Employee error causes most cybersecurity breaches, yet small and medium-sized enterprises (SMEs) often lack the means to address the human factor systematically. This thesis investigates how service-design thinking, behavioural science and gamification can work together to curb employee-driven cyber incidents in Estonian SMEs. An interpretivist Grounded-Theory study underpins the four-phase Double Diamond process. Desk research, an eight-respondent SME survey, two expert interviews and a three-person focus group revealed six persistent obstacles.The result is KAIRO, a web-based micro-learning prototype that placesusers in SME-specific roles and presents branching phishing, business-email-compromise and ransomware scenarios. Points, tiered badges, live feedback and a behaviour-mapping debrief tackle overconfidence, alert fatigue and related biases in real time.