Cybersecurity awareness training programs: a cost-benefit analysis framework

Purpose - Employees must receive proper cybersecurity training so that they can recognize the threats to their organizations and take the appropriate actions to reduce cyber risks. However, many cybersecurity awareness training (CSAT) programs fall short due to their misaligned training focuses. Design/methodology/approach - To help organizations develop effective CSAT programs, we have developed a theoretical framework for conducting a cost-benefit analysis of those CSAT programs. We differentiate them into three types of CSAT programs (constant, complementary and compensatory) by their costs and into four types of CSAT programs (negligible, consistent, increasing and diminishing) by their benefits. Also, we investigate the impact of CSAT programs with different costs and the benefits on a company's optimal degree of security. Findings - Our findings indicate that the benefit of a CSAT program with different types of cost plays a disparate role in keeping, upgrading or lowering a company's existing security level. Ideally, a CSAT program should spend more of its expenses on training employees to deal with the security threats at a lower security level and to reduce more losses at a higher security level. Originality/value - Our model serves as a benchmark that will help organizations allocate resources toward the development of successful CSAT programs.

Automated summary

Through a cost-benefit analysis, the study classifies different types of CSAT programs to help organizations develop effective cybersecurity awareness training. Findings show that CSAT programs with different costs play a differing role in maintaining, upgrading or lowering a company's existing security level. Ideally, CSAT programs should allocate more expenses towards training employees to deal with security threats at lower security levels and reducing more losses at higher security levels.