
Data, Small and Medium-Sized Enterprises, and Cybersecurity

Introduction

In today’s global business environment, companies struggle to obtain and keep a sustainable competitive advantage on the market, which in turn requires them to be subject to changes that need to be performed in the business. Most business organizations resort to some kind of information system (IS) to achieve this aim. However, implementing IS and information technology (IT) demands analyzing many important organizational aspects, and “as applications of information systems technology become wider and more complex, companies need more formal planning processes.” One of those essential organizational aspects is the field of cyber security (CS). According to Dhillon and Backhouse, business organizations are no longer valued only by their physical assets but also by the networks they create with other organizations, in which CS has been gaining significantly in importance. Although there are no manuals for planning and implementing CS organizational measures, most business organizations worldwide use some tools or policies to cope with security in cyberspace and to prevent external and internal cyber-attacks on their IS. However, even enterprises possessing very mature and advanced cyber security measures cannot avoid every attack on their systems, especially if the attackers are backed by financial and time resources. Despite this, all organizations, big or small, need to have developed cyber security measures to decrease the possibility of these attacks.

Earlier trends showed that from 1982 to 2000, internal security incidents accounted for 38% and external ones for 31%. However, this trend changed from 2000 to 2003, when the ratio shifted to 71% for external and 5% for internal incidents. Recent studies show that the number of cyber-attacks is increasing globally each year and that this number will continue to grow. Moreover, cyber-criminals are becoming more and more sophisticated in using new methods and tools for cyber-attacks in areas of economic activity, targeting businesses as the current attack methods become less effective. Despite awareness of the growing trend of cyber-attacks and their sophistication globally, official statistics are not able to identify the exact volume of cyber incidents due to organizations’ reluctance to report them. According to Choo (2011), this reluctance comes from three reasons. Firstly, organizations fear negative publicity and the weakening of their competitive advantage. Secondly, they doubt that the perpetrators will be prosecuted. Thirdly, they believe that the cyber-attack was not severe enough to be reported. The term “cyber security” started being mentioned in the early 1990s (Hansen & Nissenbaum, 2009), and since then, its popularity has grown in contemporary business. However, the latest trends emphasize that most cyber-attack victims are SMEs or, to be more specific, firms that employ 11 to 250 employees (Verizon Risk Team, 2012).

It is believed that the situation is no different in the Republic of Slovakia. Slovakia has seen a significant rise in foreign direct investments (Investment in Slovakia, 2013) from big international companies, which potentially increases the possibility of cyber-attacks from outside the country and therefore requires careful consideration for the creation of effective cyber security measures. SMEs make up 99.9% of enterprises in Slovakia, and the rest are large enterprises, indicating that this country’s economy heavily depends on SMEs (European Commission, 2014). Additionally, SMEs are often in supply chains or partnerships with large enterprises, making them an attractive target for cyber-attacks (Verizon, 2012).

Several developments have been witnessed in the area of cyber security, in particular from a practical point of view: organizations develop precautions (Hu et al., 2007); governments develop new protection agendas (Choo, 2011); and home users are more aware of cyber-attacks (Kritzinger & von Solms, 2010). However, there are still significant holes in cyber security that SMEs are subject to in the course of their business performance (Julisch, 2013).

Although most SMEs globally have implemented cyber security measures, those measures are, in many cases, minimal (Byres & Lowe, 2004). However, minimal cyber security measures are often insufficient and need to be re-evaluated and updated over time (Byres & Lowe, 2004; Kindervag et al., 2011) because cyber threats develop and change rapidly (Choo, 2011). In addition, many SMEs persistently invest their resources into cyber security measures, but their ISs are still weak and vulnerable to cyber-attacks (Julisch, 2013). The argumentation above represents a challenging situation and raises the question of what these organizations are led by when creating their cyber security measures, given that their efforts remain unsuccessful.

