
The current issue and full text archive of this journal is available on Emerald Insight at:

https://www.emerald.com/insight/0263-5577.htm

Cybersecurity awareness training programs: a cost–benefit analysis framework

Zuopeng (Justin) Zhang
Coggin College of Business, University of North Florida, Jacksonville, Florida, USA, and
Wu He, Wenzhuo Li and M’Hammed Abdous
Old Dominion University, Norfolk, Virginia, USA

Received 11 August 2020
Revised 4 November 2020, 10 January 2021
Accepted 11 January 2021

Abstract
Purpose – Employees must receive proper cybersecurity training so that they can recognize the threats to
their organizations and take the appropriate actions to reduce cyber risks. However, many cybersecurity
awareness training (CSAT) programs fall short due to their misaligned training focuses.
Design/methodology/approach – To help organizations develop effective CSAT programs, we have
developed a theoretical framework for conducting a cost–benefit analysis of those CSAT programs. We
differentiate them into three types of CSAT programs (constant, complementary and compensatory) by their
costs and into four types of CSAT programs (negligible, consistent, increasing and diminishing) by their
benefits. Also, we investigate the impact of CSAT programs with different costs and the benefits on a
company’s optimal degree of security.
Findings – Our findings indicate that the benefit of a CSAT program with different types of cost plays a
disparate role in keeping, upgrading or lowering a company’s existing security level. Ideally, a CSAT program
should spend more of its expenses on training employees to deal with the security threats at a lower security
level and to reduce more losses at a higher security level.
Originality/value – Our model serves as a benchmark that will help organizations allocate resources toward
the development of successful CSAT programs.
Keywords Awareness training, Benefit, Cost, Cybersecurity, Level of security
Paper type Research paper

1. Introduction
Cyberattacks, hacks and high-profile data breaches are part of the cybersecurity landscape.
As a result, cybersecurity has become an urgent priority, both for business organizations and
for government agencies (Shin, 2010; Ponnusamy et al., 2020). However, developing a robust
cybersecurity defense remains challenging given the evolution, the frequency and the
sophistication of cybersecurity attacks, particularly those that use social engineering
methods such as phishing and malware (Conteh and Schmick, 2016; Yaokumah et al., 2019).
Since people are often the weakest link in an organization’s cybersecurity chain (Teh et al.,
2015; De Maggio et al., 2019), organizations should not only provide sufficient security
training and resources to their employees (Chatterjee, 2019) but should also create and
maintain a culture of security awareness (Norris et al., 2019). Implementing the latest security
technologies is unlikely to prevent or to mitigate cyberattacks without the provision of
ongoing personnel training (Norris et al., 2019). A recent IBM (2019) report reiterated that
human errors continue to facilitate security breaches, as more employees fall for phishing
scams and misconfigured servers.
Industrial Management & Data Systems, Vol. 121 No. 3, 2021, pp. 613-636. © Emerald Publishing Limited, 0263-5577. DOI 10.1108/IMDS-08-2020-0462

As security incidents continue to rise in frequency, sophistication and cost, adequate personnel training regarding safe online behavior and security countermeasures remains the backbone of corporations’ cybersecurity strategy. Disparte and Furlow (2017) suggest that the best cybersecurity investment that an organization can make is stronger security training for its employees. That is why organizations must invest in cybersecurity awareness training (CSAT) to enhance their employees’ awareness and readiness (Schmidt et al., 2008; He et al., 2019). Despite this, CSAT programs are often underfunded (Aldawood and Skinner, 2019;
Mejia, 2019). Furthermore, many employees fail to comply with their organizations’ information
security policies (Li et al., 2019). This lack of compliance can lead to more security and data
breaches, even as it underscores the ineffectiveness of many CSAT programs (Kweon et al.,
2019). Hence, a good CSAT program must be designed in such a way that it not only improves
employees’ knowledge but also motivates them to develop compliant behaviors.
Thus, there is a pressing need to investigate the challenges and issues faced by CSAT
programs and to investigate ways in which organizations can make them more effective
(Chengalur-Smith and Abraham, 2019). Among the factors that undermine the effectiveness
of some current CSAT programs, He and Zhang (2019) have summarized several important
issues, including these:
(1) Employees feel bored with mandatory security training programs that force them to
watch uninspiring lectures about policies and procedures and to answer a few
multiple-choice questions at the end. According to Adams (2018), employees complete
training quickly, without paying much attention to the video content.
(2) Because of a lack of incentives and rewards, many employees lack interest and lack
the motivation to participate in their organizations’ security training programs
(Gross, 2018).
(3) Employees complain that security training programs are not tailored to their individual
and their specific organization’s security awareness needs. As a result, employees are
uninterested in closely following and getting involved in security awareness training
(Winkler, 2018; Adams, 2018).
(4) Security training programs are not designed to accommodate a variety of learning
styles and employee needs (Nadkarni, 2012).
(5) To stay ahead of the threats, security training programs require ongoing updates and
revision. Also, programs benefit from ongoing feedback from employees throughout
the organization to assess the relevance or the obsolescence of the training materials
(Pandasecurity, 2017; Adams, 2018).
Beyond the issues mentioned above, another pressing issue is related to the cost and the
benefit of implementing CSAT programs. To be effective, CSAT programs need to be
customized and sustained over a prolonged period (Khan and AlShare, 2019). As a result,
cybersecurity training requires ongoing funding for training resources; for consulting,
testing and advertising; for software/hardware and/or for professional services. One of the
main barriers to the implementation of effective information security awareness is the
organizations’ budgets (Aldawood and Skinner, 2019; Mejia, 2019; Shaw et al., 2009). Besides,
the potential benefit of such an investment is typically hard to justify when developing a
CSAT program.
Prior studies have explored the management of cybersecurity resources from a cost–benefit
perspective (e.g. Gordon and Loeb, 2006; Ekelund and Iskoujina, 2019; Gordon et al., 2020).
However, very few of them have analyzed CSAT programs from such an aspect. To address
this research gap, our study develops a framework to examine different CSAT programs based
on a cost–benefit analysis, guided by the synthesis of fragmented elements regarding
cybersecurity training in prior literature. Specifically, we address the following key research
questions in this paper: (1) what are the different types of CSAT programs in terms of their costs
and benefits? (2) how do different types of CSAT programs affect a company’s optimal degree of
security? and (3) how should companies effectively implement CSAT programs?
To answer these research questions, our research applies an analytic approach to establish and analyze a model of CSAT programs that can help companies differentiate various types of CSAT programs, examine their impact on the optimal degree of security and prioritize the areas of intervention needed for their implementation.
Our paper adopts the framework used by prior studies (He and Zhang, 2019; Piccoli and Pigni, 2019) to explore different types of CSAT programs and then discusses their impact and implementation. Piccoli and Pigni’s (2019) cybersecurity model shows that companies can develop their optimal cybersecurity strategy by balancing the trade-offs between their desired degree of security and their total cost to achieve it. Building on the model by Piccoli and Pigni (2019), He and Zhang (2019) illustrate how the success of a company’s CSAT programs significantly impacts its cybersecurity investment. They demonstrate that a successful CSAT program should reduce a company’s failure cost to compensate for its cost of implementation. Thus, the company can lower its total cybersecurity cost while maintaining or increasing its optimal degree of security. However, their study has not differentiated specific types of CSAT programs or explored their applicability. Extending the conceptual analysis by He and Zhang (2019), we construct an analytical framework that highlights and investigates the costs and the benefits associated with CSAT programs.
The remainder of the paper proceeds as follows. First, we review the literature related to
cybersecurity investment and resource allocation. Next, building on the findings from these
studies, we differentiate CSAT programs in terms of three types of costs (constant,
complementary and compensatory) and four types of benefits (ineffective, consistent,
increasing and diminishing). Third, we conduct a cost–benefit analysis to investigate how a
company’s optimal degree of security changes with different types of CSAT programs. Our
analytical model provides a foundation for companies to assess the effectiveness of their
investment in CSAT programs and explore their applicability. Finally, we offer several
actionable recommendations and conclude the study by highlighting our theoretical and
practical contributions as well as limitations and future research directions.

2. Literature
This section reviews prior literature by focusing on two major research streams relevant to our study: (1) cybersecurity investment and resource allocation and (2) the cost of CSAT programs. In addition, we highlight how the focus of our research differs from that of prior studies.

2.1 Cybersecurity resource allocation


Intending to find the optimal level of cybersecurity investment, researchers have developed
several models for allocating resources. Each model entails a substantial investment in training,
software and hardware. Cybersecurity investment can pose both financial and operational
challenges for companies. As they seek to ensure a higher return on investment (ROI),
organizations are treading a fine line between overinvestment and underinvestment in their
CSAT programs. As summarized by Cordes (2011), the organizational level of cybersecurity
depends on both the economic payoff of strong cybersecurity and its financial cost. Over the
past decade, researchers have applied different investment models and methodologies for
cybersecurity (Fielder et al., 2016). Gordon and Loeb (2002) presented an economic model that
determines the optimal amount to invest in protecting a given set of information. According to
this model, the optimal level of cybersecurity investment does not always increase with the level
of vulnerability (Willemson, 2006). For their part, Bojanc and Jerman-Blazic (2008) assessed
security investment through the identification of assets and vulnerabilities by using three
methods (return on investment, net present value and internal rate of return) to quantify the
costs and the benefits of security investments. Game theories have been used to estimate
optimal investment for information security and the payoff from such investment (Cavusoglu
et al., 2008; Qian et al., 2018).
By using the expected utility theory to determine the optimal security investment level, Huang et al. (2008) demonstrated how an organization could manage its security investment based on the different characteristics of threat environments and system configurations. Using the extreme value theory, Wang et al. (2008) measured the daily risk of an organizational information system and modeled the probability distribution of the daily losses and the time trends associated with the extreme behaviors of users. Along the same line of thinking, Fagade et al. (2017) explored the use of the Monte Carlo predictive simulation model in the allocation of cybersecurity resources. They concluded that a conventional risk
assessment approach, such as the budgeting process, is likely to result in significant over-
allocation or under-allocation of funds for cyber capabilities. Likewise, Njilla et al. (2017) used
the Markov decision process (MDPs) framework to allocate resources between the two end
layers of cybersecurity: agility and recovery. On the other hand, Cavusoglu et al. (2008)
compared the effects of game theory and decision theory approaches on security investment
and claimed that the traditional decision theory approaches were insufficient to determine
security investments. They considered game theory to be more appropriate in modeling
investments in security (Hua and Bapna, 2013).
Srinidhi et al. (2015) studied organizations’ allocation of resources to cybersecurity and
identified the effect of the misalignment of interest between managers and investors. They
recommended the incorporation of cyber-insurance, which would reduce managers’ overinvestment in specific security-enhancing assets. More recently, Jalali et al. (2019) developed a
management simulation game that allows managers to invest in building their organizational
cybersecurity capabilities as it monitors the effect of their investment decisions. This
approach has enabled managers to “learn from the complexities of allocating resources for
building cybersecurity capabilities” while understanding the impact of this investment
decision on their organizations. One of the key findings of this study is that offering proactive
training for managers, to help them to better understand the complexities of cybersecurity, is
critical for improving their decision-making processes.
Although these models and methodologies have different strengths and weaknesses,
they each indicate that it is challenging to achieve optimal resource allocation for
cybersecurity, since cybersecurity (1) is an ongoing process, (2) occurs in various forms and
(3) is often unpredictable. Knowing how difficult, if not impossible, it is to design a secure
system, enterprises should focus on achieving a security level that is acceptable (Jerman-
Blazic, 2012). To this end, Rue and Pfleeger (2009) provided three suggestions for
organizations to consider when making cybersecurity investment decisions: (1) understand
the key input variables related to cybersecurity; (2) measure input variables, such as the
effectiveness of security measures, the expected number of attacks, the probability of attack
success, the vulnerabilities and the costs and payoffs, etc. and (3) ensure that decision-
makers are well-informed about the relevant variables that influence the organization’s
cybersecurity.
Since the determination of the appropriate security level is a challenging task, different
organizations tend to make different resource allocation decisions, depending on their specific
needs and requirements. Moore et al. (2016) found that many firms do not even calculate their
expected ROI or use other outcome-based quantitative investment metrics when they make
cybersecurity investment decisions. Frequently, organizations rely on the experience and
judgment of the managers and/or experts to make investment decisions. Weishäupl et al. (2018)
conducted a case study and found (1) that external environmental and industry-related factors
mostly drive organizational investments in security and (2) that many organizations do not
implement standardized decision processes for making investments in information security.
Although prior studies have explored the management of cybersecurity resources from various
aspects, very few of them have studied CSAT programs from a cost–benefit perspective, which
is the focus of our research.
2.2 Cost for CSAT
To estimate the cost of CSAT programs, organizations must consider a variety of factors, including the number of employees, instructor staffing, the type of training needed, training goals and approaches, training materials and activities, the number of training sessions and testing. For example, a wide range of training methods, such as web-based training materials, contextual training, gamification (Shin and Ahn, 2013; Jin et al., 2018) and embedded training (Abawajy, 2014) can be selected for CSAT. In terms of the content delivery format for the training, security training can be classified into text-based, instructor-based, multimedia or hypermedia-based (e.g. audios, videos, websites, blogs), game-based or simulation-based (Abawajy, 2014). Shaw
et al. (2009) classified security awareness into three levels: perception, comprehension and
projection. Their study found that students who attended hypermedia-based sessions performed
better on the three different security awareness levels than those who attended multimedia-based
training. Tschakert and Ngamsuriyaroj (2019) confirmed that different security training methods
offer different levels of effectiveness and that users have different preferences for security
awareness training methods. Abawajy (2014) found that combined delivery methods are better
than individual security awareness delivery methods in achieving training objectives. However,
mixed delivery methods do come at a higher cost. To be cost-effective, CSAT programs must
consider these different factors in the decision-making process. The budget for CSAT programs
should also reflect the potential risks caused by a lack of security awareness (Dimov and
Juzenaite, 2015). Thus, training costs may vary widely by organization.
It is challenging to directly calculate the ROI for an organization’s CSAT program since
some of the benefits are uncertain and intangible (Shao et al., 2020). For cybersecurity, the
better approach is to calculate the reduction in risk due to the CSAT implementation (Dimov
and Juzenaite, 2015). According to KnowBe4 (2019), the ROI of CSAT can be projected by
considering three main components, as summarized in Table 1.
The metrics used to measure the success of CSAT may vary by organization. Other
parameters can also be used to measure the ROI of CSAT, such as a reduction in successful
phishing attacks, a decrease in malware infections and an increase in the use of strong
passwords (Dimov and Juzenaite, 2015).
In summary, prior research has proposed different ways to estimate the cost and benefit of a CSAT program. However, there is no systematic framework for evaluating different types of CSAT programs with respect to how their costs and benefits change with the level of security in companies. Our paper addresses this research gap by identifying different types of CSAT programs and investigating how they impact a company’s level of security.

Table 1. Three main components of CSAT programs
Development cost: How many working hours are needed to complete the CSAT in-house?
Direct loss of productivity and revenue: How many employee downtime and IT staff hours will it take to disinfect workstations and/or to restore them from backups, in case of a security incident? Revenue loss per minute, per hour or per day can be significant.
Loss of reputation: Is there the possibility of a lost reputation caused by news of a data breach? (This consideration would involve the direct and indirect costs of having to deal with a security incident to customers, suppliers and stakeholders.)
Note(s): KnowBe4 (2019)

3. Model of CSAT programs

This section presents an analytical model of CSAT programs by extending the cybersecurity trade-off model in previous studies (He and Zhang, 2019; Piccoli and Pigni, 2019). Our model illustrates how the success of a CSAT program can significantly impact a company through its investment in cybersecurity training.
Piccoli and Pigni (2019) show that companies can develop their optimal cybersecurity
strategies by balancing the trade-offs between their desired degree of security and their
total cost to achieve it. As Figure 1 exhibits, the total cost for the cybersecurity of a
company includes both the anticipation cost and the failure cost. The anticipation cost refers
to a company’s investment in cybersecurity to actively prevent expected cyber threats;
maintaining a higher degree of security requires a company to increase its anticipation cost.
Moreover, for every additional unit of the degree of security, a company will incur more
anticipation costs. So, the curve of anticipation cost is a convexly increasing curve relative
to the degree of security chosen by a company. The failure cost represents a company’s
financial loss due to unpredictable cybersecurity breaches and threats. The curve of the
failure cost decreases with the degree of security. Besides, each additional degree of
security will result in a more significant decrease in failure cost. Therefore, the total cost can
be represented by a U-shaped curve. A company should achieve its optimal degree of
security to minimize its total cost of cybersecurity.
When a company implements a CSAT program, its anticipation cost will increase. The red
dotted line in Figure 2 demonstrates the total anticipation costs, including the CSAT program.
The difference between the red and blue dotted lines represents the projected cost of the CSAT
program; this increases with the degree of security. The effectiveness of the CSAT program
determines how it will affect the failure cost. Figure 2 shows a specific type of CSAT program
that does not reduce any of the failure cost. In contrast, other kinds of CSAT programs may help
to significantly decrease a company’s failure cost. We explore the effects of the use of different
types of CSAT programs in Section 4 of this paper.
We define the anticipation cost as $a(s)$, in which $s$ denotes the level of security, so according to our assumption $a'(s) > 0$, $a''(s) > 0$, $a(0) = 0$ and $a'(0) = 0$. The failure cost is represented as $f(s)$. Hence, $f'(s) < 0$, $f''(s) > 0$ and $f(0) = F$, where $F$ is a constant that represents the failure cost when there are no security measures implemented in a company. The projected cost for implementing a CSAT program is $t(s)$, so the firm’s total projected cybersecurity cost is $C(s) = a(s) + f(s) + t(s)$. Therefore, the firm determines $s^*$, the optimal degree of security, to minimize the total cost $C(s)$. See Table 2 for a summary of the notation.
Figure 1. Trade-offs between cost and degree of security (Piccoli and Pigni, 2019). [Plot: Failure Cost with No Security, Anticipation Cost, Failure Cost and Total Cost against Degree of Security; the Optimal Degree of Security is marked at the minimum of Total Cost.]

Figure 2. The impact of a CSAT program on the trade-offs between cost and degree of security. [Plot: Failure Cost with No Security, Anticipation Cost, Cost of Cybersecurity Training Program, Failure Cost, Total Cost and Total Cost with a Cybersecurity Training Program against Degree of Security; the Optimal Degree of Security is marked.]

Table 2. Summary of notation
Symbol: Meaning
$a(s)$: Anticipation cost
$C(s)$: Total cybersecurity cost
$f(s)$: Failure cost
$F$: Failure cost with no security
$t(s)$: CSAT cost
$s$: Degree of security

4. Analysis and discussion


Following the proposed analytical model of CSAT programs, this section details our analysis
of the organizational decisions regarding the different types of CSAT programs. We first
investigate the optimal degree of security for companies without CSAT programs and then
we conduct a cost–benefit analysis for various types of CSAT programs, in terms of their
different costs and benefits.

4.1 Optimal degree of security without CSAT programs


First, we analyze a company’s optimal degree of security before it implements a CSAT
program. The following lemma demonstrates the existence of an optimal degree of security in
a company.
Lemma 1. A company’s optimal degree of security s* always exists.
Proof: Please see Appendix.
Lemma 1 indicates that there always exists an optimal degree of security for a company
to minimize its total cost of cybersecurity through balancing the trade-offs between the
anticipation and the failure costs. As Figure 1 shows, a higher anticipation cost for a
company typically corresponds to its lower failure cost, which implies that the company
adopts a “risk-reduction” strategy to invest in the safeguards designed to actively mitigate
security threats. By contrast, a higher failure cost for a company coincides with a lower
anticipation cost; this indicates the “risk-acceptance” strategy used by a company (i.e. not to
invest in countermeasures or to actively reduce its security risk but, rather, to accept its
existing cybersecurity status quo and the possible failure cost). However, in each strategy, a
company will incur a higher total cost than it would at its optimal degree of security; the company will achieve a minimal cost by implementing a hybrid strategy that considers both risk acceptance and risk reduction.
Having established the existence of an optimal degree of security, we next investigate how
it changes in different companies with varying natures of anticipation and failure costs.
These are summarized in the next two propositions.
Proposition 2. When $F_X = F_Y$ between company X and Y, if $f'_X(s) > f'_Y(s)$, $\forall s \in [0, \infty)$, then $s^*_X < s^*_Y$.
Proof: Please see Appendix.
Proposition 2 shows that when two companies (X and Y) each have the same anticipation
cost at every degree of security, but X has a higher failure cost than Y at every degree of
security, then company X’s optimal degree of security will be lower than that of company Y.
Figure 3 visually demonstrates the comparison between companies X and Y for this scenario.
The yellow and blue dotted lines represent the failure cost for companies X and Y,
respectively. Accordingly, the yellow and blue U-shaped curves represent the total cost for
companies X and Y. For each additional unit of the degree of security, company X reduces less
of its failure cost than does company Y. Therefore, company X’s optimal degree of security is
lower than that of company Y, whereas company X’s total security cost is higher than that
of Y.
Proposition 3. If $a'_X(s) > a'_Y(s)$, $\forall s \in [0, \infty)$, between company X and Y, then $s^*_X < s^*_Y$.
Proof: Please see Appendix.
Proposition 3 indicates that company X’s optimal degree of security is lower than that of
company Y when each company has the same amount of projected failure cost but different
anticipation costs. Figure 4 graphically demonstrates the scenario captured in this
proposition. The orange and blue dash-dot lines represent company X’s and company Y’s
anticipation costs, and the orange and blue U-shaped curves represent their total costs,
respectively. Since each additional unit of the degree of security costs company X more in anticipation cost than it costs company Y, company X’s optimal degree of security will be lower than that of company Y; however, company X’s total cost will be higher than that of company Y.
Propositions 2 and 3 bear a similar insight; each shows that if it is more difficult for a
company to reduce its total cybersecurity cost, no matter whether it is anticipation or failure
cost, the company will have to lower its optimal degree of security to save its total cost.
Figure 3. Optimal degree of security for company X and Y with different failure costs. [Plot: Failure Cost with No Security, Anticipation Cost, Failure Cost for X, Failure Cost for Y, Total Cost for X and Total Cost for Y against Degree of Security; $s^*_X$ and $s^*_Y$ are marked.]

Figure 4. Optimal degree of security for company X and Y with different anticipation costs. [Plot: Failure Cost with No Security, Anticipation Cost for X, Anticipation Cost for Y, Failure Cost, Total Cost for X and Total Cost for Y against Degree of Security; $s^*_X$ and $s^*_Y$ are marked.]

Therefore, if company X’s anticipation and failure costs are each higher than those of
company Y, company X’s optimal degree of security will be lower than that for company Y, as
shown in Figures 3 and 4. These two propositions also imply that investing more in
cybersecurity may not always make a company more secure (i.e. increasing its level of
security). If the cybersecurity investment does not help lower a company’s potential loss, the
company’s level of security may be reduced. In other words, if the anticipation cost does not
work as it is expected, the company will end up with a higher total cybersecurity cost and
become less secure.

4.2 A cost–benefit analysis of CSAT programs


Next, we investigate the impact of different types of CSAT programs on a company’s optimal
degree of security. We first show three types of CSAT programs by noting their projected
costs and four types of CSAT programs in terms of their projected benefits, and then we
propose a formal cost–benefit framework to evaluate the impact of different CSAT programs
on the optimal degree of security.
4.2.1 Cost of CSAT programs. The cost of a CSAT program can be considered as part of a
company’s cybersecurity investment for providing cybersecurity training to employees,
including the expenses for recruiting security trainers, creating training curricula, developing
training materials, conducting social engineering tests and offering rewards for training
completion (and, subsequently, for proper security behavior). In this regard, CSAT programs
work as the “soft” safeguards employed by a company to mitigate potential cybersecurity
threats. Therefore, when a company implements a CSAT program, its total investment in the
program will add another portion to the existing anticipation cost. Figure 2 shows a specific type
of CSAT program–one that requires a larger investment to run the program but that projects a
higher degree of security. This type of CSAT program assumes that when a company’s
cybersecurity system gets more sophisticated, this may entail a lot more training of its
employees to help them understand both the intricacy of the system and the associated policies,
regulations and processes. In other words, this scenario shows that a more advanced security
system will require a complementary CSAT program that demands extra cybersecurity
training.
In addition, there are two other possible types (constant and compensatory) of CSAT
programs with respect to how the cost of a CSAT program changes with the existing
anticipation cost at different degrees of security. Figure 5 demonstrates all three types of
CSAT programs for their different costs. The red, brown and black dotted lines represent the total anticipation cost with the implementation of a complementary, compensatory and constant CSAT program, respectively. The difference between these and the blue dotted line denotes the actual projected cost of the CSAT program. As Figure 5 shows, the projected cost increases with the degree of security for a complementary CSAT program, decreases for a compensatory CSAT program and remains the same for a constant CSAT program.

Figure 5. The cost of a CSAT program: three types. [Plot: Failure Cost with No Security and Anticipation Cost against Degree of Security, with the Cost of a CSAT Program shown for the complementary, compensatory and constant types.]
The difference between the three types of CSAT programs in their costs indicates how
they work with the existing cybersecurity safeguards in a company. As mentioned above, a
complementary CSAT program provides extra cybersecurity training for security systems at
a higher degree of security. A constant CSAT program supports the same level of training no
matter what the degree of security is within a company, whereas the compensatory CSAT
program offers additional training at a lower degree of security to compensate for the
insufficient cybersecurity safeguards implemented in a company.
4.2.2 Benefit of CSAT programs. The benefit of a CSAT program can be shown by its
ability to reduce the potential failure cost when cyber threats and breaches occur. An effective
CSAT program can benefit a company by lowering its failure cost at every degree of security,
whereas a CSAT program with a negligible benefit does not decrease a company’s failure cost
(as can be seen in Figure 2).
We differentiate the following four types of a CSAT program based on how the projected
benefit changes with the degree of security, indicating how each one helps to reduce the
failure cost for a company.
(1) Negligible: The failure cost will remain the same.
(2) Consistent: The same amount of failure cost will be reduced at every degree of
security.
(3) Increasing: More failure cost will be reduced at a higher degree of security.
(4) Diminishing: Less failure cost will be reduced at a higher degree of security.
Figure 6 illustrates all four types of CSAT programs in terms of their different benefits. The
blue, orange, pink and purple dash lines represent the total failure costs with the
implementation of the four types (negligible, consistent, increasing and diminishing) of CSAT
programs, respectively. When there is a negligible benefit for a CSAT program, the failure
cost line is the same as that before the CSAT program is implemented; both are represented
by the blue dash line. Therefore, the vertical differences between the orange, pink and purple
dash lines and the blue dash line show the actual benefit of the CSAT program at a particular
degree of security. The consistent benefit of a CSAT program indicates that the use of such a training program will help to reduce the potential failure cost for a company at every degree of security. The increasing benefit of a CSAT program shows that this type of training program provides more benefits to a company that has more advanced safeguards in place since the failure cost will decrease more at a higher degree of security. In contrast, the diminishing benefit of a CSAT program implies that this kind of training program provides more benefits to companies with less sophisticated cybersecurity safeguards because the failure cost will be reduced more at a lower degree of security.

Figure 6. The benefit of a CSAT program: four types (plot of Cost against Degree of Security showing the Failure Cost with No Security, the failure cost under a negligible benefit, and the Benefit of a CSAT Program of the consistent, increasing and diminishing types).
4.2.3 A cost–benefit analysis. Combining the three cost types and the four benefit types, we
next conduct a cost–benefit analysis of CSAT programs and propose a formal framework
that summarizes how the optimal degree of security will change, depending upon the use of
the different types of CSAT programs with their projected costs and benefits.
Considering a CSAT program as an additional investment in a company’s cybersecurity
safeguards, we focus on how such a program will impact the company’s existing degree of
security. The next proposition shows the impact of CSAT programs with negligible or
consistent benefits on a company’s optimal degree of security.
Proposition 4. A CSAT program with a projected negligible or consistent benefit will
result in the same, a lower or a higher optimal degree of security if its
projected cost is constant, complementary or compensatory.
Proof: Please see Appendix.
Proposition 4 indicates that the cost of a CSAT program has the same impact on the
optimal degree of security when the CSAT program has either no or a consistent benefit.
When the projected cost of the CSAT program is constant at every degree of security, the total
cybersecurity cost curve will shift upward (or possibly downward if there is a consistent
benefit), so there is no change for the optimal degree of security. When the projected cost of
the CSAT program is complementary, it will be more costly for the company to implement the
CSAT program at a higher degree of security, while having no or the same benefit. Therefore,
it is better for the company to choose a lower optimal degree of security. In contrast, when the
projected cost of the CSAT program is compensatory, the program costs less for every unit increase in the degree of security; hence, the company will end up with a higher optimal degree of security.
The following proposition summarizes how the CSAT programs with increasing benefits
influence a company’s optimal degree of security.
Proposition 5. A CSAT program with a projected increasing benefit will result in a higher optimal degree of security if its projected cost is constant or compensatory; however, the change in the optimal degree of security is undecided if the CSAT program’s projected cost is complementary.
Proof: Please see Appendix.
Proposition 5 demonstrates that when a company chooses to implement a CSAT program with the increasing benefit, the optimal degree of security will mostly increase, unless the projected cost of the CSAT program is complementary, in which case the company needs to balance the trade-off between the higher cost and the increasing benefit of the CSAT program at a higher degree of security.
The last proposition demonstrates the influence of CSAT programs with diminishing
benefits on a company’s optimal degree of security.
Proposition 6. A CSAT program with a projected diminishing benefit will result in a
lower optimal degree of security if its projected cost is constant or
complementary; however, the change in the optimal degree of security is
undecided if the CSAT program’s projected cost is compensatory.
Proof: Please see Appendix.
Proposition 6 implies that when a company chooses to implement a CSAT program with
the diminishing benefit, the optimal degree of security will mostly decrease unless the cost of
the CSAT program is compensatory, in which case the company needs to balance the trade-
off between the higher cost and the larger benefit for the CSAT program at a lower degree of
security.
Based on three types of projected costs and the four types of projected benefits, a CSAT
program may belong to one of the twelve scenarios shown in Figure 7. We summarize the
major findings from our cost–benefit analysis in terms of how the optimal degree of security
will change for each of the 12 different CSAT programs. The two cells with a gray
background show that the implementation of such types of CSAT programs does not result in
any change for the optimal degree of security since the changing rates of the anticipation and
the failure costs remain the same both before and after these CSAT programs are
implemented. The four cells with a light orange background denote that a lowered optimal
degree of security will result from the use of these four types of CSAT programs. The
remaining four cells with a blue background and the two cells with a light blue background
represent the CSAT programs that may help companies shift to a higher optimal degree of
security. For the two “undecided” scenarios, although they may possibly lead to a lower
optimal degree of security, it should be noted that companies can strengthen the effects of
increasing benefit or compensatory cost to negate the impact of complementary cost or
diminishing benefit. In summary, a CSAT program with an increasing benefit or a compensatory cost will require a company to implement stronger safeguards at a higher level of security, whereas a CSAT program with a diminishing benefit or a complementary cost will mostly decrease a company’s existing level of security.

Figure 7. Summary of the impact of CSAT programs (change of the optimal degree of security)

Projected benefit     Projected cost of CSAT programs
of CSAT programs      Constant      Complementary   Compensatory
Negligible            No change     Lower           Higher
Consistent            No change     Lower           Higher
Increasing            Higher        Undecided       Higher
Diminishing           Lower         Lower           Undecided

The 12 combinations of a CSAT program exist only theoretically. In practice, some of the scenarios may not be possible. For instance, it is very unlikely for a CSAT program to have both an increasing benefit and a compensatory cost, which we further discuss in the following subsection.
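To make the direction of the shifts summarized in Figure 7 concrete, here is an added numerical illustration (our own code for this edited page, not the paper's model or data). It evaluates total cybersecurity cost on a discrete grid of security degrees from 0 to 10 and takes the argmin of anticipation cost plus failure cost as the optimal degree, the optimum of Figure 1. The baseline curves, the residual failure cost of 100, the CSAT cost and benefit functions and their slope of 10 per degree are all constructed assumptions, chosen so that every scenario has a unique optimum on the grid.

```python
"""Numerical illustration of the cost-benefit framework in Figure 7.
Added example with constructed curves; it is not the paper's model or data."""
from typing import Callable, Dict, Optional, Tuple

# Degree of security on a discrete grid (constructed): 0 = no safeguards, 10 = strongest.
LEVELS = range(0, 11)

CostFn = Callable[[int], int]


def anticipation_cost(s: int) -> int:
    """Spend on safeguards; rises ever faster with the degree of security (constructed)."""
    return 2 * s * s


def failure_cost(s: int) -> int:
    """Expected loss from incidents; falls with the degree of security but keeps a
    residual of 100 that safeguards alone never remove (constructed)."""
    return 3 * (10 - s) ** 2 + 100


# Three projected cost types, expressed as the extra anticipation cost at degree s.
CSAT_COST: Dict[str, CostFn] = {
    "constant": lambda s: 40,                # same spend at every degree
    "complementary": lambda s: 10 * s,       # more training as the system gets stronger
    "compensatory": lambda s: 100 - 10 * s,  # more training where safeguards are weak
}

# Four projected benefit types, expressed as the failure cost removed at degree s.
CSAT_BENEFIT: Dict[str, CostFn] = {
    "negligible": lambda s: 0,
    "consistent": lambda s: 20,
    "increasing": lambda s: 10 * s,         # more loss avoided at a higher degree
    "diminishing": lambda s: 100 - 10 * s,  # more loss avoided at a lower degree
}


def total_cost(s: int, cost: Optional[CostFn] = None,
               benefit: Optional[CostFn] = None) -> int:
    """Anticipation cost (plus CSAT spend) plus failure cost (minus CSAT benefit).
    The failure cost cannot drop below zero however large the benefit."""
    extra = cost(s) if cost else 0
    saved = benefit(s) if benefit else 0
    return anticipation_cost(s) + extra + max(0, failure_cost(s) - saved)


def optimal_degree(cost: Optional[CostFn] = None,
                   benefit: Optional[CostFn] = None) -> int:
    """The degree that minimises total cybersecurity cost (the optimum of Figure 1)."""
    return min(LEVELS, key=lambda s: total_cost(s, cost, benefit))


def direction(new: int, base: int) -> str:
    """Label the shift of the optimum the way the cells of Figure 7 do."""
    if new == base:
        return "No change"
    return "Higher" if new > base else "Lower"


def scenario_table() -> Dict[Tuple[str, str], str]:
    """Shift of the optimal degree for each (benefit, cost) pair, as in Figure 7."""
    base = optimal_degree()
    return {(b_name, c_name): direction(optimal_degree(c_fn, b_fn), base)
            for b_name, b_fn in CSAT_BENEFIT.items()
            for c_name, c_fn in CSAT_COST.items()}


def resolve_undecided(benefit_per_degree: int) -> str:
    """Complementary cost (10 per degree) against an increasing benefit of
    `benefit_per_degree`: the outcome depends on which effect is stronger, which is
    why Figure 7 marks this cell 'Undecided'."""
    base = optimal_degree()
    new = optimal_degree(CSAT_COST["complementary"], lambda s: benefit_per_degree * s)
    return direction(new, base)


if __name__ == "__main__":
    print("baseline optimal degree:", optimal_degree())
    for (b_name, c_name), shift in scenario_table().items():
        print(f"{b_name:>11} benefit / {c_name:>13} cost -> {shift}")
    for k in (4, 10, 16):
        print(f"complementary cost vs increasing benefit of {k}/degree -> {resolve_undecided(k)}")
```

With these constructed slopes the cost and benefit effects cancel exactly in the two "Undecided" cells, so the table reports "No change" there; `resolve_undecided` shows that making the increasing benefit weaker (4 per degree) or stronger (16 per degree) than the complementary cost tips the complementary/increasing cell to "Lower" or "Higher", which is the trade-off Propositions 5 and 6 leave open.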
4.2.4 Applicability of CSAT programs. The applicability of a CSAT program is next explored based on the cost–benefit analysis in the previous subsection.
First of all, no matter what the cost is for a CSAT program, it should help a company
reduce its failure cost. Therefore, CSAT programs with negligible benefits should be avoided
unless they are implemented to just satisfy specific legal or environmental requirements. In
this case, as shown in the cell with gray background in Figure 8, companies should adopt the
compensatory type of CSAT programs; this helps increase their optimal security level even
though the failure cost is not reduced. Second, since the projected benefit of a CSAT program
is typically associated with the projected cost incurred by the program, some of the 12
combinations shown in Figure 7 are not very likely to exist. For instance, when the expense of
a CSAT program is the same across different degrees of security, it is hard to expect either an
increasing or diminishing benefit. Similarly, when a company spends more on its CSAT
program at a higher (lower) degree of security, it is less likely that the program’s benefit will
be nonincreasing (nondecreasing).
Figure 8 displays the four possible scenarios of the 12 cells from the perspective of
applicability. The three cells with the red background denote the CSAT programs with no
benefit; these should be avoided. The cells with the brown background indicate the situations
of those CSAT programs in which the projected benefits are not very likely to match the
projected costs and not desired as they lower a company’s optimal level of security. In
contrast, the three cells with the light blue background specify the possible CSAT programs,
while the three with the blue background are desired, although they are also less likely, as
they help upgrade the company’s level of security.
4.2.5 Implementing CSAT programs. Following up on different CSAT programs’ applicability, we finally discuss how they can be effectively implemented. Figure 9 visually displays the strategies for implementing possible CSAT programs to enhance their efficacies.

Figure 8. Applicability of different types of CSAT programs

Projected benefit     Projected cost of CSAT programs
of CSAT programs      Constant                    Complementary               Compensatory
Negligible            Avoid                       Avoid                       Legal or environmental requirements
Consistent            Possible                    Less likely and undesired   Less likely but desired
Increasing            Less likely but desired     Possible                    Less likely but desired
Diminishing           Less likely and undesired   Less likely and undesired   Possible

Figure 9. Implementation of CSAT programs (diagram: the horizontal axis is the CSAT programs’ costs w.r.t. the level of security, running from Complementary on the left through Constant to Compensatory on the right; the vertical axis is the CSAT programs’ benefits w.r.t. the level of security, running from Diminishing at the bottom through Consistent to Increasing at the top. Point I sits at the centre, with B above it, D to its right, F below it and H to its left; the corners are A (top left), C (top right), E (bottom right) and G (bottom left). The regions these points delimit are listed in Table 3.)
In Figure 9, the horizontal and vertical axes denote how a CSAT program’s cost and benefit change with a company’s level of security. The dotted lines indicate the boundary of the maximal changes allowed in the cost and benefit. The three possible, three less likely but desired and three less likely and undesired CSAT programs are also represented in Figure 9. Their matching parts are summarized in Table 3 as follows.
When a company implements CSAT programs (2) or (3), its level of security may not always increase due to the trade-off between the opposite effects of the cost and benefit of the program. The two triangular areas with gridlines represent the CSAT programs in which either the cost or the benefit has the stronger effect, so that the program helps the company upgrade its security level. Therefore, these two areas (ABI and IDE) stand for the CSAT programs that companies should implement. The area BCDI and lines IB and ID denote the CSAT programs that companies should aspire to implement; it is difficult for companies to match these programs’ benefits with their costs, but they help them increase their security level. In particular, point C is the one that can maximally upgrade companies’ level of security; this implies that ideally, a CSAT program should spend more of its expenses on training employees to deal with the security threats at a lower level of security and to reduce more losses at a higher level of security.
Researchers from both the industry and academia have developed several useful methods and tools that can help assess a company’s level of security, for instance, BitSight (Bannam, 2017), SecurityScorecard (Herath et al., 2010), Value at Risk (Ekelund and Iskoujina, 2019), Factor Analysis of Information Risk (Freund and Jones, 2014), SAFE (Security Assessment Framework for Enterprise) platform (Lucideus Incorporated, 2020), and Cyber Doppler (Boston Consulting Group, 2019). These methods and tools can be employed to evaluate a company’s security level before and after implementing a CSAT program and thus quantify its benefit.

Table 3. Different CSAT programs represented in Figure 9

No  Category                    Benefit      Cost           Matching part in Figure 9
1   Possible                    Consistent   Constant       Point I
2   Possible                    Increasing   Complementary  Area ABIH
3   Possible                    Diminishing  Compensatory   Area IDEF
4   Less likely but desired     Increasing   Constant       Line IB
5   Less likely but desired     Increasing   Compensatory   Area BCDI
6   Less likely but desired     Consistent   Compensatory   Line ID
7   Less likely and undesired   Consistent   Complementary  Line HI
8   Less likely and undesired   Diminishing  Complementary  Area HIFG
9   Less likely and undesired   Diminishing  Constant       Line IF
We next illustrate a specific example of how to find out the best security level and implement a CSAT program accordingly based on our findings. When the SecurityScorecard method is adopted by companies, they commonly employ phishing tests to test employees’ compliance with security policies (Epstein, 2014). When phishing tests are conducted, the phishing susceptibility rate (PSR), the total number of failures (i.e. the number of employees who took the bait) divided by the total number of attempts, can be used to measure the failure cost at a company’s current security level (Williams et al., 2018).
As we discussed earlier in the paper, a company determines its optimal security level by
minimizing the total of its anticipation cost and failure cost, shown in Figure 1. Phishing
tests can help companies estimate their failure costs at different security levels, but it is
impossible to test every level. Therefore, companies should identify several possible
security levels (e.g. high, middle and low) and perform pilot phishing tests on a small scale
(e.g. in a department) to estimate the anticipation cost and the failure cost of these levels.
Calculating the total of anticipation and failure costs, companies can determine the best
security level. Figure 10 summarizes these steps. It should be noted that the pilot tests
may not represent the actual outcomes in the entire company. A company-wide phishing
test can be performed before the best security level is decided and deployed in the whole
company.
According to our findings summarized in Figure 9, a CSAT program should spend its
expense more on training topics corresponding to security levels that are equal to or lower
than the current levels. Phishing tests can be performed again after the delivery of a CSAT
program to measure the benefit of the program (Dodge et al., 2012), i.e. the reduction of the
failure cost (represented by the possible decrease of PSR). Ideally, the PSR should be reduced
more at a higher security level; in this way, companies can move to a higher security level
after the completion of the CSAT program. From a long-term perspective, based on the
appraised benefit of a CSAT program and its expenses, companies can continuously adjust
the focus of their training program to upgrade their level of security.
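The pilot-test procedure just described, worked through with constructed numbers as an added example (our own code for this edited page, not the paper's data or any vendor's tooling): three candidate security levels are piloted in one department, the PSR of each pilot is scaled by an assumed exposure figure into a failure cost, the level with the lowest anticipation plus failure cost is chosen, and a second round of phishing tests after the training is mapped onto the four benefit types by how much the PSR drops at each level. The linear scaling from PSR to loss, the exposure value, the anticipation costs and every attempt and failure count are assumptions.

```python
"""Pilot phishing tests to pick a security level and to measure a CSAT program's
benefit (the procedure of Figure 10). Added example with constructed numbers."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PilotResult:
    """One candidate security level, piloted in a single department (constructed)."""
    level: str
    anticipation_cost: float  # estimated annual spend on safeguards at this level
    attempts: int             # simulated phishing messages sent in the pilot
    failures: int             # employees who took the bait


def phishing_susceptibility_rate(failures: int, attempts: int) -> float:
    """PSR = failures / attempts, the failure-cost proxy used in the text."""
    if attempts <= 0:
        raise ValueError("a pilot needs at least one phishing attempt")
    if not 0 <= failures <= attempts:
        raise ValueError("failures must lie between 0 and attempts")
    return failures / attempts


def estimated_failure_cost(psr: float, exposure: float) -> float:
    """Assumption: expected loss scales linearly with PSR, where `exposure` is the loss
    the company would face if every targeted employee fell for the phish."""
    return psr * exposure


def evaluate_levels(pilots: List[PilotResult], exposure: float) -> Dict[str, Dict[str, float]]:
    """PSR, anticipation, failure and total cost per candidate level."""
    table: Dict[str, Dict[str, float]] = {}
    for p in pilots:
        psr = phishing_susceptibility_rate(p.failures, p.attempts)
        failure = estimated_failure_cost(psr, exposure)
        table[p.level] = {"psr": psr, "anticipation": p.anticipation_cost,
                          "failure": failure, "total": p.anticipation_cost + failure}
    return table


def best_security_level(pilots: List[PilotResult], exposure: float) -> str:
    """The level whose anticipation plus failure cost is lowest (the optimum of Figure 1)."""
    costs = evaluate_levels(pilots, exposure)
    return min(costs, key=lambda lvl: costs[lvl]["total"])


def psr_reductions(before: List[PilotResult], after: Dict[str, Tuple[int, int]]) -> List[float]:
    """PSR drop per level after the CSAT program, in the order the levels are given
    (lowest to highest security). `after` maps level -> (failures, attempts)."""
    drops = []
    for p in before:
        failures, attempts = after[p.level]
        drops.append(phishing_susceptibility_rate(p.failures, p.attempts)
                     - phishing_susceptibility_rate(failures, attempts))
    return drops


def classify_benefit(reductions: List[float], tol: float = 1e-9) -> str:
    """Map the per-level PSR drop (lowest to highest security) onto the paper's
    four benefit types; anything else is reported as 'mixed'."""
    if all(abs(r) <= tol for r in reductions):
        return "negligible"
    steps = [b - a for a, b in zip(reductions, reductions[1:])]
    if all(abs(d) <= tol for d in steps):
        return "consistent"
    if all(d > tol for d in steps):
        return "increasing"
    if all(d < -tol for d in steps):
        return "diminishing"
    return "mixed"


# Constructed pilot data for three candidate levels, lowest security first.
PILOTS = [
    PilotResult("low", 100_000.0, 200, 60),
    PilotResult("middle", 250_000.0, 200, 24),
    PilotResult("high", 450_000.0, 500, 40),
]
EXPOSURE = 2_000_000.0  # constructed: loss if every targeted employee were phished

# Constructed post-training results, level -> (failures, attempts).
AFTER_CSAT = {"low": (50, 200), "middle": (12, 200), "high": (5, 500)}

if __name__ == "__main__":
    for lvl, row in evaluate_levels(PILOTS, EXPOSURE).items():
        print(f"{lvl:>6}: PSR={row['psr']:.2f} total={row['total']:,.0f}")
    print("best level:", best_security_level(PILOTS, EXPOSURE))
    drops = psr_reductions(PILOTS, AFTER_CSAT)
    print("PSR reductions low->high:", [round(d, 3) for d in drops], classify_benefit(drops))
```

Because the pilots run in a single department, the chosen level should be confirmed with a company-wide phishing test before the deployment, as the text notes; the same `psr_reductions` call then measures the program's benefit once training has been delivered.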

Figure 10. Steps for determining the best security level: identify several possible security levels; conduct a pilot phishing test for each of the security levels; estimate the anticipation cost for each level and the failure cost for each level; calculate the total cost for each level; determine the best security level.

5. Actionable recommendations
Following up on the findings from our cost–benefit analysis, we next make some actionable recommendations to help companies invest wisely when choosing and developing effective CSAT programs.
5.1 Investing wisely in CSAT programs
It is crucial to allocate appropriate investment in CSAT programs. When the budget for a CSAT program is too low, companies are likely to suffer from security incidents and data breaches and to incur a substantial loss. However, the allocation of a high budget for a CSAT program is not a guarantee that security incidents will not happen to the company. Optimal resource allocation for security is often affected by uncertain variables, which can lead to disparities in resource allocation decisions. Companies must be realistic and develop a clear strategy for funding CSAT programs with a focus on training their employees to handle the most common security threats at a lower level of security.

5.2 Making CSAT programs effective


Companies are concerned about the effectiveness of their investments in CSAT programs.
Companies should collect time-series data related to security incidents (such as phishing
attacks and malware infections) to see if there is a reduction in trend for those types of
security incidents. Also, companies can track whether there is an increase in employees’ use
of strong passwords (Dimov and Juzenaite, 2015) to measure the benefits of their CSAT
programs.
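For the time-series check recommended above, an added example (our own code for this edited page, not from the paper) that fits a least-squares trend line to monthly incident counts before and after a CSAT program and reports whether the trend reversed and how far the monthly average fell. The monthly counts are constructed.

```python
"""Trend check for the incident time series recommended in section 5.2.
Added example; the monthly counts below are constructed, not real data."""
from typing import Dict, Sequence


def least_squares_slope(series: Sequence[float]) -> float:
    """Slope (incidents per month) of the ordinary least-squares line through the series."""
    n = len(series)
    if n < 2:
        raise ValueError("need at least two observations to fit a trend")
    x_mean = (n - 1) / 2.0
    y_mean = sum(series) / n
    numerator = sum((x - x_mean) * (y - y_mean) for x, y in zip(range(n), series))
    denominator = sum((x - x_mean) ** 2 for x in range(n))
    return numerator / denominator


def incident_trend_report(before: Sequence[int], after: Sequence[int]) -> Dict[str, float]:
    """Trend and average monthly count before and after CSAT delivery."""
    before_mean = sum(before) / len(before)
    after_mean = sum(after) / len(after)
    return {
        "slope_before": least_squares_slope(before),
        "slope_after": least_squares_slope(after),
        "mean_before": before_mean,
        "mean_after": after_mean,
        "relative_reduction": 1.0 - after_mean / before_mean,
    }


def trend_reversed(report: Dict[str, float]) -> bool:
    """True when incidents were rising (or flat) before training and fall afterwards."""
    return report["slope_before"] >= 0.0 and report["slope_after"] < 0.0


# Constructed monthly counts of phishing-click incidents, six months before and six after.
INCIDENTS_BEFORE = [20, 22, 21, 24, 23, 26]
INCIDENTS_AFTER = [18, 15, 14, 12, 11, 10]

if __name__ == "__main__":
    report = incident_trend_report(INCIDENTS_BEFORE, INCIDENTS_AFTER)
    for key, value in report.items():
        print(f"{key:>18}: {value:.3f}")
    print("trend reversed:", trend_reversed(report))
```

A falling slope after training is evidence, not proof: changes in detection coverage or seasonal swings in phishing volume move the same series, so compare the post-training window against a control group or an earlier year before crediting the program.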

5.3 Identifying CSAT focuses properly


Studies show that traditional CSAT programs that utilize a “one-size-fits-all” approach do not
work well for all employees, since employees have different job functions or knowledge levels
(Valentine, 2006; Pattinson et al., 2019). Companies should inventory and prioritize assets and
then should determine the strength of the cybersecurity protection required at each level.
Accordingly, CSAT programs need to identify workers who have access to assets at different
protection levels and offer them differentiated training based on their job requirements/
functions or their knowledge levels. According to our findings, the focus of a CSAT program’s
expenses needs to be on lower levels of security and its benefits should help companies to
avoid losses at higher levels of security.

5.4 Developing CSAT programs jointly


A budget plan should be developed by involving representatives from all of the related
departments, such as the IT department, the human resource (HR) department and the
training department. The budget of the CSAT programs can be shared across all of the
related departments by their roles and responsibilities since a CSAT program will benefit all
of them (Santora, 2019). Some organizations may have an annual training budget for
employees, and it might also be possible to allocate a portion of that training budget for CSAT
programs. Organizations need to consider CSAT as a long-term investment instead of as an
expense (Carfagno, 2018) since security risks are evolving and are continuously becoming
more sophisticated. It is necessary to have a regular budget for CSAT that can be committed
to keeping the training content and the delivery method of the CSAT program up-to-date.

6. Conclusion
Cybersecurity risks that result in a data breach are business risks that damage organizations’
finances and reputations. As a result of increasing breaches, many organizations are
prepared to make substantial investments in cybersecurity, and cybersecurity budgets have
generally been growing in many organizations (Moore et al., 2016).
Since workers are often the weakest link in an organization’s cybersecurity chain, organizations must develop an effective CSAT program that can motivate their employees to stay alert and to avoid breaches. To that end, an adequate annual budget for CSAT programs needs to include funding for training resources, consulting, testing, advertising, software/hardware and/or professional services costs. However, providing adequate resources to build and to maintain an effective CSAT program is not an easy task, since cybersecurity prevention must change constantly to keep up with new kinds of cybersecurity breaches. Companies must understand the costs and benefits associated with CSAT programs and must develop a clear strategy for funding such programs.
Our research makes significant contributions to the existing literature by establishing a
formal framework for conducting a cost–benefit analysis of CSAT programs with different
projected costs and benefits. In particular, we differentiate three types of CSAT programs
(constant, complementary and compensatory) in terms of their costs and four types (ineffective,
consistent, increasing and diminishing) of CSAT programs with respect to their benefits. In
our framework, the projected cost increases with the degree of security for a complementary
CSAT program, decreases for a compensatory CSAT program, and remains the same for a
constant CSAT program. In terms of the projected benefit, a CSAT program with an
ineffective benefit does not reduce any failure cost, a CSAT program with a consistent benefit
reduces the same amount of failure cost at every degree of security, a CSAT program with an
increasing benefit reduces more of a company’s failure cost at a higher degree of security, and
a CSAT program with a diminishing benefit decreases more of the failure cost at a lower
degree of security.
In addition, we investigate the impact of CSAT programs with different costs and benefits
on a company’s optimal degree of security. Our findings indicate that the benefit of a CSAT
program with different types of cost plays a disparate role in helping companies keep,
upgrade or lower their existing degrees of security. If a company is to implement a CSAT
program with a projected constant cost and a consistent benefit, the optimal degree of
security will remain the same. A CSAT program with a compensatory cost will help a
company move to a higher level of security since the company can take advantage of such a
program to incur a lower cost at a higher security level, whereas a CSAT program with a
complementary cost can significantly reduce a company’s willingness to move to a higher
security level as the company would have to spend additional expenses on cybersecurity
training at a higher level.
Although our research makes valuable contributions to the literature and provides
useful insights to the practitioners, it is limited by its theoretical basis. Our cost–benefit
analysis does not consider the impact of CSAT programs on a company’s total
cybersecurity cost because companies with different sizes, or in diverse settings, may vary
significantly in their anticipation and failure costs. Although anticipation costs may be
measured based on companies’ investment in cybersecurity systems or other safeguards, it
is difficult to objectively assess the failure costs of different companies. Depending on the
actual amount of the failure and anticipation costs, the total cybersecurity cost may either
increase or decrease after a CSAT program is implemented. Future research should
contact both large and small organizations to conduct detailed case studies related to their
investment in CSAT programs, to generate managerial insights that can be widely
applicable for the budgeting of enterprise CSAT programs. Such case studies will help to
provide decision support and will help to identify policies that would optimize expected
returns from investments in CSAT programs. Future research should also take into
account the legal and environmental requirements while studying the costs incurred by
implementing personalized CSAT programs to match an individual’s security knowledge,
experience, learning style and learning preferences.
References
Abawajy, J. (2014), “User preference of cyber security awareness delivery methods”, Behaviour and Information Technology, Vol. 33 No. 3, pp. 237-248.
Adams, R. (2018), “Our approach to employee security training”, March 20, available at: https://www.pagerduty.com/blog/security-training-at-pagerduty/.
Aldawood, H. and Skinner, G. (2019), “Reviewing cyber security social engineering training and awareness programs – pitfalls and ongoing issues”, Future Internet, Vol. 11 No. 3, p. 73.
Bannam, R. (2017), “Cyber scorekeepers: a growing number of ratings firms aim to help companies
and their insurers assess and manage cyber security risks”, Risk Management, Vol. 64 No. 10,
pp. 26-30.
Bojanc, R. and Jerman-Blazic, B. (2008), “An economic modelling approach to information security risk
management”, International Journal of Information Management, Vol. 28 No. 5, pp. 413-422.
Boston Consulting Group (2019), “Mastering cybersecurity with BCG”, available at: https://www.bcg.
com/en-us/capabilities/technology-digital/mastering-cybersecurity.aspx.
Carfagno, D. (2018), “How much should your company invest in cybersecurity?”, November 4,
available at: https://www.blackstratus.com/how-much-should-your-company-invest-in-
cybersecurity/.
Cavusoglu, H., Raghunathan, S. and Yue, W.T. (2008), “Decision-theoretic and game-theoretic
approaches to IT security investment”, Journal of Management Information Systems, Vol. 25
No. 2, pp. 281-304.
Chatterjee, D. (2019), “Should executives go to jail over cyber security breaches?”, Journal of
Organizational Computing and Electronic Commerce, Vol. 29 No. 1, pp. 1-3.
Chengalur-Smith, I. and Abraham, S. (2019), “Evaluating the effectiveness of learner controlled
information security training”, Computers and Security, Vol. 87, 101586.
Conteh, N.Y. and Schmick, P.J. (2016), “Cyber security: risks, vulnerabilities and countermeasures to
prevent social engineering attacks”, International Journal of Advanced Computer Research,
Vol. 6 No. 23, p. 31.
Cordes, J.J. (2011), “An overview of the economics of cybersecurity and cybersecurity policy”, George
Washington University, Cybersecurity Policy Research Institute Report, pp. 1-18.
De Maggio, M.C., Mastrapasqua, M., Tesei, M., Chittaro, A. and Setola, R. (2019), “How to improve the
security awareness in complex organizations”, European Journal of Scientific Research, Vol. 4,
pp. 33-49.
Dimov, D. and Juzenaite, R. (2015), “Budgeting for security awareness: who – what – when – where –
why – how much”, available at: https://resources.infosecinstitute.com/budgeting-for-security-
awareness-who-what-when-where-why-how-much/#gref.
Disparte, D. and Furlow, C. (2017), “The best cybersecurity investment you can make is better
training”, Harvard Business Review, available at: https://hbr.org/2017/05/the-best-cybersecurity-
investment-you-can-make-is-better-training.
Dodge, R., Coronges, K. and Rovira, E. (2012), “Empirical benefits of training to phishing
susceptibility”, IFIP International Information Security Conference, June, Springer, Berlin,
Heidelberg, pp. 457-464.
Ekelund, S. and Iskoujina, Z. (2019), “Cybersecurity economics–balancing operational security
spending”, Information Technology and People, Vol. 32 No. 5, pp. 1318-1342.
Epstein, J. (2014), “Phishing our employees”, IEEE Security and Privacy, Vol. 12 No. 3, pp. 3-4.
Fagade, T., Maraslis, K. and Tryfonas, T. (2017), “Towards effective cybersecurity resource allocation:
the Monte Carlo predictive modelling approach”, International Journal of Critical
Infrastructures, Vol. 13 Nos 2-3, pp. 152-167.
Fielder, A., Panaousis, E., Malacaria, P., Hankin, C. and Smeraldi, F. (2016), “Decision support approaches for cyber security investment”, Decision Support Systems, Vol. 86, pp. 13-23.
Freund, J. and Jones, J. (2014), Measuring and Managing Information Risk: A FAIR Approach, Butterworth-Heinemann, Oxford.
Gordon, L.A. and Loeb, M.P. (2002), “The economics of information security investment”, ACM Transactions on Information and System Security, Vol. 5 No. 4, pp. 438-457.
Gordon, L.A. and Loeb, M.P. (2006), Managing Cybersecurity Resources: A Cost-Benefit Analysis, Vol. 1, McGraw-Hill, New York.
Gordon, L.A., Loeb, M.P. and Zhou, L. (2020), “Integrating cost–benefit analysis into the NIST cybersecurity
framework via the Gordon–Loeb model”, Journal of Cybersecurity, Vol. 6 No. 1, tyaa005.
Gross, A. (2018), “Effective security training requires change in employee behavior”, available at:
https://www.hitechanswers.net/effective-security-training-requires-change-in-employee-
behavior/.
He, W., Ash, I., Anwar, M., Li, L., Yuan, X., Xu, L. and Tian, X. (2019), “Improving employees’
intellectual capacity for cybersecurity through evidence-based malware training”, Journal of
Intellectual Capital, Vol. 21 No. 2, pp. 203-213.
He, W. and Zhang, Z. (2019), “Enterprise cybersecurity training and awareness programs:
recommendations for success”, Journal of Organizational Computing and Electronic
Commerce, Vol. 29 No. 4, pp. 249-257.
Herath, T., Herath, H. and Bremser, W.G. (2010), “Balanced scorecard implementation of security
strategies: a framework for IT security performance management”, Information Systems
Management, Vol. 27 No. 1, pp. 72-81.
Hua, J. and Bapna, S. (2013), “The economic impact of cyber terrorism”, The Journal of Strategic
Information Systems, Vol. 22 No. 2, pp. 175-186.
Huang, C.D., Hu, Q. and Behara, R.S. (2008), “An economic analysis of the optimal information security
investment in the case of a risk-averse”, International Journal of Production Economics, Vol. 114
No. 2, pp. 793-804.
IBM (2019), “IBM X-Force threat intelligence index 2019”, available at: https://www.ibm.com/
downloads/cas/ZGB3ERYD.
Jalali, M.S., Siegel, M. and Madnick, S. (2019), “Decision-making and biases in cybersecurity capability
development: evidence from a simulation game experiment”, The Journal of Strategic
Information Systems, Vol. 28 No. 1, pp. 66-82.
Jerman-Blazic, B. (2012), “Quantitative model for economic analyses of information security
investment in an enterprise information system”, Organizacija, Vol. 45 No. 6, pp. 276-288.
Jin, G., Tu, M., Kim, T.H., Heffron, J. and White, J. (2018), “Game based cybersecurity training for high
school students”, Proceedings of the 49th ACM Technical Symposium on Computer Science
Education, pp. 68-73.
Khan, H.U. and AlShare, K.A. (2019), “Violators versus non-violators of information security measures
in organizations – a study of distinguishing factors”, Journal of Organizational Computing and
Electronic Commerce, Vol. 29 No. 1, pp. 4-23.
KnowBe4 (2019), “The return on investment (ROI) of security awareness training”, available at:
https://www.knowbe4.com/resources/security-awareness-training-roi/.
Kweon, E., Lee, H., Chai, S. and Yoo, K. (2019), “The utility of information security training and education
on cybersecurity incidents: an empirical evidence”, Information Systems Frontiers, pp. 1-13.
Li, L., He, W., Xu, L., Ash, I., Anwar, M. and Yuan, X. (2019), “Investigating the impact of
cybersecurity policy awareness on employees’ cybersecurity behavior”, International Journal of
Information Management, Vol. 45, pp. 13-24.
Lucideus Incorporated (2020), “SAFE security assessment framework for enterprise”, available at:
https://www.lucideus.com/safe.html.
Mejia, G. (2019), “Examining the impact of major security breaches on organizational performance: should investing in cybersecurity be a requirement for companies?”, Doctoral dissertation, Utica College.
Moore, T., Dynes, S. and Chang, F.R. (2016), “Identifying how firms manage cybersecurity investment”, available at: https://cpb-us-w2.wpmucdn.com/blog.smu.edu/dist/e/97/files/2015/10/SMU-IBM.pdf.
Nadkarni, S. (2012), “Security awareness training made easy”, available at: https://www.computerweekly.com/tip/Security-awareness-training-made-easy.
Njilla, L.L., Kamhoua, C.A., Kwiat, K.A., Hurley, P. and Pissinou, N. (2017), “Cyber security resource
allocation: a Markov decision process approach”, 2017 IEEE 18th International Symposium on
High Assurance Systems Engineering (HASE), January, IEEE, pp. 49-52.
Norris, D.F., Mateczun, L., Joshi, A. and Finin, T. (2019), “Cyberattacks at the grass roots: American
local governments and the need for high levels of cybersecurity”, Public Administration Review,
Vol. 79 No. 6, pp. 895-904.
Pandasecurity (2017), “3 ways to minimize ‘security fatigue’ among employees”, available at: https://
www.pandasecurity.com/mediacenter/tips/minimize-security-fatigue/.
Pattinson, M., Butavicius, M., Lillie, M., Ciccarello, B., Parsons, K., Calic, D. and McCormac, A. (2019),
“Matching training to individual learning styles improves information security awareness”,
Information and Computer Security, Vol. 28 No. 1, pp. 1-14.
Piccoli, G. and Pigni, F. (2019), Information Systems for Managers, Prospect Press, Burlington, VT.
Ponnusamy, V., Selvam, L.M.P. and Rafique, K. (2020), “Cybersecurity governance on social
engineering awareness”, in Vasaki, P., Khalid, R. and Noor, Z. (Eds), Employing Recent
Technologies for Improved Digital Governance, IGI Global, pp. 210-236.
Qian, X., Liu, X., Pei, J. and Pardalos, P.M. (2018), “A new game of information sharing and security
investment between two allied firms”, International Journal of Production Research, Vol. 56
No. 12, pp. 4069-4086.
Rue, R. and Pfleeger, S.L. (2009), “Making the best use of cybersecurity economic models”, IEEE
Security and Privacy, Vol. 7 No. 4, pp. 52-60.
Santora, N. (2019), “How to buy a security awareness training program”, January 11, available at:
https://securityboulevard.com/2019/01/how-to-buy-a-security-awareness-training-program/.
Schmidt, M.B., Johnston, A.C., Arnett, K.P., Chen, J.Q. and Li, S. (2008), “A cross-cultural comparison of
US and Chinese computer security awareness”, Journal of Global Information Management,
Vol. 16 No. 2, pp. 91-103.
Shao, X., Siponen, M. and Liu, F. (2020), “Shall we follow? Impact of reputation concern on information
security managers’ investment decisions”, Computers and Security, Vol. 97, 101961.
Shaw, R.S., Chen, C.C., Harris, A.L. and Huang, H.J. (2009), “The impact of information richness on
information security awareness training effectiveness”, Computers and Education, Vol. 52,
pp. 92-100.
Shin, D. (2010), “The effects of trust, security and privacy in social networking: a security-based
approach to understand the pattern of adoption”, Interacting with Computers, Vol. 22 No. 5,
pp. 428-438, doi: 10.1016/j.intcom.2010.05.001.
Shin, D. and Ahn, D. (2013), “Associations between game use and cognitive empathy: a cross-
generational study”, Cyberpsychology, Behavior, and Social Networking, Vol. 16 No. 8,
pp. 599-603, doi: 10.1089/cyber.2012.0639.
Srinidhi, B., Yan, J. and Tayi, G.K. (2015), “Allocation of resources to cyber-security: the effect of
misalignment of interest between managers and investors”, Decision Support Systems, Vol. 75,
pp. 49-62.
Teh, P., Ahmed, P.K. and D’Arcy, J. (2015), “What drives information security policy violations among Cybersecurity
banking employees?: insights from neutralization and social exchange theory”, Journal of Global
Information Management, Vol. 23 No. 1, pp. 44-64, doi: 10.4018/jgim.2015010103. awareness
Tschakert, K.F. and Ngamsuriyaroj, S. (2019), “Effectiveness of and user preferences for security
training
awareness training methodologies”, Heliyon, Vol. 5 No. 6, e02010. programs
Valentine, J.A. (2006), “Enhancing the employee security awareness model”, Computer Fraud and
Security, Vol. 2006 No. 6, pp. 17-19.
633
Wang, J., Chaudhury, A. and Rao, H.R. (2008), “A value-at-risk approach to information security
investment”, Information Systems Research, Vol. 19 No. 1, pp. 106-120.
Weish€aupl, E., Yasasin, E. and Schryen, G. (2018), “Information security investments: an exploratory
multiple case study on decision-making, evaluation and learning”, Computers and Security,
Vol. 77, pp. 807-823.
Willemson, J. (2006), “On the Gordon and Loeb model for information security investment”, in The
Fifth Workshop on Economics of Information Security (WEIS), University of Cambridge,
available at: http://www.econinfosec.org/archive/weis2006/docs/12.pdf.
Williams, E.J., Hinds, J. and Joinson, A.N. (2018), “Exploring susceptibility to phishing in the
workplace”, International Journal of Human-Computer Studies, Vol. 120, pp. 1-13.
Winkler, I. (2018), The Fundamental Flaw in Security Awareness Programs, July 19, InformationWeek
IT Network, available at: https://www.darkreading.com/endpoint/the-fundamental-flaw-in-
security-awareness-programs/a/d-id/1332301.
Yaokumah, W., Walker, D.O. and Kumah, P. (2019), “SETA and security behavior: mediating role of
employee relations, monitoring, and accountability”, Journal of Global Information
Management, Vol. 27 No. 2, pp. 102-121, doi: 10.4018/JGIM.2019040106.

Further reading
Chen, R., Rao, H.R. and Valecha, R. (2016), “Response to the office of personnel management data
breaches: a conceptual exploration”, The 2016 Americas Conference on Information
Systems, 2016.
Dobran, B. (2018), “Start a security awareness training program your staff can’t ignore”, available at:
https://phoenixnap.com/blog/security-awareness-training-program.
Huang, C.D., Behara, R.S. and Goo, J. (2014), “Optimal information security investment in a healthcare
information exchange: an economic analysis”, Decision Support Systems, Vol. 61, pp. 1-11.
IBM (2014), “IBM security services 2014 cyber security intelligence index”, available at: http://media.
scmagazine.com/documents/82/ibm_cyber_security_intelligenc_20450.pdf.
Katz, I. (2017), “Cybersecurity awareness training: how to improve employee security behavior”,
available at: https://blog.dashlane.com/cybersecurity-awareness-training-how-to/.
Rhee, H.S., Ryu, Y. and Kim, C.T. (2005), “I am fine but you are not: optimistic bias and illusion of
control on information security”, ICIS 2005 Proceedings, Vol. 32.
Schwarzer, R. (1994), “Optimism, vulnerability, and self-beliefs as health-related cognitions: a
systematic overview”, Psychology and Health, Vol. 9 No. 3, pp. 161-180.
Stilgherrian (2018), “Security training is useless unless it changes behaviours”, ZDNet, April 3, available
at: https://www.zdnet.com/article/security-training-is-useless-unless-it-changes-behaviours/.
Appendix
A. Proof of Lemma 1
Proof: The total cost of cybersecurity for a company with no cybersecurity training and awareness program is $C(s) = a(s) + f(s)$, where $a(s)$ is the cost of attaining the degree of security $s$ and $f(s)$ is the expected loss at that degree. The first derivative of $C(s)$ with respect to $s$ is $C'(s) = a'(s) + f'(s)$. Since $a'(s) > 0$ and $f'(s) < 0$, there exists an optimal degree of security $s^*$ at which $C'(s^*) = 0$, i.e. at which the marginal cost of security equals the marginal loss reduction, $a'(s^*) = -f'(s^*)$.

B. Proof of Proposition 2
Proof: When $F_X = F_Y$ for companies X and Y, if $f'_X(s) > f'_Y(s)$, $\forall s \in [0, \infty)$, then $-f'_X(s) < -f'_Y(s)$, so the marginal loss reduction curve of X lies below that of Y and meets $a'(s)$ at a lower degree of security; hence $s^*_X < s^*_Y$, as shown in Figure A1.
[Figure A1. Proof of Proposition 2. Horizontal axis: degree of security; vertical axis: derivative. Curves: $a'(s)$, $-f'_Y(s)$ and $-f'_X(s)$; the intersections with $a'(s)$ mark $s^*_X$ and $s^*_Y$.]

C. Proof of Proposition 3
Proof: If $a'_X(s) > a'_Y(s)$, $\forall s \in [0, \infty)$, for companies X and Y, then the marginal cost curve of X lies above that of Y and meets $-f'(s)$ at a lower degree of security; hence $s^*_X < s^*_Y$, as shown in Figure A2.
[Figure A2. Proof of Proposition 3. Horizontal axis: degree of security; vertical axis: derivative. Curves: $a'_X(s)$, $a'_Y(s)$ and $-f'(s)$; the intersections with $-f'(s)$ mark $s^*_X$ and $s^*_Y$.]
D. Proof of Proposition 4
Proof: For a CSAT program with an ineffective or consistent benefit, the $-f'(s)$ line in Figure A3 does not change after the CSAT program is implemented. When the CSAT program has a constant, complementary, or compensatory cost, the $a'(s)$ line will remain unchanged, shift upward, or shift downward, so the optimal degree of security will remain unchanged, decrease, or increase, respectively.

[Figure A3. Proof of Proposition 4. Horizontal axis: degree of security; vertical axis: derivative. Curves: $a'(s)$ for the complementary, constant and compensatory cost cases and the unchanged $-f'(s)$; the intersections give the optimal degree $s^*$ in each case.]

E. Proof of Proposition 5
Proof: For a CSAT program with an increasing benefit, the $-f'(s)$ line will shift upward, as shown in Figure A4, after the CSAT program is implemented. When the CSAT program has a constant or compensatory cost, the $a'(s)$ line will remain unchanged or will shift downward, resulting in an increased optimal degree of security. When the CSAT program has a complementary cost, the $a'(s)$ line will shift upward, so the optimal degree of security may remain the same, increase, or decrease, depending on the relative sizes of the shifts of the $-f'(s)$ and $a'(s)$ lines.
[Figure A4. Proof of Proposition 5. Horizontal axis: degree of security; vertical axis: derivative. Curves: $a'(s)$ for the complementary, constant and compensatory cost cases, the original $-f'(s)$ and the upward-shifted $-f'(s)$ (increasing benefit); the intersections give $s^*$.]

F. Proof of Proposition 6
Proof: For a CSAT program with a diminishing benefit, the $-f'(s)$ line will shift downward, as shown in Figure A5, after the CSAT program is implemented. When the CSAT program has a constant or complementary cost, the $a'(s)$ line will remain unchanged or will shift upward, resulting in a decreased optimal degree of security. When the CSAT program has a compensatory cost, the $a'(s)$ line will shift downward, so the optimal degree of security may remain the same, increase, or decrease, depending on the relative sizes of the shifts of the $-f'(s)$ and $a'(s)$ lines.
[Figure A5. Proof of Proposition 6. Horizontal axis: degree of security; vertical axis: derivative. Curves: $a'(s)$ for the complementary, constant and compensatory cost cases, the original $-f'(s)$ and the downward-shifted $-f'(s)$ (diminishing benefit); the intersections give $s^*$.]
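The proofs above argue geometrically from shifts of the $a'(s)$ and $-f'(s)$ curves. The following Python script is an added numerical illustration of Lemma 1 and Propositions 4 to 6; it is not part of the paper and the paper specifies no functional forms. It assumes a convex cost $a(s) = \alpha s + k_a s^2$ and an exponentially decaying loss $f(s) = L e^{-\lambda s}$, and models a CSAT program purely as a vertical shift of the two marginal curves (the parameters ALPHA, K_A, L, LAMBDA, BETA and DELTA are assumed values chosen so that every case has an interior optimum). It solves the first-order condition $a'(s^*) = -f'(s^*)$ by bisection and tabulates how $s^*$ moves under each cost and benefit type, so the unambiguous directions in Propositions 4 to 6 can be checked against numbers, and the two ambiguous cases (complementary cost with increasing benefit, compensatory cost with diminishing benefit) can be seen to depend on the relative shift sizes.

```python
"""Numerical illustration of Lemma 1 and Propositions 4-6 (added example).

Assumed functional forms (not from the paper):
  a(s) = ALPHA*s + K_A*s**2     cost of reaching security degree s, a'(s) > 0
  f(s) = L*exp(-LAMBDA*s)       expected loss at degree s, f'(s) < 0
A CSAT program is represented only by the shift it induces:
  a'(s)  moves by +BETA (complementary), -BETA (compensatory) or 0 (constant)
  -f'(s) moves by +DELTA (increasing), -DELTA (diminishing) or 0 (negligible)
"""
import math

# Assumed parameters; chosen so every case below has an interior optimum.
ALPHA, K_A = 1.0, 0.5
L, LAMBDA = 10.0, 1.0
BETA, DELTA = 0.3, 2.0

COST_SHIFT = {"constant": 0.0, "complementary": BETA, "compensatory": -BETA}
BENEFIT_SHIFT = {"negligible": 0.0, "consistent": 0.0,
                 "increasing": DELTA, "diminishing": -DELTA}


def a_prime(s: float) -> float:
    """Marginal cost of security, a'(s) > 0 and increasing in s."""
    return ALPHA + 2.0 * K_A * s


def neg_f_prime(s: float) -> float:
    """Marginal loss reduction, -f'(s) > 0 and decreasing in s."""
    return LAMBDA * L * math.exp(-LAMBDA * s)


def total_cost(s: float, cost_type: str = "constant",
               benefit_type: str = "negligible") -> float:
    """C(s) = a(s) + f(s), with the program's marginal shifts integrated in."""
    a = ALPHA * s + K_A * s ** 2 + COST_SHIFT[cost_type] * s
    f = L * math.exp(-LAMBDA * s) - BENEFIT_SHIFT[benefit_type] * s
    return a + f


def optimal_security(cost_type: str = "constant",
                     benefit_type: str = "negligible",
                     hi: float = 50.0, tol: float = 1e-10) -> float:
    """Solve the first-order condition a'(s) = -f'(s) by bisection.

    g(s) = a'(s) - (-f'(s)) is strictly increasing (a' rises, -f' falls),
    so a sign change on [0, hi] pins down the unique interior optimum s*.
    """
    def g(s: float) -> float:
        return ((a_prime(s) + COST_SHIFT[cost_type])
                - (neg_f_prime(s) + BENEFIT_SHIFT[benefit_type]))

    lo = 0.0
    if g(lo) >= 0.0:
        raise ValueError("no interior optimum: marginal cost already exceeds "
                         "marginal loss reduction at s = 0")
    if g(hi) <= 0.0:
        raise ValueError("search bracket too small")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if g(mid) < 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def is_local_minimum(s_star: float, cost_type: str = "constant",
                     benefit_type: str = "negligible", h: float = 0.2) -> bool:
    """Sanity check for Lemma 1: C(s*) is below C at both neighbours."""
    c = total_cost(s_star, cost_type, benefit_type)
    return (c < total_cost(s_star - h, cost_type, benefit_type)
            and c < total_cost(s_star + h, cost_type, benefit_type))


def comparative_statics() -> dict:
    """Change in s* relative to the no-program baseline, per (cost, benefit)."""
    base = optimal_security()
    table = {}
    for cost_type in COST_SHIFT:
        for benefit_type in ("negligible", "increasing", "diminishing"):
            table[(cost_type, benefit_type)] = (
                optimal_security(cost_type, benefit_type) - base)
    return table


if __name__ == "__main__":
    base = optimal_security()
    print(f"baseline s* = {base:.4f}  (local minimum: {is_local_minimum(base)})")
    for (cost_type, benefit_type), delta in comparative_statics().items():
        print(f"{cost_type:>13} cost, {benefit_type:>10} benefit: "
              f"s* shifts by {delta:+.4f}")
```

Under these assumptions the baseline optimum is about $s^* \approx 1.42$; a complementary cost alone lowers it, a compensatory cost alone raises it, an increasing benefit raises it for constant and compensatory costs, and a diminishing benefit lowers it for constant and complementary costs, exactly the unambiguous cases of Propositions 4 to 6. Changing BETA and DELTA flips the sign in the two ambiguous cases, which is the point of the "depending on the relative sizes of the shifts" clauses.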

Corresponding author
Zuopeng (Justin) Zhang can be contacted at: justin.zhang@unf.edu
