10 research outputs found

    Developing cybersecurity education and awareness programmes for small- and medium-sized enterprises (SMEs)

    Purpose: The purpose of this study is to focus on an organisation’s cybersecurity strategy and propose a high-level programme for cybersecurity education and awareness to be used when targeting small- and medium-sized enterprises/businesses (SMEs/SMBs) at a city level. An essential component of an organisation’s cybersecurity strategy is building awareness and education of online threats and how to protect corporate data and services. This programme is based on existing research and provides a unique insight into an ongoing city-based project with similar aims.
    Design/methodology/approach: To structure this work, a scoping review was conducted of the literature in cybersecurity education and awareness, particularly for SMEs/SMBs. This theoretical analysis was complemented using a case study and reflecting on an ongoing, innovative programme that seeks to work with these businesses to significantly enhance their security posture. From these analyses, best practices and important lessons/recommendations to produce a high-level programme for cybersecurity education and awareness were recommended.
    Findings: While the literature can be informative at guiding education and awareness programmes, it may not always reach real-world programmes. However, existing programmes, such as the one explored in this study, have great potential, but there can be room for improvement. Knowledge from each of these areas can, and should, be combined to the benefit of the academic and practitioner communities.
    Originality/value: The study contributes to current research through the outline of a high-level programme for cybersecurity education and awareness targeting SMEs/SMBs. Through this research, literature in this space was examined and insights into the advances and challenges faced by an ongoing programme were presented. These analyses allow us to craft a proposal for a core programme that can assist in improving the security education, awareness and training that targets SMEs/SMBs.

    Standardizing Instructional Definition and Content Supporting Information Security Compliance Requirements

    Information security (IS)-related risks affect global public and private organizations on a daily basis. These risks may be introduced through technical or human-based activities, and can include fraud, hacking, malware, insider abuse, physical loss, mobile device misconfiguration or unintended disclosure. Numerous and diverse regulatory and contractual compliance requirements have been mandated to assist organizations in proactively preventing these types of risks. Two constants are noted in these requirements. The first constant is requiring organizations to disseminate security policies addressing risk management through secure behavior. The second constant is communicating policies through IS awareness, training and education (ISATE) programs. Compliance requirements direct that these policies provide instruction about making compliant and positive security decisions to reduce risk. Policy-driven and organizationally-relevant ISATE content is understood to be foundational and critical to prevent security risk. The problem identified for investigation is inconsistency of the terms awareness, training and education as found in security-related regulatory, contractual and policy compliance requirements. Organizations are mandated to manage a rapidly increasing portfolio of inconsistent ISATE compliance requirements generated from many sources. Since there is no one set of common guidance for compliance, organizations struggle to meet global, diverse and inconsistent compliance requirements. Inconsistent policy-related content and instructions, generated from differing sources, may cause incorrect security behavior that can present increased security risk. Traditionally, organizations were required to provide only internally-developed programs, with content left to business, regulatory/contractual, and cultural discretion. Updated compliance requirements now require organizations to disseminate externally-developed content in addition to internally-provided content.
    This real-world business requirement may cause compliance risks due to inconsistent instruction, guidance gaps and lack of organizational relevance. The problem has been experienced by industry practitioners within the last five years due to increased regulatory and contractual compliance requirements. Prior studies have not yet identified specific impacts of multiple and differing compliance requirements on organizations. The need for organizational relevance in ISATE content has been explored in the literature, but the amount of organizationally-relevant content has not been examined against newer compliance mandates. The goal of the research project was to develop a standard content definition and framework. Experienced practitioners responsible for ISATE content within their organizations participated in a survey to validate definitions, content, compliance and organizational relevance requirements imposed on their organizations. Fifty-five of 80 practitioners surveyed (68.75% participation rate) provided responses to one or more sections of the survey. This research is believed to be the first to suggest a standardized content definition for ISATE program activities based on literature review, assessment of existing regulatory, contractual, standard and framework definitions and information obtained from specialized practitioner survey data. It is understood to be the first effort to align and synthesize cross-industry compliance requirements, security awareness topics and organizational relevance within information security awareness program content. Findings validated that multiple and varied regulatory and contractual compliance requirements are imposed on organizations. A lower number of organizations were impacted by third-party program requirements than was originally expected. Negative and positive impacts of third-party compliance requirements were identified.
    Program titles and content definitions vary in respondent organizations and are documented in a variety of organizational methods. Respondents indicated high acceptance of a standard definition of awareness, less so for training and education. Organizationally-relevant program content is highly important and must contain traditional and contemporary topics. Results are believed to be an original contribution to information/cyber security practitioners, with findings of interest to academic researchers, standards/framework bodies, auditing/risk management practitioners and learning/development specialists.

