Abstract:
This study sought to explore cyber-risk perceptions that employees in South African
financial services perceive that they as individuals and their respective organisations are
exposed, the interventions implemented by organisations and the resultant cyber
behaviours. The role-played cyber-security awareness and training intervention in shaping
these cyber-risk perceptions and self-efficacy to mitigate such risks were explored in
depth. The concept and influence of relatedness were then explored by comparing cyber
behaviours within an individual cyber-risk perception context and organisational risk
perceptions context. The research took a cross-sectional approach in 2022 and was
conducted through a qualitative method, with data collected from 15 participants from nine
organisations in the South African financial services industry. Collected data were
analysed using thematic analysis, leveraging the Atlas.ti tool. Two of the four propositions
were confirmed, whereas the other two were expanded to align with the findings from the
study. The main implication of this study is for cyber-security managers to refine their
cyber-security awareness and training programmes to approach the specific needs of
each employee to keep them engaged and for them to keep benefiting from those
programmes. There is a potential that well-crafted employee cyber-security training
programmes could entice and attract more people into the cyber-security domain, which
could help to close the growing skill shortage in this domain. This study contributes to the
human cyber behaviour literature, particularly the protection motivation theory, by
distinguishing between individual and organisational cyber-risk. Earlier studies in this
domain focused on these contexts separately and not comparatively in a single study
similar to this research.
