“Probably put some sort of fear in”: investigating the role of heuristics in cyber awareness messaging for small to medium sized enterprises

Dominic Button; Jacques Ophoff; Alastair Irons; Sharon McDonald

doi:10.1007/978-3-031-72563-0_8

“Probably put some sort of fear in”: investigating the role of heuristics in cyber awareness messaging for small to medium sized enterprises

Dominic Button^*, Jacques Ophoff, Alastair Irons, Sharon McDonald

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

Cyber-attacks are increasing at an exponential rate, targeting organisation irrespective of size. Small to medium sized enterprises (SMEs) are particularly vulnerable yet often lack cybersecurity awareness. This entails that an individual or organisation becomes aware of the cyber threats they face in addition to the protective actions and behaviours they can take. Despite the positive intentions of current cybersecurity awareness initiatives, there is a lack of adoption by SMEs. To better understand the situation this study explores SME owner or manager perceptions of cybersecurity awareness messages, leveraging psychological heuristics and message framing. Empirical data was collected through interviews with 16 participants representing SMEs in the North-East of England. Findings reflect that the framing of messages towards fear is more accepted by SMEs as opposed to positivity messages. Moreover, heuristics of self-efficacy and cost are seen to instil a desire to comply with cyber security behaviours. However, not all SMEs could agree on an approach thus suggesting that SMEs require bespoke messaging relating to the businesses and the owner.

Original language	English
Title of host publication	Human Aspects of Information Security and Assurance
Subtitle of host publication	18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, proceedings, part II
Editors	Nathan Clarke, Steven Furnell
Place of Publication	Cham
Publisher	Springer
Pages	101-115
Number of pages	15
ISBN (Electronic)	9783031725630
ISBN (Print)	9783031725623, 9783031725654
DOIs	https://doi.org/10.1007/978-3-031-72563-0_8
Publication status	Published - 28 Nov 2024
Event	18th International Symposium on Human Aspects of Information Security & Assurance - University of Skövde, Skövde, Sweden Duration: 9 Jul 2024 → 11 Jul 2024 Conference number: 18th

Publication series

Name	IFIP Advances in Information and Communication Technology (IFIPAICT)
Publisher	Springer
Volume	722
ISSN (Print)	1868-4238
ISSN (Electronic)	1868-422X

Conference

Conference	18th International Symposium on Human Aspects of Information Security & Assurance
Abbreviated title	HAISA 2024
Country/Territory	Sweden
City	Skövde
Period	9/07/24 → 11/07/24

Keywords

Cyber security
Awareness messaging
Small to medium enterprises

Access to Document

10.1007/978-3-031-72563-0_8

Embargoed Document

Ophoff_ProbablyPutSomeSortOfFearIn_Accepted_2024
Accepted author manuscript, 623 KB
Embargo ends: 28/11/25

Cite this

Button, D., Ophoff, J., Irons, A., & McDonald, S. (2024). “Probably put some sort of fear in”: investigating the role of heuristics in cyber awareness messaging for small to medium sized enterprises. In N. Clarke, & S. Furnell (Eds.), Human Aspects of Information Security and Assurance: 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, proceedings, part II (pp. 101-115). (IFIP Advances in Information and Communication Technology (IFIPAICT); Vol. 722). Springer. https://doi.org/10.1007/978-3-031-72563-0_8

Button, Dominic ; Ophoff, Jacques ; Irons, Alastair et al. / “Probably put some sort of fear in” : investigating the role of heuristics in cyber awareness messaging for small to medium sized enterprises. Human Aspects of Information Security and Assurance: 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, proceedings, part II. editor / Nathan Clarke ; Steven Furnell. Cham : Springer, 2024. pp. 101-115 (IFIP Advances in Information and Communication Technology (IFIPAICT)).

@inproceedings{ac81b0dd3dc34b348145740e64e34219,

title = "“Probably put some sort of fear in”: investigating the role of heuristics in cyber awareness messaging for small to medium sized enterprises",

abstract = "Cyber-attacks are increasing at an exponential rate, targeting organisation irrespective of size. Small to medium sized enterprises (SMEs) are particularly vulnerable yet often lack cybersecurity awareness. This entails that an individual or organisation becomes aware of the cyber threats they face in addition to the protective actions and behaviours they can take. Despite the positive intentions of current cybersecurity awareness initiatives, there is a lack of adoption by SMEs. To better understand the situation this study explores SME owner or manager perceptions of cybersecurity awareness messages, leveraging psychological heuristics and message framing. Empirical data was collected through interviews with 16 participants representing SMEs in the North-East of England. Findings reflect that the framing of messages towards fear is more accepted by SMEs as opposed to positivity messages. Moreover, heuristics of self-efficacy and cost are seen to instil a desire to comply with cyber security behaviours. However, not all SMEs could agree on an approach thus suggesting that SMEs require bespoke messaging relating to the businesses and the owner. ",

author = "Dominic Button and Jacques Ophoff and Alastair Irons and Sharon McDonald",

