Challenges and strategies of contemporary cybersecurity awareness training in Swedish SMEs: A qualitative study
2025 (English) Independent thesis Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Student thesis
Abstract [en]
Small and Medium-sized Enterprises (SMEs) play a pivotal role in Sweden’s economic landscape, yet they often face distinct challenges in adapting to evolving cybersecurity demands. As digital transformation accelerates, maintaining effective cybersecurity awareness training has become increasingly important, especially given that human error remains a leading cause of cybersecurity incidents. This thesis investigates how cybersecurity awareness training is implemented and experienced within Swedish SMEs, aiming to identify structural barriers, behavioral patterns, and organizational practices that shape training outcomes. The study employs a qualitative methodology involving semi-structured interviews with representatives from 12 SMEs across various industries. Using thematic and comparative analysis, the research highlights several recurring challenges, including resource limitations, informal training cultures, limited managerial engagement, and fragmented implementation strategies. By comparing empirical insights with established frameworks such as NIST Cybersecurity Framework, ISO/IEC 27001, and ENISA guidelines, the findings reveal both consistencies and contextual divergences, particularly among micro-enterprises. The study also compares the findings with prior research on Swedish SMEs to uncover recurring patterns, confirm previously observed concerns, and identify less-explored challenges specific to the Swedish SME context. It also examines cybersecurity training effectiveness in SMEs through a comparison across organizational and sectoral contexts. The results suggest that while SMEs recognize the importance of cybersecurity, awareness training often remains underdeveloped due to resource constraints, inconsistent strategic planning, and misperceptions of risk, especially in organizations that have not yet experienced a major incident. 
The study seeks to contribute to existing research by offering a context-sensitive analysis of how Swedish SMEs approach awareness training and by identifying adaptive practices that may inform more sustainable and scalable training strategies.
Place, publisher, year, edition, pages
2025. , p. 86, iv
Keywords [en]
Swedish SMEs, cybersecurity awareness training, resource constraints, organizational behavior, framework alignment, micro-enterprises, qualitative study
National Category
Information Systems, Social aspects
Identifiers
URN: urn:nbn:se:his:diva-25219
OAI: oai:DiVA.org:his-25219
DiVA, id: diva2:1969607
Subject / course
Information Technology
Educational program
Privacy, Information and Cyber Security - Master's Programme 120 ECTS
Supervisors
Examiners
2025-06-16 2025-06-16 2025-09-29 Bibliographically approved