Cybersecurity Discourses in SMEs: From Synergistic Assets to Impractical Liabilities

A study by Yang Hoong and Davar Rezania from the University of Guelph, Canada explores how small and medium-sized enterprises (SMEs) in Canada perceive and approach cybersecurity. It presents a conceptual framework that examines the interaction between the discourse of agency, prevailing conditions, and the resulting discourse of strategy. The research identifies four strategic narratives in SMEs' cybersecurity approaches: Synergistic Asset, Operational Pragmatism, Ambivalent Prospect, and Impractical Liability.

The Role of Cybersecurity in Business Objectives

Cybersecurity is framed as either a high-agency mechanism actively contributing to business objectives or a low-agency mechanism perceived as a passive burden. This perception is influenced by external pressures, internal motivations, and environmental support. The study's findings offer insights into how these dynamics shape cybersecurity narratives and strategies in SMEs.

The literature review covers various aspects influencing technology acceptance and integration, particularly in cybersecurity. These aspects include technological perception, the Technology Acceptance Model (TAM), risk perception, self-efficacy, social constructivism, the Social Construction of Technology (SCOT), the Technology Readiness Index (TRI), and governance of socio-technical systems. It emphasizes the need for a comprehensive understanding of these factors to enhance cybersecurity practices.

Methodology and Key Findings

The methodology involves discourse analysis, purposive sampling, and semi-structured interviews with 35 SMEs from various sectors. The analysis identified three main themes: the discourse of agency, contextual factors, and the discourse of strategy. The study concludes that SMEs' cybersecurity strategies are shaped by their perceptions of agency, influenced by financial capacity, technical proficiency, planning horizon, perceived risk, ethical integrity, and stakeholder demand. These perceptions interact with external pressures and environmental support, resulting in distinct strategic discourses.

Strategic Narratives in Cybersecurity Approaches

SMEs with a high-agency perspective see cybersecurity as an active contributor to their business, enhancing operations, trust, and competitive advantage. They invest in cybersecurity, regularly update protocols, and ensure employees are well-trained. Conversely, SMEs with a low-agency perspective perceive cybersecurity as a burden, necessary but not adding value. These SMEs may invest minimally in cybersecurity, maintain outdated protocols, and have a general lack of awareness among employees.

External pressures, such as regulatory mandates, industry benchmarks, and consumer demand, push SMEs towards adopting cybersecurity measures. These pressures act as compelling forces, making SMEs perceive the necessity and urgency of cybersecurity. Internal motivations, driven by an organization's ethos, culture, and intrinsic belief in cybersecurity's value, act as pull dynamics. These motivations shape SMEs' proactive stance towards cybersecurity.

Environmental support plays a crucial role in shaping SMEs' cybersecurity perceptions. A supportive environment, characterized by clear government guidelines, incentives, and societal backing, can facilitate SMEs' cybersecurity journey. Conversely, an unsupportive environment can pose significant barriers, making cybersecurity seem more daunting and less attainable.

The study identifies four strategic discourses resulting from the interaction between the discourse of agency and prevailing conditions. SMEs that view cybersecurity as a Synergistic Asset see it as an active contributor to their success, driven by a strong organizational culture and a supportive environment. They perceive cybersecurity as a strategic differentiator and invest substantially in it. SMEs with an Operational Pragmatism view navigate the digital landscape pragmatically, driven by external pressures but balanced by a supportive environment. They address immediate needs while maintaining a baseline level of security.

Paving the Way Forward for Cybersecurity in SMEs

SMEs with an Ambivalent ProspCybersecurity Adoptionect view acknowledge the importance of cybersecurity but are hindered by an unsupportive environment. They struggle to fully commit to cybersecurity, leading to missed opportunities and challenges in leveraging its benefits. SMEs that see cybersecurity as an Impractical Liability view it as a burden, driven by low agency and an unsupportive environment. They perceive cybersecurity as an impractical investment and may avoid engaging with it altogether.

The study provides a comprehensive understanding of SMEs' cybersecurity perceptions and strategies. It highlights the importance of internal perceptions, external pressures, and environmental support in shaping these strategies. The study calls for further research to empirically test these contextual parameters and their impact on SMEs' cybersecurity practices. The insights gained can guide policymakers, industry associations, and technology providers in developing targeted interventions to enhance cybersecurity practices in SMEs.