Sustainable Information Security Sensitization in SMEs: Designing Measures with Long-Term Effect

Abstract

This paper outlines an overall scenario for ongoing personnel development measures designed to increase information security awareness in small and medium-sized enterprises (SMEs) in Germany and to help small businesses improve their security levels and defenses. The three-year project combines different actors and a multitude of methods, with a focus on conducting interviews and online surveys with companies, developing customized game-based awareness trainings, tests, and on-site attacks, and creating measurements and evaluations as well as maturity statements, guidelines, and low-threshold security concepts. A mix of analog/digital serious games and operational trainings with reviews are of key importance here. Compared with the findings from the applied scientific literature on behavioral research and design, the ultimate goal at project’s end is to extrapolate statements on the success and efficacy of the measures and their long-term effect.