and what pedagogical approaches are they using?
- What are the best practices for integrating information security into academic programs?
Gap on the impact of information security education on risk reduction and data protection in organizations and society at large.Despite the growing importance of information security, there is a lack of research on the concrete impact of information security education on risk reduction and data protection.- What is the impact of information security education on risk reduction and data protection in organizations and society at large?
- What education strategies are most effective in achieving these objectives?
Lack of standardized methodologies to evaluate the effectiveness of information security education programs.Although various information security education programs have been developed, the lack of standardized methods for evaluating their effectiveness makes it difficult to compare different programs and identify best practices.- What are the most effective methodologies for evaluating the effectiveness of information security education programs?
- How can researchers develop standardized methodologies for evaluating the effectiveness of education programs?
Data and MetricsShortage of available data and metrics to measure the impact of information security education programs.The lack of specific data and metrics makes it difficult to accurately assess the impact of information security education programs, limiting our understanding of their effectiveness and ability to improve them.- What data and metrics are most relevant to measuring the impact of information security education programs?
- How can these data and metrics be effectively collected and analyzed?
InterdisciplinaryNeed for an interdisciplinary perspective to address information security challenges from multiple angles.Given the complex and multifaceted nature of information security challenges, an interdisciplinary perspective that integrates knowledge from different fields, such as technology, psychology, and politics, is required to develop effective solutions.- How can interdisciplinary approaches improve the understanding and management of information security risks?
- How can researchers from different disciplines collaborate to address information security challenges?

Integrating information security into higher education programs is crucial for ensuring that students are equipped with the necessary skills to address modern cyber threats. This integration helps bridge the gap between theoretical knowledge and practical application, preparing graduates to handle real-world security challenges effectively. Developing detailed curricula that include up-to-date practices and emerging technologies could greatly enhance students’ readiness for the evolving landscape of information security.

Another significant gap lies in the lack of standardized methodologies for evaluating the effectiveness of information security training programs, without a consistent evaluation framework, it is difficult to determine which pedagogical approaches are most effective and how to improve the quality of the training offered, this gap highlights the need to develop robust evaluation tools that can measure the real impact of information security training on risk reduction and data protection.

Furthermore, the paucity of data and metrics available to measure the impact of information security education programs presents an additional challenge. The lack of quantitative and qualitative information limits our understanding of the effectiveness of these programs and makes it difficult to identify areas for improvement, it is critical to address this gap by systematically collecting relevant data and developing robust metrics that can guide informed decision-making in the design and implementation of information security education programs.

Your analysis highlights crucial areas where further research and development are needed. Addressing these gaps can significantly enhance the effectiveness and relevance of information security education programs. By focusing on integration, standardized evaluation, data collection, and interdisciplinary approaches, future research can contribute to a more comprehensive and robust framework for preparing professionals to tackle the evolving challenges in information security.

5. Conclusion

The increasing complexity and frequency of cyber threats underscore the critical need for robust information security education. Universities play a pivotal role in this by preparing future professionals with the necessary skills and knowledge to combat these threats effectively. As technology evolves and cyber risks become more sophisticated, higher education institutions must adapt their programs to ensure they align with current and future demands. This includes not only teaching technical skills but also fostering a deep understanding of organizational policies, risk management, and the broader context of information security.

The objective of this research was to identify thematic trends in the field of information security education. To achieve this, five research questions were formulated. The first question made it possible to identify the research actors, i.e., the most influential authors, journals, and countries in this field. Authors Von Solms R, Safa NS, and Furnell S, as well as Rezgui Y and Marks A, stand out as the most influential due to their large number of publications and citations recorded. In terms of journals, Computers & Security stands out as the most influential, with a high volume of publications and citations on this topic. In addition, the United States and South Africa are the most relevant countries in this context. This leads to the conclusion that the aforementioned actors are the ones that generate the most impact within the field of education research in information security.