According to Julisch (2013), the answer lies in psychological, technological, and organizational aspects. These three aspects contain four anti-patterns. The first anti-pattern falls under the psychological aspect and is called “Overreliance on intuition to make security decisions” (Julisch, 2013). The main drawback of this anti-pattern occurs when decision makers create cyber security measures by over-relying on their intuition and experience rather than on existing statistical trends and impacts of cyber-attacks. The technological aspect implies two anti-patterns. The first is called “Leaving cracks in the security foundation,” and the second is “Overreliance on knowledge versus intelligence” (Julisch, 2013). While the first suggests that IT professionals frequently neglect security basics while creating cyber security measures, which “becomes the root cause of many cyber incidents,” the second emphasizes IT professionals’ overreliance on relatively static and universal knowledge of products such as antivirus software and internet firewalls (Julisch, 2013). Finally, the organizational aspect presupposes that those who create cyber security measures are exposed to unclear and undefined decision processes and rights that lead to system vulnerabilities, representing the fourth anti-pattern, called “Weak security governance” (Julisch, 2013).

In summary, SMEs’ exposure to minimal cyber security measures, which are often insufficient and therefore require re-evaluation, places these organizations in a challenging situation and creates an urge to understand what SMEs are led by when creating their cyber security measures.

Small and Medium Enterprises

SMEs are the group of enterprises that need to fulfill two requirements. The first of these requirements concerns the number of employees, and the second the financial balance. The number of employees must be less than 250, and the annual financial turnover must not exceed 50 million euros (European Commission, 2003). More specifically, small enterprises are those that employ fewer than 50 employees and have an annual financial turnover of less than 10 million euros, and medium enterprises are those that employ fewer than 250 employees and whose annual financial turnover does not exceed 50 million euros (European Commission, 2003). According to Ayyagari et al. (2007), SMEs are a core sector element for fostering economic growth, increasing employment, and alleviating poverty. On the global level, SMEs account for more than 90 percent of the worldwide business economy (Vives, 2006). Therefore, researching SMEs deserves close attention since this group of enterprises represents the backbone of the global economy.

The Concept of Cyber Security

Although cyber security and its concepts have changed over time, it is worth saying that the term was first mentioned in the Computer Science and Telecommunications Board’s report “Computers at Risk: Safe Computing in the Information Age” (CSTB, 1991), which defined it as “protection against unwanted disclosure, modification, or destruction of data in a system and the safeguarding of systems themselves” (CSTB, 1991). When defining cyber security, Nissenbaum (2005) refers to three categories: firstly, protection from dangerous, antisocial, and disruptive communications and organizations that come from computer networks; secondly, protection for societal infrastructures such as banks, healthcare, communication media, and government administration; and lastly, protecting ISs from being wholly or partially disabled.

However, the term “cyber security” consists of two words, so the word “cyber” needs to be explained first. According to Hunton (2009), “cyber” describes a virtual environment strongly associated with the Internet. Guariniello and DeLaurentis (2014) add the word “space” to the word “cyber,” defining cyberspace as “the interdependent network of information technology infrastructures and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.” From the arguments above, we can understand that the word “cyber” refers to the environment or space that can be “moved through” and accessed by the Internet. On the other hand, the word “security” can generally be taken to mean protection from something, but Ng et al. (2009) refer to it as protective technologies.

Therefore, from the previous definitions, the conclusion can be drawn that the term “cyber security” is referred to in this study as protective measures created for the space that the Internet can access. Concerning protective or cyber security measures, this study considers how they are created with respect to organizational, technological, and psychological aspects (Julisch, 2013). According to Julisch (2013), the organizational aspect represents decisions about security priorities and roles. For this aspect, this study refers to national, international, and EU cyber security standards, written cyber security policy and its usage in practice, information value prioritization, system access permissions, cyber-attack measures, cyber-attack analysis, and informing stakeholders about cyber-attacks. The technological aspect of this study implies using cyber technology protection tools such as system log analysis, hardware and software inventory lists, system backups, antivirus threat analysis, advanced password rules, and internet firewall rules. The psychological aspect considers productive work behavior in relation to the level of guilt and shame in IT professionals, and distinguishes guilt proneness from shame proneness.

According to Von Solms and Van Niekerk (2013), it is essential to distinguish the terms information security and cyber security because information security is concerned with information availability, confidentiality, and integrity, while the term cyber security, besides information, encompasses ICT infrastructure and humans as part of society.

