Investigating the experiences of providing cyber security support to small- and medium-sized enterprises

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-03-16 DOI:10.1016/j.cose.2025.104448

Neeshe Khan , Steven Furnell , Maria Bada , Matthew Rand , Jason R.C. Nurse

{"title":"Investigating the experiences of providing cyber security support to small- and medium-sized enterprises","authors":"Neeshe Khan , Steven Furnell , Maria Bada , Matthew Rand , Jason R.C. Nurse","doi":"10.1016/j.cose.2025.104448","DOIUrl":null,"url":null,"abstract":"<div><div>Small- and Medium-Sized Enterprises or SMEs comprise of 99.9 % of all businesses in the UK and make a significant contribution the overall economy. In UK's path to digitalisation, ensuring the cyber security and resilience of SMEs becomes an integral element that must be adequately safeguarded to protect national interests. Despite playing a crucial role, there is limited research on SMEs adopting cyber security practices, becoming cyber secure or improving their resilience to attacks. To examine this journey, a qualitative study was designed to learn from the experiences of organisations that provide cyber security advice or solutions. The three aims of the study were to: (1) understand the various types of support offered by providers; (2) topics for which support is sought and the circumstances that trigger the need for assistance; and (3) the perceived effectiveness of the support provided, associated challenges and opportunities to improve from the lived experiences of providers. Following semi-structured interviews with 12 participants, findings confirm results presented in earlier literature and provides new insights. Each participant had exposure to numerous SMEs, in some instances hundreds, at a regional or national level due to their roles at their respective organisations. The inherent knowledge gained from this exposure results in each participant's experience representing the cumulative experience of several SMEs as opposed to a singular view of one. We conclude that there is a vast amount of cyber security related content aimed at SMEs and our findings reveal providers are playing an assistive role in the understanding, education and implementation of cyber security defences. Despite significant efforts being made, cyber hygiene amongst SMEs remains low and they are unlikely to proactively reach out for support. Additionally, SMEs have low knowledge levels and are hampered in their efforts due to comprehension, capability, attitudes, and resources whilst providers face numerous internal and external challenges when delivering this support. Insights from data reveal several opportunities for improvement can be realised through the creation of security focused communities that can provide support, collaboration and learning.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104448"},"PeriodicalIF":4.8000,"publicationDate":"2025-03-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825001373","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Small- and Medium-Sized Enterprises or SMEs comprise of 99.9 % of all businesses in the UK and make a significant contribution the overall economy. In UK's path to digitalisation, ensuring the cyber security and resilience of SMEs becomes an integral element that must be adequately safeguarded to protect national interests. Despite playing a crucial role, there is limited research on SMEs adopting cyber security practices, becoming cyber secure or improving their resilience to attacks. To examine this journey, a qualitative study was designed to learn from the experiences of organisations that provide cyber security advice or solutions. The three aims of the study were to: (1) understand the various types of support offered by providers; (2) topics for which support is sought and the circumstances that trigger the need for assistance; and (3) the perceived effectiveness of the support provided, associated challenges and opportunities to improve from the lived experiences of providers. Following semi-structured interviews with 12 participants, findings confirm results presented in earlier literature and provides new insights. Each participant had exposure to numerous SMEs, in some instances hundreds, at a regional or national level due to their roles at their respective organisations. The inherent knowledge gained from this exposure results in each participant's experience representing the cumulative experience of several SMEs as opposed to a singular view of one. We conclude that there is a vast amount of cyber security related content aimed at SMEs and our findings reveal providers are playing an assistive role in the understanding, education and implementation of cyber security defences. Despite significant efforts being made, cyber hygiene amongst SMEs remains low and they are unlikely to proactively reach out for support. Additionally, SMEs have low knowledge levels and are hampered in their efforts due to comprehension, capability, attitudes, and resources whilst providers face numerous internal and external challenges when delivering this support. Insights from data reveal several opportunities for improvement can be realised through the creation of security focused communities that can provide support, collaboration and learning.

查看原文本刊更多论文

调查为中小型企业提供网络安全支持的经验

中小型企业占英国所有企业的99.9%，对整体经济做出了重大贡献。在英国的数字化道路上，确保中小企业的网络安全和弹性成为一个不可或缺的因素，必须得到充分保障，以保护国家利益。尽管发挥着至关重要的作用，但关于中小企业采用网络安全实践、变得网络安全或提高抵御攻击能力的研究有限。为了检验这一过程，我们设计了一项定性研究，以了解提供网络安全建议或解决方案的组织的经验。研究的三个目的是：(1)了解服务提供者提供的各种支援；(2)寻求支持的主题和触发援助需求的情况；(3)所提供支持的感知有效性、相关的挑战和从提供者的生活经验中改进的机会。在对12名参与者进行半结构化访谈后，研究结果证实了早期文献中提出的结果，并提供了新的见解。由于每个与会者在各自组织中的作用，他们在区域或国家一级接触了许多中小企业，在某些情况下接触了数百家。从这种接触中获得的固有知识导致每个参与者的经验代表了几个中小企业的累积经验，而不是一个单一的观点。我们的结论是，有大量针对中小企业的网络安全相关内容，我们的研究结果表明，供应商在理解、教育和实施网络安全防御方面发挥着辅助作用。尽管政府作出了重大努力，但中小企业的网络卫生水平仍然很低，他们不太可能主动寻求支持。此外，中小企业的知识水平较低，由于理解、能力、态度和资源的限制，阻碍了他们的努力，而供应商在提供这种支持时面临许多内部和外部的挑战。从数据中得出的见解表明，通过创建能够提供支持、协作和学习的以安全为重点的社区，可以实现若干改进机会。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.