The Digital Security by Design (DSbD) Programme aims to radically update the digital infrastructure currently underpinning the global economy, making it secure against future threats. Discribe is one part of this wider initiative, with funding in place until 2024.
"Discribe is making a vital contribution to ensuring that the next generation of digital security technology is set up for success in our rapidly evolving digital world.”
Our project investigates the impact of cyber security on the decision-making process behind the adoption of new digital technologies in UK small and medium enterprises (SMEs). Taking a strategic management perspective, our project considers that the decision to invest in new tools and technologies depends upon internal factors (firms’ capabilities in cyber security) and external factors (threats and attacks in the cyber environment). This project focuses on understanding (1) the impact of previous cyber security incidents on SMEs’ decision to invest in new digital technologies, and (2) the impact of SMEs’ current cyber security practices on the readiness to invest in new digital technologies. The project is expected to lead to several outputs: a policy guide targeted at policymakers, outlining our main results and recommendations; a good practice guide for the adoption of digital technologies in SMEs, targeted at managers and institutions; two peer-reviewed articles; and an original dataset from a survey instrument.
Get in touch with us - dsbdsmes@essex.ac.uk
This project investigates the impact of cyber security on the decision-making process behind the adoption of new digital technologies in UK small and medium enterprises (SMEs), contributing to the topic area of “Economics and Decision Making in Security” of the Discribe Hub+ commissioning call.
Despite the importance of SMEs, few studies have explored the role of cyber security (and its relative importance) in the decision-making process behind the adoption of new digital technologies in SMEs. Although existing studies offer valuable insights on firms’ digitalisation processes and on decisions around investment levels in cyber security, the empirical evidence is scant on the interrelation of these two, especially with regards to SMEs. Thus, this project proposes to investigate the impact of cyber security in SMEs’ decision-making process to adopt new digital technologies.
This project recognises the importance of understanding the nature of the management decision-process in digitalisation, and how decisions are contingent on previous and current cyber security experiences. Taking a strategic management perspective, our project assumes that firms’ decision-making processes reflect their previous experiences, their capabilities, and the influence of the external environment. In this context, our project considers that the decision to invest in new tools and technologies depends upon internal factors (firms’ capabilities in cyber security) and external factors (threats and attacks in the cyber environment). In particular, our project addresses two research questions, one relating to the internal factors and one relating to the external factors. For the internal factors, our research question (RQ1) is: how do SMEs’ current cyber security practices and strategies affect the readiness of firms to adopt and invest in new digital technologies? For the external factors, our research question (RQ2) is: how does SMEs’ previous experience with cyber incidents, either inside their own firm or in other firms in their industry environment, affect the decision to adopt and invest in new digital technologies?
Digitalization and Cybersecurity in SMEs: A Bibliometric Analysis
This paper presents a bibliometric analysis on the topics of digitalization and cybersecurity in small and medium-sized enterprises (SMEs) using the R tool Bibliometrix. The analysis includes a total of 417 papers. Firstly, our paper contributes to the academic field by identifying four distinct clusters that represent different research areas: Industry 4.0 and Smart Factory, Industry 4.0 and SMEs, SMEs and Cybersecurity, and Digitalization, SMEs, and Entrepreneurship. This classification helps to categorize the existing research and provides an overview of the main research directions in this field.
Secondly, our paper contributes to the existing literature by emphasizing the existing research gaps. One significant finding is that the digital transformation of SMEs entails increased vulnerability to cyberattacks, which can be a determining factor of their digitalization efforts and the future of their businesses. We have identified that this particular aspect has not been adequately addressed, as existing research focuses on these issues individually without establishing connections between them.
Looking ahead, we anticipate that cybersecurity in SMEs will be a particular case of cybersecurity in firms, separated from research on digitalization in SMEs, which addresses issues such as smart factories and Industry 4.0 objectives in these enterprises.
The Effect of IT Security Issues on the Implementation of Industry 4.0 in SMEs: Barriers or Challenges?
In this paper, we investigate the impact of IT security issues on the implementation of Industry 4.0 in small and medium-sized enterprises (SMEs) operating in the manufacturing sector. To address this question, we conducted an empirical study utilizing survey data from 3,184 SMEs gathered through the "Flash Eurobarometer No. 486" (European Union). We employed a machine-learning methodology in our analysis. Our study aims to contribute to the existing literature on the obstacles faced by SMEs in their digital transformation efforts by examining the role played by IT security issues in this process.
Firstly, our results demonstrate that IT security issues have a positive influence on the digitalization of SMEs, as they are perceived as challenges that drive their transformation. Secondly, our study reveals variations in the levels of digitalisation among SMEs. We observed a broad spectrum of digital adoption, ranging from companies integrating complex digital technologies like robots, cloud computing, and smart devices to a group of companies that are in the early stages of developing Industry 4.0 capabilities. Lastly, our research highlights the heterogeneity in the impact of IT security issues, with a parallel relationship observed between the degree of digitalization and the importance placed on IT security.
Overall, our findings shed light on the significance of addressing IT security concerns in facilitating the successful implementation of Industry 4.0 in SMEs, and emphasize the varying degrees of digital maturity across different companies.
