From theory to training: Lessons in making NICE usable


SMBs may not have big budgets, but they are on the receiving end of many cyberattacks. A new study from Cleveland State University looked at how these companies could train staff without getting lost in the thousands of skills and tasks in the NICE Cybersecurity Workforce Framework. The result is a stripped-down, scenario-based curriculum that may hold lessons for security leaders in much larger enterprises.

Shrinking a giant framework

The research team asked a simple question: what if you taught only the parts of the framework that protect against the most common attacks on smaller businesses? Using data from Verizon, Ponemon Institute, CISA, Hiscox, and ENISA, they identified three threats that dominate SMB incidents: phishing and social engineering, malware and ransomware, and web-based attacks.

From there, they cut the framework down to 88 technical and 54 non-technical elements. The trimmed list still covers risk management, malware analysis, web services, privacy law, insider threat investigations, and supply chain risk management.

Learning through real attacks

With the short list in hand, the researchers built training around scenarios. Instead of walking through abstract concepts, learners run through simulations based on known attacks. These include ransomware delivered through EternalBlue, Spectre and Meltdown hardware flaws, PBX hacking, website fingerprinting, DDoS campaigns, and phishing linked to the Thallium group.

Each exercise pairs technical skills with legal knowledge. The EternalBlue scenario, for example, covers both operating system hardening and breach notification laws. PBX hacking explores access control along with the Computer Fraud and Abuse Act.

Virtual machine labs give learners the chance to carry out and defend against the attacks, while legal case studies highlight how regulations tie into technical response.

Lessons enterprise leaders can take from SMB training

For CISOs, the study shows two important things. First, it is possible to take a sprawling framework and distill it into something that matches actual risks. Many security leaders deal with training programs that are broad but lack focus. A selective approach like this can help keep training relevant.

Second, the model blends legal and technical work. Incident response in large enterprises always involves compliance and legal teams. Training that reflects that reality can prepare staff for the kind of cross-disciplinary work they will encounter in a real crisis.

Martin Walsh, Chief Legal Officer at Daon, told Help Net Security that he sees the same gap in smaller organizations. “SMBs typically don’t have experts internally or good external advisors,” he said. “Often these matters are handed off to a general IT employee without expertise or experience and with no support from management. These are big important problems that must be treated as such.”

Walsh also warned against siloed operations, noting that “you need to have cross-functional cooperation, with security, IT, legal, regulatory, and privacy working as a joined-up team. A siloed approach increases the risk of bad situations being made worse.”

A method worth adapting

Even though the project targets SMBs, larger organizations could apply the same process. CISOs could identify the most pressing threats in their own sector, map them back to the NICE Framework, and build targeted scenarios. That would give staff hands-on practice while keeping training anchored to actual business risks.

The scenario-driven approach may also help CISOs improve training engagement. Employees often tune out abstract policy discussions. Walking through a simulated attack that also shows the legal consequences can be far more memorable.

Walsh added that organizations can strengthen collaboration by building structured routines. “Set up a Security or Privacy Working Group and schedule monthly meetings without fail,” he advised. “Get key people involved such as your in-house lawyer, Head of IT or Head of Information Security, and you need senior management involved too. I also advise having an outside independent data protection officer to check your homework. A false sense of security does nobody any favors.”

He also recommended carrying out desk-based scenarios on a regular basis. “Describe a theoretical data breach and have a run through to see how you do and assess your strengths or weaknesses,” Walsh said.

Where this approach could go next

The research team notes that this method could be extended to other areas, including the IoT. As organizations adopt connected devices faster than they can train staff, a narrowed, scenario-based curriculum could help close the gap.

Frameworks are useful starting points, but the value comes from cutting them down to what matters most and connecting training to real-world events.
