{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,24]],"date-time":"2026-03-24T19:48:31Z","timestamp":1774381711542,"version":"3.50.1"},"reference-count":74,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2023,4,26]],"date-time":"2023-04-26T00:00:00Z","timestamp":1682467200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2023,5,19]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This paper aims to present the evaluation of a self-paced tool, CyberSecurity Coach (CYSEC), and discuss the adoption of CYSEC for cybersecurity capability improvement in small- and medium-sized enterprises (SMEs). Cybersecurity is increasingly a concern for SMEs. Previous literature has explored the role of tools for awareness raising. However, few studies validated the effectiveness and usefulness of cybersecurity tools for SMEs in real-world practices.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>This study is built on a qualitative approach to investigating how CYSEC is used in SMEs to support awareness raising and capability improvement. CYSEC was placed in operation in 12 SMEs. This study first conducted a survey study and then nine structured interviews with chief executive officers (CEOs) and chief information security officers (CISO).<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The results emphasise that SMEs are heterogeneous. Thus, one cybersecurity solution may not suit all SMEs. The findings specify that the tool\u2019s adoption varied quite widely. Four factors are primary determinants influencing the adoption of CYSEC: personalisation features, CEOs\u2019 or CISOs\u2019 awareness level, CEOs\u2019 or CISOs\u2019 cybersecurity and IT knowledge and skill and connection to cybersecurity expertise.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This empirical study provides new insights into how a self-paced tool has been used in SMEs. This study advances the understanding of cybersecurity activities in SMEs by studying the adoption of CYSEC. Moreover, this study proposes significant dimensions for future research.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-09-2021-0145","type":"journal-article","created":{"date-parts":[[2023,4,24]],"date-time":"2023-04-24T11:12:09Z","timestamp":1682334729000},"page":"244-262","source":"Crossref","is-referenced-by-count":6,"title":["Design and evaluation of a self-paced cybersecurity tool"],"prefix":"10.1108","volume":"31","author":[{"given":"Alireza","family":"Shojaifar","sequence":"first","affiliation":[]},{"given":"Samuel A.","family":"Fricker","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2023,4,26]]},"reference":[{"issue":"6","key":"key2023051713121365500_ref001","doi-asserted-by":"crossref","first-page":"1151","DOI":"10.1080\/0144929X.2020.1856928","article-title":"The influence of hardiness and habit on security behaviour intention","volume":"41","year":"2022","journal-title":"Behaviour and Information Technology"},{"key":"key2023051713121365500_ref002","first-page":"1","article-title":"Cybersecurity risk management in small and medium-sized enterprises: a systematic review of recent evidence","year":"2020"},{"issue":"4","key":"key2023051713121365500_ref003","doi-asserted-by":"crossref","first-page":"276","DOI":"10.1016\/j.cose.2006.11.004","article-title":"A qualitative study of users\u2019 view on information security","volume":"26","year":"2007","journal-title":"Computers and Security"},{"issue":"6","key":"key2023051713121365500_ref004","doi-asserted-by":"crossref","first-page":"476","DOI":"10.1016\/j.cose.2009.01.003","article-title":"The information security digital divide between information security managers and users","volume":"28","year":"2009","journal-title":"Computers and Security"},{"key":"key2023051713121365500_ref005","first-page":"72","article-title":"Enhancing information security education and awareness: proposed characteristics for a model","year":"2015"},{"key":"key2023051713121365500_ref006","first-page":"118","article-title":"Cyber security awareness campaigns: why do they fail to change behaviour?","year":"2015"},{"issue":"3","key":"key2023051713121365500_ref007","first-page":"7","article-title":"Information security in SMEs: determinants of CEOs\u2019 protective and supportive behaviors","volume":"24","year":"2019","journal-title":"Syst\u00e8mes D'information and