Litcius/Paper detail

Cybersecurity awareness training programs: a cost–benefit analysis framework

Zuopeng Zhang, Wu He, Wenzhuo Li, M’hammed Abdous

2021Industrial Management & Data Systems55 citationsDOI

Abstract

Purpose Employees must receive proper cybersecurity training so that they can recognize the threats to their organizations and take the appropriate actions to reduce cyber risks. However, many cybersecurity awareness training (CSAT) programs fall short due to their misaligned training focuses. Design/methodology/approach To help organizations develop effective CSAT programs, we have developed a theoretical framework for conducting a cost–benefit analysis of those CSAT programs. We differentiate them into three types of CSAT programs (constant, complementary and compensatory) by their costs and into four types of CSAT programs (negligible, consistent, increasing and diminishing) by their benefits. Also, we investigate the impact of CSAT programs with different costs and the benefits on a company's optimal degree of security. Findings Our findings indicate that the benefit of a CSAT program with different types of cost plays a disparate role in keeping, upgrading or lowering a company's existing security level. Ideally, a CSAT program should spend more of its expenses on training employees to deal with the security threats at a lower security level and to reduce more losses at a higher security level. Originality/value Our model serves as a benchmark that will help organizations allocate resources toward the development of successful CSAT programs.

Topics & Concepts

Benchmark (surveying)Computer securityComputer scienceOriginalityTraining (meteorology)BusinessPsychologySocial psychologyGeographyGeodesyPhysicsCreativityMeteorologyInformation and Cyber SecurityNetwork Security and Intrusion DetectionSoftware Reliability and Analysis Research
Cybersecurity awareness training programs: a cost–benefit analysis framework | Litcius