Cybersecurity awareness training programs: a cost–benefit analysis framework
Industrial Management & Data Systems
ISSN: 0263-5577
Article publication date: 27 January 2021
Issue publication date: 2 March 2021
Abstract
Purpose
Employees must receive proper cybersecurity training so that they can recognize the threats to their organizations and take the appropriate actions to reduce cyber risks. However, many cybersecurity awareness training (CSAT) programs fall short due to their misaligned training focuses.
Design/methodology/approach
To help organizations develop effective CSAT programs, we have developed a theoretical framework for conducting a cost–benefit analysis of those CSAT programs. We differentiate them into three types of CSAT programs (constant, complementary and compensatory) by their costs and into four types of CSAT programs (negligible, consistent, increasing and diminishing) by their benefits. Also, we investigate the impact of CSAT programs with different costs and the benefits on a company's optimal degree of security.
Findings
Our findings indicate that the benefit of a CSAT program with different types of cost plays a disparate role in keeping, upgrading or lowering a company's existing security level. Ideally, a CSAT program should spend more of its expenses on training employees to deal with the security threats at a lower security level and to reduce more losses at a higher security level.
Originality/value
Our model serves as a benchmark that will help organizations allocate resources toward the development of successful CSAT programs.
Keywords
Citation
Zhang, Z.(J)., He, W., Li, W. and Abdous, M. (2021), "Cybersecurity awareness training programs: a cost–benefit analysis framework", Industrial Management & Data Systems, Vol. 121 No. 3, pp. 613-636. https://doi.org/10.1108/IMDS-08-2020-0462
Publisher
:Emerald Publishing Limited
Copyright © 2021, Emerald Publishing Limited