Abstract
Small and medium-sized enterprises (SMEs) are considered the backbone of Europe’s economy. However, SMEs are often bound by resource constraints that also limit their cybersecurity posture. In such circumstances, SMEs could potentially benefit from the free and inexpensive cybersecurity awareness (CSA) resources produced and distributed by various public and private entities. SMEs can utilize these affordable resources to elevate the knowledge and skills of employees and transform their cybersecurity attitudes and behavior. Security-conscious employees can serve as the organization’s first line of defense against cyber-attacks and -crimes. However, before employing such awareness resources, one must answer the question “how abundant and well suited are the (affordable) awareness resources for SMEs?” To address this concern, we used an exploratory approach and examined the awareness resources from 71 sources chosen after the review of 938 potential sources. Since the primary audience of the study was European SMEs, most of the sources analyzed come from European organizations. Based on our findings, while these affordable awareness resources could benefit SMEs, they do require some adjustment to better meet the requirements and situations of SMEs. Furthermore, the awareness resources exclusively targeting SMEs and the diverse business areas SMEs serve are insufficient. As a result, all involved entities, at the national and European levels, are encouraged to produce and distribute more localized awareness resources that are affordable and best match the demands and business areas of SMEs. Finally, the awareness resources should also include appropriate features for interested users to submit their feedback.
References
1. European Commission: What is an SME. https://ec.europa.eu/growth/smes/sme-definition_en. Accessed 22 June 2022
2. European Commission: Entrepreneurship and small and medium-sized enterprises (SMEs). https://ec.europa.eu/growth/smes_en. Accessed 22 June 2022
3. European Commission: Guide for training in SMEs. https://op.europa.eu/en/publication-detail/-/publication/1020b85f-dcc4-4c80-8d6e-65f4617aa3cd. Accessed 22 June 2022
4. Bada, M., Nurse, J.R.C.: Developing cybersecurity education and awareness programmes for small and medium-sized enterprises (SMEs). Inf. Comput. Secur. 27(3), 393–410 (2019)
5. U.S. Securities and Exchange Commission: The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses. https://www.sec.gov/news/statement/cybersecurity-challenges-for-small-midsize-businesses.html. Accessed 22 June 2022
6. Ponsard, C., Grandclaudon, J., Dallons, V.: Towards a cyber security label for SMEs: a European perspective. In: 4th International Conference on Information Systems Security and Privacy, Funchal, Madeira, Portugal, 24–26 January, pp. 426–431 (2018)
7. European Commission: Supporting specialized skills development: Big Data, Internet of Things and Cybersecurity for SMEs. https://op.europa.eu/en/publication-detail/-/publication/7bc063b9-5f5b-11ea-b735-01aa75ed71a1/language-en. Accessed 22 June 2022
8. OECD: Strengthening SMEs and Entrepreneurship for Productivity and Inclusive Growth: Key Issue Paper. https://www.oecd.org/cfe/smes/ministerial/documents/2018-SME-Ministerial-Conference-Key-Issues.pdf. Accessed 22 June 2022
9. Dojkovski, S., Lichtenstein, S., Warren, M.: Challenges in fostering an information security culture in Australian small and medium sized enterprises. In: European Conference on Information Warfare and Security, Helsinki, Finland (2006)
10. ZyXel, T.K.: The SME security challenge. Comput. Fraud Secur. 2015(3), 5–7 (2015)
