{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,8]],"date-time":"2026-05-08T21:35:19Z","timestamp":1778276119267,"version":"3.51.4"},"reference-count":74,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2021,1,27]],"date-time":"2021-01-27T00:00:00Z","timestamp":1611705600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IMDS"],"published-print":{"date-parts":[[2021,1,27]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title><jats:p>Employees must receive proper cybersecurity training so that they can recognize the threats to their organizations and take the appropriate actions to reduce cyber risks. However, many cybersecurity awareness training (CSAT) programs fall short due to their misaligned training focuses.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title><jats:p>To help organizations develop effective CSAT programs, we have developed a theoretical framework for conducting a cost\u2013benefit analysis of those CSAT programs. We differentiate them into three types of CSAT programs (constant, complementary and compensatory) by their costs and into four types of CSAT programs (negligible, consistent, increasing and diminishing) by their benefits. Also, we investigate the impact of CSAT programs with different costs and the benefits on a company's optimal degree of security.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Findings<\/jats:title><jats:p>Our findings indicate that the benefit of a CSAT program with different types of cost plays a disparate role in keeping, upgrading or lowering a company's existing security level. Ideally, a CSAT program should spend more of its expenses on training employees to deal with the security threats at a lower security level and to reduce more losses at a higher security level.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title><jats:p>Our model serves as a benchmark that will help organizations allocate resources toward the development of successful CSAT programs.<\/jats:p><\/jats:sec>","DOI":"10.1108\/imds-08-2020-0462","type":"journal-article","created":{"date-parts":[[2021,2,12]],"date-time":"2021-02-12T10:04:53Z","timestamp":1613124293000},"page":"613-636","source":"Crossref","is-referenced-by-count":39,"title":["Cybersecurity awareness training programs: a cost\u2013benefit analysis framework"],"prefix":"10.1108","volume":"121","author":[{"given":"Zuopeng (Justin)","family":"Zhang","sequence":"first","affiliation":[]},{"given":"Wu","family":"He","sequence":"additional","affiliation":[]},{"given":"Wenzhuo","family":"Li","sequence":"additional","affiliation":[]},{"given":"M'Hammed","family":"Abdous","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"issue":"3","key":"key2021030210074832400_ref001","doi-asserted-by":"crossref","first-page":"237","DOI":"10.1080\/0144929X.2012.708787","article-title":"User preference of cyber security awareness delivery methods","volume":"33","year":"2014","journal-title":"Behaviour and Information Technology"},{"key":"key2021030210074832400_ref002","doi-asserted-by":"crossref","unstructured":"Adams, R. (2018), \u201cOur approach to employee security training\u201d, March 20, available at: https:\/\/www.pagerduty.com\/blog\/security-training-at-pagerduty\/.","DOI":"10.1016\/S1353-4858(18)30047-3"},{"issue":"3","key":"key2021030210074832400_ref003","doi-asserted-by":"crossref","first-page":"73","DOI":"10.3390\/fi11030073","article-title":"Reviewing cyber security social engineering training and awareness programs \u2013 pitfalls and ongoing issues","volume":"11","year":"2019","journal-title":"Future Internet"},{"issue":"10","key":"key2021030210074832400_ref004","first-page":"26","article-title":"Cyber scorekeepers: a growing number of ratings firms aim to help companies and their insurers assess and manage cyber security risks","volume":"64","year":"2017","journal-title":"Risk Management"},{"issue":"5","key":"key2021030210074832400_ref005","doi-asserted-by":"crossref","first-page":"413","DOI":"10.1016\/j.ijinfomgt.2008.02.002","article-title":"An economic modelling approach to information security risk management","volume":"28","year":"2008","journal-title":"International Journal of Information Management"},{"key":"key2021030210074832400_ref006","unstructured":"Boston Consulting Group (2019), \u201cMastering cybersecurity with BCG\u201d, available at: https:\/\/www.bcg.com\/en-us\/capabilities\/technology-digital\/mastering-cybersecurity.aspx."},{"key":"key2021030210074832400_ref007","unstructured":"Carfagno, D. (2018), \u201cHow much should your company invest in cybersecurity?