    Developing a Cyber Security Culture: Current Practices and Future Needs

    While the creation of a strong security culture has been researched and discussed for decades, it continues to elude many businesses. Part of the challenge faced is distilling pertinent, recent academic findings and research into useful guidance. In this article, we aim to tackle this issue by conducting a state-of-the-art study into organisational cyber security culture research. This work investigates four questions: how cyber security culture is defined, what factors are essential to building and maintaining such a culture, the frameworks proposed to cultivate a security culture, and the metrics suggested to assess it. Through the application of the PRISMA systematic literature review technique, we identify and analyse 58 research articles from the last 10 years (2010-2020). Our findings demonstrate that while there have been notable changes in the use of terms (e.g., information security culture and cyber security culture), many of the most influential factors across papers are similar. Top management support, policy and procedures, and awareness, for instance, are critical in engendering cyber security culture. Many of the frameworks reviewed revealed common foundations, with organisational culture playing a substantial role in crafting appropriate cyber security culture models. Questionnaires and surveys are the most used tools to measure cyber security culture, but there are also concerns as to whether more dynamic measures are needed. For practitioners, this article highlights factors and models essential to the creation and management of a robust security culture. For research, we produce an up-to-date characterisation of the field and also define open issues deserving of further attention, such as the role of change management processes and national culture in an enterprise's cyber security culture.

    The Importance of the Security Culture in SMEs as Regards the Correct Management of the Security of Their Assets

    The information society is increasingly dependent on Information Security Management Systems (ISMSs), and the availability of these kinds of systems is now vital for the development of Small and Medium-Sized Enterprises (SMEs). However, these companies require ISMSs that have been adapted to their special features, and which are optimized as regards the resources needed to deploy and maintain them. This article shows how important the security culture within ISMSs is for SMEs, and how the concept of security culture has been introduced into a security management methodology for SMEs (MARISMA, a Methodology for “Information Security Management System in SMEs”, developed by the Sicaman Nuevas Tecnologías Company and the Research Groups GSyA and Alarcos of the University of Castilla-La Mancha). This model is currently being directly applied to real cases, thus allowing a steady improvement to be made to its implementation.

    BYOD: Risk considerations in a South African organisation

    In recent times, while numerous organisations have difficulty keeping abreast of the frequent year-on-year technology changes, their employees, on the other hand, continue to bring their personal devices to work to more readily access organisational data. This concept is known as Bring Your Own Device (BYOD). Studies have demonstrated that the introduction of BYOD commonly has a positive effect on both organisation and employees: increased optimism, job satisfaction and productivity are some of the perceived positive effects. Furthermore, BYOD can improve employees’ opportunities for mobile working and assist with the work flexibility they seek. This phenomenon, however, is still not well understood. In the South African context, this refers particularly to an inadequate understanding of risks associated with the introduction of BYOD into organisations. Some of the risks associated with this phenomenon are, for instance, related to information security, legislation and privacy issues. Hence, the intention of this research was to investigate, determine and assess BYOD risk considerations in a South African organisation. Using the available literature on this subject and an interpretative exploratory case study approach, this research explored various facets of BYOD-related risks (e.g. implementational, technological, legislation, regulation and privacy risks, human aspects and organisational concerns) as well as the impact these risks may have on both employees and an organisation. The organisation under investigation – from this point onward referred to as “Organisation A” – is a South African based information technology (IT) security consulting and service management organisation, which has seen increased expansion in its business and thus an increase in the number of its employees utilising their personal devices at the workplace. Even so, Organisation A was uncertain regarding possible risks that might hinder the benefits of BYOD.
    Hence, this researcher defined the main research question as “What are the risks of introducing the BYOD in the South African organisation and what is an effective approach to address identified risks?”. The main objective was to identify and describe BYOD-related risks and to propose an appropriate model for addressing these risks. To answer the main research question, this researcher reviewed the applicable literature on BYOD, including the limited South African literature pertaining to the subject. The review elicited the most common BYOD-related risks but also some models, frameworks and standards that may be applied for addressing these risks. Based on these revelations, an applicable BYOD risk management model was created and proposed. The literature review findings were subsequently tested in the empirical setting (in Organisation A) by conducting comprehensive interviews with research participants. This research adopted a qualitative approach in general and a case study methodology in particular. The collected data were analysed using interpretative phenomenological analysis (IPA), which aided in providing a comprehensive understanding of the interviewees’ responses regarding the BYOD risks. The interviewees were selected based on purposeful (pre-defined) sampling. The results of this interpretative research suggest that the interviewees’ responses are closely aligned with the information on BYOD risks collected from the pertinent literature. The results show that successful introduction and usage of BYOD in the studied organisation requires the implementation of mixed risk management measures: technological (e.g. mobile device management and its additional components), non-technological (e.g. IT or BYOD security policies), the usage of general risk management frameworks (e.g. ISO 27001), the development of an organisational security culture and skilling of the human factor (e.g. employee awareness, training and education).
    Additionally, it was found that participation of employees in the development of BYOD policies is an essential and effective tactic for transforming a fragile BYOD risk link (i.e. employees) into a strong risk prevention mechanism. Furthermore, this research also revealed that in the South African context, it is important that an organisation’s BYOD security policies are sound, preferably meeting the POPI Act requirements and thereby avoiding legislation risks. The contribution of this research is twofold: first academic, and second, practical. The academic contribution is realised by adding to the body of knowledge on BYOD risks – most particularly in terms of understanding potential risks when introducing BYOD in the South African context. The practical contribution manifests through the provision of detailed risk considerations and mitigation guidelines for organisations wishing to introduce BYOD practices or considering ways to improve their current BYOD risk management strategy. It is acknowledged that this research has some limitations, particularly in regard to the limited generalisation of the findings due to the limited sample provided by only one organisation. Although the results are not necessarily applicable to other South African organisations, these limitations did not impact the relevance and validity of this research.