The second research question focused on the thematic evolution in recent years within the research field. Through an analysis of the most recurring keywords for each year, significant researcher interest was identified in the following topics: security perception, higher education, information technology, security behavior, data protection, and data security. The third research question addressed thematic research clusters. In this analysis, the following information security relevant clusters were identified: information security education, information security awareness, higher education, information security management, cybersecurity, and information security training.

In the fourth research question, an analysis of the currency and frequency of keywords related to the research topic was conducted. The findings revealed that the most frequent and current topics are information security awareness and higher education. This suggests that future research can be oriented towards these two topics. Finally, from the fifth question, a research agenda was proposed that identifies potential in the following thematic areas: information security culture, media, information security regulations, higher education institutions, information security management, and cybersecurity. From these thematic areas, research questions were proposed that could be answered in future research.

Ethics and consent

Ethical approval and consent were not required.

Disclosure statement. No.

Data availability statement

Underlying data

No data are associated with this article.

Extended data

Zenodo: Dataset and supporting materials for the study “Information security education: a thematic trend analysis”. https://doi.org/10.5281/zenodo.14271117 (Valencia-Arias, 2024).

The project contains the following underlying data:

  • 1. PRISMA Flow Diagram (Flowchart illustrating the study selection process based on PRISMA guidelines).Dataset.xlsm (Raw data supporting the findings of this study).

  • 2. Editable _ seguridad de la info en educación.xlsm

  • 3. PRISMA Checklist.pdf (Checklist detailing compliance with PRISMA 2020 guidelines).

Data are available under the terms of the Creative Commons Attribution 4.0 International license (CC-BY 4.0).

Acknowledgement

Not applicable.

