Developing Cybersecurity Awareness: A case study on Enhancing Employee Training in a Marine Manufacturing SME
Chaulagain, Niroj (2025)
2025
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:amk-2025060621172
https://urn.fi/URN:NBN:fi:amk-2025060621172
Tiivistelmä
The objective of this thesis project was to develop and implement a cybersecurity awareness training programme tailored to employees at Oceanvolt, a marine manufacturing SME. Commissioned by Oceanvolt, the project aimed to identify existing knowledge gaps and develop a comprehensive training solution designed to enhance cybersecurity awareness in employees.
The development task involved designing a practical, evidence-based training session obtained from the internal survey. The theoretical framework was based on NIST Cybersecurity Framework (CSF) 2.0 and the ADDIE instructional design model, which provided structured guidance for analysing needs, designing content and evaluating impact.
The research utilized mixed-methods approach, first by baselining cybersecurity awareness through the survey and then, through the design and delivery of a one-session live training including interactive demonstrations. A post training survey and qualitative feedback were then used to evaluate effectiveness.
Key findings showed that employees demonstrated strong individual cybersecurity behaviours in some respects. However, awareness of governance roles, recovery procedure, and formal security policy were limited. The training session significantly improved confidence and perceived relevance, as shown by the post training survey. Open feedback revealed strong employee engagement, calls for more company-specific context and support for monthly refreshers. The executive leadership requested the development of formal cybersecurity policy immediately following the session.
The thesis concludes that even a short, practical targeted training initiative supported by leadership and based on real-world context can enhance cybersecurity culture and procedural change within an SME.
The development task involved designing a practical, evidence-based training session obtained from the internal survey. The theoretical framework was based on NIST Cybersecurity Framework (CSF) 2.0 and the ADDIE instructional design model, which provided structured guidance for analysing needs, designing content and evaluating impact.
The research utilized mixed-methods approach, first by baselining cybersecurity awareness through the survey and then, through the design and delivery of a one-session live training including interactive demonstrations. A post training survey and qualitative feedback were then used to evaluate effectiveness.
Key findings showed that employees demonstrated strong individual cybersecurity behaviours in some respects. However, awareness of governance roles, recovery procedure, and formal security policy were limited. The training session significantly improved confidence and perceived relevance, as shown by the post training survey. Open feedback revealed strong employee engagement, calls for more company-specific context and support for monthly refreshers. The executive leadership requested the development of formal cybersecurity policy immediately following the session.
The thesis concludes that even a short, practical targeted training initiative supported by leadership and based on real-world context can enhance cybersecurity culture and procedural change within an SME.