\u201d, November 4, available at: https:\/\/www.blackstratus.com\/how-much-should-your-company-invest-in-cybersecurity\/."},{"issue":"2","key":"key2021030210074832400_ref008","doi-asserted-by":"crossref","first-page":"281","DOI":"10.2753\/MIS0742-1222250211","article-title":"Decision-theoretic and game-theoretic approaches to IT security investment","volume":"25","year":"2008","journal-title":"Journal of Management Information Systems"},{"issue":"1","key":"key2021030210074832400_ref009","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1080\/10919392.2019.1568713","article-title":"Should executives go to jail over cyber security breaches?","volume":"29","year":"2019","journal-title":"Journal of Organizational Computing and Electronic Commerce"},{"key":"key2021030210074832400_ref010","article-title":"Evaluating the effectiveness of learner controlled information security training","volume":"87","year":"2019","journal-title":"Computers and Security"},{"issue":"23","key":"key2021030210074832400_ref011","doi-asserted-by":"crossref","first-page":"31","DOI":"10.19101\/IJACR.2016.623006","article-title":"Cyber security: risks, vulnerabilities and countermeasures to prevent social engineering attacks","volume":"6","year":"2016","journal-title":"International Journal of Advanced Computer Research"},{"key":"key2021030210074832400_ref012","first-page":"1","article-title":"An overview of the economics of cybersecurity and cybersecurity policy","year":"2011"},{"key":"key2021030210074832400_ref013","first-page":"33","article-title":"How to improve the security awareness in complex organizations","volume":"4","year":"2019","journal-title":"European Journal of Scientific Research"},{"key":"key2021030210074832400_ref014","unstructured":"Dimov, D. and Juzenaite, R. (2015), \u201cBudgeting for security awareness: who \u2013 what \u2013 when \u2013 where \u2013 why \u2013 how much\u201d, available at: https:\/\/resources.infosecinstitute.com\/budgeting-for-security-awareness-who-what-when-where-why-how-much\/#gref."},{"key":"key2021030210074832400_ref015","article-title":"The best cybersecurity investment you can make is better training","year":"2017","journal-title":"Harvard Business Review"},{"key":"key2021030210074832400_ref016","first-page":"457","article-title":"Empirical benefits of training to phishing susceptibility","year":"2012"},{"issue":"5","key":"key2021030210074832400_ref017","doi-asserted-by":"crossref","first-page":"1318","DOI":"10.1108\/ITP-05-2018-0252","article-title":"Cybersecurity economics\u2013balancing operational security spending","volume":"32","year":"2019","journal-title":"Information Technology and People"},{"issue":"3","key":"key2021030210074832400_ref018","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1109\/MSP.2014.51","article-title":"Phishing our employees","volume":"12","year":"2014","journal-title":"IEEE Security and Privacy"},{"issue":"2-3","key":"key2021030210074832400_ref019","first-page":"152","article-title":"Towards effective cybersecurity resource allocation: the Monte Carlo predictive modelling approach","volume":"13","year":"2017","journal-title":"International Journal of Critical Infrastructures"},{"key":"key2021030210074832400_ref020","doi-asserted-by":"crossref","first-page":"13","DOI":"10.1016\/j.dss.2016.02.012","article-title":"Decision support approaches for cyber security investment","volume":"86","year":"2016","journal-title":"Decision Support Systems"},{"key":"key2021030210074832400_ref021","volume-title":"Measuring and Managing Information Risk: A FAIR Approach","year":"2014"},{"issue":"4","key":"key2021030210074832400_ref022","doi-asserted-by":"crossref","first-page":"438","DOI":"10.1145\/581271.581274","article-title":"The economics of information security investment","volume":"5","year":"2002","journal-title":"ACM Transactions on Information and System Security"},{"key":"key2021030210074832400_ref023","volume-title":"Managing Cybersecurity Resources: A Cost-Benefit Analysis","year":"2006"},{"issue":"1","key":"key2021030210074832400_ref024","article-title":"Integrating cost\u2013benefit analysis into the NIST cybersecurity framework via the Gordon\u2013Loeb model","volume":"6","year":"2020","journal-title":"Journal of Cybersecurity"},{"key":"key2021030210074832400_ref025","unstructured":"Gross, A. (2018), \u201cEffective security training requires change in employee behavior\u201d, available at: https:\/\/www.hitechanswers.net\/effective-security-training-requires-change-in-employee-behavior\/."