Security Awareness in SMEs: A Baseline Study Based on Depth Psychology in the Project »Awareness Labor KMU (ALARM) Informationssicherheit«
Foreword with an Introduction to and Summary of the Study “Added Value for SMEs”
Managers and employees are proud to see themselves as a team identifying with their SME (small/medium-
sized enterprise) to which they feel a strong bond. High-quality products, flexible solutions, and continual
innovation are part of a strategy aimed at trying to survive together in the market. The “family culture” thrives
on a sense of mutual trust. But how does information security fare in German SMEs, and how aware are people
of it? The Technical University of Applied Sciences Wildau (TH Wildau) commissioned known_sense to submit a
baseline study, geared to depth psychology, that would shed light on the topic, while also producing
recommendations that would highlight added value for SMEs.
The study reveals that information security is still a vague concept for many people and is generally left to
experts and service providers. It is thus important that people develop a more active personal awareness going
forward with a sense of their own responsibility for information security in the workplace. In addition, the
relevant issues focused on by the interviewees make it clear that there is plenty of scope for increasing people’s
level of awareness: the well-known problems of password security and phishing attacks top the list. This shows
that SMEs require more awareness-raising in the area of information security. During the pandemic, however,
information security issues have been put on the back burner, with the primary focus shifted to health issues
and company survival. Even so, as repeated examples have shown, cyberattacks can also threaten the very
existence of an SME.
Notwithstanding, this study shows that SMEs increasingly regard information security as an important issue.
However, in their estimation, the predominant concerns are external risks such as cyberattacks, legal regulations,
and customer requirements. This is understandable given that regulations can represent a major challenge for
information security management in companies and that the entire organization is affected by the new
requirements brought in by the EU-wide General Data Protection Regulation. However, if information security
is to be ensured, internal factors must also be identified. SMEs have a balancing act to perform: they need to be
able to talk about mistakes and lapses (what is called “error culture” in companies) while at the same time
making sure that there are certain consequences if violations occur, which can, among other things, tarnish a
The manageable size of an SME, coupled with people’s knowledge of one another and personal dealings, means
that discursive awareness is intuitively in play so that incidents and risks are discussed in a timely manner. To
my mind, this is a key internal factor in establishing ongoing awareness. However, on its own this is not enough
to ensure the development of any real long-term awareness of the need for more information security. To date,
SMEs have tended to lack a strategy for establishing sustained information security awareness in all business
areas. Such a strategy would also underpin the necessary security culture in SMEs.
Knowledge Sharing Is Not Enough
The SMEs taking part in the study have so far generally not implemented any integrated awareness concepts—
of the kind envisaged in the BMWi-funded project Awareness Lab SME (ALARM) Information Security—or a
supporting programme of awareness with a documented strategy. The same goes for awareness measurements
and other evaluations as part of an effort to develop staff sensitivity to security issues. Activities to promote
greater awareness have so far often only been understood purely in terms of knowledge transfer. However,
research shows that this does not go far enough. The study therefore illustrates the tripartite principle according
to which information security awareness relies on knowledge, willingness, and competence and describes the
specific benefits to companies along with concrete starting points for focused personnel development in SMEs.
A few SMEs have purchased commercially available digital awareness training as a first step in establishing a
security culture. However, these SMEs have found that products of this kind that are not adapted to the
company are not very engaging. It is my opinion that awareness training only has any real impact if it has an
emotional effect on people and is integrated into an interactive experience with discursive participation.
To this end, the study offers a generalized typology with five prototypical strategies for dealing with the issue of
information security: IT Captain, Incident Expert, Sympathetic Consoler, IT Emergency Siren, and Full-On
Delegator. Even if this is a very rough classification, it still provides a clear gauge of weak spots and shows the
need for personalised training in SMEs. This is of great importance for companies if they are to develop
appropriate awareness-raising measures to suit employees and managers. It is also key to their ability to recruit
staff and managers as multipliers for training or as security ambassadors—which is a means of giving such
measures long-term efficacy. SMEs need to understand that this is a process and not a one-off event.
Experiential awareness training can now be enriched with game-based elements to create a sense of active
involvement in the learning scenario (“serious games”). The study shows that German SMEs still have
reservations about this: the idea of play should not be foregrounded if this kind of training is to gain acceptance.
The range of on-the-ground experience my research group has had with different target groups suggests that
such reservations are not uncommon in Germany and only when people actually run the experiential, interactive
learning scenarios do they see the added value they offer for achieving greater awareness and sustained
mindfulness of information security.
The results of this study are used in the project Awareness Lab SME (ALARM) Information Security as a starting
point for developing new awareness-raising measures tailored to SMEs. The goal here—and the added value for
SMEs—is the provision of integrated measures that mesh with one another to promote a systematic programme
of awareness-raising that actually helps to develop a security culture and is distinct from the classical training
methods that have been a failure in the past.
Prof. Dr. Margit C. Scholl