Are We Ready for the Next Attack? Empirical Findings on Cybersecurity Awareness and Training
DOI:
https://doi.org/10.59297/18t97q38Keywords:
cybersecurity, awareness, security training, preparedness, supply chain, employee security perceptionAbstract
This paper examines how cybersecurity training and awareness building contribute to organizational preparedness against cyberattacks, particularly in organizations where cyber-physical and supply-chain interdependencies amplify cascading impacts. Building on the evolving threat landscape reported by ENISA and CrowdStrike and policy drivers such as the EU NIS2 Directive, we report findings from a representative empirical study of $n = 1014$ employees in Austrian companies. The results show that basic technical safeguards (e.g., antivirus, firewalls, access control) are widely implemented, while organizational preparedness remains uneven as emergency plans and clear incident procedures are often missing or unknown to staff. Cyber threat knowledge is largely limited to common terms (e.g., phishing), and awareness of supply-chain cybersecurity is particularly underdeveloped. Training is not systematic, since only about half participated in trainings over the last 12 months, and content retention declines sharply if it has been over one year since the training took place. We discuss implications for preparedness and recommend recurring, practical training cycles, including tabletop and simulation-based exercises that make incident response and supply-chain dependencies actionable for employees.
Downloads