Management"},{"key":"key2023051713121365500_ref008","unstructured":"Beyer, M., Ahmed, S., Doerlemann, K., Arnell, S., Parkin, S., Sasse, A.M. and Passingham, N. (2015), \u201cAwareness is only the first step: a framework for progressive engagement of staff in cyber security\u201d, techreport, Hewlett Packard Enterprise, available at: www.slideshare.net\/HPBVEx\/awareness-is-only-the-first-step"},{"issue":"2","key":"key2023051713121365500_ref009","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1191\/1478088706qp063oa","article-title":"Using thematic analysis in psychology","volume":"3","year":"2006","journal-title":"Qualitative Research in Psychology"},{"key":"key2023051713121365500_ref010","first-page":"483","article-title":"Introduction of a tool-based continuous information security management system: an exploratory case study","year":"2018"},{"issue":"3","key":"key2023051713121365500_ref011","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"issue":"6","key":"key2023051713121365500_ref012","doi-asserted-by":"crossref","first-page":"8","DOI":"10.1016\/S1361-3723(15)30046-4","article-title":"Making security awareness training work","volume":"2016","year":"2016","journal-title":"Computer Fraud and Security"},{"issue":"1","key":"key2023051713121365500_ref013","doi-asserted-by":"crossref","first-page":"209","DOI":"10.2308\/isys-50704","article-title":"Understanding compliance with bring your own device policies utilizing protection motivation theory: bridging the intention-behavior gap","volume":"28","year":"2014","journal-title":"Journal of Information Systems"},{"issue":"10","key":"key2023051713121365500_ref014","doi-asserted-by":"crossref","first-page":"113","DOI":"10.1145\/1290958.1290971","article-title":"Deterring internal information systems misuse","volume":"50","year":"2007","journal-title":"Communications of the ACM"},{"key":"key2023051713121365500_ref015","volume-title":"Elementary Principles of the Statistical Control of Quality: A Series of Lectures","year":"1951"},{"key":"key2023051713121365500_ref016","article-title":"Enabling information security culture: influences and challenges for Australian SMEs","volume-title":"Proceedings of the 21st Australasian Conference on Information Systems, (AISeL)","year":"2010"},{"key":"key2023051713121365500_ref017","first-page":"81","article-title":"The use and non-use of cybersecurity tools among consumers: do they want help?","year":"2019"},{"key":"key2023051713121365500_ref018","unstructured":"ENISA (2017), \u201cCybersecurity culture in organisations\u201d, European Union Agency for Network and Information Systems, available at: www.enisa.europa.eu\/publications\/cyber-security-culture-in-organisations"},{"key":"key2023051713121365500_ref019","unstructured":"ENISA (2020), \u201cEuropean SMEs facing increased cyber threats in changing digital landscape\u201d, 23 Nov., available at: www.enisa.europa.eu\/news\/enisa-news\/european-smes-facing-increased-cyber-threats-in-a-changing-digital-landscape"},{"key":"key2023051713121365500_ref074","unstructured":"European Commission (2019), \u201cSupporting specialised skills development: big data, internet of things and cybersecurity for SMEs\u201d, EASME\/COSME\/2017\/007 Interim Report, available at: www.digitalsme.eu\/digital\/uploads\/March-2019_Skills-for-SMEs_Interim_Report_final-version.pdf"},{"key":"key2023051713121365500_ref01900","unstructured":"European Commission (2003), \u201cWhat is an SME?\u201d, available at: https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:32003H0361"},{"key":"key2023051713121365500_ref020","article-title":"Self-endorsed cybersecurity capability improvement for SMEs","volume-title":"Proceedings of the 28th annual Americas Conference on Information Systems (AMCIS 2022)","year":"2022"},{"key":"key2023051713121365500_ref021","first-page":"67","article-title":"Organisational security culture: embedding security awareness, education, and training","year":"2005"},{"issue":"5\/6","key":"key2023051713121365500_ref022","doi-asserted-by":"crossref","first-page":"352","DOI":"10.1108\/09576050210447037","article-title":"A prototype tool for information security awareness and training","volume":"15","year":"2002","journal-title":"Logistics Information Management"},{"key":"key2023051713121365500_ref023","volume-title":"Building an Information Security Awareness Program: Defending against Social Engineering and Technical Threats","year":"2014"},{"key":"key2023051713121365500_ref024","first-page":"279","article-title":"Risk