Exploring Cyber Security and Resilience in SMEs: A Regression and Machine Learning Analysis
This study aims to examine the management of cyber security in small and medium-sized enterprises (SMEs) and its impact on their resilience. While SMEs play a critical role in the economy, previous research has predominantly focused on cyber security management in large companies. In an effort to address the limited literature on cyber security management in SMEs, we conducted an empirical study based on a survey of 214 SMEs in the UK. Our approach involved a cause-effect analysis using the protection motivation theory (PMT) as a theoretical framework. This study provides both theoretical and methodological contributions, offering valuable insights for managers.
Firstly, our findings shed light on the insufficient attention given by SMEs to the management of cyber security. We identified cyber security incidents as the most significant driver of resilience, surpassing the importance of cyber security management itself. Additionally, our study expands the PMT theory by emphasizing the significance of considering the interplay between factors influencing cyber security management in SMEs.
Secondly, this study demonstrates the potential of statistical methods, particularly machine learning techniques, in discerning cause-effect relationships among the factors impacting cyber security in SMEs.
The effect of cyber security standards on the digitalization of SMEs: A Machine Learning and Systems Dynamics approach
This research paper aims to examine the impact of cybersecurity standards, specifically ISO and Cyber Essentials, on the digital transformation of small and medium enterprises (SMEs). The existing literature has not sufficiently addressed the interconnectedness of digitalization, cybersecurity, and standards, highlighting a significant research gap in this area.
To provide a theoretical framework for our study, we will employ the Technology Adoption Model (TAM). This model is particularly relevant as it considers the adoption of diverse digital technologies as a crucial aspect of SMEs' digital transformation.
Our research methodology involves adopting the system dynamics approach to analyse how these factors influence the process of digitalisation. Our study is based on a survey of 214 SMEs in the UK and utilizes a cause-effect analysis approach. Additionally, we will integrate machine-learning techniques (ML) with regression models to enhance the accuracy and depth of our findings.
Our research outcomes reveal two noteworthy findings. Firstly, the utilization of cybersecurity standards among SMEs is notably low, suggesting a potential area for improvement in their digital transformation efforts. Secondly, we identified a dynamic interplay among digitalization, cybersecurity systems, and standards, which collectively reinforce the positive impact on the digital transformation of SMEs.
These research findings offer valuable insights for both managers and policymakers involved in facilitating and promoting the digitalization process within SMEs. It is essential to leverage these insights to develop effective strategies and policies that foster successful digital transformation in this sector.
The workshop, which took place at the Southend Campus of the University of Essex, explained the relationship between cyber security and digital adoption of technologies in SMEs, and provided best cyber security practices for SMEs that will enable them to have a successful digital translation.
An in-person event at De Vere Grand Connaught Rooms in London. The event featured updates from current projects, and had some networking opportunities. We also attended workshops aimed at supporting the impact and dissemination of our projects and engagement opportunities with the Government.
An in-person event at the Grand Station (Wolverhampton). The event introduced new stakeholders; we heard updates from current projects and had some networking opportunities. We also attended different workshops in the afternoon regarding the socio-technical aspects of Digital Security by Design.
An in-person event at the Institute of Directors (Pall Mall, London). The event consisted of networking and poster sessions to update and introduce all the projects under the DSbD challenge. The event also held workshops to bring the DSbD community together, focusing on synergies and specific themes that run through DSbD.
Cyber security is how individuals and organisations reduce the risk of cyber attack. The core function of cyber security is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access - both online and at work - from theft or damage.
This means assessing the types of potential and more frequent risks to the business. A basic risk management exercise would involve identification, evaluation, and prioritisation of risks. Steps to then mitigate and deal with these factors can be efficiently implemented.
This can be ensured by firewalls as a shield against external attacks. Most modern computers come with built-in firewalls (e.g. Windows Defender). Always install the latest updates or security patches for all software and systems.
Inform users regularly on the latest cyber attacks. Train users on how to access systems securely by using strong passwords, multi-factor authentication and visiting secure sites only.
Anti-virus software scans computer systems for malware and helps keep it out. Ensure that devices are updated with the latest operating system, application version and security patches. Encourage employees to exercise caution when online by refraining from downloading unverified applications and clicking on suspicious links, especially in emails.
Put removable media controls in place that govern the use of removable media such as USBs and memory cards. All removable media should be scanned for malware before being given access to the organisation's systems, and this can be handled by anti-virus software.
To ensure a secure configuration, install the latest security patches on all systems as soon as they are available to reduce vulnerabilities. Routinely maintain the security configuration of systems by removing inactive user accounts (e.g. guest accounts).
Limit the number of user accounts with administrative privileges to restrict users from installing and running software programs.
This involves putting measures in place to manage incident reporting and response. Create a culture where employees actively participate in reporting incidents without fear of punishment. Regularly train employees on how to identify threats and report incidents.
Monitor user activity and network traffic using tools such as SplunkFree, Sagan and Snort to detect suspicious behaviour (e.g. unusual login attempts, massive spikes in network traffic).
Employees should use a Virtual Private Network (VPN) such as NordVPN, OpenVPN, etc. to securely connect to the organisation's network. Employees should not use public Wi-Fi to access sensitive data.
This work is funded by the Economic and Social Research Council (UKRI) and in collaboration with Discribe DSbD.