Sample Literature Review: The Impact of Cybersecurity Awareness Training on Employee Readiness for Combating Phishing Attacks in SMEs
1. Cybersecurity Awareness Training
Cybersecurity awareness is generally defined as an understanding of the risks associated with specific cyber threats and of the best practices that can be applied to mitigate them (Catal et al., 2022; Desolda et al., 2021; Sadiq et al., 2021). These practices include a wide variety of preventive measures as well as the steps that must be taken after an attack has occurred (Safi & Singh, 2023). As implied by established models such as the NIST Cybersecurity Framework, awareness spans multiple core functions: Identify, Protect, Detect, Respond, and Recover (Argaw et al., 2019; Nair, 2023).
Effective training therefore has to give employees sufficient information about the types of attack they may face and the measures their organisation uses to avoid them. It must ensure that every staff member understands their area of responsibility and best course of action when a cyber threat emerges, and is prepared to identify, report, and help mitigate it (Safi & Singh, 2023; Rama & Keevy, 2023). This yields a number of organisational benefits, including enhanced data security, better protection against attacks, higher levels of regulatory compliance, faster response to and recovery from security breaches, continuous organisational learning, and improved integrity of critical infrastructure (Nair, 2023).
Cybersecurity awareness training is delivered in different formats, including classroom teaching, practical exercises, and online and offline simulations (Abrahams et al., 2024). These programmes aim to cover the basics of cyber hygiene (Vayansky & Kumar, 2018), the recognition of phishing attempts (Argaw et al., 2019), an understanding of key organisational software and hardware systems (Desolda et al., 2021), and the proper use of passwords and other controls that preserve the confidentiality, integrity, and availability (CIA) of critical data (Williams & Joinson, 2020).
With that being said, multiple authors highlight that cybersecurity awareness should be viewed as a continuous process embedded in organisational culture rather than an isolated security practice. The rapidly evolving threat landscape produces new risks and attack types at an ever-increasing pace (Sumner et al., 2022). As a result, awareness training has to be delivered regularly to keep staff knowledge of these threats up to date. Additional challenges include the diverse levels of competence and digital skills found in modern companies (Pranggono & Arabo, 2021). For small and medium-sized enterprises (SMEs) this may pose a greater problem, owing to a smaller pool of candidates with specialised cybersecurity knowledge and resource limitations that reduce their ability to implement the most effective practices (Steves et al., 2020; Desolda et al., 2021).
This poses a number of problems for employee training and development policies in modern organisations (Montanez et al., 2020; Rama & Keevy, 2023; Vayansky & Kumar, 2018). While regular users are directly targeted by many attack types, including phishing, they do not possess the expertise of cybersecurity professionals. Their level of awareness therefore always represents a compromise between the ideal amount of knowledge and skill needed to recognise and prevent every threat and the level that can realistically be developed within the resources and employee time available to their organisations (Jampen et al., 2020). As noted by multiple studies, most organisations seek a balance between the level of risk they perceive and the minimum cyber resilience they can afford (Chiew et al., 2018; Frauenstein & Flowerday, 2020; Steves et al., 2020). This approach may not always be effective, however, since modern attack tooling, increasingly augmented by artificial intelligence (AI), can scan hundreds of firms for 'easy prey' at negligible cost, so that exposure to such opportunistic attacks no longer depends on an organisation's size (Sumner et al., 2022; Williams & Joinson, 2020).
The continuity element of such training also implies the need for reminders such as posters, follow-up training sessions, and regular tests and inspections (Alabdan, 2020; Carroll et al., 2022; Nadeem et al., 2023a). The specialised nature of cybersecurity threats also means that up-to-date knowledge about them is held by a limited number of experts (Chiew et al., 2018). With many SMEs lacking dedicated system administrators, this implies the use of third-party services, which adds cost and reduces the control these firms retain over their own infrastructure, since key functions are outsourced to external actors with vastly superior expertise (Chen et al., 2020; Taherdoost, 2024). The July 2024 CrowdStrike outage, in which a faulty content update to the Falcon sensor crashed an estimated 8.5 million Windows hosts worldwide, illustrates the downside of such dependence: organisations that had followed recommended security practice still suffered substantial disruption originating from their provider. Accountability presents another serious problem in awareness training, since well-designed policies must clearly delineate the responsibilities of all parties, which may be difficult to achieve in small and medium companies (Basit et al., 2021; Nadeem et al., 2023b). Where regular staff expect to be punished for their failures, they may be unwilling to disclose potentially problematic behaviour and prefer to keep such facts concealed from their superiors (Chen et al., 2020; Hijji & Alam, 2022).
2. Phishing Attacks
One of the main cybersecurity problems, according to Alabdan (2020) and Basit et al. (2021), is that threats have multiple attack vectors, including hardware, software, and organisational personnel. While the first two can be addressed by system administrators through zero-trust architectures, honeypots, and other passive and active defences, employee behaviour cannot be controlled to the same degree (Bartoli et al., 2018). Phishing attacks represent the greatest threat in this sphere because of their consequences and implications for modern organisations (Taherdoost, 2024). In such attacks, adversaries contact users while posing as long-term partners, state authorities, or other parties associated with high levels of trust (Nair, 2024; Williams & Joinson, 2020). In targeted variants they may use compromised accounts and prior correspondence to share details that convince the recipient the sender's identity is genuine. Having gained the recipient's trust, they send messages containing malicious links or attachments that install malware on company systems, or request sensitive information that must not be disclosed to outsiders.
The threat of phishing attacks is usually addressed using strategies such as endpoint security (Rama & Keevy, 2023), device policies (Nair, 2024), access control management (Naqvi et al., 2023), separate security policies for different groups of users (Alkhalil et al., 2021), follow-up reminders for users (Thomopoulos et al., 2024), and the provision of cybersecurity awareness training (Naqvi et al., 2023). The aforementioned resource deficiencies are generally handled by assigning different risk levels depending on the position of individual team members. In this scenario, the accounts of key company executives or specialists with access to highly sensitive data are monitored more closely, and these individuals receive a greater amount of training (Hijji & Alam, 2022).
Nevertheless, phishing attacks affected more than 80% of organisations in 2017-2020, and some experts expect this trend to continue throughout the 2020s (Alkhalil et al., 2021). One likely development in threat patterns is the use of artificial intelligence and text and voice generation technologies. Current tools can already imitate the speech or writing style of specific persons, which greatly increases the risk of successful social engineering and phishing attempts (Frauenstein & Flowerday, 2020; Taherdoost, 2024).
These trends create unique challenges for cybersecurity awareness training, since they substantially increase the effectiveness of attackers' communication methods (Montanez et al., 2020; Thomopoulos et al., 2024; Williams & Joinson, 2020). While the confidence tricks underlying phishing can be traced back to the 19th century, and email phishing has been used extensively in cyber-attacks for the past two decades, modern technologies allow attackers to generate unique strategies that combine big data analysis, psychological profiling, and ransomware and spyware payloads (Steves et al., 2020; Pranggono & Arabo, 2021).
Awareness of this type of threat may therefore be the most difficult to develop and maintain (Taherdoost, 2024). It relies on both psychological and technical skills that allow employees to recognise potentially fraudulent behaviour in all communication with colleagues, customers, and other stakeholders. Specific techniques include creating a sense of urgency (Sumner et al., 2022), threatening language (Montanez et al., 2020), limited-time offers (Frauenstein & Flowerday, 2020), spoofed or lookalike sender domains (Vayansky & Kumar, 2018), malicious attachments (Pranggono & Arabo, 2021), and other elements imitating legitimate requests from firm partners, state authorities, or prospective clients (Steves et al., 2020).
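The cues listed above are exactly what a mail-triage rule or a user-facing "report phishing" checklist looks for. The following is an added example, not taken from any of the reviewed studies: it scores a message on urgency, threat and offer wording, sender domains that imitate a trusted domain (homoglyph swaps such as 1 for l, typo-squats, and a trusted name used as a subdomain), a display name that invokes a trusted organisation from an unrelated address, lookalike link hosts, and risky attachment types. The trusted-domain list, keyword lists, weights, threshold and the two sample messages are all constructed for the illustration.

```python
# Added illustration: heuristic scoring of the phishing cues named above.
# Not from the reviewed studies; trusted domains, keyword lists, weights and
# sample messages are constructed for this example.
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Assumption: the organisation keeps a list of domains it legitimately deals with.
TRUSTED_DOMAINS = {"example-bank.com", "acme-supplier.com", "hmrc.gov.uk"}

URGENCY = ("immediately", "urgent", "within 24 hours", "right away", "asap")
THREAT = ("suspended", "terminated", "legal action", "locked", "penalty")
OFFER = ("limited time", "expires today", "act now", "last chance", "claim your")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".iso", ".html", ".htm",
             ".docm", ".xlsm", ".lnk", ".zip")
# Character substitutions commonly used to build lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


@dataclass
class Message:
    sender_name: str
    sender_addr: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def _normalise(domain: str) -> str:
    """Undo common homoglyph substitutions so 'examp1e' compares as 'example'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is
    either trusted itself or unrelated to any trusted domain."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    norm = _normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted:                                       # homoglyph swap
            return trusted
        if SequenceMatcher(None, norm, trusted).ratio() >= 0.85:  # typo-squat
            return trusted
        if domain.startswith(trusted + "."):                      # trusted name as subdomain
            return trusted
    return None


def score_message(msg: Message):
    """Return (score, reasons); a higher score means more phishing cues present."""
    score, reasons = 0, []
    text = f"{msg.subject}\n{msg.body}".lower()
    for label, words, weight in (("urgency", URGENCY, 2),
                                 ("threat", THREAT, 2),
                                 ("offer", OFFER, 1)):
        hits = [w for w in words if w in text]
        if hits:
            score += weight
            reasons.append(f"{label} cue: {', '.join(hits)}")
    sender_domain = msg.sender_addr.rsplit("@", 1)[-1].lower()
    target = lookalike_of(sender_domain)
    if target:
        score += 4
        reasons.append(f"sender domain {sender_domain} imitates {target}")
    # Display name invokes a trusted organisation while the address is not its domain.
    for trusted in TRUSTED_DOMAINS:
        org = trusted.split(".")[0].replace("-", " ")
        if org in msg.sender_name.lower() and sender_domain != trusted:
            score += 2
            reasons.append(f"display name claims '{org}' but sender is {sender_domain}")
    # Link hosts that imitate a trusted domain.
    for host in re.findall(r"https?://([a-z0-9.-]+)", text):
        if lookalike_of(host):
            score += 3
            reasons.append(f"link host {host} imitates a trusted domain")
    for name in msg.attachments:
        if name.lower().endswith(RISKY_EXT):
            score += 3
            reasons.append(f"risky attachment type: {name}")
    return score, reasons


def verdict(msg: Message, threshold: int = 5) -> str:
    """Triage label; the threshold is an assumption to be tuned on real mail."""
    return "suspicious" if score_message(msg)[0] >= threshold else "likely benign"


# Constructed sample messages (not real mail).
SAMPLE_PHISH = Message(
    sender_name="Example Bank Security",
    sender_addr="alerts@examp1e-bank.com",
    subject="Urgent: your account has been suspended",
    body="Your account will be locked within 24 hours. Verify now at "
         "https://example-bank.com.login-check.net/verify",
    attachments=["statement.html"],
)
SAMPLE_BENIGN = Message(
    sender_name="Acme Supplier Accounts",
    sender_addr="invoices@acme-supplier.com",
    subject="Invoice 4471 for March",
    body="Please find attached the March invoice; payment terms as agreed.",
    attachments=["invoice-4471.pdf"],
)

if __name__ == "__main__":
    for m in (SAMPLE_PHISH, SAMPLE_BENIGN):
        s, why = score_message(m)
        print(f"{m.sender_addr}: score={s} -> {verdict(m)}")
        for r in why:
            print("   -", r)
```

The reasons list is the part worth surfacing to users: showing staff why a message was flagged (which cue, which imitated domain) reinforces the same recognition skills the training is trying to build, whereas a bare "suspicious" label teaches nothing. Keyword matching is deliberately simple and will miss paraphrases; the domain checks are the more robust signal and should be backed by SPF/DKIM/DMARC results from the mail gateway in a real deployment.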
A further problem in phishing prevention is the flexibility and diversity of the instruments used by attackers, including vishing (Alabdan, 2020), smishing (Basit et al., 2021), whaling (Chen et al., 2020), and other formats (Nadeem et al., 2023b). If an attacker gains access to the account of a senior executive, they can simultaneously attempt to exfiltrate sensitive internal data while requesting additional information from colleagues and subordinates (Carroll et al., 2022). Since few people expect attacks to originate from inside the organisation, such requests may be granted if no internal zero-trust controls are in place and regular staff have not been trained to verify them (Sadiq et al., 2021; Safi & Singh, 2023).
This challenge can be further intensified by the increasing adoption of remote work and the resulting problems of formal and informal communication between workers (Carroll et al., 2022; Chen et al., 2020). Many organisations lack strict codes of conduct and monitoring for inter-employee collaboration, where sensitive data is frequently transferred without proper security procedures. After a breach, such practices can be abused to obtain important company information through informal requests (Desolda et al., 2021; Pranggono & Arabo, 2021). If executives routinely make such demands of their subordinates, an attacker using a stolen executive account can easily exploit this habit.
3. Employee Readiness
Employee readiness is generally defined as the ability of staff members to identify, report, prevent, and respond to emerging cyber threats, including phishing attacks (Argaw et al., 2020; Miranda, 2018; Thomopoulos et al., 2024). In practice, however, realising this concept is complicated by a number of barriers. First, employee readiness has to be clearly described in organisational codes of conduct and best practices, together with measurable key performance indicators (Naqvi et al., 2023). Without these, an organisation cannot appraise the actual level of staff preparedness or their ability to withstand real threats. Second, reporting and response practices may be undermined by personal fears and organisational culture issues (Rama & Keevy, 2023; Taherdoost, 2024). If a security breach results from an honest mistake or a failure to recognise social engineering or phishing, employees may be reluctant to discuss their perceived failures openly with security specialists and managers for fear of the consequences. The absence of a culture of open communication, combined with a perceived risk of punishment, leads to situations where attacks are not recognised and addressed in a timely manner (Nadeem et al., 2023a).
Third, the implementation of cybersecurity awareness training programmes can meet with employee resistance to change (Argaw et al., 2019; Jampen et al., 2020; Nair, 2024). This effect can be caused by additional workloads (Pranggono & Arabo, 2021), a lack of motivation or of perceived personal gain from new practices (Vayansky & Kumar, 2018), or other factors. With SMEs generally lacking substantial resources, the introduction of such programmes may not always be supported by tangible and intangible rewards (Steves et al., 2020).
As a result, staff members may be unwilling to fully adopt new ideas and to focus on threat identification and the development of new skills and competencies in this sphere. This limits the effectiveness of instruments such as security culture development (Williams & Joinson, 2020), cybersecurity training (Frauenstein & Flowerday, 2020), follow-up assessments (Desolda et al., 2021), and responsibility allocation (Sadiq et al., 2021), since employees may lack the time, resources, and motivation to apply cybersecurity concepts (Catal et al., 2022; Rama & Keevy, 2023). At the same time, phishing attacks use complex schemes that combine psychological pressure with advanced technical means (Safi & Singh, 2023), which implies that their prevention depends largely on staff competence and readiness to recognise such threats and mitigate them effectively (Montanez et al., 2020).
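The measurable key performance indicators that this section identifies as the first precondition for readiness can be derived directly from simulated phishing campaigns. The following is an added example, not drawn from any of the reviewed studies: it computes, per department, the click rate, the report rate, the share of staff who reported the lure without (or before) clicking it, and the median time from delivery to report, from a constructed set of campaign records, and checks each department against assumed targets. The 10% click, 50% report and 60-minute thresholds are illustrative assumptions, not figures from the literature.

```python
# Added illustration: readiness KPIs computed from simulated-phishing results.
# Not from the reviewed studies; the records and target thresholds are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class SimResult:
    """Outcome of one simulated phishing email sent to one employee."""
    user: str
    dept: str
    sent: datetime
    clicked: Optional[datetime] = None     # None = never clicked the lure
    reported: Optional[datetime] = None    # None = never used the report button


def readiness_kpis(results):
    """Per-department KPIs: click rate, report rate, share who reported
    without (or before) clicking, and median minutes from delivery to report."""
    by_dept = {}
    for r in results:
        by_dept.setdefault(r.dept, []).append(r)
    kpis = {}
    for dept, rows in by_dept.items():
        n = len(rows)
        clicks = sum(1 for r in rows if r.clicked is not None)
        reports = sum(1 for r in rows if r.reported is not None)
        safe_reports = sum(1 for r in rows if r.reported is not None
                           and (r.clicked is None or r.reported < r.clicked))
        minutes = sorted((r.reported - r.sent).total_seconds() / 60
                         for r in rows if r.reported is not None)
        kpis[dept] = {
            "sent": n,
            "click_rate": round(clicks / n, 3),
            "report_rate": round(reports / n, 3),
            "report_before_click_rate": round(safe_reports / n, 3),
            "median_minutes_to_report": round(median(minutes), 1) if minutes else None,
        }
    return kpis


def meets_target(kpi, max_click_rate=0.10, min_report_rate=0.50, max_median_minutes=60):
    """Readiness check against assumed targets (the thresholds are illustrative)."""
    if kpi["median_minutes_to_report"] is None:   # nobody reported: cannot be ready
        return False
    return (kpi["click_rate"] <= max_click_rate
            and kpi["report_rate"] >= min_report_rate
            and kpi["median_minutes_to_report"] <= max_median_minutes)


# Constructed campaign data: one lure sent to seven staff at 09:00.
T0 = datetime(2024, 3, 4, 9, 0)
SAMPLE_RESULTS = [
    SimResult("alice", "Finance", T0, reported=T0 + timedelta(minutes=5)),
    SimResult("bob", "Finance", T0, clicked=T0 + timedelta(minutes=12),
              reported=T0 + timedelta(minutes=20)),   # reported, but after clicking
    SimResult("carol", "Finance", T0, clicked=T0 + timedelta(minutes=3)),
    SimResult("dan", "Finance", T0),                    # ignored the lure
    SimResult("erin", "Sales", T0, clicked=T0 + timedelta(minutes=2)),
    SimResult("frank", "Sales", T0, clicked=T0 + timedelta(minutes=7)),
    SimResult("gina", "Sales", T0, reported=T0 + timedelta(minutes=30)),
]

if __name__ == "__main__":
    for dept, kpi in readiness_kpis(SAMPLE_RESULTS).items():
        print(dept, kpi, "meets target" if meets_target(kpi) else "below target")
```

Report rate and time to report matter more than click rate for the readiness question posed here: a department whose staff click but report quickly gives the response function something to act on, whereas a low click rate with no reports says nothing about whether a real attack would be noticed. Tracking these per department, and over successive campaigns rather than from a single exercise, is what turns the training into the measurable, continuous process described in section 1; publishing the per-person records, by contrast, feeds the fear of punishment that the text identifies as a barrier to reporting.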
References
Abrahams, T., Farayola, O., Kaggwa, S., Uwaoma, P., Hassan, A., & Dawodu, S. (2024). Cybersecurity awareness and education programs: A review of employee engagement and accountability. Computer Science & IT Research Journal, 5(1), 100-119. https://doi.org/10.51594/csitrj.v5i.708
Alabdan, R. (2020). Phishing attacks survey: Types, vectors, and technical approaches. Future Internet, 12(10), 168. https://doi.org/10.3390/fi12100168
Alkhalil, Z., Hewage, C., Nawaf, L., & Khan, I. (2021). Phishing attacks: A recent comprehensive study and a new anatomy. Frontiers in Computer Science, 3, 563060. https://doi.org/10.3389/fcomp.2021.563060
Argaw, S., Bempong, N., Eshaya-Chauvin, B., & Flahault, A. (2019). The state of research on cyberattacks against hospitals and available best practice recommendations: A scoping review. BMC Medical Informatics and Decision Making, 19, 10. https://doi.org/10.1186/s12911-018-0724-5
Argaw, S., Troncoso-Pastoriza, J., Lacey, D., Florin, M., Calcavecchia, F., Anderson, D., & Flahault, A. (2020). Cybersecurity of hospitals: Discussing the challenges and working towards mitigating the risks. BMC Medical Informatics and Decision Making, 20, 146. https://doi.org/10.1186/s12911-020-01161-7
Bartoli, A., De Lorenzo, A., Medvet, E., & Tarlao, F. (2018). How phishing pages look like? Cybernetics and Information Technologies, 18(4), 43-60. https://doi.org/10.2478/cait-2018-0047
Basit, A., Zafar, M., Liu, X., Javed, A., Jalil, Z., & Kifayat, K. (2021). A comprehensive survey of AI-enabled phishing attacks detection techniques. Telecommunication Systems, 76(1), 139-154. https://doi.org/10.1007/s11235-020-00733-2
Carroll, F., Adejobi, J., & Montasari, R. (2022). How good are we at detecting a phishing attack? Investigating the evolving phishing attack email and why it continues to successfully deceive society. SN Computer Science, 3(2), 170. https://doi.org/10.1007/s42979-022-01069-1
Catal, C., Giray, G., Tekinerdogan, B., Kumar, S., & Shukla, S. (2022). Applications of deep learning for phishing detection: A systematic literature review. Knowledge and Information Systems, 64(6), 1457-1500. https://doi.org/10.1007/s10115-022-01672-x
Chen, R., Gaia, J., & Rao, H. (2020). An examination of the effect of recent phishing encounters on phishing susceptibility. Decision Support Systems, 133, 113287. https://doi.org/10.1016/j.dss.2020.113287
Chiew, K., Yong, K., & Tan, C. (2018). A survey of phishing attacks: Their types, vectors and technical approaches. Expert Systems with Applications, 106, 1-20. https://doi.org/10.1016/j.eswa.2018.03.050
Desolda, G., Ferro, L., Marrella, A., Catarci, T., & Costabile, M. (2021). Human factors in phishing attacks: A systematic literature review. ACM Computing Surveys, 54(8), 1-35. https://doi.org/10.1145/3469886
Frauenstein, E., & Flowerday, S. (2020). Susceptibility to phishing on social network sites: A personality information processing model. Computers & Security, 94, 101862. https://doi.org/10.1016/j.cose.2020.101862
Hijji, M., & Alam, G. (2022). Cybersecurity Awareness and Training (CAT) framework for remote working employees. Sensors, 22(22), 8663. https://doi.org/10.3390/s22228663
Jampen, D., Gür, G., Sutter, T., & Tellenbach, B. (2020). Don't click: Towards an effective anti-phishing training. A comparative literature review. Human-centric Computing and Information Sciences, 10, 33. https://doi.org/10.1186/s13673-020-00237-7
Miranda, M. (2018). Enhancing cybersecurity awareness training: A comprehensive phishing exercise approach. International Management Review, 14(2), 5-10.
Montanez, R., Golob, E., & Xu, S. (2020). Human cognition through the lens of social engineering cyberattacks. Frontiers in Psychology, 11, 1755. https://doi.org/10.3389/fpsyg.2020.01755
Nadeem, M., Arshad, A., Riaz, S., Zahra, S., Band, S., & Mosavi, A. (2023b). Two layer symmetric cryptography algorithm for protecting data from attacks. Computers, Materials & Continua, 74(2), 2625-2640. https://doi.org/10.32604/cmc.2023.030899
Nadeem, M., Zahra, S., Abbasi, M., Arshad, A., Riaz, S., & Ahmed, W. (2023a). Phishing attack, its detections and prevention techniques. International Journal of Wireless Security and Networks, 1(2), 13-25. https://doi.org/10.37591/IJWSN
Nair, P. (2023). Enhancing cybersecurity awareness training through the NIST framework. International Journal of Advanced Research in Computer and Communication Engineering, 12(12), 1-5. https://doi.org/10.17148/IJARCCE.2023.121203
Nair, S. (2024). Securing against advanced cyber threats: A comprehensive guide to phishing, XSS, and SQL injection defense. Journal of Computer Science and Technology Studies, 6(1), 76-93. https://doi.org/10.32996/jcsts.2024.6.1.9
Naqvi, B., Perova, K., Farooq, A., Makhdoom, I., Oyedeji, S., & Porras, J. (2023). Mitigation strategies against the phishing attacks: A systematic literature review. Computers & Security, 132, 103387. https://doi.org/10.1016/j.cose.2023.103387
Pranggono, B., & Arabo, A. (2021). COVID-19 pandemic cybersecurity issues. Internet Technology Letters, 4(2), e247. https://doi.org/10.1002/itl2.247
Rama, P., & Keevy, M. (2023). Public cybersecurity awareness good practices on government-led websites. International Journal of Research in Business and Social Science, 12(7), 94-104. https://doi.org/10.20525/ijrbs.v12i7.2840
Sadiq, A., Anwar, M., Butt, R., Masud, F., Shahzad, M., Naseem, S., & Younas, M. (2021). A review of phishing attacks and countermeasures for internet of things-based smart business applications in industry 4.0. Human Behavior and Emerging Technologies, 3(5), 854-864. https://doi.org/10.1002/hbe2.301
Safi, A., & Singh, S. (2023). A systematic literature review on phishing website detection techniques. Journal of King Saud University - Computer and Information Sciences, 35(2), 590-611. https://doi.org/10.1016/j.jksuci.2023.01.004
Steves, M., Greene, K., & Theofanos, M. (2020). Categorizing human phishing difficulty: A Phish Scale. Journal of Cybersecurity, 6(1), tyaa009. https://doi.org/10.1093/cybsec/tyaa009
Sumner, A., Yuan, X., Anwar, M., & McBride, M. (2022). Examining factors impacting the effectiveness of anti-phishing trainings. Journal of Computer Information Systems, 62(5), 975-997. https://doi.org/10.1080/08874417.2021.1955638
Taherdoost, H. (2024). A critical review on cybersecurity awareness frameworks and training models. Procedia Computer Science, 235, 1649-1663. https://doi.org/10.1016/j.procs.2024.04.156
Thomopoulos, G., Lyras, D., & Fidas, C. (2024). A systematic review and research challenges on phishing cyberattacks from an electroencephalography and gaze-based perspective. Personal and Ubiquitous Computing, 1(1), 1-22. https://doi.org/10.1007/s00779-024-01794-9
Vayansky, I., & Kumar, S. (2018). Phishing - challenges and solutions. Computer Fraud & Security, 2018(1), 15-20. https://doi.org/10.1016/S1361-3723(18)30007-1
Williams, E., & Joinson, A. N. (2020). Developing a measure of information seeking about phishing. Journal of Cybersecurity, 6(1), tyaa001. https://doi.org/10.1093/cybsec/tyaa001