The function of cyber-security awareness and training in shaping cyber-risk perceptions and resultant cyber behaviours

Abstract

This study sought to explore cyber-risk perceptions that employees in South African financial services perceive that they as individuals and their respective organisations are exposed, the interventions implemented by organisations and the resultant cyber behaviours. The role-played cyber-security awareness and training intervention in shaping these cyber-risk perceptions and self-efficacy to mitigate such risks were explored in depth. The concept and influence of relatedness were then explored by comparing cyber behaviours within an individual cyber-risk perception context and organisational risk perceptions context. The research took a cross-sectional approach in 2022 and was conducted through a qualitative method, with data collected from 15 participants from nine organisations in the South African financial services industry. Collected data were analysed using thematic analysis, leveraging the Atlas.ti tool. Two of the four propositions were confirmed, whereas the other two were expanded to align with the findings from the study. The main implication of this study is for cyber-security managers to refine their cyber-security awareness and training programmes to approach the specific needs of each employee to keep them engaged and for them to keep benefiting from those programmes. There is a potential that well-crafted employee cyber-security training programmes could entice and attract more people into the cyber-security domain, which could help to close the growing skill shortage in this domain. This study contributes to the human cyber behaviour literature, particularly the protection motivation theory, by distinguishing between individual and organisational cyber-risk. Earlier studies in this domain focused on these contexts separately and not comparatively in a single study similar to this research.