Cybersecurity threats are increasing as organizations navigate digital transformation and hybrid work models, with human error accounting for 95% of security breaches and the human factor emerging as the critical vulnerability in organizational security. Interns, as transient organizational members, remain underexplored regarding their role in cybersecurity risk. This study investigates cybersecurity training and awareness among 75 interns from organizations in Spain. We assess sources -formal instruction, on-the-job learning, and informal guidance-, content, and adequacy of cybersecurity education received, and examine their awareness of organizational cybersecurity protocols, practices and incident response procedures. Our findings reveal significant gaps in formal training programs and communication of internal cybersecurity policies, leaving many interns poorly prepared to address cybersecurity threats. Demographic analyses further reveal that age and gender differences affect confidence and risk perceptions. The results indicate that insufficient onboarding and inadequate training contribute to elevated cybersecurity risks. This research underscores the urgent need for enhanced cybersecurity education and robust onboarding procedures for interns. The implications extend to improved risk management strategies and a stronger overall cybersecurity culture in organizations.
AlsharifMMishraSAlShehriM (2022) Impact of human vulnerabilities on cybersecurity. Computer Systems Science and Engineering40: 1153–1166.
2.
AnwarMHeWYuanX (2016) Employment Status and Cybersecurity Behaviors. IEEE, 1–2.
3.
ArreguiDMaynardSBAhmadA (2016) Mitigating BYOD Information Security Risks, AAIS, 1–11.
4.
BalzanoM (2025) Post-Error Adjustments: Strategic Agility and Organizational Zemblanity. California Management Review67(4): 121–153. Available at:https://doi.org/10.1177/00081256251332311
5.
BauerTNErdoganB (2011) Organizational socialization: the effective onboarding of new employees. APA Handbook of Industrial and Organizational Psychology. American Psychological Association, 51–64.
6.
BeenenGPichlerS (2014) Do I really want to work here? Testing a model of job pursuit for MBA interns. Human Resource Management53(5): 661–682.
7.
BlažičBJBlažičAJ (2022) Cybersecurity skills among European high-school students: a new approach in the design of sustainable educational development in cybersecurity. Sustainability14(8): 1–23.
8.
BradtGBVonnegutM (2009) Onboarding: How to Get Your New Employees up to Speed in Half the Time. John Wiley and Sons.
9.
Branley-BellDCoventryLDixonM, et al. (2022) Exploring age and gender differences in ICT cybersecurity behaviour. Human Behavior And Emerging Technologies2022(1): 1–10.
10.
CameronEMarcumT (2019) Why business schools must incorporate cybersecurity into the business curriculum: preparing the next generation for success. Journal of Higher Education Theory and Practice19(4): 25–33.
11.
CanoJJ (2019) The Human Factor in Information Security. ISACA journal5: 42–49.
12.
CCN-CERT (2024) IA-28/24 Ciberamenazas Y Tendencias. Edición 2024. CCN-CERT Ministerio de Defensa de España.
CrickT (2020) Overcoming the challenges of teaching cybersecurity in UK computer science degree programmes, Uppsala, Sweden. IEEE, pp. 1–9.
16.
European Parliament (2016) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC General Da. Official Journal of the European Union.
17.
FatokunFBHamidSNormanA, et al. (2019) The impact of age, gender, and educational level on the cybersecurity behaviors of tertiary institution students: an empirical investigation on Malaysian universities. Journal of Physics: Conference Series1339(1): 1–13.
GlaspieHWKarwowskiW (2018) Human factors in information security culture: a literature review. Advances in Intelligent Systems and Computing593: 269–280.
22.
GoldaAMekonenKPandeyA, et al. (2024) Privacy and security concerns in generative AI: a comprehensive survey. IEEE Access12: 48126–48144.
23.
HargittaiEShaferS (2006) Differences in actual and perceived online skills: the role of gender. Social Science Quarterly87(2): 432–448.
24.
HenshelDSampleCCainsM, et al. (2016) Integrating cultural factors into human factors framework and ontology for cyber attackers. Advances in Intelligent Systems and Computing501: 123–137.
25.
HerathTRaoR (2009) Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems18: 106–125.
26.
HudockAWeidmanJGrossklagsJ (2020) Security Onboarding: An Interview Study on Security Training for Temporary Employees. Association for Computing Machinery, 183–194.
