Cybersecurity awareness training programs: a cost–benefit analysis framework
Purpose: Employees must receive proper cybersecurity training so that they can recognize the threats to their organizations and take the appropriate actions to reduce cyber risks. However, many cybersecurity awareness training (CSAT) programs fall short due to their misaligned training focuses. Design/methodology/approach: To help organizations develop effective CSAT programs, we have developed a theoretical framework for conducting a cost–benefit analysis of those CSAT programs. We differentiate them into three types of CSAT programs (constant, complementary and compensatory) by their costs and into four types of CSAT programs (negligible, consistent, increasing and diminishing) by their benefits. Also, we investigate the impact of CSAT programs with different costs and the benefits on a company's optimal degree of security. Findings: Our findings indicate that the benefit of a CSAT program with different types of cost plays a disparate role in keeping, upgrading or lowering a company's existing security level. Ideally, a CSAT program should spend more of its expenses on training employees to deal with the security threats at a lower security level and to reduce more losses at a higher security level. Originality/value: Our model serves as a benchmark that will help organizations allocate resources toward the development of successful CSAT programs.
Industrial Management and Data Systems
Digital Object Identifier (DOI)
Zhang, Z.(J)., He, W., Li, W. and Abdous, M. (2021), "Cybersecurity awareness training programs: a cost–benefit analysis framework", Industrial Management & Data Systems, Vol. 121 No. 3, pp. 613-636. https://doi.org/10.1108/IMDS-08-2020-0462