
Guidelines and Tool Support for Building a Cybersecurity Awareness Program for SMEs

  • Conference paper
Information Systems Security and Privacy (ICISSP 2019)

Abstract

Nowadays companies have become highly dependent on digital technology for running their business, regardless of their size or domain. Smaller organisations require specific attention because of their lower levels of protection and of reaction and recovery capability, while they are increasingly being targeted by cyberattacks. In order to improve their level of cybersecurity and resilience, a first step is to raise awareness. This is, however, not an easy task because awareness is highly dependent on human factors and is spread across the whole organisation, including managers, business users and IT staff. This paper aims at supporting the development of a cybersecurity awareness program for small and medium enterprises. In order to build the program on strong foundations, the current state of awareness of such companies is presented and a SWOT analysis is carried out. Different instruments for efficiently supporting the deployment of the program are then presented. A practical experience carried out in Belgium to implement some of the proposed instruments is also presented, and some lessons learned are discussed.



Acknowledgements

This research was partly supported by Digital Wallonia and the DIGITRANS project (grant nr. 7618). We thank Infopole and the companies of the cybersecurity cluster for their support and feedback.

Author information


Correspondence to Christophe Ponsard.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Ponsard, C., Grandclaudon, J. (2020). Guidelines and Tool Support for Building a Cybersecurity Awareness Program for SMEs. In: Mori, P., Furnell, S., Camp, O. (eds) Information Systems Security and Privacy. ICISSP 2019. Communications in Computer and Information Science, vol 1221. Springer, Cham. https://doi.org/10.1007/978-3-030-49443-8_16


  • DOI: https://doi.org/10.1007/978-3-030-49443-8_16


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-49442-1

  • Online ISBN: 978-3-030-49443-8

  • eBook Packages: Computer Science, Computer Science (R0)
