
The Cyberpsychology of Small and Medium-Sized Enterprises Cybersecurity: A Human-Centric Approach to Policy Development

DOI: 10.4236/jis.2025.161009, PP. 158-183

Keywords: Cyberpsychology, Cybersecurity, SMEs, Policy Development, Human Factors, Risk Perception, Compliance Behavior, Organizational Culture, Psychological Resilience, Security Awareness


Abstract:

This study investigates the critical intersection of cyberpsychology and cybersecurity policy development in small and medium-sized enterprises (SMEs). Through a mixed-methods approach incorporating surveys of 523 employees across 78 SMEs, qualitative interviews, and case studies, the research examines how psychological factors influence cybersecurity behaviors and policy effectiveness. Key findings reveal significant correlations between psychological factors and security outcomes, including the relationship between self-efficacy and policy compliance (r = 0.42, p < 0.001) and the impact of social norms on security behavior (β = 0.37, p < 0.001). The study identifies critical challenges in risk perception, policy complexity, and organizational culture affecting SME cybersecurity implementation. Results demonstrate that successful cybersecurity initiatives require the integration of psychological principles with technical solutions. The research provides a framework for developing human-centric security policies that address both behavioral and technical aspects of cybersecurity in resource-constrained environments.

