To read the full version of this content please select one of the options below:

Developing cybersecurity education and awareness programmes for small- and medium-sized enterprises (SMEs)

Maria Bada (Computer Laboratory, University of Cambridge, Cambridge, UK)
Jason R.C. Nurse (School of Computing, University of Kent, Canterbury, UK)

Information and Computer Security

ISSN: 2056-4961

Publication date: 8 July 2019

Abstract

Purpose

The purpose of this study is to focus on organisation’s cybersecurity strategy and propose a high-level programme for cybersecurity education and awareness to be used when targeting small- and medium-sized enterprises/businesses (SMEs/SMBs) at a city-level. An essential component of an organisation’s cybersecurity strategy is building awareness and education of online threats and how to protect corporate data and services. This programme is based on existing research and provides a unique insight into an ongoing city-based project with similar aims.

Design/methodology/approach

To structure this work, a scoping review was conducted of the literature in cybersecurity education and awareness, particularly for SMEs/SMBs. This theoretical analysis was complemented using a case study and reflecting on an ongoing, innovative programme that seeks to work with these businesses to significantly enhance their security posture. From these analyses, best practices and important lessons/recommendations to produce a high-level programme for cybersecurity education and awareness were recommended.

Findings

While the literature can be informative at guiding education and awareness programmes, it may not always reach real-world programmes. However, existing programmes, such as the one explored in this study, have great potential, but there can be room for improvement. Knowledge from each of these areas can, and should, be combined to the benefit of the academic and practitioner communities.

Originality/value

The study contributes to current research through the outline of a high-level programme for cybersecurity education and awareness targeting SMEs/SMBs. Through this research, literature in this space was examined and insights into the advances and challenges faced by an on-going programme were presented. These analyses allow us to craft a proposal for a core programme that can assist in improving the security education, awareness and training that targets SMEs/SMBs.

Keywords

Acknowledgements

The authors would like to thank the London Digital Security Centre (now referred to as Police Digital Security Centre) for their time in participating in the research and their assistance during the data collection, as well as the SMEs who participated in this study.

Citation

Bada, M. and Nurse, J.R.C. (2019), "Developing cybersecurity education and awareness programmes for small- and medium-sized enterprises (SMEs)", Information and Computer Security, Vol. 27 No. 3, pp. 393-410. https://doi.org/10.1108/ICS-07-2018-0080

Publisher

:

Emerald Publishing Limited

Copyright © 2019, Emerald Publishing Limited