Benita BELANOVA, Anna HAMRANOVA and Aniko TOROKOVA
Bratislava University of Economics and Business, Bratislava, Slovak Republic
Volume 2025,
Article ID 620687,
IBIMA Business Review,
12 pages,
DOI: https://doi.org/10.5171/2025.620687
Received date: 3 April 2025; Accepted date: 8 July 2025; Published date: 19 August 2025
Cite this Article as:
Benita BELANOVA, Anna HAMRANOVA and Aniko TOROKOVA (2025), "Assessing Employees’ Knowledge and Skills in Cybersecurity: Quantitative Research in Slovakia", IBIMA Business Review, Vol. 2025 (2025), Article ID 620687, https://doi.org/10.5171/2025.620687
The motive behind the study: The study aims to contribute to cybersecurity research by examining the views of managers of companies operating in Slovakia on the level of knowledge and skills of employees in cybersecurity. It focuses on identifying the most lacking and most valued competencies to enhance cybersecurity measures and address the growing concerns of managers globally.
The void in literature that makes this study important: Despite the extensive literature on cybersecurity, there is a notable gap in understanding the specific knowledge and skills deficits among employees in Slovak companies. While many studies emphasize the human factor in cybersecurity, few focus on the detailed competencies that are most lacking and most valued by managers. This study aims to fill this gap by providing empirical data on these critical aspects, thereby contributing to more targeted and effective cybersecurity training and development.
Methodology: The research involved a questionnaire survey conducted from January to June 2024, with 357 managers participating. Data were analyzed using statistical methods, including descriptive statistics and the Kruskal-Wallis test.
Summary of the findings: The study found that flexibility, problem-solving, and effective communication are the most lacking yet most valued skills in cybersecurity. No significant differences were found based on company size, ownership, or number of computers. Regular training on soft skills is recommended.
Keywords: cybersecurity, knowledge and skills of employees, the most lacking and most valued knowledge and skills
Introduction
Cybersecurity is an important aspect of the modern digital world that protects sensitive information from unauthorized access and cyber-attacks. Given the growing number of online threats, it is imperative that organizations and individuals invest in robust security measures. Ensuring cybersecurity helps prevent financial loss, protect privacy and maintain credibility. The importance of cybersecurity assurance is underscored by the fact that cybersecurity has become a focus of concern for responsible managers across the globe, both at the level of supranational and national governing bodies and institutions.
In 2020, the European Union presented a new EU cybersecurity strategy from which a number of regulations and rules have emerged. These include the updated Network and Information Systems Security Directive (NIS2 Directive), which was adopted in 2023 and aims to strengthen cyber resilience and harmonize regulations across member states (World Economic Forum, 2024). Member states were tasked with fully transposing and implementing the NIS2 Directive by 18 October 2024. However, the Directive only applies to companies with more than 50 employees and a turnover greater than €10 million that provide services in selected critical infrastructure sectors. Other regulations, according to the European Commission (2024) and Kost (2025), are the Cyber Resilience Act (mandatory cybersecurity requirements for all products connected directly or indirectly to another device or network) and the GDPR (General Data Protection Regulation).
In the Slovak Republic, the implementation of regulations related to cybersecurity is carried out through the amended Act on Cybersecurity (No. 69/2018 Coll.), Act No. 18/2018 Coll. and the Electronic Communications Act (No. 351/2011 Coll.) (CMS, 2025).
In companies and organizations, cybersecurity means protecting information systems, networks and data from cyber threats and attacks (MIRRI, 2025). This process includes various activities and strategies, e.g. for prevention, detection and response to cyber incidents, incident recovery, access control (strong password policies), securing cloud services, and creating a culture of security in the company.
The issue of cybersecurity is also widely developed in the field of science and research. The intention of our paper is to contribute to cybersecurity research by examining the views of managers of companies operating in Slovakia on the level of knowledge and skills of employees in the field of cybersecurity. We will focus in more detail on the knowledge and skills that employees lack most in the area of cybersecurity, compare them with the knowledge and skills that are most valued in companies and identify the parameters in which the opinions on the examined knowledge and skills differ.
Literature Review
To ensure cybersecurity in a company, various activities and measures need to be implemented. This fact is also reflected in the professional and scientific literature, where a large number of scientific articles have been published that examine cybersecurity from different perspectives. For example, there are currently 25 252 scientific articles published in the Web of Science database under the heading ‘cybersecurity’. In most of the publications, among other aspects of cybersecurity, the influence of the human factor, which is also the focus of our paper, is present. We are inspired by the research studies of Reddy & Rao (2016), Suryotrisongko & Musashi (2019), Wu & Zhang (2019), Lee & Kim (2023), Perala & Lehto (2024), Fatoki et al. (2024).
In addition, many electronic resources (electronic publications, websites, possibly blogs) dealing with cybersecurity and emphasizing the importance of the human factor are available (cybercompetence (2025), O2 Business Services (2025), MIRRI (2024), H&P Magazine (2025) …).
The complexity of cybersecurity issues and the importance of systematically examining them have been addressed by Suryotrisongko & Musashi (2019), who developed a taxonomy of cybersecurity research comprising 8 areas, namely: (1) Applied cybersecurity, (2) Cybersecurity data science, (3) Cybersecurity education and training, (4) Cybersecurity incidents, (5) Cybersecurity management and policy, (6) Cybersecurity technology, (7) Human and social cybersecurity and (8) Theories in cybersecurity. The focus on the human factor was evident in two areas, namely (3) Cybersecurity education and training and (7) Human and social cybersecurity. The taxonomy developed by the authors underlines the interdisciplinary nature of cybersecurity, i.e. it is not only technical cybersecurity, but also data, systems/technology and human/societal cybersecurity.
Reddy & Rao (2016) investigated user behaviour in the area of cyber security. They assumed that knowledge of cybersecurity issues is one of the predictors of adherence to security policies and procedures. The authors examined the impact of cybersecurity knowledge and skills on compliance, and, as a result, they argued that cybersecurity knowledge and skills can be a moderating factor in the relationship between awareness and compliance.
Like Reddy & Rao (2016), Lee & Kim (2023) dealt with a similar issue, namely knowledge of cybersecurity issues. They conducted the study with respondents of multiple age groups and found that knowledge of cybersecurity issues and cybersecurity risks is positively related to cybersecurity behavior. In the multi-group analysis, the effect of cybersecurity risk on cybersecurity behavior was statistically significant.
Wu & Zhang (2019) focused on cybersecurity in companies and organizations where an important aspect is the employees themselves. The authors highlight that regular training programs and increased cybersecurity awareness are critical to success in organizations, identify best practices and provide actionable insights (linking cyber awareness to employees’ personal lives). They recommend regular cybersecurity training to help employees recognize threats (such as phishing attacks) and respond appropriately. The result of working with employees is the creation of a culture of security, which means that every employee understands their role in protecting data and information systems.
A study by Fatoki et al. (2024) examines the relationship between employees’ personal dispositions and their cybersecurity behaviors in companies and organizations. It examines how optimism bias influences attitudes (opinions) towards cybersecurity and consequently affects individuals’ behavior. In addition, it examines the moderating role of cognition (knowledge and skills) about cybersecurity in shaping the relationship between attitudes and risk-taking behavior in the domain under study.
Research Framework and Methodology
According to the research plan, the main objective of the paper is to investigate the opinions of managers of companies operating in Slovakia on the level of knowledge and skills of employees in the field of cyber security, to focus in more detail on the knowledge and skills that employees lack most in the field of cyber security, to compare them with the knowledge and skills that are most valued in companies and to identify the parameters in which the opinions on the examined knowledge and skills differ.
Research Hypotheses
For our research, 4 research hypotheses were proposed, each formulated as a null hypothesis (H0) and an alternative hypothesis (H1):
1H0: The assessment of the level of the most lacking and most valued knowledge and skills of employees does not differ statistically significantly depending on the size of the companies.
1H1: The assessment of the level of the most lacking and most valued knowledge and skills of employees differs statistically significantly depending on the size of companies.
2H0: The assessment of the level of the most lacking and most valued knowledge and skills of employees does not differ statistically significantly by company’s ownership.
2H1: The assessment of the level of employees’ most lacking and most valued knowledge and skills differs statistically significantly by company’s ownership.
3H0: The assessment of the level of the most lacking and most valued knowledge and skills of employees does not differ statistically significantly according to the number of computers in the company.
3H1: The assessment of the level of the most lacking and most valued knowledge and skills of employees differs statistically significantly according to the number of computers in the company.
4H0: The assessment of the level of the most lacking and most valued knowledge and skills of employees does not differ statistically significantly according to the person responsible for cyber security in the company.
4H1: The assessment of the level of the most lacking and most valued knowledge and skills of employees differs statistically significantly by the person responsible for cybersecurity in the company.
Research Model
The research was conducted in 3 main stages (Figure 1). In Stage 1, we focused on the study of scientific and professional literature with a focus on cybersecurity. In stage 2, the research hypotheses were formulated. At the same time, a research model (research variables model) was created to verify them. Stage 3 represented the statistical verification of the hypotheses and the formulation of conclusions.
Fig 1. Research framework
(Source: prepared by authors)
In addition to the standard methods of scientific work (analysis, synthesis, comparison), other methods were used in the paper, namely the method of data collection and the method of evaluation of results. The source data were obtained from a questionnaire survey conducted in the months of January to June 2024 in companies operating in Slovakia. The questionnaire was conducted in electronic form, and the respondents were managers of companies whose competence included the area of cybersecurity. A total of 357 respondents were involved in the survey, divided into groups according to the size of the company, its ownership, number of computers and the person responsible for cybersecurity.
Methods of evaluation of research variables: data were processed in Excel, and the statistical verification of hypotheses was carried out in Jamovi. The following statistical tests, tools and coefficients were used: descriptive statistics, Cronbach’s α and McDonald’s ω, the Shapiro-Wilk test of normality and Levene’s test of homogeneity of the research sample, and the non-parametric alternative to the ANOVA test (the Kruskal-Wallis test).
Results and Discussion
This chapter presents the results of the questionnaire survey in the following structure: the reliability of the research tool, the research sample, the results of the evaluation of individual indicators according to the research model and the results of the statistical verification of the hypotheses.
Reliability of the research tool
The scale reliability of the A1 and A2 groups of variables reached α = 0.929, ω = 0.930 (overall). Reliability of individual variables reached α values ranging from 0.924 to 0.928 and ω values ranging from 0.925 to 0.929.
Although the above reliability values of our research instrument meet the required value of Cronbach’s α > 0.7 (Hanak, 2016; Kolarcik, 2013; Marko, 2016), the calculation was supplemented with McDonald’s ω coefficient, whose values confirm sufficient internal consistency of the questionnaire used in the survey (Ullah, 2018; Marko, 2016).
Results of the questionnaire survey – research sample
The research sample was characterized based on the size of the company (P1), ownership (P2), total number of computers in the company (P3), and the person responsible for cybersecurity in the company (P4). The structure of the research sample is detailed in Table 1.
Table 1: Research sample
(Source: prepared by authors)
Results of the evaluation of the examined variables
Respondents’ opinions were measured by two groups of variables. Both groups were rated on a 5-point Likert scale ranging from 0 to 4, with 0 meaning “do not agree at all” and 4 meaning “agree completely”. The first group consisted of variables A1.1, A1.2, …, A1.11, which characterized the knowledge and skills of employees in the field of cybersecurity that the company lacks most. The second group consisted of variables A2.1, A2.2, …, A2.11, which characterized the knowledge and skills in this area that the company values most. The variables of both groups had the same textual description that characterized their meaning.
Table 2: Meaning of variables
(Source: prepared by authors)
Table 3: Percentages of A1 variable group scores
(Source: prepared by authors)
Table 3 shows that the variables rated with the highest percentages (indicating that it is cybersecurity knowledge and skills that the company is most lacking) include:
Flexibility and Constructive Approach to Problem Solving (A1.8), mean 2.85, with 68.07% of the ratings being at level 3 or 4, indicating that the majority of respondents are aware of a deficiency in this area.
Ability to communicate effectively with management (A1.9), mean 2.85, with 70.03% of the ratings being at levels 3 or 4. This indicates the importance and relatively low level of this skill.
Management Skills (A1.11), mean 2.81, with 66.66% of the assessments at level 3 or 4, indicating some
The variables rated with the lowest percentages, the knowledge and skills that respondents rated as least lacking, were:
IS/IT Technology Knowledge (A1.1), mean 2.55. Only 54.62% gave them a high rating of 3 or 4, the lowest of all variables. The highest percentage rating of 1 (14.29%) means that a large proportion of respondents are satisfied with their level.
Subject matter knowledge of cybersecurity issues (A1.3), mean 2.50. The lowest mode (2) means that a rating of 2 was most common, indicating that more respondents identified these skills as least lacking.
Table 4: Percentages of A2 variable group scores
(Source: prepared by authors)
Table 4 shows the cybersecurity knowledge and skills that are most valued in companies. Variable A2.8 – Flexibility and constructive approach to problem solving had the highest mean score of 3.18, with 47.90% of respondents giving the highest score of 4 and only 1.40% giving a score of 0. This was followed by IS/IT Technological Knowledge (A2.1), which achieved an average value of 3.08; at the same time, more than 50% of the respondents reported the highest score of 4. Next came A2.9 – Ability to communicate effectively with the management, with an average of 3.07; 76.19% of the respondents reported ratings of 4 and 3, indicating that the respondents attach great importance to effective communication in the companies.
The lowest ratings, i.e. the knowledge and skills that respondents consider least valued, are given for A2.4 – Knowledge of financial management and budgeting (lowest mean of 2.62), followed by A2.10 – Presentation skills (mean of 2.76) and A2.11 – Managerial skills (mean of 2.84). Although these scores are the lowest, they are all above average.
Table 5: Comparison of evaluation results
(Source: prepared by authors)
Table 5 contains comparisons of the variables under study A1 (most lacking knowledge and skills), A2 (most valued knowledge and skills), calculated actual knowledge and skills (based on a set maximum score), and the difference between the most valued and actual knowledge and skills, which determines the gap between what is valued and what employees actually possess.
The largest difference between valued and actual knowledge and skills was for the variables A1.8, A2.8 Flexibility and constructive approach to problem solving (difference of 2.03), with a value of 1.15 for actual knowledge being very low, despite the valued knowledge value of 3.18 being the highest in the table. We conclude that employees do not feel sufficiently prepared to solve problems and adapt to change.
Another pair of variables with a high difference between valued and actual knowledge and skills is Ability to communicate effectively with management (A1.9, A2.9), where the difference is 1.92, actual knowledge 1.15, valued knowledge 3.07. This difference may indicate the fact that employees lack the ability to effectively present and argue their propositions to the company management.
The third pair of variables in order is Subject matter knowledge of the organization’s operations (A1.2, A2.2), the difference of valued and actual knowledge and skills is 1.80, actual knowledge 1.19, valued knowledge 2.99. This means that employees do not know the processes and structure of the organization well enough, which can cause problems in the coordination of teams.
Results of statistical significance of the hypotheses
Statistical verification of relationships between ordinal variables (P1, P2, P3, P4) and scale-type variables (A1, A2) was conducted using the ANOVA statistical test. To verify the assumptions for using the ANOVA test, two tests were used: the Shapiro-Wilk test (to verify the normality of the research sample) and Levene’s test (to verify the homogeneity of the research sample). Since normality and homogeneity of the research sample were not confirmed, we used the non-parametric Kruskal-Wallis test for testing. The results of the verification are presented in Tables 6 to 9. Statistically significant values of the Kruskal-Wallis test are marked with an asterisk (*).
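The Kruskal-Wallis computation described above, as an added example that is not the authors' code or Jamovi's: a pure-Python H statistic with the tie correction, which matters for 0 to 4 Likert ratings because almost every value is tied. The three company-size groups, their ratings and all function names are assumptions constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample: Likert ratings (0-4) of one sub-variable, split into
# three hypothetical company-size groups. Not data from the survey.
SAMPLE = {
    "small":  [2, 3, 3, 4, 4],
    "medium": [1, 2, 3, 3, 4],
    "large":  [0, 1, 1, 2, 2],
}

def average_ranks(values):
    """Give each distinct value the mean of the rank positions it occupies."""
    counts = Counter(values)
    ranks, position = {}, 1
    for value in sorted(counts):
        ties = counts[value]
        ranks[value] = position + (ties - 1) / 2
        position += ties
    return ranks, counts

def chi2_sf(x, df):
    """Upper tail of the chi-square distribution, P(X > x), for integer df.

    Uses Q(a + 1, y) = Q(a, y) + y**a * exp(-y) / Gamma(a + 1) with y = x / 2,
    starting from Q(1/2, y) = erfc(sqrt(y)) or Q(1, y) = exp(-y).
    """
    y = x / 2
    if df % 2:
        a, q = 0.5, math.erfc(math.sqrt(y))
    else:
        a, q = 1.0, math.exp(-y)
    while a < df / 2:
        q += y ** a * math.exp(-y) / math.gamma(a + 1)
        a += 1
    return q

def kruskal_wallis(groups):
    """Return (H, df, p) for a list of groups, with H corrected for ties."""
    pooled = [v for g in groups for v in g]
    n = len(pooled)
    ranks, counts = average_ranks(pooled)
    df = len(groups) - 1

    # H = 12 / (N (N + 1)) * sum(R_j^2 / n_j) - 3 (N + 1)
    rank_term = sum(sum(ranks[v] for v in g) ** 2 / len(g) for g in groups)
    h = 12 / (n * (n + 1)) * rank_term - 3 * (n + 1)

    # Tie correction: C = 1 - sum(t^3 - t) / (N^3 - N)
    correction = 1 - sum(t ** 3 - t for t in counts.values()) / (n ** 3 - n)
    if correction == 0:
        # Every rating is identical, so the groups cannot differ.
        return 0.0, df, 1.0

    h = max(h / correction, 0.0)  # guard against rounding just below zero
    return h, df, chi2_sf(h, df)

if __name__ == "__main__":
    h, df, p = kruskal_wallis(list(SAMPLE.values()))
    flag = "*" if p < 0.05 else ""
    print(f"H = {h:.3f}, df = {df}, p = {p:.4f}{flag}")
```

On this constructed sample the uncorrected statistic is 6.605 and the tie correction of 0.95 raises it to about 6.953, which is why the correction cannot be skipped on Likert data.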
Testing the statistical significance of hypothesis 1
Table 6: Results of statistical verification of the difference of variable A1 according to P1
(Source: prepared by authors)
Note: p values of the Kruskal Wallis test *p<0.05 **p<0.001 ***p<0.0001
Table 7: Results of statistical verification of the difference of variable A2 according to P1
Note: p values of the Kruskal Wallis test *p<0.05 **p<0.001 ***p<0.0001
(Source: prepared by authors)
Testing the statistical significance of hypothesis 2
Table 8: Results of statistical verification of the difference of variable A1 according to P2
Note: p values of the Kruskal Wallis test *p<0.05 **p<0.001 ***p<0.0001
(Source: prepared by authors)
Table 9: Results of statistical verification of the difference of variable A2 according to P2
Note: p values of the Kruskal Wallis test *p<0.05 **p<0.001 ***p<0.0001
(Source: prepared by authors)
The other two hypotheses were tested in the same way. In the case of hypothesis 3 (difference of variable A1, A2 according to P3), 6 out of 11 sub-variables for variable A1 and 7 out of 11 sub-variables for variable A2 were statistically significant.
A similar situation occurred in the verification of hypothesis 4 (difference of variable A1, A2 according to P4). In this case, 5 out of 11 sub-variables (for A1) and 4 out of 11 (for A2) were statistically significant.
In none of the cases was significance shown for all the sub-variables, but only for some of them, so we have to reject the alternative hypotheses 1H1, 2H1, 3H1 and 4H1 and accept the null hypotheses 1H0, 2H0, 3H0 and 4H0.
Conclusion
The main objective of the paper was to examine the opinions of managers of companies operating in Slovakia on the level of knowledge and skills of employees in the field of cybersecurity, to focus in more detail on the knowledge and skills that employees lack most in the field of cybersecurity, to compare them with the knowledge and skills that are most valued in companies and to identify the parameters in which the assessments of each group of respondents on the surveyed knowledge and skills differ. The results are detailed in the text of the paper and in Tables 3 to 5. Interestingly, however, the most lacking and at the same time the most valued knowledge and skills are Flexibility and constructive approach to problem solving and Ability to communicate effectively with the management of the company. In contrast, IS/IT technology skills, which are also among the most valued, were ranked as the least lacking by respondents.
No statistical significance could be shown for the differences in responses by size of the company, structure of owners, total number of computers in the company, or by the person responsible for cyber security, although several of the sub-variables are statistically significant.
The analyzed literature as well as our results show that companies should conduct regular training aimed at improving employees’ soft skills (e.g. effective communication) in addition to learning about cyber security issues and their development. In order to achieve the goal of creating a culture of security in the company, the personal dispositions and characteristics of the employees should not be forgotten.
Further research could repeat the survey either on the same sample of companies or on an extended research sample.
Acknowledgment
The paper was elaborated within VEGA No. 1/0662/23 – Digital transformation of companies and their readiness to integrate the elements of Industry 5.0 – proportion 50 % and VEGA No. 1/0520/24 – Aspects of building an ambient enterprise ecosystem – proportion 50 %.
References
CMS. (2025). ‘Data protection and cybersecurity laws in Slovakia’, [Online], [Retrieved February 15, 2025] https://cms.law/en/int/expert-guides/cms-expert-guide-to-data-protection-and-cyber-security-laws/slovakia.
Cybercompetence. (2025). ‘Cyber security competence and certification centre. Courses and workshops’, [Online], [Retrieved February 20, 2025] https://cybercompetence.sk/kurzy-a-workshopy/.
European Commission. (2024). ‘A safer digital future: new cyber rules become law’, [Online], [Retrieved February 05, 2025] https://commission.europa.eu/news/safer-digital-future-new-cyber-rules-become-law-2024-12-10_en.
Fatoki, J. G., Shen, Z., & Mora-Monge, C. A. (2024). ‘Optimism amid risk: How non-IT employees’ beliefs affect cybersecurity behavior’, Computers & Security, 141, 103812.
H&P Magazine. (2025). ‘Cybersecurity obligations extend to a wider range of companies’, [Online], [Retrieved February 21, 2025] https://magazin.havelpartners.cz/2025-01/bezpecne-a-podla-pravidiel.html.
Hanak, R. (2016). ‘Data analysis for the social sciences’. Bratislava: Ekonóm. [Online], [Retrieved February 20, 2025] https://statistikapspp.sk/ucebnica/datova-analyza-pre-socialne-vedy/.
He, W. & Zhang, Z. (2019). ‘Enterprise cybersecurity training and awareness programs: Recommendations for success’, Journal of Organizational Computing and Electronic Commerce, 29(4), 249-257.
Kolarcik, P. (2013). ‘Statistical data processing’, [Online], [Retrieved February 20, 2025] http://sodezz.upol.cz/soubory/2013_kvantita/sodezzkvantita2_zamcene.pdf.
Kost, E. (2025). ‘Ultimate Guide to Cybersecurity Reports in 2025’, [Online], [Retrieved February 05, 2025] https://www.upguard.com/blog/cyber-security-reports.
Lee, C. S. & Kim, D. (2023). ‘Pathways to cybersecurity awareness and protection behaviors in South Korea’. Journal of Computer Information Systems, 63(1), 94-106.
Marko, M. (2016). ‘The use and misuse of Cronbach’s alpha in the evaluation of psychodiagnostic instruments’, Testfórum, (7), 99-107.
MIRRI. (2024). ‘Central Cyber Security Portal. Acquisition, development and maintenance: Key aspects of cyber security’, [Online], [Retrieved February 18, 2025] https://kyberportal.slovensko.sk/aktuality/akvizicia-vyvoj-a-udrzba-klucove-aspekty-kybernetickej-bezpecnosti/.
O2 Business Services. (2025). ‘5 tips on how to train your employees in cybersecurity’, [Online], [Retrieved February 20, 2025] https://business.o2.sk/blog/5-tipov-ako-skolit-vasich-zamestnancov-v-oblasti-kyberbezpecnosti.
Reddy, D., & Rao, V. (2016). ‘Cybersecurity skills: The moderating role in the relationship between cybersecurity awareness and compliance’.
Suryotrisongko, H. & Musashi, Y. (2019). ‘Review of cybersecurity research topics, taxonomy and challenges: Interdisciplinary perspective’, In 2019 IEEE 12th conference on service-oriented computing and applications (SOCA) (pp. 162-167). IEEE.
Ullah, I. M. (2018). ‘Cronbach’s Alpha Reliability Analysis of Measurement Scales’, [Online], [Retrieved February 14, 2025] https://itfeature.com/stat-soft/spss/cronbachs-alpha-reliability/.
World Economic Forum. (2024). ‘Cybersecurity rules saw big changes in 2024. Here’s what to know’, [Online], [Retrieved February 10, 2025] https://www.weforum.org/stories/2024/10/cybersecurity-regulation-changes-nis2-eu-2024/