References

  •  Alassaf M, Alkhalifah A: Exploring the Influence of Direct and Indirect Factors on Information Security Policy Compliance: A Systematic Literature Review. IEEE Access. 2021; 9: 162687–162705. Publisher Full Text
  •  AlDaajeh S, Saleous H, Alrabaee S, et al.: The role of national cybersecurity strategies on the improvement of cybersecurity education. Comput. Secur. 2022; 119: 102754. Publisher Full Text
  •  Amankwa E, Loock M, Kritzinger E: A conceptual analysis of information security education, information security training, and information security awareness definitions. The 9th International Conference for Internet Technology and Secured Transactions (ICITST-2014). 2014.
  •  Amankwa E, Loock M, Kritzinger E: Enhancing information security education and awareness: Proposed characteristics for a model. 2015 Second International Conference on Information Security and Cyber Forensics (InfoSec), Cape Town, South Africa. 2015. Publisher Full Text
  •  Bada M, Nurse JR: Developing cybersecurity education and awareness programmes for small-and medium-sized enterprises (SMEs). Inf. Comput. Secur. 2019; 27(3):393–410. Publisher Full Text
  •  Beuran R, Chinen K -i, Tan Y, et al.: Towards Effective Cybersecurity Education and Training. Japan Advanced Institute of Science and Technology; 2016.
  •  Bishop M, Drevin L, Futcher L, et al.: Brief History and Overview of WISE. In: Drevin L, Miloslavskaya N, Leung WS, von Solms S (eds). Information Security Education for Cyber Resilience. WISE 2021. IFIP Advances in Information and Communication Technology. Vol. 615. . Springer; 2021; pp. 3–9. Publisher Full Text
  •  Bongiovanni I: The least secure places in the universe? A systematic literature review on information security management in higher education. Comput. Secur. 2019; 86: 350–357. Publisher Full Text
  •  Brill JC, DeLucia PR, Flach JM, et al.: Invisible Factors: Strategies for Raising Awareness of Human Factors Among Undergraduate Students. Proc. Hum. Factors Ergon. Soc. Annu. Meet. 2013; 57(1): 447–451. Publisher Full Text
  •  Brinker N: Identification and demarcation—A general definition and method to address information technology in European IT security law. Comput. Law Secur. Rev. 2024; 52: 105927. Publisher Full Text
  •  Buber M, Koseoglu B: The bibliometric analysis and visualization mapping of net environmental benefit analysis (NEBA). Mar. Pollut. Bull. 2022; 181: 113931. PubMed Abstract | Publisher Full Text
  •  Burov O, Lytvynova S, Lavrov E, et al.: Cybersecurity in Educational Networks.Ahram ET, Karwowski W, Vergnano A, et al., editors. Intelligent Human Systems Integration 2020. IHSI 2020. Advances in Intelligent Systems and Computing. Springer; 2020; Vol. 1131. : pp. 359–364. Publisher Full Text
  •  Candiwan C, Azmi M, Alamsyah A: Analysis of Behavioral and Information Security Awareness among Users of Zoom Application in COVID-19 Era. Int. J. Saf. Secur. Eng. 2022; 12(2): 229–237. Publisher Full Text
  •  Cheung RS, Cohen JP, Lo HZ, et al.: Challenge based learning in cybersecurity education. Proceedings of the International Conference on Security and Management (SAM). 2011; 1.
  •  Conklin A: Cyber Defense Competitions and Information Security Education: An Active Learning Solution for a Capstone Course. Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS’06). 2006. Publisher Full Text
  •  Drevin L, Miloslavskaya N, Leung WS, et al.: Information Security Education - Adapting to the Fourth Industrial Revolution. 15th IFIP WG 11.8 World Conference, WISE 2022. Copenhagen, Denmark; 2022. Publisher Full Text
  •  Escuela Europea de Excelencia: Importancia de la formación en seguridad de la información en la nueva normalidad. Artículos Técnicos. 2021. Reference Source
  •  Flores WR, Ekstedt M: Shaping intention to resist social engineering through transformational leadership, information security culture and awareness. Comput. Secur. 2016; 59: 26–44. Publisher Full Text
  •  Gjertsen EGB, Gjære EA, Bartnes M, Flores WR: Gamification of Information Security Awareness and Training. ICISSP 2017-3rd International Conference on Information Systems Security and Privacy. 2017.
  •  Hina S, Dominic DD: Information security policies’ compliance: a perspective for higher education institutions. J. Comput. Inf. Syst. 2020; 60(3): 201–211. Publisher Full Text
  •  Joint Task Force on Cybersecurity Education: Cybersecurity Curricula 2017. Association for Computing Machinery (ACM); 2017. Publisher Full Text
  •  Jones KS, Namin AS, Armstrong ME: The Core Cyber-Defense Knowledge, Skills, and Abilities That Cybersecurity Students Should Learn in School: Results from Interviews with Cybersecurity Professionals. ACM Trans. Comput. Educ. 2018; 18(3): 1–12. Publisher Full Text
  •  Katsikas S: Health care management and information systems security: awareness, training or education? Int. J. Med. Inform. 2000; 60(2): 129–135. Publisher Full Text
  •  Khaleefah AD, Al-Mashhadi HM: Methodologies, Requirements, and Challenges of Cybersecurity Frameworks: A Review. Iraqi J. Sci. 2024; 65(1): 468–486. Publisher Full Text
  •  Kuzminykh I, Ghita B, Sokolov V, et al.: Information Security Risk Assessment. Encyclopedia. 2021; 1(3): 602–617. Publisher Full Text
  •  Kweon E, Lee H, Chai S, et al.: The Utility of Information Security Training and Education on Cybersecurity Incidents: An empirical evidence. Inf. Syst. Front. 2021; 23: 361–373. Publisher Full Text
