EMPLOYEE CYBERSECURITY AWARENESS TRAINING PROGRAMS CUSTOMIZED FOR SME CONTEXTS TO REDUCE HUMAN-ERROR RELATED SECURITY INCIDENTS
DOI: https://doi.org/10.60087/jklst.vol3.n3.p382-409
Abstract
Introduction: Employee cybersecurity awareness training programs in Small and Medium-sized Enterprises (SMEs) have become increasingly critical as organizations face mounting cyber threats and security challenges. Studies have shown that human contribution is a major risk factor in security incidents, hence the imperative need for proper training. SMEs are especially at risk because, compared to large enterprises, they have fewer resources, less technical knowledge and weaker security equipment. Research has further shown that targeted training programs specific to the organisational context can go a long way toward enhancing security awareness and improving overall incident rates through changes in behaviour and perceived security risks.
Materials and Methods: A systematic literature review was conducted following the PRISMA protocol to analyze peer-reviewed articles, doctoral dissertations, and scholarly publications focusing on cybersecurity awareness training in SME contexts. Under the inclusion criteria, only papers presenting empirical findings related to training program outcomes, practices, and assessment methodologies were chosen. Articles were screened on the basis of the research method employed, their applicability to SMEs, and the effort devoted to human factors in cybersecurity. Documents were analyzed for quantitative and qualitative data, with an analysis of themes, successful training methods and challenges in implementation. To minimize the chance of missing potentially informative articles, multiple databases were searched using predetermined search terms.
Results: Analysis revealed that effective SME cybersecurity training programs share common characteristics: topicality, applicability, and the possibility of constant evaluation. Companies that adopted training programs tailored to their specific business environments realised a 45-65 percent reduction in security breaches resulting from personnel mistakes. Management support internalization and frequent reminding of the security practices were reported as key success factors. The findings revealed that employee engagement levels of 72% were realized when training elements included CBT interactivity and realistic workplace simulations. The latter are applicable in resource-scarce environments and displayed a high potential for cost-efficient training based on cloud-based platforms and gamification; the average implementation costs were 40% less than with traditional training approaches.
Discussion: Evidence suggests that successful cybersecurity training programs must balance technical content with practical application while considering SME resource constraints. Applying principles of behavioural psychology in designing lessons and training proved to be more effective in changing security behaviour patterns. These trends suggest increasing use of AI-adapted, student-oriented learning and training in realistic ensembles. Some limitations exist in assessing behaviour change over the long term and in establishing constantly high security competencies across multiple organizational granularity levels. Cultural issues and employees' resistance proved to be the main program implementation issues, which could only be addressed with specific interventions to unmask implementation challenges.
Conclusion: The synthesis of current research demonstrates that customized cybersecurity awareness training programs significantly impact security incident reduction in SME environments. Sources of competitive advantage have to do with having content germane to specific contexts, a focus on practical application, and the presence of training reinforcement measures. This empirical research reveals that management commitment, resources, and employees' participation are key success factors for the program. Further research should focus on more effective approaches for delivering security messages, defining a suitable set of measures for recording behavior changes, and creating development plans for a reliable security culture.
Copyright (c) 2024 Journal of Knowledge Learning and Science Technology ISSN: 2959-6386 (online)
This work is licensed under a Creative Commons Attribution 4.0 International License.
©2024 All rights reserved by the respective authors and JKLST.