},{"issue":"2","key":"key2021030210074832400_ref026","doi-asserted-by":"crossref","first-page":"203","DOI":"10.1108\/JIC-05-2019-0112","article-title":"Improving employees' intellectual capacity for cybersecurity through evidence-based malware training","volume":"21","year":"2019","journal-title":"Journal of Intellectual Capital"},{"issue":"4","key":"key2021030210074832400_ref027","doi-asserted-by":"crossref","first-page":"249","DOI":"10.1080\/10919392.2019.1611528","article-title":"Enterprise cybersecurity training and awareness programs: recommendations for success","volume":"29","year":"2019","journal-title":"Journal of Organizational Computing and Electronic Commerce"},{"issue":"1","key":"key2021030210074832400_ref028","doi-asserted-by":"crossref","first-page":"72","DOI":"10.1080\/10580530903455247","article-title":"Balanced scorecard implementation of security strategies: a framework for IT security performance management","volume":"27","year":"2010","journal-title":"Information Systems Management"},{"issue":"2","key":"key2021030210074832400_ref029","doi-asserted-by":"crossref","first-page":"175","DOI":"10.1016\/j.jsis.2012.10.004","article-title":"The economic impact of cyber terrorism","volume":"22","year":"2013","journal-title":"The Journal of Strategic Information Systems"},{"issue":"2","key":"key2021030210074832400_ref030","doi-asserted-by":"crossref","first-page":"793","DOI":"10.1016\/j.ijpe.2008.04.002","article-title":"An economic analysis of the optimal information security investment in the case of a risk-averse","volume":"114","year":"2008","journal-title":"International Journal of Production Economics"},{"key":"key2021030210074832400_ref031","unstructured":"IBM (2019), \u201cIBM X-Force threat intelligence index 2019\u201d, available at: https:\/\/www.ibm.com\/downloads\/cas\/ZGB3ERYD."},{"issue":"1","key":"key2021030210074832400_ref501","doi-asserted-by":"crossref","first-page":"66","DOI":"10.1016\/j.jsis.2018.09.003","article-title":"Decision-making and biases in cybersecurity capability development: evidence from a simulation game experiment","volume":"28","year":"2019","journal-title":"The Journal of Strategic Information Systems"},{"issue":"6","key":"key2021030210074832400_ref032","first-page":"276","article-title":"Quantitative model for economic analyses of information security investment in an enterprise information system","volume":"45","year":"2012","journal-title":"Organizacija"},{"key":"key2021030210074832400_ref033","first-page":"68","article-title":"Game based cybersecurity training for high school students","year":"2018"},{"issue":"1","key":"key2021030210074832400_ref034","doi-asserted-by":"crossref","first-page":"4","DOI":"10.1080\/10919392.2019.1552743","article-title":"Violators versus non-violators of information security measures in organizations \u2013 a study of distinguishing factors","volume":"29","year":"2019","journal-title":"Journal of Organizational Computing and Electronic Commerce"},{"key":"key2021030210074832400_ref035","unstructured":"KnowBe4 (2019), \u201cThe return on investment (ROI) of security awareness training\u201d, available at: https:\/\/www.knowbe4.com\/resources\/security-awareness-training-roi\/."},{"key":"key2021030210074832400_ref036","first-page":"1","article-title":"The utility of information security training and education on cybersecurity incidents: an empirical evidence","year":"2019","journal-title":"Information Systems Frontiers"},{"key":"key2021030210074832400_ref037","doi-asserted-by":"crossref","first-page":"13","DOI":"10.1016\/j.ijinfomgt.2018.10.017","article-title":"Investigating the impact of cybersecurity policy awareness on employees' cybersecurity behavior","volume":"45","year":"2019","journal-title":"International Journal of Information Management"},{"key":"key2021030210074832400_ref038","unstructured":"Lucideus Incorporated (2020), \u201cSAFE security assessment framework for enterprise\u201d, available at: https:\/\/www.lucideus.com\/safe.html."},{"key":"key2021030210074832400_ref039","article-title":"Examining the impact of major security breaches on organizational performance: should investing in cybersecurity be a requirement for companies?","year":"2019"},{"key":"key2021030210074832400_ref040","unstructured":"Moore, T., Dynes, S. and Chang, F.R. (2016), \u201cIdentifying how firms manage cybersecurity investment\u201d, available at: https:\/\/cpb-us-w2.wpmucdn.com\/blog.smu.edu\/dist\/e\/97\/files\/2015\/10\/SMU-IBM.pdf."},{"key":"key2021030210074832400_ref502","unstructured":"Nadkarni, S. (2012), \u201cSecurity awareness training made easy\u201d, available at: https:\/\/www.computerweekly.com\/tip\/Security-awareness-training-made-easy."