Developing cybersecurity education and awareness programmes for small- and medium-sized enterprises (SMEs)

• Published in: Information and computer security Vol. 27; no. 3; pp. 393 - 410
• Main Authors: Bada, Maria, Nurse, Jason R.C
• Format: Journal Article
• Language: English
• Published: Bingley Emerald Publishing Limited 08.07.2019; Emerald Group Publishing Limited
• Subjects: CAI; Case studies; Computer assisted instruction; Consortia; Cybercrime; Cybersecurity; Distance learning; Literature reviews; Small & medium sized enterprises-SME; Small business; United Kingdom > UK; United States > US; Cybersecurity; Skills; Education; Small-to-medium-sized enterprises (SMEs); Awareness; Small-to-medium-sized businesses (SMBs)
• ISSN: 2056-4961; 2056-497X
• DOI: 10.1108/ICS-07-2018-0080

Purpose The purpose of this study is to focus on organisation’s cybersecurity strategy and propose a high-level programme for cybersecurity education and awareness to be used when targeting small- and medium-sized enterprises/businesses (SMEs/SMBs) at a city-level. An essential component of an organisation’s cybersecurity strategy is building awareness and education of online threats and how to protect corporate data and services. This programme is based on existing research and provides a unique insight into an ongoing city-based project with similar aims. Design/methodology/approach To structure this work, a scoping review was conducted of the literature in cybersecurity education and awareness, particularly for SMEs/SMBs. This theoretical analysis was complemented using a case study and reflecting on an ongoing, innovative programme that seeks to work with these businesses to significantly enhance their security posture. From these analyses, best practices and important lessons/recommendations to produce a high-level programme for cybersecurity education and awareness were recommended. Findings While the literature can be informative at guiding education and awareness programmes, it may not always reach real-world programmes. However, existing programmes, such as the one explored in this study, have great potential, but there can be room for improvement. Knowledge from each of these areas can, and should, be combined to the benefit of the academic and practitioner communities. Originality/value The study contributes to current research through the outline of a high-level programme for cybersecurity education and awareness targeting SMEs/SMBs. Through this research, literature in this space was examined and insights into the advances and challenges faced by an on-going programme were presented. These analyses allow us to craft a proposal for a core programme that can assist in improving the security education, awareness and training that targets SMEs/SMBs.