User perception of Context-Based Micro-Training – a method for cybersecurity training

ABSTRACT User behavior is one of the biggest challenges to cybersecurity in modern organizations. Users are continuously targeted by attackers and required to have sufficient knowledge to spot and avoid such attacks. Different training methods are suggested and used in the industry to support users to behave securely. The challenge remains, and improved methods for end-user cybersecurity training are needed. This paper introduces and evaluates user perception of a method called Context-Based Micro-Training (CBMT). This approach suggests that training should be delivered in short sequences when the information is of direct relevance. The intention is to provide training directly related to the user’s current situation while also providing an awareness-increasing effect. This notion is tested in a survey-based evaluation involving 1,452 respondents from Sweden, Italy, and the UK, comparing the perception of CBMT against the experience of traditional approaches. The results emphasize that current methods are not effective enough and show that CBMT is perceived positively by respondents in all sample groups. The study further evaluated how demographic aspects impact the perception of CBMT and found that a diverse group of users can appreciate it.


Introduction
As the world continues the adoption of technology, digitalization affects most people's lives (OECD, 2019). Access to digital services, such as online banking, communication, and more, is undoubtedly positive. However, the increased reliance on digital services also means an increased exposure to digital threats. The number of cybersecurity incidents continues to grow and affects individuals and organizations alike (Henriquez, 2019; Sen, 2018). Indeed, the threat landscape is multifaceted and ranges from phishing and malware faced by end-users to insider threats and cyber espionage carried out by highly sophisticated adversaries (Sfakianakis et al., 2019).
Cybersecurity is a socio-technical domain in which users' awareness and behavior are crucial aspects (Safa & Von Solms, 2016). Exploiting human behavior in various ways has become common for attackers targeting individual users and organizations (Joinson & van Steen, 2018). Several industry reports suggest that human behavior plays a role in most cyberattacks, with some suggesting that it is a factor in up to 95% of cases (Cybint, 2020; EC-council, 2019). Insecure user behavior is one of the most pressing matters in cybersecurity (Hadlington, 2017). The go-to solution for improving user behavior is Security Education, Training, and Awareness (SETA) (Joinson & van Steen, 2018). SETA comprises three elements, as follows (Wilson et al., 1998):
• Awareness, where the users' attention is focused on security.
• Training, which provides the user with skills and competence.
• Education, which intends to integrate skills and competencies into a body of knowledge.
SETA is discussed in existing literature as efforts to train users to adopt a desired (secure) behavior, and that definition is adopted in this paper. Interestingly, research shows that almost everyone has heard about cybersecurity, and many organizations are using SETA programs (De Bruijn & Janssen, 2017). However, other research suggests that existing SETA is not working (Bada et al., 2019), as shown by the continuous incidents exploiting the human element. A possible explanation for this paradox can be that knowledge does not always translate to behavior (Boss et al., 2015; Parsons et al., 2018). This factor could be particularly relevant in the context of cybersecurity, as it is often perceived as an overhead and seen to require behaviors that are not aligned with the user's natural inclinations. Another cause can be that SETA methods are not effectively evaluated nor appropriately based in theory (Abraham & Chengalur-Smith, 2019; Siponen & Baskerville, 2018). Third, user behavior is complex and influenced by different factors such as personality traits and cultural background (Ameen et al., 2021; Anwar et al., 2017). As such, the need for further research in this domain is evident.
Any SETA effort aims to support users to behave in a secure way (Anwar et al., 2017). To do that, it must provide users with knowledge on how to act. However, knowing how to act does not always translate to correct behavior (Boss et al., 2015). Several theories explain user behavior and the services users choose to adopt. Three that are commonly used in cybersecurity are as follows:
• Protection Motivation Theory (PMT), which indicates that protective behavior is affected by someone's perception of the severity of, vulnerability to, and ability to protect oneself against a threat (Rogers, 1975).
• Theory of Planned Behaviour (TPB), which highlights the effect of perceived ease upon performing a particular action (Ajzen, 1985).
• Technology Acceptance Model (TAM), which identifies that a user's attitude toward using technology is influenced by her perception of the technology's benefit and the perceived effort of using it (Y. Lee et al., 2003).
Applied to the cybersecurity domain, SETA should ideally make users understand that the desired behavior is beneficial (to them and/or the organization) and provide users with the means to engage in such behavior with little effort. Further, the SETA activity must in itself be perceived as valuable and low-effort for the user to follow. As such, user perception of SETA is an essential factor in evaluating SETA methods. This paper evaluates user perceptions of a particular method called Context-Based Micro-Training (CBMT), which suggests that cybersecurity training should be presented to users in situations where such training is relevant, thus acting as both an awareness-raising and a warning function. Further, CBMT suggests that such training should be developed so that it can be easily understood and digested quickly. The approach has been demonstrated in practice and found to assist users in creating strong passwords effectively (Kävrestad & Nohlberg, 2020a). It has also been seen as positive by users in an initial evaluation involving 198 participants from Sweden (Kävrestad et al., 2019). This paper seeks to evaluate user perceptions of CBMT using a larger sample that allows for more generalization of the results. The paper further seeks to assess if different demographic factors impact the users' perception of the approach. The evaluation primarily focuses on Swedish users but analyzes the generalizability of the results through smaller samples from UK and Italy. The remainder of the paper is structured as follows; the background briefly describes different existing SETA options before presenting CBMT and the theory behind it. The applied methodology is described before the execution of the study, and its results are presented. The results are then discussed before conclusions, and areas for future work are outlined.

Background
This section outlines existing methods for SETA, describes the development of CBMT, and provides an overview of related research.

Methods for SETA
SETA has been discussed in scientific literature and used in practice for decades (Siponen, 2001). It can be delivered to end-users in several different ways, with different intended benefits and shortcomings. Delivery methods can be classified at a high level as delivered by an instructor, typically in a classroom or using some e-learning technique (Al Daeef et al., 2017). There are several different ways in which e-learning has been used to deliver SETA. Those can broadly be classified as follows (Al Daeef et al., 2017; Aldawood & Skinner, 2018):
• Broadcasted online delivery, including training sent out using e-mail or other means of direct communication. Nano-learning is a typical example.
Even with the availability of diverse SETA delivery methods, cybersecurity incidents rooted in insecure user behavior still occur frequently (Zimmermann & Renaud, 2019). SETA programs used in practice fail to provide their intended effect efficiently (Bada et al., 2019). There are several possible reasons for this discussed in recent literature. SETA programs often focus on knowledge delivery rather than on behavioral change (Alshaikh et al., 2021). Knowing how to act in various situations is undoubtedly a precursor for such behavior (Bada et al., 2019). However, several researchers argue that knowing how to act does not always translate to correct behavior (Bada et al., 2019; Boss et al., 2015; Parsons et al., 2018). Furthermore, knowledge acquired during a training session has been shown to deteriorate over time, suggesting that training should be reoccurring (Burris et al., 2018; Dincelli & Chengalur-Smith, 2020; Huynh et al., 2017). The challenge of knowledge retention is most emergent for SETA methods that present information to users on one or a few occasions.
Another challenge is that of user adoption. Any SETA method must be used by its intended users to be able to provide its intended effect. Some studies that evaluate SETA methods have shown that participants learn from using the evaluated SETA method but that a significant proportion of the participants would not have used the SETA voluntarily (Gjertsen et al., 2017; Kim, 2014; Micallef & Arachchilage, 2017).

An overview of context-based micro-training
CBMT is a method for SETA, and the fundamental idea behind it is to provide users with training when they encounter situations in which that training is of relevance. You should, for instance, train users on password security when they are about to create an account or on phishing when they are about to open an e-mail that is evaluated as a possible threat (Kävrestad & Nohlberg, 2020a). The intent is to provide an awareness-increasing mechanism while presenting training relevant to the users' current situation. CBMT requires two distinct functions. The first can detect when a user enters a risky situation, and the second then provides the user with training tailored to the specific situation. CBMT avoids the issue of knowledge retention by presenting users with training every time they encounter a potentially risky situation. CBMT does also intend to address the issue of user participation in the same way. It is argued that even a user who immediately closes the provided training will benefit from CBMT's awareness-increasing mechanism. A possible downside of the CBMT approach is that users may find the training disruptive. While previous studies suggest that is not the case (Kävrestad & Nohlberg, 2020b), that further motivates the present study.
CBMT is based on the theory of Andragogy as presented by Knowles (1984). Andragogy describes that adult learners respond best to problem-oriented learning and must be motivated in order to learn. Further, Herrington and Oliver (1995) argue that presenting information to learners in situations where it is of direct relevance makes the learning experience more meaningful. Further, CBMT is informed by PMT, TPB, and TAM, which applied to the SETA domain suggest that it should be easy for a user to participate in training. The notion of being easy to participate in has also been interpreted as meaning that training should be provided in a short and easy-to-digest format. CBMT is, in that sense, similar to nano-learning (or micro-training) (Kävrestad & Nohlberg, 2019), which has been evaluated in previous research with positive results in terms of user participation (Bruck et al., 2012). As a consequence of delivering training in a situation of direct relevance, CBMT inherently includes an awareness-increasing mechanism similar to security nudges. Security nudges provide subtle information to users when they are about to perform an action. They have been evaluated in the security domain with positive results (Furnell et al., 2018).
CBMT has been iteratively designed and evaluated through several years of research and provides goals and guidelines for SETA implementation. The goals describe what SETA implementations should facilitate, while the guidelines give more practical direction for the implementation of SETA (Kävrestad & Nohlberg, 2020b):
• Goals:
a. Provide training that users want to make use of, instead of forcing them to participate in the training.
b. Include an awareness-increasing mechanism.
c. Require no prior knowledge from the user.
d. Be short and easy to absorb.
e. Should minimize annoyance for all users, especially users already familiar with the subject.
• Guidelines:
a. Delivered to users when it is relevant to their current situation; the situation can be constructed or natural.
b. Delivered in short sequences.
c. Relevant to the users' current situation.
d. Include or directly relate to a practical element.
e. The information presented must in itself be easy to understand.
f. The most crucial points of the information should be highlighted.
g. Must be possible to opt-out or skip.
A sample implementation of CBMT is demonstrated in Figure 1. It shows a training module for password guidelines and is activated when a user clicks in the password creation field within an online account registration form. The training included is structured as follows:
(1) The first window provides essential information on how a password should be structured.
(2) The second window provides deeper information on password management.
(3) Windows three to five contain a quiz where the user can self-test her knowledge.
(4) The last window allows the user to create a password and includes a password strength meter. Note that all previous windows contain a shortcut to the last window.

Related work
CBMT is an instantiation of contextual learning, as described by Karweit (1998), for use within the domain of cybersecurity training. CBMT has been evaluated in several previous studies as follows.
Studies evaluating the effect of CBMT on cybersecurity behavior have found that it effectively improves users' password selection and phishing prevention behaviors. Kävrestad and Nohlberg (2020a) evaluated the effect of using CBMT to train users on password strength upon account creation. They found that those using CBMT created longer and stronger passwords than a control group. Further, Kävrestad et al. (2022) show that users subjected to CBMT training were better at identifying phishing than participants using a game-based training alternative.
Regarding user perception, the topic of the present research, CBMT has been evaluated in two previous studies. First, a qualitative usability review suggests that CBMT can support usability (Kävrestad & Nohlberg, 2020b). That evaluation was, however, based on data gathered from usability experts rather than potential experts.
User perception of CBMT has also been evaluated using a survey with 198 participants recruited via social media (Kävrestad et al., 2019). In that study, participants were subjected to three learning modules and asked about their perception of those learning modules and CBMT in general. The results showed that the participants were positive toward the learning modules and the CBMT method. Kävrestad et al. (2019) also evaluated if the perception of CBMT was affected by IT competence but did not identify any such differences. Sampling using social media is convenient but makes it challenging to generate a representative sample (De Choudhury et al., 2010). Further, while a proper sample size is hard to decide upon, a larger sample increases the possibility of detecting a true difference between groups (Whitley & Ball, 2002).
In addition to CBMT, contextual learning is described in previous literature as a method for combating phishing. Such approaches typically involve a phishing test in which unknowing users are sent a malicious e-mail containing a link they are urged to click. Upon clicking that link, they receive training (Qabajeh et al., 2018). Yeoh et al. (2022) show, in a recent study, that embedded phishing training effectively mitigates phishing. However, other research points toward possible negative implications of such training. Rizzoni et al. (2022) point out that phishing tests can make users feel under surveillance. A potential consequence can be internal trust problems (Archibald & Renaud, 2019).
In conclusion, related research suggests that contextual learning effectively improves user behavior regarding cybersecurity. However, implementing such training in the form of drills for unknowing users can cause unexpected problems. CBMT does not include drills but has been shown to improve user behavior nonetheless. CBMT has also been shown to be appreciated by users, which is argued to facilitate user adoption. However, previous research evaluating user perception of CBMT utilized small samples in a limited population. Consequently, we argue that there is a need to replicate the previous evaluation of CBMT with a larger sample and a more robust sampling technique.

Methodology
This study aims to generate quantitative data from a large set of respondents spread out over three different nations. A web-based survey methodology was used because it provides the ability to do just that. The web panel company Webropol was employed to distribute the survey and enabled the study to decide the number of respondents in advance. The target number of respondents from Sweden was set to 800, and the target for UK and Italy was set to 300 each. Sweden was selected as the primary focus to ensure comparability with the previous study. UK and Italy were chosen since they, while also European countries, are classified in other cultural groups according to the World Values Survey culture map (Inglehart & Welzel, 2010). Focusing on European cultures was purposefully selected to enable an evaluation of the result's generalizability over a European population. The rationale behind this decision was that the study intends to research if results from the Swedish population are transferable to closely related cultures, leaving other cultures to future research. Researching the results' transferability provides another dimension compared to the previous study, which only focused on a Swedish population.
A stratified sampling approach was used (Henry, 1990), where the population within each nation was divided into subgroups based on gender, age, and geographical region. Equal proportions of each subgroup were recruited to the survey using simple random sampling (Scheaffer et al., 2011). The survey provider Webropol performed the practical sampling using their web panel. As such, the range of possible participants was restricted to members of their panel. Before starting the survey, the participants were presented with an informed consent. No data that could be used to identify individuals were gathered during this survey. Further, it did not involve any intervention or method that aimed to affect the participants and did therefore not require ethical approval (Vetenskapsrådet, 2017).
The survey was developed by the authors of this research. It consisted of demographic questions, multiple-choice questions about the respondents' previous experience with SETA, and a Likert scale developed to measure the respondents' perception of CBMT. The survey questions are presented in full throughout the results section. A description of CBMT preceded the Likert scale, which was followed by a free-text field where respondents could add additional comments. The scale contained seven statements related to aspects of CBMT, and the respondents were asked to rate how well they agreed with each statement on a five-graded scale.
The statements were as follows and were presented to the participants in a randomized order:
• I would like to use such a tool
Likert scales are typically used to measure perceptions and attitudes. They were employed to measure user perceptions of CBMT in this research (Joshi et al., 2015). Likert scales are well used for similar purposes within cybersecurity research (Addae et al., 2017; Anwar et al., 2017; Weiss et al., 2015). Likert scales include statements that participants are asked to respond to on a scale typically ranging from "Fully agree" to "Do not agree." The construction of those scales is an area of debate (Maeda, 2015). In this study, all statements were positively worded, with the highest level of agreement placed on the right-hand side. Some scholars suggest that mixing positive and negative questions minimizes acquiescence bias, while others argue that it confuses respondents (Maeda, 2015). Further, subjects tend to favor the responses on the left side of a scale (Nicholls et al., 2006). The rationale behind the scale development in this study was that placing the most positive responses to the right would counteract acquiescence bias while not confusing the respondents. Due to this design, left-side response option selection bias may affect the study by making the respondents seem less positive to CBMT than they are, and that risk was accepted. The results should be interpreted with that in mind. Equally, it is acknowledged that by adopting this approach, respondents were not offered a means to respond to statements that would otherwise have enabled them to directly express concerns or doubts about CBMT (e.g., by offering options such as "I would find such a tool distracting or disruptive").
Before the distribution of the survey, it was taken through a pilot procedure involving a small sample recruited via social media. Additionally, two participants completed the survey under the researcher's supervision and followed a "think aloud" protocol to share their experiences. These actions enabled refinement of both the wording and presentation of the material before recruiting the larger sample group.
The questions about the respondents' previous experiences with SETA were based on the presented background and provided insight into how the respondents perceive the current situation. The results of those questions were summarized and presented as percentages of respondents picking a particular option. A 95% confidence interval was also computed (Wheelan, 2013). The purpose of the Likert scale was to measure the respondents' perception of CBMT. Cronbach's Alpha was used to measure if the statements of the scale measured the same underlying concept (Tavakol & Dennick, 2011). Cronbach's Alpha measures how closely related items on a scale are and returns a value between 0 and 1. A higher value signifies a higher relationship between the items. Values above 0.65 are typically considered appropriate for studies with human participants, and that value was adopted as the acceptance threshold for this study (Vaske et al., 2017). The answers to the individual statements were then transformed into an index that reflected the respondents' perception of CBMT on a 1-5 scale, where 5 signified the most positive perception. The index and the mean values for the individual statements were reported and compared.
First, the mean values for the three national samples were compared to 3 using a one-sample T-test. As the median value, 3 signified a neutral standpoint, and a mean value separated from 3 would signify a positive or negative perception.
The hypotheses tested in this analysis were:
• H1 main: Respondents in all national sample groups have a positive perception of CBMT.
• H1 alt: Respondents in Sweden, Italy, or the UK have a positive perception of CBMT.
• H1 NULL: A positive perception of CBMT cannot be identified in any national sample group.
The main hypothesis corresponds to a result where all national samples display a positive perception toward CBMT and is the most favorable result possible. Should it not be supported, the alternative hypothesis leaves room for a positive perception in one or two samples. That would mean a partially positive result that is not generalizable. The corresponding null hypothesis is that no positive perception can be identified in any of the samples and signifies a negative evaluation of CBMT. Next, pairwise independent sample T-tests were used to identify if different sample groups perceived CBMT differently. Thus, the following three hypotheses were independently tested in this step, and the null hypothesis is accepted only if all other hypotheses fall:
• H2 a: Swedish and Italian respondents perceive CBMT differently.
A related discussion is how the so-called Digital Divide, where parts of the aging population are not participating in the digital society, is discussed. That discussion includes how different generations behave differently regarding cybersecurity (Debb et al., 2020), and age is included as a demographic factor in this study for that reason. IT competence and gender were included because of their frequent use in previous studies measuring demographic impact on cybersecurity behavior (Anwar et al., 2017; Siponen, 2001). While there was no prior reason to assume that gender would represent a specific influence, it was considered interesting to test whether it led to any discernible differences in the preference on training format. Meanwhile, IT competence was considered a potential factor of influence because the user's self-declared level of IT competence may affect their underlying appetite for being trained, and the format in which this might usefully occur.
The index reflecting the overall perception of CBMT was used in this analysis, and the hypotheses tested in this step were (Demographic X being substituted for each of the demographic aspects discussed):
• H3 main: Demographic X impacts how CBMT is perceived by the users in all national sample groups.
• H3 alt: Demographic X impacts how CBMT is perceived by the users in Sweden, Italy, or the UK.
• H3 NULL: Demographic X is not found to impact users' perception of CBMT in any national answer group.
These hypotheses were tested for each included demographic factor. The main hypothesis is supported only if a demographic factor is found to significantly impact the respondents' perception of CBMT in all national samples, while the alternative hypothesis was tested once for each sample. The null hypothesis is accepted if no significant impact on the respondents' perception of CBMT can be found in any national sample groups. Independent sample T-tests were used to find statistically significant differences between groups where the demographic variable was dichotomous (perceived gender). The conventional significance level of 95% was used, and the T-test is considered robust regardless of distribution form given the relatively large samples in this study (Norman, 2010). Pearson's Correlation Coefficient was calculated to find correlations between the CBMT perception index and incremental demographics (age and IT competence). Pearson's correlation coefficient is a value between −1 and 1 and describes the linear correlation between two variables. Linear correlation is when two variables are related so that one variable increases while the other increases and vice versa. −1 or 1 shows perfect correlations, while correlations under 0.3 or −0.3 are considered weak (Akoglu, 2018). Thus, the hypothesis was considered to be supported if a statistically significant coefficient of at least 0.3 or −0.3 was found. The statistical analysis tool SPSS version 25 was used for statistical analysis. Finally, the free-text answers were subjected to thematic coding in an open fashion (Braun & Clarke, 2006).
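The scoring steps described in this section (Cronbach's Alpha against the 0.65 threshold, the seven-statement index, the one-sample T-test against 3, and the correlation check against ±0.3), as an added Python example that is not the authors' SPSS analysis. The response data, the ages and all function names are constructed for illustration.

```python
import math
from statistics import mean, stdev, variance

ALPHA_THRESHOLD = 0.65  # acceptance threshold adopted in the paper
NEUTRAL = 3.0           # neutral midpoint of the 1-5 scale
WEAK_R = 0.3            # |r| below this is considered weak
SIG = 0.05              # 95% significance level

# Constructed data: 8 respondents x 7 statements (1-5), and constructed ages.
SAMPLE = [
    [5, 5, 4, 5, 4, 5, 5], [4, 4, 4, 5, 4, 4, 3], [3, 3, 2, 3, 3, 4, 3],
    [5, 4, 5, 5, 5, 4, 5], [2, 2, 3, 2, 1, 2, 2], [4, 5, 4, 4, 4, 4, 4],
    [3, 4, 3, 3, 4, 3, 3], [4, 4, 5, 4, 4, 5, 4],
]
AGES = [23, 35, 61, 29, 70, 44, 52, 38]


def cronbach_alpha(rows):
    """Internal consistency of a k-item scale; one list of k scores per respondent."""
    k = len(rows[0])
    item_var = sum(variance([r[i] for r in rows]) for i in range(k))
    total_var = variance([sum(r) for r in rows])
    return k / (k - 1) * (1 - item_var / total_var)


def perception_index(row):
    """Sum of the answer values divided by the number of statements (7 in the survey)."""
    return sum(row) / len(row)


def t_two_sided_p(t, df):
    """Two-sided p-value: integrate the Student t density over [0, |t|] with Simpson's rule."""
    c = math.exp(math.lgamma((df + 1) / 2) - math.lgamma(df / 2)) / math.sqrt(df * math.pi)

    def pdf(x):
        return c * (1 + x * x / df) ** (-(df + 1) / 2)

    n, b = 2000, abs(t)
    h = b / n
    area = pdf(0) + pdf(b) + sum((4 if i % 2 else 2) * pdf(i * h) for i in range(1, n))
    return max(0.0, 1 - 2 * area * h / 3)


def one_sample_t(values, mu=NEUTRAL):
    """T statistic, degrees of freedom and p-value for mean(values) versus mu."""
    n = len(values)
    t = (mean(values) - mu) / (stdev(values) / math.sqrt(n))
    return t, n - 1, t_two_sided_p(t, n - 1)


def pearson_test(xs, ys):
    """Pearson's r and its two-sided p-value (t transform with n - 2 degrees of freedom)."""
    mx, my = mean(xs), mean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    r = sxy / math.sqrt(sxx * syy)
    if abs(r) >= 1.0:
        return r, 0.0
    df = len(xs) - 2
    return r, t_two_sided_p(r * math.sqrt(df / (1 - r * r)), df)


def evaluate(rows, ages):
    """Apply the section's decision rules to one national sample."""
    alpha = cronbach_alpha(rows)
    index = [perception_index(r) for r in rows]
    t, df, p = one_sample_t(index)
    r, p_r = pearson_test(ages, index)
    return {
        "alpha": alpha,
        "scale_ok": alpha > ALPHA_THRESHOLD,
        "index_mean": mean(index),
        "t": t, "df": df, "p": p,
        "positive": mean(index) > NEUTRAL and p < SIG,
        "age_r": r,
        "age_meaningful": abs(r) >= WEAK_R and p_r < SIG,
    }


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE, AGES).items():
        print(f"{key}: {value}")
```

A correlation counts as meaningful here only when both conditions hold, which mirrors the rule that a significant but weak coefficient does not support the hypothesis.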

Results
The survey was distributed by the panel company Webropol as a paid service and sent out to a sample of 10 times the target sample size. It was open for a week and answered by 1,452 participants distributed as follows:
• Sweden: 834 participants.
The remainder of this section outlines the findings, and the data that supports the findings are deposited in Swedish National Data Service (SND) at https://doi.org/10.5878/pv4m-s237, reference number 2021-198. The full data set is not publicly available due to restrictions imposed by the informed consent form but can be made available upon reasonable request. The demographic composition of the sample is displayed in Table 1.
The following question asked the respondents about the primary way they received SETA in the past.The answers are presented in Table 2.
Table 2 shows that a large portion, about one-third, of the respondents did not receive any security training and that the most common way of receiving training was through guidance appearing during activities, recorded lectures, physical lectures, or written material. The confidence intervals for those four training types overlap, and no
The following question measured the respondents' perception of their previous experiences with SETA. They were asked to select all options that applied from a list of predefined options. The options and results are displayed in Table 3 and reflect the responses from respondents who reported having some previous experience with security training (n = 963). The table shows that about half of the respondents perceived their previous security training as informative and learned about security and/or improved their security behavior. However, below 40% reported that it improved their security behavior, and below 20% that it was interesting or fun.
A further breakdown of the respondents' perception of their prior SETA experiences suggests that the different SETA methods are perceived in similar ways, even if some overall patterns emerge. First, physical and recorded lectures are perceived as slightly more positive than the other SETA methods. Second, SETA sent in short sequences at regular intervals is seen as less positive than the other SETA methods. Still, all proportions are below 55%, suggesting that the impression of SETA overall is low, as seen in Table 4.
The following part of the survey intended to measure the respondents' perception of CBMT. The following description of CBMT preceded it.
Consider a tool which you can install on your computer that can:
• Detect when you are in a potentially risky situation, security-wise.
They were then asked to rate how well they agreed with a series of statements regarding the role and function of a CBMT tool, placing their level of agreement on a 5-point scale (5 = fully agree and 1 = do not agree at all). The scale's internal consistency was measured using Cronbach's Alpha, which returned an alpha of 0.775. Since that is over the threshold of 0.65, the scale is considered to measure the participants' perception of CBMT.
The sum of the answer values for each statement was divided by 7 to compute an index value.The mean values for the index and the individual statements are presented in Table 5, which suggests that respondents from Sweden and the UK are slightly more positive toward CBMT than those from Italy.Nevertheless, the positive attitude displayed by Swedish participants can also be observed amongst participants from Italy and the UK.
One-sample T-test was used to evaluate whether the results were separated from 3 with statistical significance.All results were significantly separated from 3, even using a significance level of 99%, and the data support the following hypothesis: • H1 main :Respondents in all national sample groups have a positive perception of CBMT.
Next, pairwise independent sample T-tests were used to evaluate if CBMT was perceived differently in the national sample groups.The results of the analysis are presented in Table 6.
Table 6 shows a significant difference in perception of CBMT between Sweden and Italy, and the UK and Italy.The confidence intervals reflect the size of that difference.The following hypotheses are therefore supported: • H2 a :Swedish and Italian respondents perceive CBMT differently.• H2 c :British and Italian respondents perceive CBMT differently.
The demographic impact on user perception of CBMT was then evaluated (H3), starting with perceived gender.Mean values in the three national groups, divided by gender, are presented in Table 7. Table 7 also displays the p-value from an independent sample T-test, and a p-value below 0.05 identify a statistically significant difference.
As seen in Table 7, there are minor differences in the mean index value between the gender groups. However, the difference is not significant for any national sample. Thus, the main or alternative hypothesis for gender is not supported by the data. Instead, the following null hypothesis is accepted:
• Gender is not found to impact users' perception of CBMT in any national answer group.
The impact of perceived IT competence and age was analyzed next. The linear correlations between the CBMT perception index and each of those variables were computed for each national answer group. Note that the correlation coefficient must be above 0.3 or below −0.3, and the p-value below 0.05, for the results to indicate a significant, meaningful correlation. The results are presented in Table 8.
As seen in Table 8, only one correlation is statistically significant, but that correlation is weak. The data fails to detect any relationship between any of the evaluated demographics and the perception of CBMT. Formally, the main and alternative hypotheses for age and IT competence are not supported by the data. Instead, the following null hypotheses are accepted:
• Age is not found to impact users' perception of CBMT in any national answer group.
• IT competence is not found to impact users' perception of CBMT in any national answer group.
Following the statistical analysis, the answers to free-text questions were categorized into themes. The comments were classified as positive, negative, or suggestive. There were 13 positive comments, several of which mention an automatic warning as a positive aspect, and only one negative word. Further, ten suggestive comments argued that the tool must be easy to use and non-intrusive for them to use it. A selection of free-text answers is presented in Table 9.

Discussion
User behavior remains one of the significant challenges in cybersecurity, and SETA is the go-to solution suggested by scholars and practitioners (Joinson & van Steen, 2018). While the challenge and SETA as the solution have been recognized for quite some time, the challenge remains, and so does the need for effective SETA methods (Bada et al., 2019). SETA efforts cannot only be measured by how they convey knowledge to users but also by how the users perceive them. This study aimed to measure European users' perception of CBMT, a method for implementing SETA that has been shown to be effective for assisting users in creating strong passwords (Kävrestad & Nohlberg, 2020a). This study first measured the participants' previous experience of SETA and their perception of that experience. The results first show that about one third of the respondents never received any significant security training. This is surprising given that research and industry have suggested training to improve cybersecurity behavior for decades. Nevertheless, it emphasizes the need for continued efforts toward effective SETA. The participants were also asked about their perception of previous SETA. The results revealed that about half of the respondents perceived that their previous security training was informative and taught them about security. However, below 40% reported that it improved their security behavior, and below 20% that it was interesting or fun. The results suggested that recorded or physical lectures were perceived as more positive than other SETA methods, and receiving short training sequences at regular intervals was the least preferred SETA method. Still, the overall impression of all the included SETA methods was low. The results are well in line with previous work arguing that existing SETA methods are not effective enough (Bada et al., 2019). Given the notion that security is only as strong as the weakest link, the results unveil a need for the continued development of SETA methods that work for a larger part of the population.
The study then evaluated the participants' perception of CBMT. The evaluation was performed as a survey that asked users about their attitudes toward various aspects of CBMT using a Likert scale. The scale items were designed to capture different aspects of CBMT and presented to the respondents in randomized order to minimize responder bias. The items on the scale were transformed to an index representing the users' perception of CBMT. The survey was distributed in Sweden, Italy, and the UK, with Sweden as the primary target population, where a sample of 834 respondents was acquired. Smaller samples were drawn from the UK (304) and Italy (314) to evaluate if the results were generalizable in a European context. The results show that respondents from all samples leaned toward a positive perception of CBMT since the mean index value was higher than 3, which signified a neutral standpoint.
The results can be compared to a previous evaluation of CBMT in an all-Swedish context by Kävrestad et al. (2019). They reported on a Likert scale with five items, creating a scale from zero to four. They had 198 respondents and found a CBMT preference index of 2.7, interpreted as a positive evaluation of CBMT. Given the different scale sizes, a direct comparison is not possible. However, this research provides a second and large-scale positive evaluation of CBMT and furthers the results from Kävrestad et al. (2019).
Further, this study evaluated if the perception of CBMT was impacted by nation, respondents' declared gender, age, and IT competence. Previous studies demonstrated that various demographic factors impact cybersecurity behavior, and it is relevant to evaluate their impact on the perception of CBMT (Anwar et al., 2017; Harrison & Thomas, 2009). The effect of nation and gender was analyzed using an independent sample T-test. No significant difference between male and female respondents was identified. However, the study found that respondents from Sweden and the UK perceived CBMT as more positive than respondents from Italy.
In contrast, no difference between Swedish and British respondents could be observed. This suggests that the nation of residence does impact how users perceive CBMT. This study purposefully selected to only include European nations, and the results reveal a need for future studies including more distant cultures. Pearson's rank correlation was used to analyze correlations between the other demographics and the CBMT perception index. Again, no correlations were found. While the statistical procedures used in this study are designed to identify differences and correlations rather than disprove them, the lack of identified impact of demographic factors suggests that the evaluated demographic aspects do not significantly impact the perception of CBMT.
A contribution to the practitioner community is that CBMT shows promise as a SETA method that various user groups can accept. However, the study does indicate that the nation of residence does impact how positively CBMT is perceived. Because this study is limited to a European context, two insights follow this result. First, further studies, including further cultures, are needed. Second, the results suggest that different SETA methods may be needed in different cultures around the world.
The scientific contributions of this study are twofold. First, the study contributes with a large-scale evaluation of user perceptions of CBMT. The results are in line with previous smaller evaluations, and the notion of CBMT as a positive method for users is therefore strengthened. Second, while we acknowledge that demographic factors affect cybersecurity behavior, the results of this paper suggest that a one-size-fits-all approach to training may indeed be possible.
Further, the free-text answers suggest that any SETA implementation must be implemented with usability in mind. The respondents mention that an implementation must in itself be easy to use and should be non-intrusive. Previous research has shown that some SETA methods require the users to actively seek out and participate in training or that knowledge acquired may deteriorate over time (Reinheimer et al., 2020). CBMT avoids those issues since the training is presented to users regularly and automatically when the user encounters risky situations. This study highlights that the main risk with the CBMT approach is that the training can be perceived as intrusive, and that must be considered when developing implementations.

Conclusion
This study aimed to evaluate the user perception of CBMT, a method for implementing SETA, and evaluate if the perception of CBMT is affected by nation of residence, age, gender, or IT competence. The study first assessed the respondents' previous experiences with SETA and concludes that about one third of the participants had never received any significant security training. This is surprising given the continuous calls for user training in this domain and reveals a continued need for work around SETA. The study also shows that about 40% of the respondents who had received training believed it changed their security-related behavior. Below 20% considered the training to be fun or interesting. A natural conclusion is that this study suggests that existing SETA methods fail to engage users and improve their behavior to a large enough degree.
As an evaluation of CBMT, this study replicates the result of a previous study with 198 Swedish respondents (Kävrestad et al., 2019) and concludes that the respondents in the present study perceive CBMT as positive. It does so with a larger sample and a more robust sampling technique. The present study also concludes that CBMT is perceived as positive not only by respondents in Sweden but also in the UK and Italy.
As for the demographic impact on user perception of CBMT, the study concludes that CBMT is perceived differently by respondents from different nations. However, age, gender, or IT competence could not be found to impact the respondents' perception, which suggests that a diverse group of users can appreciate CBMT.
While this study used well-established techniques to gather large samples from different cultures, analyzing all cultures in one study is nearly impossible. Further, there are more demographic factors to evaluate than those considered here. As such, areas for future work include similar studies in other nations and with a focus on other demographic factors. This study employed a European focus, which is an obvious limitation. A second direction for future work would be to evaluate the effects of using CBMT-based training in reality. After all, while positive user perception is an essential factor, the ultimate goal of any SETA is to assist users toward secure behavior in reality.

Disclosure statement
No potential conflict of interest was reported by the author(s).
H2 NULL: CBMT is perceived in the same way in all national sample groups.

Table 1. Demographic composition of the data sample.

Table 2. Previous SETA experiences of respondents.

Table 4. Participants' perceptions of previous experiences of SETA (Questions are shortened for readability).
• Provide you with information that helps you handle the situation in a secure way. To exemplify: a. If you are about to create a password, the tool would provide you with password creation tips

Table 3. Perception of previous SETA experiences.

Table 5. Results for each statement and a composite index.

Table 6. Analysis of national differences in perception of CBMT.

Table 7. Results for the demographic gender.

Table 8. Results for the various demographics.

Table 9. Selection of Free-Text responses.
a typical "I hate this tool" kind of tool. Annoying, and not at all beneficial.