},{"key":"key2021030210074832400_ref041","first-page":"49","article-title":"Cyber security resource allocation: a Markov decision process approach","year":"2017"},{"issue":"6","key":"key2021030210074832400_ref042","doi-asserted-by":"crossref","first-page":"895","DOI":"10.1111\/puar.13028","article-title":"Cyberattacks at the grass roots: American local governments and the need for high levels of cybersecurity","volume":"79","year":"2019","journal-title":"Public Administration Review"},{"key":"key2021030210074832400_ref043","unstructured":"Pandasecurity (2017), \u201c3 ways to minimize \u2018security fatigue\u2019 among employees\u201d, available at: https:\/\/www.pandasecurity.com\/mediacenter\/tips\/minimize-security-fatigue\/."},{"issue":"1","key":"key2021030210074832400_ref044","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1108\/ICS-01-2019-0022","article-title":"Matching training to individual learning styles improves information security awareness","volume":"28","year":"2019","journal-title":"Information and Computer Security"},{"key":"key2021030210074832400_ref045","volume-title":"Information Systems for Managers","year":"2019"},{"key":"key2021030210074832400_ref046","doi-asserted-by":"crossref","unstructured":"Ponnusamy, V., Selvam, L.M.P. and Rafique, K. (2020), \u201cCybersecurity governance on social engineering awareness\u201d, in Vasaki, P., Khalid, R. and Noor, Z. (Eds), Employing Recent Technologies for Improved Digital Governance, IGI Global, pp. 210-236.","DOI":"10.4018\/978-1-7998-1851-9.ch011"},{"issue":"12","key":"key2021030210074832400_ref047","doi-asserted-by":"crossref","first-page":"4069","DOI":"10.1080\/00207543.2017.1400704","article-title":"A new game of information sharing and security investment between two allied firms","volume":"56","year":"2018","journal-title":"International Journal of Production Research"},{"issue":"4","key":"key2021030210074832400_ref048","doi-asserted-by":"crossref","first-page":"52","DOI":"10.1109\/MSP.2009.98","article-title":"Making the best use of cybersecurity economic models","volume":"7","year":"2009","journal-title":"IEEE Security and Privacy"},{"key":"key2021030210074832400_ref049","unstructured":"Santora, N. (2019), \u201cHow to buy a security awareness training program\u201d, January 11, available at: https:\/\/securityboulevard.com\/2019\/01\/how-to-buy-a-security-awareness-training-program\/."},{"issue":"2","key":"key2021030210074832400_ref050","doi-asserted-by":"crossref","first-page":"91","DOI":"10.4018\/jgim.2008040106","article-title":"A cross-cultural comparison of US and Chinese computer security awareness","volume":"16","year":"2008","journal-title":"Journal of Global Information Management"},{"key":"key2021030210074832400_ref051","article-title":"Shall we follow? Impact of reputation concern on information security managers' investment decisions","volume":"97","year":"2020","journal-title":"Computers and Security"},{"key":"key2021030210074832400_ref052","doi-asserted-by":"crossref","first-page":"92","DOI":"10.1016\/j.compedu.2008.06.011","article-title":"The impact of information richness on information security awareness training effectiveness","volume":"52","year":"2009","journal-title":"Computers and Education"},{"issue":"5","key":"key2021030210074832400_ref053","doi-asserted-by":"publisher","first-page":"428","DOI":"10.1016\/j.intcom.2010.05.001","article-title":"The effects of trust, security and privacy in social networking: a security-based approach to understand the pattern of adoption","volume":"22","year":"2010","journal-title":"Interacting with Computers"},{"issue":"8","key":"key2021030210074832400_ref054","doi-asserted-by":"publisher","first-page":"599","DOI":"10.1089\/cyber.2012.0639","article-title":"Associations between game use and cognitive empathy: a cross-generational study","volume":"16","year":"2013","journal-title":"Cyberpsychology, Behavior, and Social Networking"},{"key":"key2021030210074832400_ref055","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1016\/j.dss.2015.04.011","article-title":"Allocation of resources to cyber-security: the effect of misalignment of interest between managers and investors","volume":"75","year":"2015","journal-title":"Decision Support Systems"},{"issue":"1","key":"key2021030210074832400_ref056","doi-asserted-by":"publisher","first-page":"44","DOI":"10.4018\/jgim.2015010103","article-title":"What drives information security policy violations among banking employees?: insights from neutralization and social exchange theory","volume":"23","year":"2015","journal-title":"Journal of Global Information Management"},{"issue":"6","key":"key2021030210074832400_ref057","article-title":"Effectiveness