Wake up Calling: Impacting businesses by communicating cybersecurity risk

Episode Notes

• SMEs struggle with cybersecurity due to time, cost, and lack of expertise, despite recognizing its importance.
• An automated cybersecurity scan was developed to assess SME websites and email security without requiring them to opt-in.
• Physical reports were mailed instead of emailed to avoid phishing concerns and increase credibility.
• Reports included security ratings on ten key areas and recommendations for improvement.
• Businesses were encouraged to consult their existing IT providers for fixes rather than relying on external services.
• Different risk communication strategies were tested to encourage SMEs to act on the findings.
• “Anticipated Regret” messaging (“Fix it now or regret it later”) led to the highest cybersecurity improvements.
• All groups, including the control group, showed some improvement, suggesting broader awareness of cybersecurity issues.
• Engagement was low, with only a small number of businesses reaching out after receiving the report.
• Legal concerns about scanning businesses without consent were addressed—publicly available cybersecurity data can be legally assessed.
• Ethical approval confirmed the project was non-commercial and aimed solely at helping businesses improve security.
• A follow-up version of the project will introduce an opt-out option before scanning businesses.
• Industry associations may partner with the project to increase credibility and adoption.
• The intervention will be scaled up, with more businesses included and a longer time frame for assessing impact.
• Future plans include adapting the intervention internationally, using lessons learned to assist SMEs in other regions.

About Our Guest

Dr. Susanne van ’t Hoff-de Goede

https://www.linkedin.com/in/susanne-van-t-hoff-de-goede/

https://www.thuas.com/research/centre-expertise/team-cyber-security

Resources and Research Mentioned

Examining Ransomware Payment Decision-making Among SMEs

Matthijsse, S. R., Moneva, A., van ’t Hoff-de Goede, M. S., & Leukfeldt, E. R.

European Journal of Criminology.

Explaining Cybercrime Victimization Using a Longitudinal Population-based Survey Experiment

van ’t Hoff-de Goede, M. S., van de Weijer, S., & Leukfeldt, R.

Journal of Crime and Justice, 47(4), 472-491 (2024).

How Safely Do We Behave Online? An Explanatory Study into the Cybersecurity Behaviors of Dutch Citizens

van der Kleij, R., van ’t Hoff-de Goede, S., van de Weijer, S., & Leukfeldt, R.

In: International Conference on Applied Human Factors and Ergonomics (2021), pp. 238-246.

The Online Behaviour and Victimization Study

van ’t Hoff-de Goede, M. S., Leukfeldt, E. R., van der Kleij, R., …

In:Cybercrime in Context: The human factor in victimization, offending, and … (2021).

Other

Dutch Government Cybersecurity Resource

https://english.ncsc.nl

(English-language site for the Netherlands’ National Cyber Security Centre)

Secure Internetting (in Dutch)

https://veiliginternetten.nl/