  •  Lebek B, Uffen J, Neumann M, et al.: Information security awareness and behavior: a theory-based literature review. Manag. Res. Rev. 2014; 37(12): 1049–1092. Publisher Full Text
  •  Manriquez J, Andino-Navarrete R, Cataldo-Cerda K, et al.: Bibliometric characteristics of systematic reviews in dermatology: A cross-sectional study through Web of Science and Scopus. Dermatol. Sin. 2015; 33(3): 154–156. Publisher Full Text
  •  Marks A, Rezgui Y: IT leadership in higher education: The CIO candidate. IT Prof. 2010; 13(3):52–56. Publisher Full Text
  •  Merchan-Lima J, Astudillo-Salinas F, Tello-Oquendo L, et al.: Information security management frameworks and strategies in higher education institutions: a systematic review. Ann. Telecommun. 2021; 76: 255–270. Publisher Full Text
  •  Mohr H, Walter Z: Formation of Consumers’ Perceived Information Security: Examining the Transfer of Trust in Online Retailers. Inf. Syst. Front. 2019; 21: 1231–1250. Publisher Full Text
  •  Moraga J, Cartes-Velásquez R: Pautas de Chequeo, Parte II: QUOROM Y PRISMA. Revista chilena de cirugía. 2015; 67(3): 325–330. Publisher Full Text
  •  Parrish A, Impagliazzo J, Raj RK, et al.: Global perspectives on cybersecurity education for 2030: a case for a meta-discipline. ITiCSE 2018 Companion: Proceedings Companion of the 23rd Annual ACM Conference on Innovation and Technology in Computer Science Education. 2018. Publisher Full Text
  •  Pastor V, Díaz G, Castro M: State-of-the-art simulation systems for information security education, training and awareness. IEEE EDUCON 2010 Conference. 2010. Publisher Full Text
  •  Rajab M, Eydgahi A: Evaluating the explanatory power of theoretical frameworks on intention to comply with information security policies in higher education. Comput. Secur. 2019; 80: 211–223. Publisher Full Text
  •  Rezgui Y, Marks A: Information security awareness in higher education: An exploratory study. Comput. Secur. 2008; 27(7–8): 241–253. Publisher Full Text
  •  Rowe DC, Lunt BM, Ekstrom JJ: The role of cyber-security in information technology education. SIGITE’11: Proceedings of the 2011 Conference on Information Technology Education. 2011. Publisher Full Text
  •  Safa NS, Maple C, Furnell S, et al.: Deterrence and prevention-based model to mitigate information security insider threats in organisations. Future Gener. Comput. Syst. 2019; 97:587–597. Publisher Full Text
  •  Safa NS, Maple C, Watson T, et al.: Information security collaboration formation in organisations. IET Inf. Secur. 2018; 12(3): 238–245. Publisher Full Text
  •  Safa NS, Sookhak M, Solms R, et al.: Information security conscious care behaviour formation in organizations. Comput. Secur. 2015; 53: 65–78. Publisher Full Text
  •  Safa NS, Von Solms R, Furnell S: Information security policy compliance model in organizations. Comput. Secur. 2016; 56:70–82. Publisher Full Text
  •  Selçuk AA: A Guide for Systematic Reviews: PRISMA. Turk Arch Otorhinolaryngol. 2019; 57(1): 57–58. PubMed Abstract | Publisher Full Text | Free Full Text
  •  Silic M, Lowry PB: Using design-science based gamification to improve organizational security training and compliance. J. Manag. Inf. Syst. 2020; 37(1):129–161. Publisher Full Text
  •  Soomro ZA, Shah MH, Ahmed J: Information security management needs more holistic approach: A literature review. Int. J. Inf. Manag. 2016; 36(2): 215–225. Publisher Full Text
  •  Švábenský V, Vykopal J, Čeleda P: What Are Cybersecurity Education Papers About?: A Systematic Literature Review of SIGCSE and ITiCSE Conferences. SIGCSE’20: Proceedings of the 51st ACM Technical Symposium on Computer Science Education. 2020. Publisher Full Text
  •  Tao H: Investigation on the Current Situation of Information Technology Education in Rural Primary Schools in Hainan. Proceedings of the 2023 4th International Conference on Education, Knowledge and Information Management (ICEKIM 2023). 2023.
  •  Tejay GPS, Mohammed ZA: Cultivating security culture for information security success: A mixed-methods study based on anthropological perspective. Inf. Manag. 2023; 60(3): 103751. Publisher Full Text
  •  Torten R, Reaiche C, Boyle S: The impact of security Awareness on information technology professionals’ behavior. Comput. Secur. 2018; 79: 68–79. Publisher Full Text
  •  Ulven JB, Wangen G: A Systematic Review of Cybersecurity Risks in Higher Education. Future Internet. 2021; 13(2): 39. Publisher Full Text
  •  Valencia-Arias A: Information security education: a thematic trend analysis. [Data set]. Zenodo. 2024. Publisher Full Text
  •  Van Eck N, Waltman L: Software survey: VOSviewer, a computer program for bibliometric mapping. Scientometrics. 2010; 84(2): 523–538. PubMed Abstract | Publisher Full Text | Free Full Text
  •  Vorakulpipat C, Marks A, Rezgui Y, et al.: Security and privacy issues in Social Networking sites from user’s viewpoint. In 2011 Proceedings of PICMET’11: Technology Management in the Energy Smart World (PICMET). 2011, July; pp. 1–4. IEEE.
  •  Wahyudiwan DDH, Sucahyo YG, Gandhi A: Information security awareness level measurement for employee: Case study at ministry of research, technology, and higher education. 3rd International Conference on Science in Information Technology (ICSITech). 2017. Publisher Full Text
  •  Yang P, Xiong N, Ren J: Data Security and Privacy Protection for Cloud Storage: A Survey. IEEE Access. 2020; 8: 131723–131740. Publisher Full Text