Cyber Security Standards

Regarding international cyber security standards, it would be hard not to mention the International Organization for Standardization (ISO). This organization has published numerous security standards since the 1980s, but its most famous publications related to cyber security are ISO 27001, followed by ISO 27002 and ISO 27005 (Infosec & ISO, 2013). These three standards belong to the family of information security management standards and fall under the general title of Information technology – Security techniques (ISO/IEC, 2014). ISO 27001 encompasses the requirements for information security management systems, ISO 27002 relates to the code of practice for information security controls, and ISO 27005 emphasizes information security risk management (Infosec & ISO, 2013). Although these three ISO standards refer to information security, ISO 27032 encompasses cyber security guidance. It covers four domains: information security, network security, internet security, and critical information infrastructure protection (ISO/IEC, 2012).

The European Council adopted a directive to confront cyber-attacks against information systems as a part of the Digital Agenda for Europe in 2020 initiative (European Commission, 2014). This directive emphasizes the importance of information systems in the European Union (EU) and points out that cyber-attacks can be critical to both the private and public sectors in the EU (European Parliament, 2013). Besides this directive, the EU has also established a European cybercrime platform, works with global stakeholders against computer-based security attacks, and supports EU-wide cyber security preparedness exercises (European Commission, 2013).

According to Rezek et al. (2012), “no state-sponsored institution in Slovakia specialized exclusively in the whole spectrum of cyber security issues.” They explain that cyber security is dispersed among the Slovak National Accreditation Service, National Security Authority, Ministry of Interior, Ministry of Defense, Ministry of Finance, and Personal Data Protection Office.

Cyber Security Trends

While reports from 2011 and 2012 showed that SMEs were targeted in 50% of all cyber-attacks, the report from 2013 shows that this number increased to 61% (Symantec Team, 2014). One of the reasons that attacks in cyberspace are concentrated on SMEs in this proportion is that the majority of big organizations have already developed and implemented advanced cyber security measures for their ISs, which is not the case with SMEs, so attacking SMEs carries a lower risk of the attackers’ actions being revealed (Verizon Risk Team, 2012). According to Verizon Risk Team (2012), there is a possibility that SMEs are more often subject to cyber-attacks because they are a part of the supply chain or are business partners of big enterprises. Hence, perpetrators find it easier to get to the big organizations through the small, less well-protected ones. This is why some large organizations approach SMEs and offer them help in dealing with cyber security (Gostev, 2012).

However, as previously mentioned, despite awareness of the increasing trend of cyber-attacks on the global level, it is not easy to verify their number through accurate statistics due to firms’ reluctance to report them, either for fear of compromising themselves in front of their clients or because they do not believe these attacks are serious and dangerous enough (Byres & Lowe, 2004; Choo, 2011).

Conclusions

In the world of business, it is well known that SMEs represent the backbone of the global economy, but at the same time, we know that they are much more vulnerable to cyber-attacks than big enterprises are. In order to decrease their vulnerability, a theoretical framework that focuses on cyber security decision-making by IT professionals was created in line with the overall aim.

The overall aim of this master’s dissertation is on the organizational level. It was to bring new insights about the organizational, technological, and psychological aspects of cyber security and to understand their influence on cyber security in SMEs. It must be admitted that no new insights were brought to the technological aspect, except that at least the cyber security foundation must be met to decrease the success of cyber perpetrators in their harmful aims. However, two new insights into the organizational aspect were brought to the surface. The first is that applying national, EU, or international cyber security standards is highly recommended because they represent a helpful security guide for IT professionals, even if only partly adopted. The second insight is that the organizational aspect can be divided into three phases to make it easier to tackle: pre-, during-, and post-cyber-attack decision-making. When looking from an organizational perspective, these three aspects have a significant influence on cyber security in SMEs because they take into consideration organizational tasks that tackle cyber security in the three phases mentioned above; technology, which is the tool for tackling cyberspace; and psychology, which tackles the traits of IT professionals that come into play when making cyber security decisions.