of and user preferences for security awareness training methodologies","volume":"5","year":"2019","journal-title":"Heliyon"},{"issue":"6","key":"key2021030210074832400_ref058","doi-asserted-by":"crossref","first-page":"17","DOI":"10.1016\/S1361-3723(06)70370-0","article-title":"Enhancing the employee security awareness model","volume":"2006","year":"2006","journal-title":"Computer Fraud and Security"},{"issue":"1","key":"key2021030210074832400_ref059","doi-asserted-by":"crossref","first-page":"106","DOI":"10.1287\/isre.1070.0143","article-title":"A value-at-risk approach to information security investment","volume":"19","year":"2008","journal-title":"Information Systems Research"},{"key":"key2021030210074832400_ref060","doi-asserted-by":"crossref","first-page":"807","DOI":"10.1016\/j.cose.2018.02.001","article-title":"Information security investments: an exploratory multiple case study on decision-making, evaluation and learning","volume":"77","year":"2018","journal-title":"Computers and Security"},{"key":"key2021030210074832400_ref061","article-title":"On the Gordon and Loeb model for information security investment","volume-title":"The Fifth Workshop on Economics of Information Security (WEIS)","year":"2006"},{"key":"key2021030210074832400_ref062","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.ijhcs.2018.06.004","article-title":"Exploring susceptibility to phishing in the workplace","volume":"120","year":"2018","journal-title":"International Journal of Human-Computer Studies"},{"key":"key2021030210074832400_ref063","volume-title":"The Fundamental Flaw in Security Awareness Programs","year":"2018"},{"issue":"2","key":"key2021030210074832400_ref064","doi-asserted-by":"publisher","first-page":"102","DOI":"10.4018\/JGIM.2019040106","article-title":"SETA and security behavior: mediating role of employee relations, monitoring, and accountability","volume":"27","year":"2019","journal-title":"Journal of Global Information Management"},{"key":"key2021030210074832400_fur1","article-title":"Response to the office of personnel management data breaches: a conceptual exploration","year":"2016"},{"key":"key2021030210074832400_fur2","unstructured":"Dobran, B. (2018), \u201cStart a security awareness training program your staff can't ignore\u201d, available at: https:\/\/phoenixnap.com\/blog\/security-awareness-training-program."},{"key":"key2021030210074832400_fur3","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.dss.2013.10.011","article-title":"Optimal information security investment in a healthcare information exchange: an economic analysis","volume":"61","year":"2014","journal-title":"Decision Support Systems"},{"key":"key2021030210074832400_fur4","unstructured":"IBM (2014), \u201cIBM security services 2014 cyber security intelligence index\u201d, available at: http:\/\/media.scmagazine.com\/documents\/82\/ibm_cyber_security_intelligenc_20450.pdf."},{"key":"key2021030210074832400_fur5","unstructured":"Katz, I. (2017), \u201cCybersecurity awareness training: how to improve employee security behavior\u201d, available at: https:\/\/blog.dashlane.com\/cybersecurity-awareness-training-how-to\/."},{"key":"key2021030210074832400_fur6","article-title":"I am fine but you are not: optimistic bias and illusion of control on information security","year":"2005"},{"issue":"3","key":"key2021030210074832400_fur8","doi-asserted-by":"crossref","first-page":"161","DOI":"10.1080\/08870449408407475","article-title":"Optimism, vulnerability, and self-beliefs as health-related cognitions: a systematic overview","volume":"9","year":"1994","journal-title":"Psychology and Health"},{"key":"key2021030210074832400_fur9","article-title":"Security training is useless unless it changes behaviours","author":"Stilgherrian","year":"2018"}],"container-title":["Industrial Management &amp; Data Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/IMDS-08-2020-0462\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/IMDS-08-2020-0462\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,24]],"date-time":"2025-07-24T21:53:08Z","timestamp":1753393988000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/imds\/article\/121\/3\/613-636\/180219"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,1,27]]},"references-count":74,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2021,1,27]]}},"alternative-id":["10.1108\/IMDS-08-2020-0462"],"URL":"https:\/\/doi.org\/10.1108\/imds-08-2020-0462","relation":{},"ISSN":["0263-5577"],"issn-type":[{"value":"0263-5577","type":"print"}],"subject":[],"published":{"date-parts":[[2021,1,27]]}}}