EMPLOYEE CYBERSECURITY AWARENESS TRAINING PROGRAMS CUSTOMIZED FOR SME CONTEXTS TO REDUCE HUMAN-ERROR RELATED SECURITY INCIDENTS

Authors

  • Friday Ugbebor, Independent Researcher, Information Technology, USA
  • Olushola Aina, Independent Researcher, Nigeria
  • Mayowa Abass, Independent Researcher, Nigeria
  • Dare Kushanu, Independent Researcher, Nigeria

DOI:

https://doi.org/10.60087/jklst.vol3.n3.p382-409

Abstract

Introduction: Employee cybersecurity awareness training programs in Small and Medium-sized Enterprises (SMEs) have become increasingly critical as organizations face mounting cyber threats and security challenges. Studies have shown that human contribution is a major risk factor in security incidents, hence the imperative need for proper training. SMEs are especially at risk because, compared with large enterprises, they have fewer resources, less technical knowledge, and poorer security equipment. Research has further shown that targeted training programs specific to the organisational context can go a long way toward enhancing security awareness and improving overall incident rates by changing behaviour and perceived security risks.

Materials and Methods: A systematic literature review was conducted following the PRISMA protocol to analyze peer-reviewed articles, doctoral dissertations, and scholarly publications focusing on cybersecurity awareness training in SME contexts. Under the inclusion criteria, only papers presenting empirical findings related to training program outcomes, practices, and assessment methodologies were chosen. Articles were screened on the basis of the research method employed, their applicability to SMEs, and the attention devoted to human factors in cybersecurity. Documents were analyzed for quantitative and qualitative data, themes, successful training methods, and implementation challenges. To minimize the risk of missing potentially informative articles, multiple databases were searched with predetermined search terms.

Results: Analysis revealed that effective SME cybersecurity training programs share common characteristics: topicality, applicability, and the possibility of constant evaluation. Companies that adopted training programs tailored to their specific business environments realised a 45-65 percent reduction in security breaches resulting from personnel mistakes. Internalized management support and frequent reminders of security practices were reported as key success factors. The findings revealed that employee engagement levels of 72% were achieved when training included interactive CBT elements and realistic workplace simulations. Training based on cloud-based platforms and gamification is applicable in resource-scarce environments and showed high potential for cost efficiency; average implementation costs were 40% less than with traditional training approaches.

Discussion: Evidence suggests that successful cybersecurity training programs must balance technical content with practical application while considering SME resource constraints. Applying principles of behavioural psychology in designing lessons and training proved more effective in changing security behaviour patterns. Trends point to increasing use of AI-adapted, learner-oriented learning and training in realistic settings. Limitations exist in assessing behaviour change over the long term and in establishing consistently high security competencies across multiple organizational levels. Cultural issues and employee resistance proved to be the main implementation problems, which could be addressed only through specific interventions.

Conclusion: The synthesis of current research demonstrates that customized cybersecurity awareness training programs significantly impact security incident reduction in SME environments. Sources of competitive advantage lie in content germane to specific contexts, a focus on practical application, and the presence of training reinforcement measures. This empirical research reveals that management commitment, resources, and employee participation are key success factors for such programs. Further research should focus on more effective approaches for delivering security messages, defining a suitable set of measures for recording behaviour changes, and creating development plans for a reliable security culture.



Published

25-09-2024

How to Cite

Ugbebor, F., Aina, O., Abass, M., & Kushanu, D. (2024). EMPLOYEE CYBERSECURITY AWARENESS TRAINING PROGRAMS CUSTOMIZED FOR SME CONTEXTS TO REDUCE HUMAN-ERROR RELATED SECURITY INCIDENTS. Journal of Knowledge Learning and Science Technology ISSN: 2959-6386 (online), 3(3), 382-409. https://doi.org/10.60087/jklst.vol3.n3.p382-409
