Developing cybersecurity education and awareness programmes for Small and medium-sized enterprises (SMEs)

Purpose: An essential component of an organisation's cybersecurity strategy is building awareness and education of online threats, and how to protect corporate data and services. This research article focuses on this topic and proposes a high-level programme for cybersecurity education and awareness to be used when targeting Small-to-Medium-sized Enterprises/Businesses (SMEs/SMBs) at a city level. We ground this programme in existing research as well as unique insight into an ongoing city-based project with similar aims.

Findings: We find that whilst literature can be informative in guiding education and awareness programmes, it may not always reach real-world programmes. On the other hand, existing programmes, such as the one we explored, have great potential but there can also be room for improvement. Knowledge from each of these areas can, and should, be combined to the benefit of the academic and practitioner communities.

Originality/value: The study contributes to current research through the outline of a high-level programme for cybersecurity education and awareness targeting SMEs/SMBs. Through this research, we reflect on the literature in this space and present insights into the advances and challenges faced by an ongoing programme. These analyses allow us to craft a proposal for a core programme that can assist in improving the security education, awareness and training that targets SMEs/SMBs.