11. FireEye: Stopping Cyber Crime Against Small and Midsize Enterprises: Enterprise Security to Protect Budget-conscious Organizations from Disruptive Attacks. https://www.fireeye.com/offers/stop-cyber-crime-against-small-medium-enterprises.html. Accessed 31 Jan 2021
12. Kaspersky: The Human Factor in IT security: How Employees are Making Businesses Vulnerable from Within. https://www.kaspersky.com/blog/the-human-factor-in-it-security/. Accessed 22 June 2022
13. KPMG: Cyber security: it’s not just about technology. https://assets.kpmg/content/dam/kpmg/pdf/2014/05/cyber-security-not-just-technology.pdf. Accessed 22 June 2022
14. Harvard Business Review: Cybersecurity Is Not (Just) a Tech Problem. https://hbr.org/2021/01/cybersecurity-is-not-just-a-tech-problem. Accessed 22 June 2022
15. Siponen, M.: Five dimensions of information security awareness. Comput. Soc. 31(2), 24–29 (2001)
16. Bada, M., Sasse, A., Nurse, J.R.C.: Cyber security awareness campaigns: why do they fail to change behaviour? In: International Conference on Cyber Security for Sustainable Society, Coventry, UK (2015)
17. SANS: 2019 Security Awareness Report: The Rising Era of Awareness Training. https://adcg.org/wp-content/uploads/2020/02/SANS-Security-Awareness-Report-2019.pdf. Accessed 22 June 2022
18. NIST: SP 800-50 Building an Information Technology Security Awareness and Training Program. https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-50.pdf. Accessed 22 June 2022
19. European Union: Institutions, Bodies & Agencies – Contact & Visit Details. https://europa.eu/european-union/contact/institutions-bodies_en. Accessed 27 Aug 2021
20. Cyberwatching.eu: R&I Project Hub. https://www.cyberwatching.eu/projects. Accessed 27 Aug 2021
21. Cyberwiser.eu: Cartography - EU National Strategies. https://www.cyberwiser.eu/cartography. Accessed 27 Aug 2021
22. AALEP: Top industry associations in the EU. http://www.aalep.eu/top-industry-associations-eu. Accessed 27 Aug 2021
23. AALEP: Top 200 EU trade associations. http://www.aalep.eu/top-industry-associations-eu. Accessed 27 Aug 2021
24. ENISA: European Cybersecurity Month. https://www.enisa.europa.eu/topics/cybersecurity-education/european-cyber-security-month. Accessed 21 June 2022
25. ENISA: International Cybersecurity Challenge. https://www.enisa.europa.eu/topics/cybersecurity-education/international-cybersecurity-challenge-icc. Accessed 21 June 2022
26. APWG: Symposium on Global Cybersecurity Awareness. https://apwg.org/symposium-on-global-cybersecurity-awareness/. Accessed 21 June 2022
27. ENISA: 1st Transport Cybersecurity Conference. https://www.enisa.europa.eu/events/first-transport-cyber-security-conference. Accessed 21 June 2022
28. Gattiker, U.E.: Can an early warning system for home users and SMEs make a difference? A field study. In: Lopez, J. (ed.) CRITIS 2006. LNCS, vol. 4347, pp. 112–127. Springer, Heidelberg (2006). https://doi.org/10.1007/11962977_10
29. Pattinson, M., et al.: Adapting cyber security training to your employees. In: 12th International Symposium on Human Aspects of Information Security & Assurance, Dundee, Scotland, UK, 29–31 August (2018)
30. CyberSec4Europe: D9.11 SME cybersecurity awareness program 2. https://cybersec4europe.eu/wp-content/uploads/2021/05/D9.11-SME-cybersecurity-awareness-program-2-FINAL-submitted-1.pdf. Accessed 22 June 2022
Acknowledgement
The authors would like to thank Panayiotis Kotzanikolaou (UPRC, Greece), Jozef Vyskoc (VaF, Slovak Republic), and Christine Jamieson (TDL, Belgium) for reviewing and providing feedback on the deliverable report submitted to the CyberSec4Europe.
Funding
This work has been financially supported by the CyberSec4Europe project (Proposal No. 830929). This paper is a revised and shortened version of the deliverable report D9.11 [30] from CyberSec4Europe’s WP9: Dissemination, Outreach, Spreading of Competence, Raising Awareness.
