Developing cybersecurity education and awareness programmes for small and medium-sized enterprises (SMEs)

An essential component of an organisation’s cybersecurity strategy is building awareness and education of online threats, and how to protect corporate data and services. This research article focuses on this topic and proposes a high-level programme for cybersecurity education and awareness to be used when targeting Small-to-Medium-sized Enterprises/Businesses (SMEs/SMBs) at a city-level. We ground this programme in existing research as well as unique insight into an ongoing city-based project with similar aims. To structure our work, we begin by conducting a scoping review of the literature in cybersecurity education and awareness, particularly for SMEs/SMBs. This theoretical analysis is then complemented by using a case study and reflecting on an ongoing, innovative programme that seeks to work with these businesses to significantly enhance their security posture. From these analyses, we extract best practice and important lessons/recommendations to produce a high-level programme for cybersecurity education and awareness. We find that whilst literature can be informative at guiding education and awareness programmes, it may not always reach real-world programmes. On the other hand, existing programmes, such as the one we explored, have great potential but there can also be room for improvement. Knowledge from each of these areas can, and should, be combined to the benefit of the academic and practitioner communities. The study contributes to current research through the outline of a high-level programme for cybersecurity education and awareness targeting SMEs/SMBs. Through this research, we engage in a reflection of literature in this space, and present insights into the advances and challenges faced by an on-going programme. These analyses allow us to craft a proposal for a core programme that can assist in improving the security education, awareness and training that targets SMEs/SMBs.