Comments on this article Comments (0)

Version 2
VERSION 2 PUBLISHED 02 Jan 2025
Comment
Author details Author details
Competing interests
Grant information
Article Versions (2)
Copyright
Download
 
Export To
metrics
Views Downloads
F1000Research - -
PubMed Central
Data from PMC are received and updated monthly.
 - -
Citations
SEE MORE DETAILS
CITE
how to cite this article
Rodríguez-Correa PA, Valencia-Arias A, Martínez Rojas E et al. Information security education: a thematic trend analysis [version 2; peer review: 2 approved]. F1000Research 2025, 14:5 (https://doi.org/10.12688/f1000research.159828.2)
NOTE: If applicable, it is important to ensure the information in square brackets after the title is included in all citations of this article.
track
receive updates on this article
Track an article to receive email alerts on any updates to this article.

Open Peer Review

Current Reviewer Status: ?
Key to Reviewer Statuses VIEW
ApprovedThe paper is scientifically sound in its current form and only minor, if any, improvements are suggested
Approved with reservations A number of small changes, sometimes more significant revisions are required to address specific details and improve the papers academic merit.
Not approvedFundamental flaws in the paper seriously undermine the findings and conclusions
Version 2
VERSION 2
PUBLISHED 17 Feb 2025
Revised
Views
2
Cite
Reviewer Report 09 Apr 2025
Arina Alexei, Technical University of Moldova, Moldova, Moldova 
Approved
VIEWS 2
https://doi.org/10.5256/f1000research.178018.r372462
I believe that the content of the article is appropriate. The findings obtained through the review of the specialized literature are both interesting and informative. The article effectively highlights current and future research directions, which is important for understanding the ... Continue reading
CITE
CITE
HOW TO CITE THIS REPORT
Alexei A. Reviewer Report For: Information security education: a thematic trend analysis [version 2; peer review: 2 approved]. F1000Research 2025, 14:5 (https://doi.org/10.5256/f1000research.178018.r372462)
The direct URL for this report is:
https://f1000research.com/articles/14-5/v2#referee-response-372462
NOTE: it is important to ensure the information in square brackets after the title is included in all citations of this article.
Report a concern
Views
6
Cite
Reviewer Report 25 Feb 2025
Lynette Drevin, North West University, Potchefstroom, South Africa 
Approved
VIEWS 6
https://doi.org/10.5256/f1000research.178018.r367030
Thank you. 
I ... Continue reading
CITE
CITE
HOW TO CITE THIS REPORT
Drevin L. Reviewer Report For: Information security education: a thematic trend analysis [version 2; peer review: 2 approved]. F1000Research 2025, 14:5 (https://doi.org/10.5256/f1000research.178018.r367030)
The direct URL for this report is:
https://f1000research.com/articles/14-5/v2#referee-response-367030
NOTE: it is important to ensure the information in square brackets after the title is included in all citations of this article.
Report a concern
Version 1
VERSION 1
PUBLISHED 02 Jan 2025
Views
12
Cite
Reviewer Report 25 Jan 2025
Lynette Drevin, North West University, Potchefstroom, South Africa 
Approved with Reservations
VIEWS 12
https://doi.org/10.5256/f1000research.175613.r356007
1 Are the rationale for, and objectives of, the Systematic Review clearly stated?
The aim of the paper is presented and the research questions are stated clearly and are addressed in the paper.