Appendix
S.N. | Sources |
---|---|
European Agencies and Organizations (refer to [19] to get the list of European agencies and organizations) | |
1 | European Union Agency for Cybersecurity (ENISA) |
2 | European Union Agency for Law Enforcement Cooperation (EUROPOL) |
3 | European Maritime Safety Agency (EMSA) |
4 | European Cybersecurity Organization (ECSO) |
5 | European Digital SME Alliance |
EU-Funded and National Projects (refer to [20] to get the list of EU-funded and national projects) | |
6 | Cyberwatching.eu |
7 | Cyberwiser.eu |
8 | SMESEC Project |
9 | GEIGER Project |
10 | Cyber-MAR Project |
11 | SecureHospitals Project |
12 | DOGANA Project |
13 | FORTIKA Project |
14 | CyberSec4Europe Project |
15 | PUZZLE Project |
National Organizations (refer to [21] to get the list of national organizations working in cybersecurity) | |
16 | Cyber Security Austria |
17 | Cyber Security Coalition - Belgium |
18 | Centre for Cyber security Belgium |
19 | Safeonweb - Belgium |
20 | Computer Emergency Response Team Bulgaria |
21 | CARNet’s National Computer Emergency Response Team - Croatia |
22 | Cyprus Cybercrime Centre of Excellence |
23 | National Cyber and Information Security Agency - Czech Republic |
24 | The National Computer Security Incident Response Team of the Czech Republic |
25 | Danish Centre for Cyber Security |
26 | Republic of Estonia Information System Authority |
27 | Finnish Transport and Communication Agency National Cyber Security Centre |
28 | The National Cybersecurity Agency of France |
29 | Federal Office for Information Security - Germany |
30 | Hellenic Computer Security Incident Response Team |
31 | Gov Computer Emergency Response Team Hungary |
32 | Computer Emergency Response Team-Iceland |
33 | Irish Reporting and Information Security Service |
34 | Computer Security Incident Response Team-Italia |
35 | Information Technology Security Incident Response Institution, Republic of Latvia |
36 | National Cyber Security Centre of Lithuania |
37 | Computer Emergency Response Team, Luxembourg |
38 | Cyber Security Malta |
39 | National Cyber Security Centrum - Netherlands |
40 | Norwegian National Security Authority |
41 | The Norwegian Centre for Information Security |
42 | Computer Emergency Response Team Polska |
43 | Centro Nacional de Cibersegurança - Portugal |
44 | Cyber Security Research Centre - Romania |
45 | Centrul Național de Răspuns la Incidente de Securitate Cibernetică - Romania |
46 | Computer Security Incident Response Team Slovakia |
47 | Slovenian Computer Emergency Response Team |
48 | The Spanish National Cybersecurity Institute - Computer Emergency Response Team |
49 | Centro Criptológico Nacional Computer Emergency Response Team - Spain |
50 | Computer Emergency Response Team Sweden |
51 | SWITCH’s Computer Emergency Response Team |
52 | The National Cyber Security Centre - UK |
European Trade Associations and Federations (refer to [22] and [23] to get the list of European trade associations and federations) | |
53 | Federation of Small Businesses - UK |
54 | The Software Alliance |
55 | The Association of the Swedish Engineering Industries |
56 | Investment Company Institute Global |
57 | Europe’s Distribution System Operators |
58 | The Luxembourg Banker’s Association |
59 | Association of Mutual Insurers and Insurance Cooperatives in Europe |
60 | GSMA Europe |
61 | Confederation of British Industry |
62 | Insurance Europe |
63 | European Banking Federation |
Private Organizations | |
64 | SANS Institute |
65 | InfoSec Institute |
66 | Cyber Safe Work |
67 | STOP. THINK. CONNECT |
68 | Proofpoint |
69 | CybeReady |
70 | KnowBe4 |
71 | Global Knowledge |
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Chaudhary, S., Gkioulos, V., Goodman, D. (2023). Cybersecurity Awareness for Small and Medium-Sized Enterprises (SMEs): Availability and Scope of Free and Inexpensive Awareness Resources. In: Katsikas, S., et al. Computer Security. ESORICS 2022 International Workshops. ESORICS 2022. Lecture Notes in Computer Science, vol 13785. Springer, Cham. https://doi.org/10.1007/978-3-031-25460-4_6
DOI: https://doi.org/10.1007/978-3-031-25460-4_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-25459-8
Online ISBN: 978-3-031-25460-4
eBook Packages: Computer Science, Computer Science (R0)