Abstract
Purpose
Small to medium-sized enterprises (SMEs) are particularly vulnerable to cyber-attacks, often due to limited cyber security awareness. While traditional messaging frequently uses fear-based strategies, positive reinforcement has also been proposed. However, research remains inconclusive on the most effective approach. This study aims to explore perceptions of fear-based versus positive cyber security messaging within this context. In addition, it examines the alignment between SME perceptions of cyber security and those of cyber security experts (CSEs), providing insights into potential gaps and opportunities for more effective cyber security communication.
Design/methodology/approach
A qualitative exploratory approach was used, developing cyber security awareness messages incorporating self-efficacy, social norms or cost, framed either fearfully or positively. Data was collected through 20 semi-structured interviews with SME owners or managers and CSEs, using the messages as focal points. Thematic analysis was conducted on the interview data, resulting in the development of thematic maps.
Findings
Both SMEs and CSEs advocated the need for messaging that includes fear and realism. However, CSEs noted that SMEs often lack awareness of specific cyber threats. Self-efficacy and cost were highlighted by both groups, reflecting a degree of alignment in their perspectives. Despite this, findings indicate that tailored messaging is crucial, as a one-size-fits-all approach is ineffective.
Originality/value
This study advances theoretical understanding of cyber security messaging by identifying effective heuristics and framing strategies for SMEs. In addition, its insights have broader applications in cyber security education, aiding the development of more effective training materials.
| Original language | English |
|---|---|
| Number of pages | 15 |
| Journal | Information and Computer Security |
| Early online date | 26 Jun 2025 |
| Publication status | E-pub ahead of print - 26 Jun 2025 |
Keywords
- Cyber security awareness
- SME
- Experts
- Heuristics