Awareness of the organizational, technological, and psychological aspects in SMEs is low when viewed from an IT professional’s perspective. This argument can be supported by the fact that only two out of six IT professionals fulfilled all the aspects’ components. The rest of the IT professionals were most aware of the technological aspect, followed by a medium awareness of the organizational aspect. Lastly, the lowest awareness level concerned the psychological aspect. This is quite a disturbing finding because, according to Julisch (2013), these three cyber security aspects must be treated equally to minimize the dangers that come from cyberspace.

The first is the lack of financial investments in cyber security in SMEs (Rodriguez & Martinez, 2013), and the second is that IT professionals often do not satisfy the cyber security foundation of the technological aspect (Julisch, 2012; Verizon, 2012). However, there are additional reasons found in this study. First, only two out of six organizations fully comply with all of the components of the three cyber security aspects. These two organizations specifically employ cyber security experts, i.e., employees who are educated in the field of cyber security. Additionally, these two employees are strictly responsible for and dedicated to cyber security and not to any other tasks.

In the first place, SMEs should employ people educated in cyber security, or at least in information security, to improve their cyber security level. If it is difficult to find these experts in the labor market, these organizations could motivate their general IT professionals to improve their knowledge in this field by pursuing cyber security certifications. Second, SMEs are not fully aware that none of the organizational, technological, or psychological cyber security aspects should be overemphasized. Rather, all three aspects must be treated equally and considered with the same attention, because overemphasis leaves additional gaps that open a gate for cyber perpetrators to achieve their aims. Third, there is a certain level of negligence among IT professionals, which was found when certain IT professionals were aware that cyber security could be improved in their organization by taking some particular actions but did not do anything about it. Finally, it was found in some organizations that the absence of cyber security standards comes directly from management decisions, so despite the IT professionals’ awareness of this issue, these standards cannot be deployed.

References

Anderson, E., (2015). SMEs failing to guard against cyber attacks, Government warns. The Telegraph, [online] Available at: <http://www.telegraph.co.uk/finance/businessclub/11430701/SMEs-failing-to-guard-against-cyber-attacks-Government-warns.html> [Accessed 22 September 2022].

Ashford, W., (2014). SMEs believes they are immune to cyber attack. Computer Weekly, [online] Available at: <http://www.computerweekly.com/news/2240216202/SMEs-believes-it-is-immune-to-cyber-attack-study-shows> [Accessed 22 September 2022].

Atoum, I., Otoom, A., and Amer, A. A., 2014. A holistic cyber security implementation framework. Information Management & Computer Security, pp. 251-264.

Ayyagari, M., Beck, T. and Demirguc-Kunt, A., 2007. Small and medium enterprises across the globe. Small Business Economics, 29(4), 415-434.

Baheti, R. and Gill, H., (2011). Cyber-physical systems. The Impact of Control Technology, pp. 161–166.

Ban, L. Y. and Heng, G. M., 1995. Computer security issues in small and medium-sized enterprises. Singapore Management Review, 17(1), pp. 15-29.

Batsell, S. G., Rao, N. S. and Shankar, M., 2005. Distributed intrusion detection and attack containment for organizational cyber security. Available at: <http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.105.9322&rep=rep1&type=pdf> [Accessed 22 September 2022].

Berg, B. L., (2004). Qualitative research methods for the social sciences (5th ed.). Boston: Pearson.

Bernard, H.R., (2002). Research Methods in Anthropology: Qualitative and quantitative methods. 3rd edition. AltaMira Press, Walnut Creek, California.

Bernard, H. R., 1988. Research methods in cultural anthropology. Newbury Park, CA: Sage.

Berry, C. M., Carpenter, N. C. and Barratt, C. L., (2012). Do other reports of counterproductive work behavior provide an incremental contribution over self-reports? A meta-analytic comparison. Journal of Applied Psychology, 97(3), 1–24.

Borbás, L., (2014). Supporting SMEs in Central-Eastern Europe. The volume of Management, Enterprise and Benchmarking in the 21st Century, pp. 87–106.

Bradley, M., and Vaizey, E., (2015). Cyber security ‘myths’ putting a third of SME revenue at risk. UK Government, [online] Available at: <https://www.gov.uk/government/news/cyber-security-myths-putting-a-third-of-sme-revenue-at-risk>.

 