note = "{\textcopyright} 2025 IFIP International Federation for Information Processing Data availability statement: Not present.; 18th International Symposium on Human Aspects of Information Security \& Assurance, HAISA 2024 ; Conference date: 09-07-2024 Through 11-07-2024",

year = "2024",

month = nov,

day = "28",

doi = "10.1007/978-3-031-72563-0\_8",

language = "English",

isbn = "9783031725623",

series = "IFIP Advances in Information and Communication Technology (IFIPAICT)",

publisher = "Springer",

pages = "101--115",

editor = "Nathan Clarke and Steven Furnell",

booktitle = "Human Aspects of Information Security and Assurance",

}

Button, D , Ophoff, J, Irons, A & McDonald, S 2024, “Probably put some sort of fear in”: investigating the role of heuristics in cyber awareness messaging for small to medium sized enterprises. in N Clarke & S Furnell (eds), Human Aspects of Information Security and Assurance: 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, proceedings, part II. IFIP Advances in Information and Communication Technology (IFIPAICT), vol. 722, Springer, Cham, pp. 101-115, 18th International Symposium on Human Aspects of Information Security & Assurance, Skövde, Sweden, 9/07/24. https://doi.org/10.1007/978-3-031-72563-0_8

“Probably put some sort of fear in”: investigating the role of heuristics in cyber awareness messaging for small to medium sized enterprises. / Button, Dominic ; Ophoff, Jacques; Irons, Alastair et al.
Human Aspects of Information Security and Assurance: 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, proceedings, part II. ed. / Nathan Clarke; Steven Furnell. Cham: Springer, 2024. p. 101-115 (IFIP Advances in Information and Communication Technology (IFIPAICT); Vol. 722).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - “Probably put some sort of fear in”

T2 - 18th International Symposium on Human Aspects of Information Security & Assurance

AU - Button, Dominic

AU - Ophoff, Jacques

AU - Irons, Alastair

AU - McDonald, Sharon

N1 - Conference code: 18th

PY - 2024/11/28

Y1 - 2024/11/28

N2 - Cyber-attacks are increasing at an exponential rate, targeting organisation irrespective of size. Small to medium sized enterprises (SMEs) are particularly vulnerable yet often lack cybersecurity awareness. This entails that an individual or organisation becomes aware of the cyber threats they face in addition to the protective actions and behaviours they can take. Despite the positive intentions of current cybersecurity awareness initiatives, there is a lack of adoption by SMEs. To better understand the situation this study explores SME owner or manager perceptions of cybersecurity awareness messages, leveraging psychological heuristics and message framing. Empirical data was collected through interviews with 16 participants representing SMEs in the North-East of England. Findings reflect that the framing of messages towards fear is more accepted by SMEs as opposed to positivity messages. Moreover, heuristics of self-efficacy and cost are seen to instil a desire to comply with cyber security behaviours. However, not all SMEs could agree on an approach thus suggesting that SMEs require bespoke messaging relating to the businesses and the owner.

AB - Cyber-attacks are increasing at an exponential rate, targeting organisation irrespective of size. Small to medium sized enterprises (SMEs) are particularly vulnerable yet often lack cybersecurity awareness. This entails that an individual or organisation becomes aware of the cyber threats they face in addition to the protective actions and behaviours they can take. Despite the positive intentions of current cybersecurity awareness initiatives, there is a lack of adoption by SMEs. To better understand the situation this study explores SME owner or manager perceptions of cybersecurity awareness messages, leveraging psychological heuristics and message framing. Empirical data was collected through interviews with 16 participants representing SMEs in the North-East of England. Findings reflect that the framing of messages towards fear is more accepted by SMEs as opposed to positivity messages. Moreover, heuristics of self-efficacy and cost are seen to instil a desire to comply with cyber security behaviours. However, not all SMEs could agree on an approach thus suggesting that SMEs require bespoke messaging relating to the businesses and the owner.

U2 - 10.1007/978-3-031-72563-0_8

DO - 10.1007/978-3-031-72563-0_8

M3 - Conference contribution

SN - 9783031725623

SN - 9783031725654

T3 - IFIP Advances in Information and Communication Technology (IFIPAICT)

SP - 101

EP - 115

BT - Human Aspects of Information Security and Assurance

A2 - Clarke, Nathan

A2 - Furnell, Steven

PB - Springer

CY - Cham

Y2 - 9 July 2024 through 11 July 2024

ER -

Button D , Ophoff J, Irons A, McDonald S. “Probably put some sort of fear in”: investigating the role of heuristics in cyber awareness messaging for small to medium sized enterprises. In Clarke N, Furnell S, editors, Human Aspects of Information Security and Assurance: 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, proceedings, part II. Cham: Springer. 2024. p. 101-115. (IFIP Advances in Information and Communication Technology (IFIPAICT)). Epub 2024 Nov 28. doi: 10.1007/978-3-031-72563-0_8

“Probably put some sort of fear in”: investigating the role of heuristics in cyber awareness messaging for small to medium sized enterprises

Abstract

Publication series

Conference

Keywords

Access to Document

Embargoed Document

Fingerprint

Cite this