27.
HwangIWakefieldRKimS, et al. (2021) Security awareness: the first step in information security compliance behavior. Journal of Computer Information Systems61(4): 345–356.
28.
IBM (2024) Cost of a Data Breach Report. IBM Corp.
29.
KannelønningKKatsikasSK (2023) A systematic literature review of how cybersecurity-related behavior has been assessed. Information and Computer Security, ahead-of-print.
LiLHeWXuL, et al. (2019) Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. International Journal of Information Management45: 13–24.
32.
Maertz JrCPStoeberlPAMarksJ (2014) Building successful internships: lessons from the research for interns, schools, and employers. Career Development International19(1): 123–142.
33.
MetinBÖzhanFGWynnM (2024) Digitalisation and cybersecurity: towards an operational framework. Electronics13(21): 4226.
MitznerTLBoronJBFaussetCB, et al. (2010) Older adults talk technology: technology usage and attitudes. Computers in Human Behavior26(6): 1710–1721.
36.
MohamudAJAbdulT (2022) Impact of information security policies compliance (ISPC) on reducing the incidence of security breaches in organizations: systematic literature review. Preprints1–27, In press.
37.
OrehekŠPetričG (2021) A systematic review of scales for measuring information security culture. Information and Computer Security29: 133–158.
38.
PalanisamyRNormanAAKiahLM (2020) Compliance with bring your own device security policies in organizations: a systematic literature review. Computers & Security98: 101998.
39.
PandelicăIL (2020) The phenomenon of cyber crime. International Journal of Information Security and Cybercrime9: 29–36.
40.
ParsonsKMcCormacAButaviciusM, et al. (2014) Determining employee awareness using the human aspects of Information security questionnaire (HAIS-Q). Computers & Security42: 165–176.
41.
PolliniACallariTCTedeschiA, et al. (2022) Leveraging human factors in cybersecurity: an integrated methodological approach. Cognition, Technology and Work24: 371–390.
42.
PosaTGrossklagsJ (2022) Work experience as a factor in cyber-security risk awareness: a survey study with university students. Journal of Cybersecurity and Privacy2(3): 490–551.
43.
RakovićLSakalMMatkovićP, et al. (2020) Shadow IT – systematic literature review. Information Technology and Control49: 144–160.
44.
RatchfordMEl-GayarONoteboomC, et al. (2021) BYOD security issues: a systematic literature review. Information Security Journal31: 253–273.
45.
RielMRomeikeR (2020) IT Security in Secondary CS Education: Is It Missing in Today’s. s.l, ACM, 1–2.
46.
ShaikhA (2018) Shadow-IT System and Insider Threat: Opportunity as a Situational Perspective. Association for Information Systems, 88.
SilicM (2015) Emerging from the shadows: survey evidence of shadow IT use from blissfully ignorant employees. Innovation and Management Science12. (July 18, 2015). DOI: 10.2139/ssrn.2633000.
49.
StepneyOAllisonJ (2023) Cyber Security in English Secondary Education Curricula: A Preliminary Study. Association for Computing Machinery, 193–199.
50.
TripathyS (2023) Investigating How Employees’ Cybersecurity Behaviour Is Affected by their Knowledge of Cybersecurity Policy. IEEE, 1–6.
51.
TriplettWJ (2022) Addressing human factors in cybersecurity leadership. Journal of Cybersecurity and Privacy2: 573–586.
52.
TrumbachCCPayneDMWalshK (2022) Cybersecurity in business education: the ‘how to’ in incorporating education into practice. Industry and Higher Education27(1): 35–45.
53.
Vallejo-BlanxartA (2025) Cybersecurity education gaps in Spain university business degrees. The Journal of Education for Business100(4): 1–15.
54.
XiaoSWarkentinMWaldenE, et al. (2020) “Do We Protect What We Own?: A Proposed Neurophysiological Exploration of Workplace Information Protection Motivation,” Lecture Notes in Information Systems and Organization, in: Fred D. Davis & René Riedl & Jan vom Brocke & Pierre-Majorique Léger & Adriane Randolph & Thomas Fis (ed.),Information Systems and Neuroscience page101–109, Springer.
55.
ZwillingMKlienGLesjakD, et al. (2022) Cyber security awareness, knowledge and behavior: a comparative study. Journal of Computer Information Systems62: 82–97.