    Strategies to Reduce Small Business Data Security Breaches

    Organizations affected by data security breaches may experience reputational damage and remediation costs. Understanding the data security strategies needed to protect small businesses is vital to safeguard company data and protect consumers’ personal information. Grounded in systems theory, the purpose of this qualitative multiple case study was to explore the strategies small business owners use to reduce data security breaches. The participants were 4 small business owners located in the southern region of the United States: 2 franchise small business owners and 2 nonfranchise small business owners. Data were collected from semistructured interviews and organizational documents. Yin’s 5-step data analysis was used to analyze the data. Two themes emerged: information assurance and third-party dependencies. A key recommendation is that small business owners implement a contingency plan to manage a data security breach. The implications for positive social change include the potential for small business owners to develop data security strategies to protect their organizations from experiencing a data breach. Protection from data breaches can, in turn, rebuild trust with small business owners and increase spending, increasing the local community’s tax base that may be used to improve social services in the local community.

    Factors Influencing Small Construction Businesses from Implementing Information Security: A Case Study

    This qualitative study described the influence of small businesses’ failure to properly implement information security technologies, resulting in the loss of sensitive and proprietary business information. A collective case study approach was used to determine the most effective way to gain a holistic picture of how small construction businesses make security technology implementation decisions to support their workforce. The theory guiding this study was the Unified Theory of Acceptance and Use of Technology (UTAUT) model, which is related to the Theory of Planned Behavior and the Technology Acceptance Model and which helped explain the intentions of individuals to use information systems. Security policies and threats (insider and cyber) were also examined during this study. Data collection methods included questionnaires, interviews, document reviews, journaling, and webpage scans to provide insight into security information technology use. The results of this study indicated that small construction businesses rely heavily on third-party information technology vendors to perform security functions. This security model has led to several of the businesses experiencing cyber security incidents and to the businesses being more reactive in responding to cyber-attacks. Deficiencies in planning for system implementations also affected how employees thought about and used the businesses’ security information systems. The study’s results indicated that employees’ behavior intention and use behavior were highly affected by the age moderator, with older employees more likely to display a lower behavior intention and use behavior for using systems.

    A cloud business intelligence security evaluation framework for small and medium enterprises

    Cloud business intelligence has practical importance in data management and decision-making, but its adoption and use among South African small and medium enterprises remain relatively low compared to large business enterprises. The low uptake persists irrespective of the awareness and acceptance of the benefits of Cloud business intelligence in the business domain. Cloud business intelligence depends on the cloud computing paradigm, which is susceptible to security threats and risks that decision-makers must consider when selecting what applications to use. The major objective of this study was to propose a security evaluation framework for Cloud business intelligence suitable for use by small and medium enterprises in small South African towns. The study utilised the exploratory sequential mixed-method research methodology with decision-makers from five towns in the Limpopo Province. Both qualitative and quantitative methods were used to analyse the data. The findings show that the level of adoption of Cloud business intelligence in the five selected towns was lower than reported in the literature, and that decision-makers were eager to adopt and use safe Cloud business intelligence, but this was hindered by their inability to evaluate security in these applications. Factors preventing the adoption of Cloud business intelligence were decision-makers’ limited knowledge of the applications and of security evaluation, the inability to use industry security frameworks and standards due to their complexity, mistrust of cloud service providers in meeting their obligations when providing agreed services, and lack of security specialists to assist in the evaluation process. Small and medium enterprises used unapproved security evaluation methods, such as relying on friends who were not information technology security specialists.
    A security evaluation framework and checklists were proposed based on the findings of the study and the best practices of the existing industry frameworks and standards. The proposed security evaluation framework was validated for relevance by information technology security specialists and for acceptance by small and medium enterprise decision-makers. The study concluded that the adoption and use of Cloud business intelligence were hindered by the lack of a user-friendly security evaluation framework and limited security evaluation knowledge among decision-makers. Furthermore, the study concluded that the proposed framework and checklists were a relevant solution, as they were accepted as useful in assisting decision-makers to select appropriate Cloud business intelligence for their enterprises. The main contribution of this study is the proposed security evaluation framework and the checklists for Cloud business intelligence, for use by decision-makers in small and medium enterprises in small South African towns in the Limpopo Province.
    School of Computing, Ph. D. (Information Systems)