EMPLOYEE CYBERSECURITY AWARENESS TRAINING PROGRAMS CUSTOMIZED FOR SME CONTEXTS TO REDUCE HUMAN-ERROR RELATED SECURITY INCIDENTS
Friday Ugbebor, Olushola Aina, Mayowa Abass, Dare Kushanu
Abstract
Abstract Introduction: Employee cybersecurity awareness training programs in Small and Mediumsized Enterprises (SMEs) have become increasingly critical as organizations face mounting cyber threats and security challenges. Studies have shown that human contribution is a major risk factor in security incidents hence the imperative need for proper training. SMEs are especially at risk since they are compared to large enterprises characterized by less resources and poorer technical knowledge and security equipment. Research has further shown that organisational context specific and targeted training programs could go a long way in enhancing the security awareness, and the overall incidence rates through modifications in behaviour and perceived security risks. Materials and Methods: A systematic literature review was conducted following the PRISMA protocol to analyze peer-reviewed articles, doctoral dissertations, and scholarly publications focusing on cybersecurity awareness training in SME contexts. In terms of inclusion criteria, only papers presenting empirical findings related to training program outcomes, practices, and assessment methodologies were chosen. Articles were screened on the basis the research method employed, their applicability to SMEs, and the efforts devoted to human factors in cybersecurity. Documents were analyzed for quantitative and qualitative data and an analysis of themes, successful training methods and challenges in implementation. To minimize missing potentially informative articles, multiple databases weresought andusedwithpredetermined search terms. Results: Analysis revealed that effective SME cybersecurity training programs share common characteristics: They are topicality, applicability, and the possibility of constant evaluation. The companies that adopted the corporate training programs that were tailored to their specific business environments realised an improvement of 45-65 percent reduction in security breaches that resulted from personnel mistakes. For management support internalization and frequent reminding of the security practices as key success factors were reported. The findings revealed that employee engagement levels of 72% was realized if training elements included CBT interactivity and realistic workplace simulations. The latter are applicable in resource-scarce environments and displayed a high potential for cost efficient training based on cloud-based platforms and gamification; the average implementation costs were 40%less than with traditional training approaches. Discussion: Evidence suggests that successful cybersecurity training programs must balance technical content with practical application while considering SME resource constraints. Applying principles of behavioural psychology in making lessons and trainings proved to be more effective in creating changes in the security behavioral patterns. These trends suggest increasing use of AI adapted student oriented learning and training in realistic ensembles. Some limitations exist when it comes to assessing behaviour change over a long term period and establishing constantly high security competencies across multiple organizational granularity levels. Cultural issues and employees’ resistance proved to be the main program implementation issues that could only be addressed with specific interventions to unmask implementation challenges. Conclusion: The synthesis of current research demonstrates that customized cybersecurity awareness training programs significantly impact security incident reduction in SME environments. Sources of competitive advantage have to do with having content germane to specific contexts, the focus on practical application, and presence of training reinforcement measures. This empirical research reveals that management commitment, resources, and employees’ participation are key success factors for the program success. Further research should focus on more effective approaches for delivering security messages, defining a suitable set of measures for recording behavior changes, and creating development plans for reliable security culture.