We need to aim at the top: Factors associated with cybersecurity awareness of cyber and information security decision-makers

TL;DR

This study investigates the cybersecurity awareness of decision-makers, revealing low awareness levels and identifying organizational and personal factors influencing their understanding, which can inform targeted training strategies.

Contribution

It is the first to analyze factors associated with cybersecurity awareness among organizational decision-makers, highlighting key personal and organizational influences.

Findings

Awareness of threats and solutions is generally low among decision-makers.

Adoption of advanced antimalware solutions and SOC correlates with higher awareness.

Organizational role, gender, age, and experience influence cybersecurity awareness.

Abstract

Cyberattacks pose a significant business risk to organizations. Although there is ample literature focusing on why people pose a major risk to organizational cybersecurity and how to deal with it, there is surprisingly little we know about cyber and information security decision-makers who are essentially the people in charge of setting up and maintaining organizational cybersecurity. In this paper, we study cybersecurity awareness of cyber and information security decision-makers, and investigate factors associated with it. We conducted an online survey among Slovenian cyber and information security decision-makers (N=283) to (1) determine whether their cybersecurity awareness is associated with adoption of antimalware solutions in their organizations, and (2) explore which organizational factors and personal characteristics are associated with their cybersecurity awareness. Our findings indicate that awareness of well-known threats and solutions seems to be quite low for individuals in decision-making roles. They also provide insights into which threats and solutions are cyber and information security decision-makers the least aware of. We uncovered that awareness of certain threats and solutions is positively associated with either adoption of advanced antimalware solutions with EDR/XDR capabilities or adoption of SOC. Additionally, we identified significant organizational factors (organizational role type) and personal characteristics (gender, age, experience with information security and experience with IT) related to cybersecurity awareness of cyber and information security decision-makers. Organization size and formal education were not significant. These results offer insights that can be leveraged in targeted cybersecurity training tailored to the needs of groups of cyber and information security decision-makers based on these key factors.