
We need to aim at the top: Factors associated with cybersecurity awareness of cyber and information security decision-makers

  • Simon Vrhovec ,

    Roles Conceptualization, Data curation, Formal analysis, Investigation, Methodology, Software, Validation, Writing – original draft, Writing – review & editing

    simon.vrhovec@um.si

    Affiliation Faculty of Criminal Justice and Security, University of Maribor, Ljubljana, Slovenia

  • Blaž Markelj

    Roles Conceptualization, Funding acquisition, Project administration, Validation

    Affiliation Faculty of Criminal Justice and Security, University of Maribor, Ljubljana, Slovenia

Abstract

Cyberattacks pose a significant business risk to organizations. Although there is ample literature on why people pose a major risk to organizational cybersecurity and how to deal with it, surprisingly little is known about cyber and information security decision-makers, who are essentially the people in charge of setting up and maintaining organizational cybersecurity. In this paper, we study the cybersecurity awareness of cyber and information security decision-makers and investigate factors associated with it. We conducted an online survey among Slovenian cyber and information security decision-makers (N = 283) to (1) determine whether their cybersecurity awareness is associated with the adoption of antimalware solutions in their organizations, and (2) explore which organizational factors and personal characteristics are associated with their cybersecurity awareness. Our findings indicate that awareness of well-known threats and solutions is quite low for individuals in decision-making roles. They also provide insights into which threats (e.g., distributed denial-of-service (DDoS) attacks, botnets, industrial espionage, and phishing) and solutions (e.g., security operation center (SOC), advanced antimalware solutions with endpoint detection and response (EDR)/extended detection and response (XDR) capabilities, organizational critical infrastructure access control, centralized device management, multi-factor authentication, centralized management of software updates, and remote data deletion on lost or stolen devices) cyber and information security decision-makers are the least aware of. We found that awareness of certain threats and solutions is positively associated with either the adoption of advanced antimalware solutions with EDR/XDR capabilities or the adoption of a SOC.
Additionally, we identified significant organizational factors (organizational role type) and personal characteristics (gender, age, experience with information security and experience with information technology (IT)) related to cybersecurity awareness of cyber and information security decision-makers. Organization size and formal education were not significant. These results offer insights that can be leveraged in targeted cybersecurity training tailored to the needs of groups of cyber and information security decision-makers based on these key factors.

1 Introduction

The multitude of cyberattacks and the rise of cybercrime are leading more and more organizations to accept cybersecurity as a significant business risk that can cause major financial losses, damage to reputation and legal liabilities [1–4]. The boundaries between information security and cyber security are essentially blurred in a highly connected society such as the one we live in, and one cannot practically be achieved without the other. Information and cyber security decision-makers include information technology (IT)/information security (IS) executive (e.g., chief information security officer (CISO), chief information officer (CIO)), non-IT/IS executive (e.g., chief executive officer (CEO), chief financial officer (CFO)) and non-executive (e.g., IT administrator, department head) decision-makers. Decision-makers who are tasked with managing these cyber-risks need to deal with the challenges of evaluating risks in an evolving threat landscape and with constantly emerging new technologies [5, 6]. It is already challenging to determine the real causes of cyber-incidents [7], which makes identifying the right countermeasures before incidents happen, taking into account their cost-benefit relationships, an exceedingly difficult task [8, 9]. Although a systematic approach to cybersecurity seems imperative, there are also proposals to measure cybersecurity less and communicate about it more [10]. For example, organizational leaders, such as the CIO, CISO, and chief technology officer (CTO), are at the core of supporting cybersecurity strategies by improving governance and integration as well as fostering a new cultural mindset for cyber-resiliency [11].
Nevertheless, decision-makers are primarily tasked with decisions on cybersecurity measures, which range from adopting cybersecurity standards and technical measures, such as advanced antimalware [12] and intrusion detection [13] solutions, through human-centric measures, such as various types of cybersecurity training [14, 15], to inter-organizational measures, such as cyberthreat intelligence [16–19].

The human aspect of cybersecurity is a thriving research area. Studies focus on social engineering and phishing [20, 21], decision-making processes of security operation center (SOC) analysts [22], security concerns associated with the adoption of social robots [23], effects of cyberattack proximity [24], fake and real news decision-making [25], information seeking [26], testing cyber soldiers [27], replacing aging and thus insecure smart devices [28], etc. These are just a few examples that illustrate the diversity of these studies. The published literature, however, seldom focuses on decision-makers, even though they are among the key enablers of cybersecurity in organizations. For example, Bongiovanni et al. (2022) [29] investigated how decision-makers implement measures recommended by published cybersecurity guidelines. A study on the adoption of cybersecurity standards in small and medium-sized enterprises (SMEs) found significant factors, such as demographics (organization size, intensity of IT usage, number of IT staff, number of IT security staff, investments in IT, investments in IT security), attitudes towards organizational cybersecurity risks and customer cybersecurity needs [30]. Triplett (2022) [31] studied how cybersecurity is promoted by organizational leaders. Studies indicate that unintentional human factors which facilitate cyberattacks include lack of support by leaders, lack of knowledge and skills, not being aware of the severity and damage cyberattacks can have, complacency and naivety coupled with reluctance to learn or seek help, and cybersecurity fatigue [32]. Some studies indicate a lack of awareness and cybersecurity education among decision-makers [33, 34]. It is especially worrisome that decision-makers are often unaware of what solutions can do to protect data [34]. Formal education and organization size were found to be contributing factors [34].
However, we found a single study suggesting that cyberthreat awareness among decision-makers is high [35], although it remains unclear how the researchers reached this conclusion since they did not report it in their work. The findings in the literature are thus mixed at best. The literature also does not provide any insights into which factors may be associated with the cybersecurity awareness of decision-makers. Such insights may help to improve the awareness of cyber and information security decision-makers, e.g., with targeted cybersecurity training tailored to the needs of groups of decision-makers based on these key factors.

In this paper, we focus on cybersecurity awareness of decision-makers by investigating their awareness of well-known threats and solutions. First, we investigate whether there are differences between cybersecurity awareness of decision-makers in organizations adopting advanced antimalware solutions, and in organizations that do not. We break down advanced antimalware solutions into (1) advanced antimalware solutions with endpoint detection and response (EDR)/extended detection and response (XDR) capabilities, and (2) SOC as two of the most common advanced antimalware solutions found on the market today. This enabled us to determine whether cybersecurity awareness might play an important role in their decisions on cybersecurity. Second, we explored which organizational factors and personal characteristics are associated with cybersecurity awareness of decision-makers. Based on this, we developed these research questions:

  1. RQ1: Are there differences in cybersecurity awareness of decision-makers across groups based on adoption of antimalware solutions in their organizations?
  2. RQ2a: Are there differences in cybersecurity awareness of decision-makers across groups based on organizational factors?
  3. RQ2b: Are there differences in cybersecurity awareness of decision-makers across groups based on their personal characteristics?

This paper is structured as follows. We present the research methodology in Section 2. The results of our study are presented in Section 3. We provide theoretical and practical implications as well as limitations and directions for future work in Section 4.

2 Methodology

2.1 Research design

We employed a cross-sectional research design to capture cybersecurity awareness of decision-makers and other variables at a specific time period. We conducted a survey among cyber and information security decision-makers in Slovenian organizations through the Cint platform (https://www.cint.com/). We included IT/IS executive (e.g., CISO, CIO), non-IT/IS executive (e.g., CEO, CFO) and non-executive (e.g., IT administrator, department head) decision-makers in the sample to cover the whole spectrum of cyber and information security decision-makers in organizations of different sizes, and enable comparison between them.

2.2 Ethical considerations

This study involved human participants. The study proposal was approved on 27 February 2023 by the Research Ethics Committee of the Faculty of Criminal Justice and Security at the University of Maribor [2702–2023]. We obtained written informed consent from the participants.

2.3 Measurement instrument

The survey questionnaire was designed to measure awareness of threats, awareness of solutions, adopted antimalware solution type and adopted SOC realization in addition to organizational factors (organizational role type and organization size) and personal characteristics (gender, formal education, age, experience with information security and experience with IT).

We developed a set of common cyber threats and a set of solutions for managing cyber-risks based on existing literature. We would like to note that both cyber threats and solutions are constantly evolving. Additionally, varying and often conflicting taxonomies [36] make it exceedingly hard to capture all threats and solutions in manageable sets [37]. We thus opted to develop sets of threats and solutions that were common at the time the study was done [38–40]. Awareness of threats included questions on nine common threats: loss of access to data (e.g., ransomware, locking of devices) [41–44]; information system intrusion (e.g., hacking) [42, 44, 45]; theft of business-critical data (industrial espionage) [36, 45]; distributed denial of service (DDoS) attacks [41, 42, 45, 46]; takeover of devices (e.g., botnets) [42, 46]; malware infection (e.g., viruses, worms, Trojans, spyware) [42, 45]; phishing [41, 42, 45]; online fraud (e.g., CEO fraud, business email compromise) [42]; and internal threats (e.g., deliberate data deletion, unauthorized data access, unauthorized personal devices) [36, 41–45]. Awareness of solutions included questions on 12 available solutions for managing cyber-risks: remote data deletion on lost or stolen devices [43]; advanced antimalware solutions (with EDR/XDR capabilities) [42, 45]; secure connection (e.g., virtual private network (VPN)) [42, 45]; cloud synchronization of data [42, 43]; data backup [43, 45]; centralized device management, including mobile device management (MDM) [43]; advanced firewalls (with IPS/IDS capabilities) [41, 42, 45]; training on secure use of devices [42, 43]; multi-factor authentication (e.g., two-factor authentication (2FA)) [42]; security operation center (SOC) 24/7 [42]; centralized management of software updates [41, 45]; and organizational critical infrastructure access control [41].

Awareness of threats and awareness of solutions were measured on 4-point ordinal scales adapted from [47]: 1—“I am very familiar with this [threat/solution] and what it is”; 2—“I have heard about this [threat/solution] previously and am somewhat familiar with it”; 3—“I have heard mention of this [threat/solution] before but am largely unfamiliar with it”; 4—“I was not aware of this [threat/solution] before today”.

Respondents were first shown a description of advanced antimalware solutions, including descriptions of EDR and XDR capabilities as well as SOC. Then, respondents were asked which types of antimalware solutions and SOC realizations were adopted in their respective organizations. Options for adopted antimalware solution type included an advanced antimalware solution with EDR/XDR capabilities, a standard antimalware solution, such as antivirus programs, and none. Options for adopted SOC realization included a dedicated 24/7 security team within a respondent’s organization, an external SOC (SOC-as-a-service model), and none (incidents handled by IT or information security department).

2.4 Sample and data collection

The survey was conducted from 13 to 20 March 2023 through the Cint platform. We used organizational role as a screening question to ensure that all respondents were qualified to take the survey. A total of 356 respondents took the survey. After excluding unqualified respondents, such as decision-makers with no role in information and cyber security-related decisions (21), responses with over 10 percent missing values (5), and responses that indicated non-engagement bias (47), we were left with N = 283 useful responses. Table 1 presents the key sample characteristics.

Average respondent age was 36.7 years (SD = 12.1). Mean experience with IT was 10.4 years (SD = 8.5), and mean experience with information security was 9.9 years (SD = 8.1). Average employment duration was 10.4 years (SD = 9.1).

Decision-makers represented organizations from various industries. Table 2 presents which industries were represented in the study.

2.5 Data analysis

We used R version 4.4.1 with packages psych version 2.4.6.26, dplyr version 1.1.4, FSA version 0.9.5, car version 3.1-2 and ltm version 1.2-0 for data analysis. We merged some categories and scores before data analysis. First, we merged the categories for organizational role into IT/IS executive (e.g., CISO, CIO), non-IT/IS executive (e.g., CEO, CFO) and non-executive (e.g., IT administrator, department head). This enabled us to test whether the organizational role type, according to IT/IS background and/or position within an organization, is associated with the cybersecurity awareness of decision-makers. Next, we tested the overall reliability of awareness of threats and awareness of solutions as theoretical constructs with Cronbach’s alpha (CA). CA was 0.876 and 0.884 for awareness of threats and awareness of solutions, respectively, indicating good reliability. Finally, we merged scores for awareness of threats and awareness of solutions to improve the reliability of measuring individual dimensions of these constructs. Measuring awareness with self-reported questionnaires is challenging, as people do not tend to be very realistic about their own awareness of specific phenomena. We used a scale that adequately addresses this issue by describing four clearly distinct levels of awareness. We decided to further improve the reliability of the scale by dividing respondents into those who are at least somewhat familiar with a threat/solution (aware) and those who are largely unfamiliar with it or heard about it for the first time during the survey (not aware). A beneficial side effect of this merger is improved interpretability of the study results, enabling comparison of the awareness level of respondents in different groups.

Data analysis included non-parametric tests, such as Kruskal-Wallis test for determining differences between three or more groups with post-hoc Dunn’s tests with Bonferroni correction for determining differences between pairs of those groups. We used Wilcoxon tests to determine differences between two groups. We also used parametric tests when possible—we conducted independent samples t tests for determining differences in means across two groups. We used standard significance levels (α = 0.05, α = 0.01, and α = 0.001) for determining significance of all statistical test results.
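As an added worked example (not the authors' R code), the following Python reproduces the two steps of the analysis above on constructed data: recoding the 4-point scale into aware/not aware, computing Cronbach's alpha for an awareness construct, and running a tie-corrected Kruskal-Wallis test of an awareness item across adoption groups. The response values, the group labels and the restriction to two or three groups (df 1 or 2) are assumptions of this example.

```python
"""Recoding, reliability and Kruskal-Wallis for awareness items (added example).
All response data below are constructed for illustration, not the study's data."""
import math
from statistics import variance
from typing import Dict, List, Tuple

# Scale from Section 2.3: 1 = very familiar ... 4 = not aware before today.
AWARE_CUTOFF = 2  # 1 or 2 -> aware; 3 or 4 -> not aware (Section 2.5 merge)


def recode_aware(score: int) -> int:
    """Merge the 4-point scale into 1 (aware) / 0 (not aware)."""
    if score not in (1, 2, 3, 4):
        raise ValueError(f"score out of scale: {score}")
    return 1 if score <= AWARE_CUTOFF else 0


def cronbach_alpha(items: List[List[float]]) -> float:
    """items[i] holds every respondent's raw score on item i (same order)."""
    k = len(items)
    n = len(items[0])
    if k < 2 or any(len(it) != n for it in items):
        raise ValueError("need at least two items of equal length")
    totals = [sum(it[j] for it in items) for j in range(n)]
    return k / (k - 1) * (1 - sum(variance(it) for it in items) / variance(totals))


def _average_ranks(values: List[float]) -> List[float]:
    """Rank values 1..N, giving tied values their mean rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_rank = (i + j + 2) / 2  # 0-based positions i..j are ranks i+1..j+1
        for p in range(i, j + 1):
            ranks[order[p]] = mean_rank
        i = j + 1
    return ranks


def _chi2_sf(x: float, df: int) -> float:
    """Upper tail of the chi-square distribution for df in {1, 2} (assumption)."""
    if df == 1:
        return math.erfc(math.sqrt(x / 2))
    if df == 2:
        return math.exp(-x / 2)
    raise ValueError("only two or three groups are supported in this example")


def kruskal_wallis(groups: Dict[str, List[float]]) -> Tuple[float, float]:
    """Tie-corrected Kruskal-Wallis H and its asymptotic p-value."""
    names = list(groups)
    pooled = [v for g in names for v in groups[g]]
    n_total = len(pooled)
    ranks = _average_ranks(pooled)
    h, pos = 0.0, 0
    for g in names:  # rank sum per group, read back in pooled order
        n_g = len(groups[g])
        r_g = sum(ranks[pos:pos + n_g])
        h += r_g * r_g / n_g
        pos += n_g
    h = 12.0 / (n_total * (n_total + 1)) * h - 3 * (n_total + 1)
    # Tie correction: essential here, because recoded scores are only 0 or 1.
    counts: Dict[float, int] = {}
    for v in pooled:
        counts[v] = counts.get(v, 0) + 1
    ties = sum(t ** 3 - t for t in counts.values())
    h /= 1 - ties / (n_total ** 3 - n_total)
    return h, _chi2_sf(h, len(names) - 1)


def example_alpha() -> float:
    # Constructed: three threat items answered by four respondents on the raw 1-4 scale.
    items = [[1, 2, 3, 4], [1, 2, 4, 4], [2, 1, 3, 4]]
    return cronbach_alpha(items)


def example_ddos_by_antimalware() -> Tuple[float, float]:
    # Constructed raw DDoS-awareness scores grouped by adopted antimalware type.
    raw = {"edr_xdr": [1, 2, 1, 2, 3],
           "standard": [2, 1, 1, 4, 3],
           "none": [2, 3, 4, 3, 4]}
    recoded = {g: [recode_aware(s) for s in scores] for g, scores in raw.items()}
    return kruskal_wallis(recoded)


if __name__ == "__main__":
    print(f"Cronbach's alpha: {example_alpha():.3f}")
    h, p = example_ddos_by_antimalware()
    print(f"Kruskal-Wallis H = {h:.3f}, p = {p:.3f}")
```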

3 Results

In this section, we present the results relevant for answering the posed research questions. We analyzed the data related to cybersecurity awareness of decision-makers separately for all research questions.

3.1 RQ1: Are there differences in cybersecurity awareness of decision-makers across groups based on adoption of antimalware solutions in their organizations?

We analyzed cybersecurity awareness of cyber and information security decision-makers separately for two of the most common advanced antimalware solutions found on the market today: (1) advanced antimalware solutions with EDR/XDR capabilities, and (2) security operation centers (SOC). Since the former is a technical solution, we compared it with other types of technical solutions (i.e., a standard antimalware solution and none). The latter is an organizational solution which can have varying realizations (i.e., internal SOC, external SOC, none).

3.1.1 Adopted antimalware solution type.

Table 3 presents the differences in respondents’ awareness of threats for groups based on their organization’s adopted antimalware solution type. The results indicate significant differences for awareness of six threats. However, there were only four threats with clearly distinguishable differences between different types of adopted antimalware solutions. For three of these threats (i.e., industrial espionage, botnets and phishing), there were significant differences between organizations that have either antimalware solution (EDR/XDR or standard) and those which do not. In all cases, respondents in the latter had a significantly lower awareness of these threats. Awareness of DDoS attacks was however significantly higher for respondents in organizations adopting advanced antimalware solutions with EDR/XDR capabilities than respondents in those adopting a standard antimalware solution or not adopting any at all.

Table 3. Differences in awareness of threats across adopted antimalware solution types.

https://doi.org/10.1371/journal.pone.0312266.t003

Table 4 presents the differences in respondents’ awareness of solutions for groups based on their organization’s adopted antimalware solution type. The results indicate significant differences for awareness of 10 solutions. There were however just eight clear differences between different types of adopted antimalware solutions. For six of these solutions (i.e., remote deletion, advanced firewalls, training, multi-factor authentication, SOC and centralized management of software updates), there were significant differences between respondents in organizations that have either antimalware solution (EDR/XDR or standard) and respondents in those which do not. In all cases, respondents in the latter had significantly lower awareness of these solutions. For two solutions (i.e., advanced antimalware solutions with EDR/XDR capabilities and centralized device management), there were clear differences among all three adopted antimalware solution type groups. In both cases, the most aware were respondents in organizations adopting advanced antimalware solutions with EDR/XDR capabilities, followed by respondents in those which adopted a standard antimalware solution, while the least aware were respondents in organizations that did not adopt any antimalware solution.

Table 4. Differences in awareness of solutions across adopted antimalware solution types.

https://doi.org/10.1371/journal.pone.0312266.t004

These results indicate that awareness of certain threats and solutions is positively associated with adoption of antimalware solutions. Decision-makers in organizations adopting an advanced antimalware solution with EDR/XDR capabilities are more aware of one threat (i.e., DDoS attacks) and two solutions (i.e., advanced antimalware solutions with EDR/XDR capabilities and centralized device management) than decision-makers in organizations adopting a standard antimalware solution. Additionally, they are more aware of four threats (i.e., industrial espionage, botnets, phishing and DDoS attacks) and eight solutions (i.e., remote deletion, advanced firewalls, training, multi-factor authentication, SOC, centralized management of software updates, advanced antimalware solutions with EDR/XDR capabilities and centralized device management) than decision-makers in organizations which do not adopt any antimalware solution. Decision-makers in organizations adopting a standard antimalware solution are similarly more aware of three threats (i.e., industrial espionage, botnets and phishing) and eight solutions (i.e., remote deletion, advanced firewalls, training, multi-factor authentication, SOC, centralized management of software updates, advanced antimalware solutions with EDR/XDR capabilities and centralized device management) than decision-makers in organizations which do not adopt any antimalware solution.

3.1.2 Adopted SOC realization.

Table 5 presents the differences in respondents’ awareness of threats for groups based on adopted SOC realization in their organizations. The results indicate significant differences in awareness of five threats. A single threat (i.e., online fraud) had clearly distinguishable differences between different realizations of SOC. Respondents in organizations adopting an internal SOC were markedly more aware of this threat than respondents in organizations adopting an external SOC or not having a SOC.

Table 5. Differences in awareness of threats across adopted SOC realizations.

https://doi.org/10.1371/journal.pone.0312266.t005

Table 6 presents the differences in respondents’ awareness of solutions for groups based on adopted SOC realization in their organizations. The results indicate significant differences in awareness of five solutions, with clear differences between different realizations of SOC for two of them. For both SOC and critical infrastructure access control, there were significant differences between respondents in organizations that have either realization of SOC (internal or external) and respondents in those which do not. The latter had significantly lower awareness of both solutions.

Table 6. Differences in awareness of solutions across adopted SOC realizations.

https://doi.org/10.1371/journal.pone.0312266.t006

These results suggest that awareness of certain threats and solutions is positively associated with the adoption of a SOC, although this association does not appear to be as broad as the association with the adoption of antimalware solutions. Decision-makers in organizations adopting an internal SOC are more aware of one threat (i.e., online fraud) than decision-makers in organizations adopting an external SOC. There are no differences in their awareness of any solutions. Also, they are more aware of one threat (i.e., online fraud) than decision-makers in organizations which do not have a SOC. Decision-makers in organizations adopting either realization of SOC (i.e., internal or external SOC) are more aware of two solutions (i.e., SOC and critical infrastructure access control) than decision-makers in organizations which do not have a SOC.

3.2 RQ2a: Are there differences in cybersecurity awareness of decision-makers across groups based on organizational factors?

3.2.1 Organizational role type.

Table 7 presents the differences in respondents’ awareness of threats for groups based on their organizational role type. The results indicate significant differences for awareness of six threats. However, a single threat (i.e., industrial espionage) had clearly distinguishable differences between different organizational role types. Non-IT/IS executive decision-makers were significantly less aware of this threat than IT/IS executive and non-executive decision-makers.

Table 7. Differences in awareness of threats across organizational role types.

https://doi.org/10.1371/journal.pone.0312266.t007

Table 8 presents the differences in respondents’ awareness of solutions for groups based on their organizational role type. The results suggest significant differences for awareness of all 12 solutions. Nevertheless, only six had clear differences between different organizational role types. For four solutions (i.e., training, multi-factor authentication, centralized management of software updates and critical infrastructure access control), non-IT/IS executive decision-makers were significantly less aware of these solutions than IT/IS executive and non-executive decision-makers. Perhaps a bit surprisingly, non-executive decision-makers were significantly more aware of remote data deletion and cloud synchronization of data than both IT/IS and non-IT/IS executive decision-makers.

Table 8. Differences in awareness of solutions across organizational role types.

https://doi.org/10.1371/journal.pone.0312266.t008

These results indicate some differences in decision-makers’ awareness of certain threats and solutions depending on their organizational role type. Non-IT/IS executive decision-makers are less aware of one threat (i.e., industrial espionage) and four solutions (i.e., training, multi-factor authentication, centralized management of software updates and critical infrastructure access control) than both IT/IS executive and non-executive decision-makers. They are also less aware of two solutions (i.e., remote data deletion and cloud synchronization of data) than non-executive decision-makers. IT/IS executive decision-makers are additionally less aware of these two solutions than non-executive decision-makers.

3.2.2 Organization size.

Table 9 shows the differences in respondents’ awareness of threats for groups based on organization size. The results indicate significant differences for awareness of a single threat. Post-hoc tests did not reveal any organization sizes that would be clearly distinguishable from others.

Table 9. Differences in awareness of threats across organization size groups.

https://doi.org/10.1371/journal.pone.0312266.t009

Table 10 presents the differences in respondents’ awareness of solutions for groups based on organization size. The results indicate significant differences for awareness of four solutions. Again, no organization size was clearly distinguishable from others for any of these solutions.

Table 10. Differences in awareness of solutions across organization size groups.

https://doi.org/10.1371/journal.pone.0312266.t010

Based on the above, we can conclude that organization size is associated with awareness of neither threats nor solutions.

3.3 RQ2b: Are there differences in cybersecurity awareness of decision-makers across groups based on their personal characteristics?

3.3.1 Gender.

Table 11 shows the differences in respondents’ awareness of threats for groups based on their gender. The results indicate significant differences in awareness of five threats. Male respondents were significantly more aware of loss of access to data, industrial espionage, DDoS attacks, botnets and phishing than female respondents.

Table 11. Differences in awareness of threats across genders.

https://doi.org/10.1371/journal.pone.0312266.t011

Table 12 shows the differences in respondents’ awareness of solutions for groups based on their gender. The results indicate significant differences for awareness of six solutions. Male respondents were significantly more aware of advanced antimalware solutions with EDR/XDR capabilities, centralized device management, training, multi-factor authentication, centralized management of software updates and critical infrastructure access control than female respondents.

Table 12. Differences in awareness of solutions across genders.

https://doi.org/10.1371/journal.pone.0312266.t012

These results suggest that male decision-makers are more aware of certain threats and solutions than their female counterparts. To be more specific, male decision-makers were more aware of five out of nine threats (55.6%), and six out of 12 solutions (50.0%).

3.3.2 Formal education.

Table 13 shows the differences in respondents’ awareness of threats for groups based on formal education. The results do not suggest any significant differences in awareness of threats among these groups.

Table 13. Differences in awareness of threats across formal education groups.

https://doi.org/10.1371/journal.pone.0312266.t013

Table 14 shows the differences in respondents’ awareness of solutions for groups based on formal education. These results also do not suggest any significant differences in awareness of solutions among these groups.

Table 14. Differences in awareness of solutions across formal education groups.

https://doi.org/10.1371/journal.pone.0312266.t014

Based on the above, we can conclude that formal education is not associated with cybersecurity awareness of decision-makers.

3.3.3 Age.

Table 15 shows the differences in respondents’ age for groups based on awareness of threats. The results reveal significant differences in average age for awareness of three threats (i.e., industrial espionage, malware infection and phishing). Respondents who were aware of these threats were significantly older than those who were not.

Table 15. Differences in age across groups based on awareness of threats.

https://doi.org/10.1371/journal.pone.0312266.t015

Table 16 shows the differences in respondents’ age for groups based on awareness of solutions. The results reveal significant differences in average age for awareness of two solutions (i.e., cloud synchronization of data and data backup). Respondents who were aware of these solutions were significantly older than those who were not.

Table 16. Differences in age across groups based on awareness of solutions.

https://doi.org/10.1371/journal.pone.0312266.t016

These results indicate that decision-makers who are aware of certain threats and solutions are older than decision-makers who are not. However, this is true only for a minority of threats (33.3%) and solutions (16.7%) included in our study.

3.3.4 Experience with information security.

Table 17 presents the differences in respondents’ experience with information security for groups based on awareness of threats. The results show significant differences in average experience with information security for awareness of four threats (i.e., loss of access to data, DDoS attacks, malware infection and phishing). Respondents who were aware of these threats had significantly more experience with information security than those who were not.

Table 17. Differences in experience with information security across groups based on awareness of threats.

https://doi.org/10.1371/journal.pone.0312266.t017

Table 18 presents the differences in respondents’ experience with information security for groups based on awareness of solutions. The results show significant differences in average experience with information security for awareness of seven solutions (i.e., remote data deletion, advanced antimalware solutions with EDR/XDR capabilities, secure connection, cloud synchronization of data, centralized device management, advanced firewalls and training). Respondents who were aware of these solutions had significantly more experience with information security than those who were not.

Table 18. Differences in experience with information security across groups based on awareness of solutions.

https://doi.org/10.1371/journal.pone.0312266.t018

These results indicate that decision-makers who are aware of approximately half of the threats (44.4%) and solutions (58.3%) included in our study have more experience with information security than decision-makers who are not.

3.3.5 Experience with IT.

Table 19 shows the differences in respondents’ experience with IT for groups based on awareness of threats. The results indicate significant differences in average experience with IT for awareness of six threats (i.e., loss of access to data, industrial espionage, DDoS attacks, botnets, malware infection and phishing). Respondents who were aware of these threats had significantly more experience with IT than those who were not.

Table 19. Differences in experience with IT across groups based on awareness of threats.

https://doi.org/10.1371/journal.pone.0312266.t019

Table 20 presents the differences in respondents’ experience with IT for groups based on awareness of solutions. The results show significant differences in average experience with IT for awareness of eight solutions (i.e., remote data deletion, advanced antimalware solutions with EDR/XDR capabilities, secure connection, cloud synchronization of data, data backup, centralized device management, advanced firewalls and training). Respondents who were aware of these solutions had significantly more experience with IT than those who were not.

Table 20. Differences in experience with IT across groups based on awareness of solutions.

https://doi.org/10.1371/journal.pone.0312266.t020

These results indicate that decision-makers who are aware of two thirds of the threats (66.7%) and solutions (66.7%) included in our study have more experience with IT than decision-makers who are not.

4 Discussion

In this section, we first provide theoretical and practical implications of this study. Next, we discuss its limitations and put forward directions for future research.

4.1 Theoretical implications

This study makes a number of theoretical contributions to the literature. First, awareness of well-known threats and solutions seems to be quite low among cyber and information security decision-makers. The results of this study indicate that about a third of decision-makers are not aware of DDoS attacks and botnets, and about a quarter are not aware of industrial espionage and phishing. This is especially surprising since these threats are among the most prevalent ones at present [38, 40]. Awareness of solutions does not appear to be much better. A quarter or more of the decision-makers are not aware of seven out of the 12 solutions included in our study. More than a third of decision-makers were unaware of two of these solutions, namely SOC and advanced antimalware solutions with EDR/XDR capabilities, and a quarter or more were unaware of a further five solutions (i.e., organizational critical infrastructure access control, centralized device management including mobile device management (MDM), multi-factor authentication (e.g., 2FA), centralized management of software updates, and remote data deletion on lost or stolen devices). Even though cyber and information security decision-makers are the primary enablers of cybersecurity in organizations, the results of our study suggest that they are insufficiently aware of both threats and solutions. This lack of cybersecurity awareness may significantly impair their ability to make adequate decisions regarding cybersecurity, which is a challenging task to begin with [9]. Additionally, it may hinder their ability to lead their organizations towards a cyber-resilient culture [11, 31]. These findings are in line with most published literature (e.g., [33, 34]). This study contributes to the literature on the awareness of decision-makers by breaking cybersecurity awareness down into various kinds of threats and solutions. This break-down view shows that cybersecurity awareness may not be a monolithic construct; future studies may therefore incorporate its different dimensions in their research designs.

Second, this study suggests that there are differences in the cybersecurity awareness of decision-makers across groups based on the adoption of antimalware solutions in their organizations. The results of our study indicate that awareness of certain, but not all, threats and solutions is positively associated with either the adopted antimalware solution type or the adopted SOC realization. These findings contribute to the literature on the awareness of decision-makers in organizations adopting different types of advanced antimalware solutions. We note that we did not search for causal relationships in our study. Therefore, it remains unclear whether the higher awareness of decision-makers in organizations adopting advanced antimalware solutions with EDR/XDR capabilities, or in organizations adopting either an internal or an external SOC, is a consequence of this adoption or vice versa. Future studies may thus focus on investigating this causal relationship.

Third, the results of our study indicate that there are differences in the cybersecurity awareness of decision-makers across organizational role types. Non-IT/IS executive decision-makers had the least awareness, which may be a consequence of their background and appears to be in line with the existing literature [48]. Next, non-executive decision-makers seem to be more aware of certain solutions than other decision-makers, which may be a consequence of their more operational involvement in ensuring cybersecurity. This adds to the literature as one of the first studies to investigate the importance of organizational role types. The results of our study, however, do not support the role of organizational size suggested by the published literature [29, 34]. The reason for this divergence could lie in our target population, which included decision-makers at both executive and non-executive levels and with varying backgrounds (i.e., IT/IS and non-IT/IS). Future studies may focus on each organizational role type individually.

Fourth, our study identifies several personal characteristics of decision-makers that are associated with their cybersecurity awareness. Gender seems to be the most important demographic associated with the cybersecurity awareness of decision-makers. Consistent with the published literature [48], male decision-makers were more aware than their female counterparts. Age was also associated with cybersecurity awareness, although for a much lower share of threats and solutions. Contrary to the published literature [34], formal education was not a significant factor in the cybersecurity awareness of decision-makers. Experience with IT was the most prominent personal characteristic associated with the cybersecurity awareness of decision-makers, being significant for a larger share of threats and solutions than experience with information security. Although this is somewhat surprising, the importance of IT has been emphasized in the literature before [30]. These findings contribute to the literature on the relation between the personal characteristics of decision-makers and their cybersecurity awareness. Future works may consider incorporating these characteristics in their research models.

4.2 Practical implications

This paper provides some practical implications for increasing the ability of organizations to achieve higher levels of cyber-resilience. Since cyber and information security decision-makers are the main drivers and enablers of the cybersecurity mindset in organizations, understanding and improving their cybersecurity awareness has the potential to further improve the overall cybersecurity of organizations. First, this study provides insights into which threats and solutions are less known among cyber and information security decision-makers. Therefore, it provides straightforward guidance on which threats and solutions need to be better promoted among cyber and information security decision-makers.

Second, the results of our study identify which decision-makers are more likely to be less aware of threats and solutions, i.e., especially decision-makers in organizations not adopting an antimalware solution, decision-makers in organizations not adopting a SOC, non-IT/IS executive decision-makers, female and younger decision-makers, and decision-makers with less experience with IT or information security. These characteristics can help to target cybersecurity awareness interventions at the decision-makers most in need of them. The detailed insights from this study may additionally help to adapt such interventions to the needs of a specific subgroup of decision-makers.

4.3 Limitations and future research

This study has some limitations that readers should note. First, the study was conducted in a single cultural context. Since cultural context may be an important factor when studying cybersecurity awareness, the findings of this study may not generalize to other cultural contexts. Future studies comparing our findings with, or investigating the influence of, different cultural contexts would help to further generalize the findings of our study. Second, the questionnaire included single items for the measured constructs, such as the dimensions of threats and solutions. This significantly limits the ability to check the reliability and validity of the measurement instrument. Although we addressed this issue by merging scores for both awareness constructs, future studies may be needed to further confirm our findings. Third, we are unsure whether there were cases of more than one respondent from a single organization, since we did not ask respondents to name the organizations in which they were employed. If there were several such cases, this may partially influence the results related to organizational factors, such as adopted antimalware solution type, adopted SOC realization, and organization size. Even though the possibility of this is relatively low, future studies would be beneficial for confirming the findings of our study. Fourth, this study focuses on a single countermeasure (i.e., antimalware solutions). Future studies may explore differences in the cybersecurity awareness of decision-makers based on the adoption of other countermeasures (e.g., [45]). Fifth, we opted for a cross-sectional survey research design to reach more respondents than would be possible with alternatives. This enabled us to get a broader overview of the studied topic, albeit at the cost of the depth of insight for each respondent. Alternative research designs employing other research methods, such as interviews or focus groups, may provide deeper insights for each respondent.

References

1. Batrachenko T, Lehan I, Kuchmenko V, Kovalchuk V, Mazurenko O. Cybercrime in the context of the digital age: analysis of threats, legal challenges and strategies. Multidisciplinary Science Journal. 2024;6:e2024ss0212.
2. Naseer A, Naseer H, Ahmad A, Maynard SB, Siddiqui AM. Moving towards agile cybersecurity incident response: A case study exploring the enabling role of big data analytics-embedded dynamic capabilities. Computers & Security. 2023;135:103525.
3. Prebot B, Du Y, Gonzalez C. Learning about simulated adversaries from human defenders using interactive cyber-defense games. Journal of Cybersecurity. 2023;9(1):tyad022.
4. Yin Y, Hsu C, Zhou Z. Employees’ in-role and extra-role information security behaviors from the P-E fit perspective. Computers & Security. 2023;133:103390.
5. Parkin S, Kuhn K, Shaikh SA. Executive decision-makers: a scenario-based approach to assessing organizational cyber-risk perception. Journal of Cybersecurity. 2023;9(1):tyad018.
6. Roman R, Alcaraz C, Lopez J, Sakurai K. Current Perspectives on Securing Critical Infrastructures’ Supply Chains. IEEE Security & Privacy. 2023;21(4):29–38.
7. Ebert N, Schaltegger T, Ambuehl B, Schöni L, Zimmermann V, Knieps M. Learning from safety science: A way forward for studying cybersecurity incidents in organizations. Computers & Security. 2023;134:103435.
8. Kianpour M, Kowalski SJ, Øverby H. Systematically Understanding Cybersecurity Economics: A Survey. Sustainability. 2021;13(24):136771:1–28.
9. Liu X, Ahmad SF, Anser MK, Ke J, Irshad M, Ul-Haq J, et al. Cyber security threats: A never-ending challenge for e-commerce. Frontiers in Psychology. 2022;13:927398. pmid:36337532
10. Thornton-Trump I. Good, better & the best security. EDPACS. 2023;68(2):21–27.
11. Loonam J, Zwiegelaar J, Kumar V, Booth C. Cyber-resiliency for digital enterprises: a strategic leadership perspective. IEEE Transactions on Engineering Management. 2020;69(6):3757–3770.
12. Smmarwar SK, Gupta GP, Kumar S. Android malware detection and identification frameworks by leveraging the machine and deep learning techniques: A comprehensive review. Telematics and Informatics Reports. 2024;14:100130.
13. Song X, Ma Q. Intrusion detection using federated attention neural network for edge enabled internet of things. Journal of Grid Computing. 2024;22(1):1–17.
14. Fujs D, Vrhovec S, Vavpotič D. Balancing software and training requirements for information security. Computers & Security. 2023;134:103467:1–13.
15. Tian CA, Jensen ML, Durcikova A. Phishing susceptibility across industries: The differential impact of influence techniques. Computers & Security. 2023;135:103487.
16. Preuveneers D, Joosen W. Privacy-preserving correlation of cross-organizational cyber threat intelligence with private graph intersections. Computers & Security. 2023;135:103505.
17. Turner AB, McCombie S, Uhlmann AJ. Ransomware-Bitcoin Threat Intelligence Sharing Using Structured Threat Information Expression. IEEE Security & Privacy. 2023;21(3):47–57.
18. Dykstra J, Gordon LA, Loeb MP, Zhou L. Maximizing the benefits from sharing cyber threat intelligence by government agencies and departments. Journal of Cybersecurity. 2023;9(1):tyad003.
19. Piazza A, Vasudevan S, Carr M. Cybersecurity in UK Universities: mapping (or managing) threat intelligence sharing within the higher education sector. Journal of Cybersecurity. 2023;9(1):tyad019.
20. Cuchta T, Blackwood B, Devine TR, Niichel RJ. Human risk factors in cybersecurity: Experimental assessment of an academic human attack surface. Interaction Studies. 2023;24(3):437–463.
21. Crgol A, Vrhovec S. Recognition of genuine and phishing emails may not be associated with response to phishing attacks. Journal of Universal Computer Science. 2024; accepted for publication.
22. Reeves A, Ashenden D. Understanding decision making in security operations centres: building the case for cyber deception technology. Frontiers in Psychology. 2023;14:1165705. pmid:37292498
23. Žvanut B, Mihelič A. Qualitative study on domestic social robot adoption and associated security concerns among older adults in Slovenia. Frontiers in Psychology. 2024;15:1343077. pmid:38333061
24. Gomez MA, Shandler R. Trust at Risk: The Effect of Proximity to Cyberattacks. Journal of Global Security Studies. 2024;9(2):ogae002.
25. Brockinton A, Hirst S, Wang R, McAlaney J, Thompson S. Utilising online eye-tracking to discern the impacts of cultural backgrounds on fake and real news decision-making. Frontiers in Psychology. 2022;13:999780. pmid:36582319
26. Vrhovec S, Bernik I, Markelj B. Explaining information seeking intentions: Insights from a Slovenian social engineering awareness campaign. Computers & Security. 2023;125:103038:1–12.
27. Lif P, Sommestad T, Albinsson PA, Valassi C, Eidenskog D. Validation of Cyber Test for Future Soldiers: A Test Battery for the Selection of Cyber Soldiers. Frontiers in Psychology. 2022;13:868311. pmid:35496198
28. Lenz J, Bozakov Z, Wendzel S, Vrhovec S. Why People Replace their Aging Smart Devices: A Push–Pull–Mooring Perspective. Computers & Security. 2023;130:103258:1–22.
29. Bongiovanni I, Renaud K, Brydon H, Blignaut R, Cavallo A. A quantification mechanism for assessing adherence to information security governance guidelines. Information & Computer Security. 2022;30(4):517–548.
30. Auyporn W, Piromsopa K, Chaiyawat T. A Study of Distinguishing Factors between SME Adopters versus Non-Adopters of Cybersecurity Standard. International Journal of Computing and Digital Systems. 2023;13(1):189–198.
31. Triplett WJ. Addressing Human Factors in Cybersecurity Leadership. Journal of Cybersecurity and Privacy. 2022;2(3):573–586.
32. Mikuletič S, Vrhovec S, Skela-Savić B, Žvanut B. Security and privacy oriented information security culture (ISC): Explaining unauthorized access to healthcare data by nursing employees. Computers & Security. 2024;136:103489:1–14.
33. Drape T, Magerkorth N, Sen A, Simpson J, Seibel M, Murch RS, et al. Assessing the Role of Cyberbiosecurity in Agriculture: A Case Study. Frontiers in Bioengineering and Biotechnology. 2021;9:737927. pmid:34490231
34. Rawindaran N, Jayal A, Prakash E. Exploration of the impact of cybersecurity awareness on small and medium enterprises (SMEs) in Wales using intelligent software to combat cybercrime. Computers. 2022;11(12):174.
35. Moyo M, Loock M. Conceptualising a Cloud Business Intelligence Security Evaluation Framework for Small and Medium Enterprises in Small Towns of the Limpopo Province, South Africa. Information. 2021;12(3):128:1–27.
36. Asha S, Shanmugapriya D. Understanding insiders in cloud adopted organizations: A survey on taxonomies, incident analysis, defensive solutions, challenges. Future Generation Computer Systems. 2024.
37. Kern M, Landauer M, Skopik F, Weippl E. A logging maturity and decision model for the selection of intrusion detection cyber security solutions. Computers & Security. 2024;141:103844.
38. CERT-EU. Threat Landscape Report 2023: Year Review. CERT-EU; 2024.
39. SI-CERT. Poročilo o kibernetski varnosti za 2022 [Cyber security report for 2022]. SI-CERT; 2023.
40. ENISA. ENISA Threat Landscape 2023. ENISA; 2023.
41. Sánchez-García ID, Gilabert TSF, Calvo-Manzano JA. Countermeasures and their taxonomies for risk treatment in cybersecurity: A systematic mapping review. Computers & Security. 2023;128:103170.
42. Darem AA, Alhashmi AA, Alkhaldi TM, Alashjaee AM, Alanazi SM, Ebad SA. Cyber threats classifications and countermeasures in banking and financial sector. IEEE Access. 2023;11:125138–125158.
43. Ewoh P, Vartiainen T. Vulnerability to cyberattacks and sociotechnical solutions for health care systems: systematic review. Journal of Medical Internet Research. 2024;26:e46904. pmid:38820579
44. Rodrigues GAP, Serrano ALM, Vergara GF, Albuquerque RdO, Nze GDA. Impact, Compliance, and Countermeasures in Relation to Data Breaches in Publicly Traded US Companies. Future Internet. 2024;16(6):201.
45. Lezzi M, Lazoi M, Corallo A. Cybersecurity for Industry 4.0 in the current literature: A reference framework. Computers in Industry. 2018;103:97–110.
46. Achaal B, Adda M, Berger M, Ibrahim H, Awde A. Study of smart grid cyber-security, examining architectures, communication networks, cyber-attacks, countermeasure techniques, and challenges. Cybersecurity. 2024;7(1):10. pmid:38707764
47. Cochran JD, Napshin SA. Deepfakes: awareness, concerns, and platform accountability. Cyberpsychology, Behavior, and Social Networking. 2021;24(3):164–172. pmid:33760667
48. Sapanca HF, Kanbul S. Risk management in digitalized educational environments: Teachers’ information security awareness levels. Frontiers in Psychology. 2022;13:986561. pmid:36160587