Investigating the experiences of providing cyber security support to small- and medium-sized enterprises

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-03-16 DOI:10.1016/j.cose.2025.104448

Neeshe Khan , Steven Furnell , Maria Bada , Matthew Rand , Jason R.C. Nurse

{"title":"Investigating the experiences of providing cyber security support to small- and medium-sized enterprises","authors":"Neeshe Khan , Steven Furnell , Maria Bada , Matthew Rand , Jason R.C. Nurse","doi":"10.1016/j.cose.2025.104448","DOIUrl":null,"url":null,"abstract":"<div><div>Small- and Medium-Sized Enterprises or SMEs comprise of 99.9 % of all businesses in the UK and make a significant contribution the overall economy. In UK's path to digitalisation, ensuring the cyber security and resilience of SMEs becomes an integral element that must be adequately safeguarded to protect national interests. Despite playing a crucial role, there is limited research on SMEs adopting cyber security practices, becoming cyber secure or improving their resilience to attacks. To examine this journey, a qualitative study was designed to learn from the experiences of organisations that provide cyber security advice or solutions. The three aims of the study were to: (1) understand the various types of support offered by providers; (2) topics for which support is sought and the circumstances that trigger the need for assistance; and (3) the perceived effectiveness of the support provided, associated challenges and opportunities to improve from the lived experiences of providers. Following semi-structured interviews with 12 participants, findings confirm results presented in earlier literature and provides new insights. Each participant had exposure to numerous SMEs, in some instances hundreds, at a regional or national level due to their roles at their respective organisations. The inherent knowledge gained from this exposure results in each participant's experience representing the cumulative experience of several SMEs as opposed to a singular view of one. We conclude that there is a vast amount of cyber security related content aimed at SMEs and our findings reveal providers are playing an assistive role in the understanding, education and implementation of cyber security defences. Despite significant efforts being made, cyber hygiene amongst SMEs remains low and they are unlikely to proactively reach out for support. Additionally, SMEs have low knowledge levels and are hampered in their efforts due to comprehension, capability, attitudes, and resources whilst providers face numerous internal and external challenges when delivering this support. Insights from data reveal several opportunities for improvement can be realised through the creation of security focused communities that can provide support, collaboration and learning.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104448"},"PeriodicalIF":4.8000,"publicationDate":"2025-03-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825001373","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Small- and Medium-Sized Enterprises or SMEs comprise of 99.9 % of all businesses in the UK and make a significant contribution the overall economy. In UK's path to digitalisation, ensuring the cyber security and resilience of SMEs becomes an integral element that must be adequately safeguarded to protect national interests. Despite playing a crucial role, there is limited research on SMEs adopting cyber security practices, becoming cyber secure or improving their resilience to attacks. To examine this journey, a qualitative study was designed to learn from the experiences of organisations that provide cyber security advice or solutions. The three aims of the study were to: (1) understand the various types of support offered by providers; (2) topics for which support is sought and the circumstances that trigger the need for assistance; and (3) the perceived effectiveness of the support provided, associated challenges and opportunities to improve from the lived experiences of providers. Following semi-structured interviews with 12 participants, findings confirm results presented in earlier literature and provides new insights. Each participant had exposure to numerous SMEs, in some instances hundreds, at a regional or national level due to their roles at their respective organisations. The inherent knowledge gained from this exposure results in each participant's experience representing the cumulative experience of several SMEs as opposed to a singular view of one. We conclude that there is a vast amount of cyber security related content aimed at SMEs and our findings reveal providers are playing an assistive role in the understanding, education and implementation of cyber security defences. Despite significant efforts being made, cyber hygiene amongst SMEs remains low and they are unlikely to proactively reach out for support. Additionally, SMEs have low knowledge levels and are hampered in their efforts due to comprehension, capability, attitudes, and resources whilst providers face numerous internal and external challenges when delivering this support. Insights from data reveal several opportunities for improvement can be realised through the creation of security focused communities that can provide support, collaboration and learning.

查看原文本刊更多论文

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.