2 Research design ... Continue reading
CITE
CITE
HOW TO CITE THIS REPORT
Drevin L. Reviewer Report For: Information security education: a thematic trend analysis [version 2; peer review: 2 approved]. F1000Research 2025, 14:5 (https://doi.org/10.5256/f1000research.175613.r356007)
The direct URL for this report is:
https://f1000research.com/articles/14-5/v1#referee-response-356007
NOTE: it is important to ensure the information in square brackets after the title is included in all citations of this article.
Report a concern
  • Author Response 17 Feb 2025
    JHOANY ALEJANDRO VALENCIA ARIAS, Universidad Senor de Sipan, Chiclayo, Peru
    17 Feb 2025
    Author Response
    In accordance with the suggestions of the reviewer in our article “Information security education: a thematic trend analysis”, the following changes were made, properly marked with red letters in the ... Continue reading
    Report a concern
  • Respond or Comment
COMMENTS ON THIS REPORT
  • Author Response 17 Feb 2025
    JHOANY ALEJANDRO VALENCIA ARIAS, Universidad Senor de Sipan, Chiclayo, Peru
    17 Feb 2025
    Author Response
    In accordance with the suggestions of the reviewer in our article “Information security education: a thematic trend analysis”, the following changes were made, properly marked with red letters in the ... Continue reading
    Report a concern

Comments on this article Comments (0)

Version 2
VERSION 2 PUBLISHED 02 Jan 2025
Comment

Open Peer Review

Reviewer Status

Alongside their report, reviewers assign a status to the article:

Approved
The paper is scientifically sound in its current form and only minor, if any, improvements are suggested
Approved with reservations
A number of small changes, sometimes more significant revisions are required to address specific details and improve the papers academic merit.
Not approved
Fundamental flaws in the paper seriously undermine the findings and conclusions

Reviewer Reports

Invited Reviewers
1 2
Version 2
(revision)
 17 Feb 25 		read read
Version 1
02 Jan 25 		read
  1. Lynette Drevin, North West University, Potchefstroom, South Africa
  2. Arina Alexei, Technical University of Moldova, Moldova, Moldova

Comments on this article

All Comments(0)

Add a comment
Sign up for content alerts

Browse by related subjects

    keyboard_arrow_left Back to all reports
    keyboard_arrow_left Back to all reports
    keyboard_arrow_left Back to all reports
    Alongside their report, reviewers assign a status to the article:
    Approved - the paper is scientifically sound in its current form and only minor, if any, improvements are suggested
    Approved with reservations - A number of small changes, sometimes more significant revisions are required to address specific details and improve the papers academic merit.
    Not approved - fundamental flaws in the paper seriously undermine the findings and conclusions
    Sign In
    If you've forgotten your password, please enter your email address below and we'll send you instructions on how to reset your password.

    The email address should be the one you originally registered with F1000.
    Email address not valid, please try again

    You registered with F1000 via Google, so we cannot reset your password.

    To sign in, please click here.

    If you still need help with your Google account password, please click here.

    You registered with F1000 via Facebook, so we cannot reset your password.

    To sign in, please click here.

    If you still need help with your Facebook account password, please click here.

    Code not correct, please try again
    Email us for further assistance.
    Server error, please try again.