Cyber Security Training in Small to Medium-sized Enterprises (SMEs): Exploring Organisation Culture and Employee Training Needs.

Abstract

Research shows that large businesses routinely provide cyber security training, to educate and train staff in readiness for a cyber threat. Contrary to this, small to medium enterprises (SMEs), are either unaware of risks and/or lack the financial resources for training and education. As a result, SMEs frequently fall victim to security breaches, and this can affect business reputation, access to private details, finance, and potential future business with clients. Although investments are sometimes made to train staff, there are still shortcomings with the design and delivery of cyber security training, that may impact learners' perceptions and attitudes towards learning. Rather than applying learning theories, adult learning principles, and fundamentals for developing business objectives, training approaches are typically technical and knowledge-based. Past research has primarily looked at this problem from a computing perspective, instead of a psychological lens, that explores the nature of human beings and what affects learning and transfer of knowledge in the workplace. The design of cyber training incorporates knowledge-based questions to address learning objectives, however, there is a lack of interrogation into the effectiveness of training, and this raises the question, how effective is cyber training? This thesis aims to evaluate learning theories and training evaluation methods by comparing them to the literature. The thesis will investigate the selection, development, and delivery of cyber security training and identify how, and if, these address employee training needs. The results will demonstrate the methods to derive cyber security training content compared to what the literature proposes, what training evaluation methods are used and how they address employees and the organisation’s needs. The thesis adopts a qualitative approach with one exception. Studies 1a and 1b are part of a larger project, study 1a collected quantitative data, through a knowledge survey, which provided background insight into participant knowledge. Study 1b involves a follow-up interview about the Study 1a survey. The interviews involved 14 SME business owners in Dorset and focused on perceptions, peer influence, and motivation. The results from Study 1b highlight that organisational culture influenced attitudes and perceptions from other colleagues and managers towards cyber security. The results showed that employees showed little to no attention to cyber security due to work priorities. Participants associated their poor learning and lack of behaviour change with limitations and style of the delivery and content of the training. The results acquired in Study 1b prompted reason to further investigate training development and organisational culture in a second study. The second study (Study 2) also adopted a qualitative approach and investigates the process of how cyber security training is selected, devised, and delivered to businesses. The interview participants are content developers, awareness professionals, and employees. In addition, one of the aims of Study 2 is to investigate how much employee training needs are evaluated in the process of training selection. There was a total of 27 interviews with content developers, employees, and awareness professionals. The results from Study 2 showed that employee training needs are not evaluated in the selection process. Employees discussed factors that influence their attitudes towards cyber security, such as internal and external motivation, training material and time constraints. The key conclusions from the studies demonstrate that content developers create arbitrary training because they neglect to investigate the needs of employees. In addition, awareness professionals neglect to support staff and outline training objectives, which leads to training that does not address employee challenges and, as a result, causes employees to feel disengaged, lose interest, and fail to apply what they have learned in training in the workplace. The findings from this research contribute to the cyber training and education community, as the thesis produced research-based guidance for developing training for SMEs. The current landscape fails to address security training from a psychological lens or established domains, like Education and Training. Key findings from this research demonstrate that consideration of employee training needs is vital for learning and transferring knowledge in the workplace.