communication design: video vs text","volume-title":"International Symposium on Privacy Enhancing Technologies Symposium","year":"2012"},{"issue":"2","key":"key2023051713121365500_ref025","doi-asserted-by":"crossref","first-page":"183","DOI":"10.2307\/258770","article-title":"Self-efficacy: a theoretical analysis of its determinants and malleability","volume":"17","year":"1992","journal-title":"The Academy of Management Review"},{"issue":"2","key":"key2023051713121365500_ref026","doi-asserted-by":"crossref","first-page":"69","DOI":"10.23919\/SAIEE.2013.8531867","article-title":"Ignorance to awareness: towards an information security awareness process","volume":"104","year":"2013","journal-title":"SAIEE Africa Research Journal"},{"key":"key2023051713121365500_ref027","first-page":"1","article-title":"Antecedents of employees\u2019 information security awareness \u2013 review, synthesis, and directions for future research","volume-title":"European Conference on Information Systems","year":"2017"},{"issue":"5","key":"key2023051713121365500_ref028","first-page":"338","article-title":"Effects on employees\u2019 information security abilities by e\u2010learning","volume":"17","year":"2009","journal-title":"Information Management and Computer Security"},{"issue":"3","key":"key2023051713121365500_ref029","doi-asserted-by":"crossref","first-page":"369","DOI":"10.1016\/j.ibusrev.2011.04.002","article-title":"International strategy and performance\u2014clustering strategic types of SMEs","volume":"21","year":"2012","journal-title":"International Business Review"},{"issue":"6","key":"key2023051713121365500_ref030","doi-asserted-by":"crossref","first-page":"1285","DOI":"10.1007\/s10796-019-09959-1","article-title":"Investigating the security divide between SME and large companies: how SME characteristics influence organizational IT security investments","volume":"21","year":"2019","journal-title":"Information Systems Frontiers"},{"issue":"1","key":"key2023051713121365500_ref031","doi-asserted-by":"crossref","first-page":"75","DOI":"10.2307\/25148625","article-title":"Design science in information systems research","volume":"28","year":"2004","journal-title":"MIS Quarterly"},{"key":"key2023051713121365500_ref032","article-title":"Cyber essentials scheme: requirements for basic technical protection from cyber attacks","volume-title":"Guidance, Business and Management","author":"HM Government UK","year":"2014"},{"key":"key2023051713121365500_ref033","article-title":"Research questions guiding selection of an appropriate research method","volume-title":"Proceedings of the 8th Information Security Management and Small Systems Security Conference","year":"2001"},{"issue":"3","key":"key2023051713121365500_ref034","doi-asserted-by":"crossref","first-page":"269","DOI":"10.1080\/10919392.2018.1484598","article-title":"Exploring SME cybersecurity practices in developing countries","volume":"28","year":"2018","journal-title":"Journal of Organizational Computing and Electronic Commerce"},{"issue":"2","key":"key2023051713121365500_ref035","doi-asserted-by":"crossref","first-page":"139","DOI":"10.1016\/S0268-4012(02)00105-6","article-title":"An integrative study of information systems security effectiveness","volume":"23","year":"2003","journal-title":"International Journal of Information Management"},{"key":"key2023051713121365500_ref036","article-title":"One size does not fit all: different cultures require different information systems security interventions","year":"2013"},{"key":"key2023051713121365500_ref037","article-title":"The last line of defense: motivating employees to follow corporate security guidelines","volume-title":"Proceedings of the International Conference on Information Systems","year":"2007"},{"issue":"1","key":"key2023051713121365500_ref038","doi-asserted-by":"crossref","first-page":"67","DOI":"10.2307\/249410","article-title":"A set of principles for conducting and evaluating interpretive field studies in information systems","volume":"23","year":"1999","journal-title":"MIS Quarterly"},{"issue":"3","key":"key2023051713121365500_ref039","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1016\/S1361-3723(15)30017-8","article-title":"The SME security challenge","volume":"2015","year":"2015","journal-title":"Computer Fraud and