Cybersecurity Discourses in SMEs: From Synergistic Assets to Impractical Liabilities

A study by Yang Hoong and Davar Rezania from the University of Guelph, Canada explores how small and medium-sized enterprises (SMEs) in Canada perceive and approach cybersecurity. It presents a conceptual framework that examines the interaction between the discourse of agency, prevailing conditions, and the resulting discourse of strategy. The research identifies four strategic narratives in SMEs’ cybersecurity approaches: Synergistic Asset, Operational Pragmatism, Ambivalent Prospect, and Impractical Liability.

The Role of Cybersecurity in Business Objectives

Cybersecurity is framed as either a high-agency mechanism actively contributing to business objectives or a low-agency mechanism perceived as a passive burden. This perception is influenced by external pressures, internal motivations, and environmental support. The study’s findings offer insights into how these dynamics shape cybersecurity narratives and strategies in SMEs.

The literature review covers various aspects influencing technology acceptance and integration, particularly in cybersecurity. These aspects include technological perception, the Technology Acceptance Model (TAM), risk perception, self-efficacy, social constructivism, the Social Construction of Technology (SCOT), the Technology Readiness Index (TRI), and governance of socio-technical systems. It emphasizes the need for a comprehensive understanding of these factors to enhance cybersecurity practices.

Methodology and Key Findings

The methodology involves discourse analysis, purposive sampling, and semi-structured interviews with 35 SMEs from various sectors. The analysis identified three main themes: the discourse of agency, contextual factors, and the discourse of strategy. The study concludes that SMEs’ cybersecurity strategies are shaped by their perceptions of agency, influenced by financial capacity, technical proficiency, planning horizon, perceived risk, ethical integrity, and stakeholder demand. These perceptions interact with external pressures and environmental support, resulting in distinct strategic discourses.

Strategic Narratives in Cybersecurity Approaches

SMEs with a high-agency perspective see cybersecurity as an active contributor to their business, enhancing operations, trust, and competitive advantage. They invest in cybersecurity, regularly update protocols, and ensure employees are well-trained. Conversely, SMEs with a low-agency perspective perceive cybersecurity as a burden, necessary but not adding value. These SMEs may invest minimally in cybersecurity, maintain outdated protocols, and have a general lack of awareness among employees.

External pressures, such as regulatory mandates, industry benchmarks, and consumer demand, push SMEs towards adopting cybersecurity measures. These pressures act as compelling forces, making SMEs perceive the necessity and urgency of cybersecurity. Internal motivations, driven by an organization’s ethos, culture, and intrinsic belief in cybersecurity’s value, act as pull dynamics. These motivations shape SMEs’ proactive stance towards cybersecurity.

Environmental support plays a crucial role in shaping SMEs’ cybersecurity perceptions. A supportive environment, characterized by clear government guidelines, incentives, and societal backing, can facilitate SMEs’ cybersecurity journey. Conversely, an unsupportive environment can pose significant barriers, making cybersecurity seem more daunting and less attainable.

The study identifies four strategic discourses resulting from the interaction between the discourse of agency and prevailing conditions. SMEs that view cybersecurity as a Synergistic Asset see it as an active contributor to their success, driven by a strong organizational culture and a supportive environment. They perceive cybersecurity as a strategic differentiator and invest substantially in it. SMEs with an Operational Pragmatism view navigate the digital landscape pragmatically, driven by external pressures but balanced by a supportive environment. They address immediate needs while maintaining a baseline level of security.