Cybersecurity awareness training programs: a cost–benefit analysis framework

Document Type

Article

Publication Date

3-2-2021

Abstract

Purpose: Employees must receive proper cybersecurity training so that they can recognize the threats to their organizations and take the appropriate actions to reduce cyber risks. However, many cybersecurity awareness training (CSAT) programs fall short due to their misaligned training focuses. Design/methodology/approach: To help organizations develop effective CSAT programs, we have developed a theoretical framework for conducting a cost–benefit analysis of those CSAT programs. We differentiate them into three types of CSAT programs (constant, complementary and compensatory) by their costs and into four types of CSAT programs (negligible, consistent, increasing and diminishing) by their benefits. Also, we investigate the impact of CSAT programs with different costs and the benefits on a company's optimal degree of security. Findings: Our findings indicate that the benefit of a CSAT program with different types of cost plays a disparate role in keeping, upgrading or lowering a company's existing security level. Ideally, a CSAT program should spend more of its expenses on training employees to deal with the security threats at a lower security level and to reduce more losses at a higher security level. Originality/value: Our model serves as a benchmark that will help organizations allocate resources toward the development of successful CSAT programs.

Publication Title

Industrial Management and Data Systems

Volume

121

Issue

3

First Page

613

Last Page

636

Digital Object Identifier (DOI)

10.1108/IMDS-08-2020-0462

ISSN

02635577

Link to Full Text

Share

COinS