Security"},{"issue":"12","key":"key2023051713121365500_ref040","doi-asserted-by":"crossref","first-page":"1049","DOI":"10.1108\/MRR-04-2013-0085","article-title":"Information security awareness and behaviour: a theory-based literature review","volume":"37","year":"2014","journal-title":"Management Research Review"},{"issue":"50","key":"key2023051713121365500_ref041","first-page":"752","article-title":"The technology acceptance model: past, present and future","volume":"12","year":"2003","journal-title":"Communication of the Association of Information Systems"},{"issue":"3","key":"key2023051713121365500_ref042","doi-asserted-by":"crossref","first-page":"221","DOI":"10.1287\/isre.14.3.221.16560","article-title":"Generalising generalisability in information systems research","volume":"14","year":"2003","journal-title":"Information Systems Research"},{"issue":"2","key":"key2023051713121365500_ref043","doi-asserted-by":"crossref","first-page":"177","DOI":"10.1057\/ejis.2009.11","article-title":"Threat or coping appraisal: determinants of SMB executives\u2019 decision to adopt anti-malware software","volume":"18","year":"2009","journal-title":"European Journal of Information Systems"},{"issue":"6","key":"key2023051713121365500_ref044","doi-asserted-by":"crossref","first-page":"707","DOI":"10.1016\/j.im.2003.08.008","article-title":"An integrative model of computer abuse based on social control and general deterrence theories","volume":"41","year":"2004","journal-title":"Information and Management"},{"key":"key2023051713121365500_ref045","article-title":"Cybersecurity information sharing: a framework for information security management in UK SME supply chains","year":"2014"},{"key":"key2023051713121365500_ref046","unstructured":"Lloyd, G. (2020), \u201cExpert view: five steps to cyber-safety\u201d, SME Guidance for Business Growth, 6 May, available at: www.smeweb.com\/2020\/05\/06\/expert-view-five-steps-to-cyber-safety\/"},{"key":"key2023051713121365500_ref047","volume-title":"Qualitative Data Analysis: An Expanded Sourcebook","year":"1994","edition":"2nd ed."},{"key":"key2023051713121365500_ref048","first-page":"1","article-title":"An analysis of assessment approaches and maturity scales used for evaluation of information security and cybersecurity user awareness and training programs: a scoping review","volume-title":"2019 Conference on Next Generation Computing Applications","year":"2019"},{"issue":"1","key":"key2023051713121365500_ref049","first-page":"42","article-title":"We want to do it our way: the neutralisation approach to managing information systems security by small businesses","volume":"8","year":"2016","journal-title":"The African Journal of Information Systems"},{"key":"key2023051713121365500_ref050","article-title":"Enhancing the contributions of SMEs in a global and digitalised economy","author":"OECD","year":"2017"},{"key":"key2023051713121365500_ref051","first-page":"49","article-title":"A questionnaire model for cybersecurity maturity assessment of critical infrastructures","volume-title":"International Workshop on Information and Operational Technology Security Systems","year":"2018"},{"key":"key2023051713121365500_ref052","doi-asserted-by":"crossref","first-page":"40","DOI":"10.1016\/j.cose.2017.01.004","article-title":"The human aspects of information security questionnaire (HAIS-Q): two further validation studies","volume":"66","year":"2017","journal-title":"Computers and Security"},{"key":"key2023051713121365500_ref053","volume-title":"Qualitative Evaluation and Research Methods","year":"1990"},{"issue":"3","key":"key2023051713121365500_ref054","first-page":"45","article-title":"A design science research methodology for information systems research","volume":"24","year":"2008","journal-title":"Journal of Management Information Systems"},{"key":"key2023051713121365500_ref055","first-page":"1","article-title":"Information security and people: a conundrum for compliance","volume":"21","year":"2017","journal-title":"Australasian Journal of Information Systems"},{"key":"key2023051713121365500_ref056","unstructured":"Ponemon Institute (2019), \u201cExclusive research report: 2019 global state of cybersecurity in small and medium-sized businesses\u201d, Keeper&Ponemon, available at: https:\/\/start.keeper.io\/2019-ponemon-report"},{"key":"key2023051713121365500_ref057","article-title":"Survey and lessons learned on raising SME awareness about cybersecurity","volume-title":"5th Int. Conf. on Information