Wake up Calling: Impacting businesses by communicating cybersecurity risk
Episode Notes

SMEs struggle with cybersecurity due to time, cost, and lack of expertise, despite recognizing its importance.
An automated cybersecurity scan was developed to assess SME websites and email security without requiring them to opt in.
Physical reports were mailed instead of emailed to avoid phishing concerns and increase credibility.
Reports included security ratings on ten key areas and recommendations for improvement.
Businesses were encouraged to consult their existing IT providers for fixes rather than relying on external services.
Different risk communication strategies were tested to encourage SMEs to act on the findings.
“Anticipated Regret” messaging (“Fix it now or regret it later”) led to the highest cybersecurity improvements.
All groups, including the control group, showed some improvement, suggesting broader awareness of cybersecurity issues.
Engagement was low, with only a small number of businesses reaching out after receiving the report.
Legal concerns about scanning businesses without consent were addressed—publicly available cybersecurity data can be legally assessed.
Ethical approval confirmed the project was non-commercial and aimed solely at helping businesses improve security.
A follow-up version of the project will introduce an opt-out option before scanning businesses.
Industry associations may partner with the project to increase credibility and adoption.
The intervention will be scaled up, with more businesses included and a longer time frame for assessing impact.
Future plans include adapting the intervention internationally, using lessons learned to assist SMEs in other regions.

About Our Guest

Dr. Susanne van ’t Hoff-de Goede
https://www.linkedin.com/in/susanne-van-t-hoff-de-goede/
https://www.thuas.com/research/centre-expertise/team-cyber-security

Resources and Research Mentioned

Examining Ransomware Payment Decision-making Among SMEs
Matthijsse, S. R., Moneva, A., van ’t Hoff-de Goede, M. S., & Leukfeldt, E. R.
European Journal of Criminology.

Explaining Cybercrime Victimization Using a Longitudinal Population-based Survey Experiment
van ’t Hoff-de Goede, M. S., van de Weijer, S., & Leukfeldt, R.
Journal of Crime and Justice, 47(4), 472-491 (2024).

How Safely Do We Behave Online? An Explanatory Study into the Cybersecurity Behaviors of Dutch Citizens
van der Kleij, R., van ’t Hoff-de Goede, S., van de Weijer, S., & Leukfeldt, R.
In: International Conference on Applied Human Factors and Ergonomics (2021), pp. 238-246.

The Online Behaviour and Victimization Study
van ’t Hoff-de Goede, M. S., Leukfeldt, E. R., van der Kleij, R., …
In: Cybercrime in Context: The human factor in victimization, offending, and … (2021).

Other

Dutch Government Cybersecurity Resource
https://english.ncsc.nl
(English-language site for the Netherlands’ National Cyber Security Centre)

Secure Internetting (in Dutch)
https://veiliginternetten.nl/