Human Factors in Cybersecurity in Icelandic Small and Medium-sized Enterprises
Pith reviewed 2026-06-28 13:42 UTC · model grok-4.3
The pith
A survey of Icelandic managers finds human factors like training gaps and weak culture are the main barriers to cybersecurity in their organizations.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
From the management perspective, human factors were strongly noted as challenges and barriers to their organisations' security. These challenges include a lack of adequate training or awareness, hiring issues, poor cybersecurity culture, and time and/or financial resource constraints.
What carries the argument
Survey responses from 130 managers in Icelandic organizations that identify and rank human-factor challenges to cybersecurity.
Load-bearing premise
The 130 survey responses from managers accurately and representatively capture the human-factor challenges present in Icelandic organizations.
What would settle it
A larger or differently sampled survey of Icelandic managers that shows technical issues or external threats rated as bigger barriers than human factors such as training and culture.
Original abstract
Cybersecurity threats are increasing in all aspects of society due to the integration of digital systems into modern-day life and a volatile geo-political landscape. Technical factors are an ongoing arms race; however, the threat surface from human and social factors is still present, often providing malicious actors the means to bypass complex technical security controls. Understanding human factors in light of technical evolution is essential to ensure security controls remain effective. This study presents the results of a survey on cybersecurity challenges within public and private sector organisations, including critical infrastructure providers, in Iceland (N = 130). From the management perspective, human factors were strongly noted as challenges and barriers to their organisations' security. These challenges include a lack of adequate training or awareness, hiring issues, poor cybersecurity culture, and time and/or financial resource constraints. Based on these findings, recommendations for mitigating threats from human factors are derived. These include: prioritising targeted over generic training to reduce employee fatigue, external government support for financially constrained organisations, and building a strong cybersecurity culture through constructive communication around shared responsibilities.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript reports results from a survey of N=130 managers in Icelandic public and private sector organizations (including critical infrastructure providers), concluding that human factors constitute major challenges and barriers to organizational cybersecurity; the specific challenges identified are lack of adequate training or awareness, hiring issues, poor cybersecurity culture, and time/financial resource constraints. From these, the authors derive recommendations including prioritizing targeted training, seeking external government support for constrained organizations, and building culture through communication of shared responsibilities.
Significance. If the survey methodology and sample can be shown to support the claims, the work would supply context-specific empirical data on human factors in cybersecurity for a small, developed economy, complementing technical security literature with management perspectives and actionable policy suggestions.
major comments (2)
- [Abstract] Abstract: The abstract states conclusions from N=130 responses but supplies no information on survey design, sampling frame, response rate, question wording, or statistical methods, preventing verification that the data support the listed challenges. This is load-bearing for the central empirical claim.
- [Survey description] Survey description (wherever the N=130 sample is introduced): No evidence is supplied of stratified sampling, response-rate calculation, or post-stratification weighting, so the assumption that the responses accurately and representatively capture human-factor challenges across Icelandic organizations remains untested and undermines generalizability of the strongest claim.
minor comments (1)
- [Title] Title vs. abstract: The title specifies Small and Medium-sized Enterprises, yet the abstract includes public-sector and critical-infrastructure organizations; this scope mismatch should be reconciled or explained.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback, which highlights opportunities to strengthen the methodological transparency of our survey-based study. We address each major comment below and will make corresponding revisions to improve clarity and address concerns about generalizability.
- Referee: [Abstract] Abstract: The abstract states conclusions from N=130 responses but supplies no information on survey design, sampling frame, response rate, question wording, or statistical methods, preventing verification that the data support the listed challenges. This is load-bearing for the central empirical claim.
  Authors: We agree that the abstract would benefit from additional methodological context to allow readers to evaluate the claims. In the revised manuscript, we will expand the abstract to briefly note the survey design (online questionnaire targeting managers), the sampling frame (Icelandic public and private sector organizations including critical infrastructure providers), the achieved sample size of 130, and that analysis was primarily descriptive. This will be done without exceeding typical abstract length constraints while preserving the core findings.
  revision: yes
- Referee: [Survey description] Survey description (wherever the N=130 sample is introduced): No evidence is supplied of stratified sampling, response-rate calculation, or post-stratification weighting, so the assumption that the responses accurately and representatively capture human-factor challenges across Icelandic organizations remains untested and undermines generalizability of the strongest claim.
  Authors: We acknowledge that the current manuscript does not detail stratified sampling or post-stratification weighting, as the survey employed purposive sampling through professional networks, industry associations, and public registries to reach managers in relevant organizations. We will revise the methods section to explicitly describe the sampling frame, distribution method, any available response rate information, and question types. We will also add a dedicated limitations subsection clarifying that the sample is not statistically representative of all Icelandic organizations and that findings should be interpreted as insights from this specific cohort rather than generalizable national estimates. This addresses the concern without overstating the data's scope.
  revision: yes
Circularity Check
No circularity: descriptive survey with claims resting directly on respondent data
This is a purely empirical survey paper reporting N=130 manager responses on human-factor challenges in Icelandic organizations. The central claims are direct summaries of the collected answers (lack of training, hiring issues, poor culture, resource constraints) with recommendations derived from those answers. No equations, fitted parameters, predictions, self-citations used as load-bearing uniqueness theorems, or ansatzes appear in the provided abstract or description. The derivation chain consists solely of reporting and interpreting survey data without any reduction of outputs to author-defined inputs by construction. The representativeness concern is a validity issue, not a circularity issue.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption: Survey responses from managers accurately reflect the human-factor cybersecurity challenges present in the sampled organizations.