Systems Security and Privacy","year":"2019"},{"issue":"4","key":"key2023051713121365500_ref058","doi-asserted-by":"crossref","first-page":"757","DOI":"10.2307\/25750704","article-title":"Improving employees\u2019 compliance through information systems security training: an action research study 2","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"issue":"8","key":"key2023051713121365500_ref059","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1016\/S1361-3723(16)30062-8","article-title":"How smaller businesses struggle with security advice","volume":"2016","year":"2016","journal-title":"Computer Fraud and Security"},{"key":"key2023051713121365500_ref060","first-page":"137","article-title":"Cybersecurity and the unbearability of uncertainty","volume-title":"IEEE Cybersecurity and Cyberforensics Conference","year":"2016"},{"key":"key2023051713121365500_ref061","volume-title":"Case Study Research in Software Engineering: Guidelines and Examples","year":"2012"},{"issue":"3","key":"key2023051713121365500_ref062","doi-asserted-by":"crossref","first-page":"467","DOI":"10.1108\/ICS-01-2019-0010","article-title":"It is not my job: exploring the disconnect between corporate security policies and actual security practices in SMEs","volume":"28","year":"2020","journal-title":"Information and Computer Security"},{"key":"key2023051713121365500_ref063","unstructured":"Smith, M. (2016), \u201cHuge rise in hacker attacks as cyber-criminals target small businesses\u201d, The Guardian, 8 Feb, available at: www.theguardian.com\/small-business-network\/2016\/feb\/08\/huge-rise-hack-attacks-cyber-criminals-target-small-businesses"},{"key":"key2023051713121365500_ref064","first-page":"243","article-title":"The password life cycle: user behaviour in managing passwords","year":"2014"},{"key":"key2023051713121365500_ref065","article-title":"The EU cybersecurity act and the role of standards for SMEs","author":"The European Digital SME Alliance","year":"2020"},{"issue":"4","key":"key2023051713121365500_ref066","doi-asserted-by":"crossref","first-page":"183","DOI":"10.1108\/09685220110401254","article-title":"Embedding security practices in contemporary information systems development approaches","volume":"9","year":"2001","journal-title":"Information Management and Computer Security"},{"issue":"3","key":"key2023051713121365500_ref067","doi-asserted-by":"crossref","first-page":"327","DOI":"10.1108\/09593841211254358","article-title":"Analysing trajectories of information security awareness","volume":"25","year":"2012","journal-title":"Information Technology and People"},{"key":"key2023051713121365500_ref068","unstructured":"UK Gov (2018), \u201cCyber essentials self-assessment\u201d, available at: www.cyberessentials.ie\/self-assessment"},{"issue":"2","key":"key2023051713121365500_ref069","doi-asserted-by":"crossref","first-page":"74","DOI":"10.1057\/ejis.1995.9","article-title":"Interpretive case studies in is research: nature and method","volume":"4","year":"1995","journal-title":"European Journal of Information Systems"},{"issue":"4","key":"key2023051713121365500_ref070","doi-asserted-by":"crossref","first-page":"34","DOI":"10.1145\/1330311.1330320","article-title":"The psychology of security","volume":"51","year":"2008","journal-title":"Communications of the ACM"},{"key":"key2023051713121365500_ref071","volume-title":"Building an Information Technology Security Awareness and Training Program","year":"2003"},{"issue":"2022","key":"key2023051713121365500_ref072","first-page":"102520","article-title":"The role of cybersecurity and policy awareness in shifting employee compliance attitudes: building supply chain capabilities","volume":"66","year":"2022","journal-title":"International Journal of Information Management"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-09-2021-0145\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-09-2021-0145\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:12Z","timestamp":1753406592000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/31\/2\/244-262\/113583"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,4,26]]},"references-count":74,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2023,4,26]]},"published-print":{"date-parts":[[2023,5,19]]}},"alternative-id":["10.1108\/ICS-09-2021-0145"],"URL":"https:\/\/doi.org\/10.1108\/ics-09-2021-0145","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,4,26]]}}}