Research Project

The impact of cyber security on the adoption of new digital technologies in UK’s SMEs

Principal Investigators
Dr Marta F Arroyabe
Professor Juan Carlos Fernandez De Arroyabe

Project overview

The Digital Security by Design (DSbD) Programme aims to radically update the digital infrastructure currently underpinning the global economy, making it secure against future threats. Discribe is one part of this wider initiative, with funding in place until 2024.

"Discribe is making a vital contribution to ensuring that the next generation of digital security technology is set up for success in our rapidly evolving digital world.”

Our project investigates the impact of cyber security on the decision-making process behind the adoption of new digital technologies in the UK small and medium enterprises (SMEs). Taking a strategic management perspective, our project considers that the decision to invest in new tools and technologies depends upon internal (firms’ capabilities in cyber security) and external factors (threats and attacks in the cyber environment). This project focuses on understanding (1) the impact of previous cyber security incidents on SMEs’ decision to invest in new digital technologies, and (2) the impact of SMEs’ current cyber security practices on the readiness to invest in new digital technologies. The project is expected to lead to several outputs: a policy guide targeted at policymakers, outlining our main results and recommendations, a good practice guide for the adoption of digital technologies in SMEs, targeted at managers and institutions, two peer-reviewed articles, an original dataset from a survey instrument.

Get in touch with us -

Learn more about the project

Background and relevance

  • The COVID-19 pandemic has accelerated the process of digitalisation with an increasing number of businesses relying on remote working and on the internet to sell products and to keep in contact with customers and suppliers.
  • Our project aligns with the UK’s government Digital Strategy and the DCMS’s Ten Tech Priorities, which seek to transform the UK into a world-leading digital economy. Digitalisation has been found to support businesses’ growth by increasing productivity and financial performance.
  • Our project focuses on SMEs, which are the backbone of the UK economy and which lag behind larger businesses in the adoption of all digital technologies (e.g. connectivity, cloud, big data, e-commerce, process digitalisation and automation, online presence and communication). In fact, the digital gap has been exacerbated with the COVID-19 crisis, with SMEs expected to reduce and large firms expected to increase their IT expenditures.
  • Compared to large firms, SMEs face substantial challenges in terms of the capability (e.g. knowledge and skills) and capacity (e.g. financial and time resources) to plan and implement their digital transformation, and in terms of cyber security. In particular, the risks and costs of cyber incidents, and the lack of cyber security strategies in SMEs make SMEs particularly vulnerable to cyber attacks. Cyber security is crucial for SMEs as cyber incidents are the number one technology threat to business, with a quarter of UK’s SMEs at risk of closing their businesses following a cyber attack.

Focus and goals

This project investigates the impact of cyber security on the decision-making process behind the adoption of new digital technologies in UK small and medium enterprises (SMEs) , contributing to the topic area of “Economics and Decision Making in Security” of the Discribe Hub+ commissioning call.

Despite the importance of SMEs, few studies have explored the role of cyber security (and its relative importance) in the decision-making process behind the adoption of new digital technologies in SMEs. Although existing studies offer valuable insights on firms’ digitalisation processes and on decisions around investment levels in cyber security, the empirical evidence is scant on the interrelation of these two, especially with regards to SMEs. Thus, this project proposes to investigate the impact of cyber security in SMEs’ decision-making process to adopt new digital technologies.

This project recognises the importance of understanding the nature of the management decision-process in digitalisation, and how decisions are contingent on previous and current cyber security experiences. Taking a strategic management perspective, our project assumes that firms’ decision-making processes reflect their previous experiences, their capabilities, and the influence of the external environment. In this context, our project considers that the decision to invest in new tools and technologies depends upon internal (firms’ capabilities in cyber security) and external factors (threats and attacks in the cyber environment). In particular, our project addresses two research questions, one relating to the internal factors and one relating to the external factors. For the internal factors, our research question (RQ1) is: how do SMEs’ current cyber security practices and strategies affect the readiness of firms to adopt and invest in new digital technologies?. For the external factors, our research question (RQ2) is: how does SMEs’ previous experience with cyber incidents both inside their own firm or in other firms in their industry environment affect the decision to adopt and invest in new digital technologies?

Project findings

Digitalization and Cybersecurity in SMEs: A Bibliometric Analysis

This paper presents a bibliometric analysis on the topics of digitalization and cybersecurity in small and medium-sized enterprises (SMEs) using the R tool Bibliometrix. The analysis includes a total of 417 papers. Firstly, our paper contributes to the academic field by identifying four distinct clusters that represent different research areas: Industry 4.0 and Smart Factory, Industry 4.0 and SMEs, SMEs and Cybersecurity, and Digitalization, SMEs, and Entrepreneurship. This classification helps to categorize the existing research and provides an overview of the main research directions in this field.

Secondly, our paper contributes to the existing literature by emphasizing the existing research gaps. One significant finding is that the digital transformation of SMEs entails increased vulnerability to cyberattacks, which can be a determining factor of their digitalization efforts and the future of their businesses. We have identified that this particular aspect has not been adequately addressed, as existing research focuses on these issues individually without establishing connections between them.

Looking ahead, we anticipate that cybersecurity in SMEs will be a particular case of cybersecurity in firms, separated from research on digitalization in SMEs, which addresses issues such as smart factories and Industry 4.0 objectives in these enterprises.

The Effect of IT Security Issues on the Implementation of Industry 4.0 in SMEs: Barriers or Challenges?

In this paper, we investigate the impact of IT security issues on the implementation of Industry 4.0 in small and medium-sized enterprises (SMEs) operating in the manufacturing sector. To address this question, we conducted an empirical study utilizing survey data from 3,184 SMEs gathered through the "Flash Eurobarometer No. 486" (European Union). We employed a machine-learning methodology in our analysis. Our study aims to contribute to the existing literature on the obstacles faced by SMEs in their digital transformation efforts by examining the role played by IT security issues in this process.

Firstly, our results demonstrate that IT security issues have a positive influence on the digitalization of SMEs, as they are perceived as challenges that impulse their transformation. Secondly, our study reveals variations in the levels of digitalisation among SMEs. We observed a broad spectrum of digital adoption, ranging from companies integrating complex digital technologies like robots, cloud computing, and smart devices to a group of companies that are in the early stages of developing Industry 4.0 capabilities. Lastly, our research highlights the heterogeneity in the impact of IT security issues, with a parallel relationship observed between the degree of digitalization and the importance placed on IT security.

Overall, our findings shed light on the significance of addressing IT security concerns in facilitating the successful implementation of Industry 4.0 in SMEs, and emphasize the varying degrees of digital maturity across different companies.

Exploring Cyber Security and Resilience in SMEs: A Regression and Machine Learning Analysis

This study aims to examine the management of cyber security in small and medium-sized enterprises (SMEs) and its impact on their resilience. While SMEs play a critical role in the economy, previous research has predominantly focused on cyber security management in large companies. In an effort to address the limited literature on cyber security management in SMEs, we conducted an empirical study based on a survey of 214 SMEs in the UK. Our approach involved a cause-effect analysis using the protection motivation theory (PMT) as a theoretical framework. This study provides both theoretical and methodological contributions, offering valuable insights for managers.

Firstly, our findings shed light on the insufficient attention given by SMEs to the management of cyber security. We identified cyber security incidents as the most significant driver of resilience, surpassing the importance of cyber security management itself. Additionally, our study expands the PMT theory by emphasizing the significance of considering the interplay between factors influencing cyber security management in SMEs.

Secondly, this study demonstrates the potential of statistical methods, particularly machine learning techniques, in discerning cause-effect relationships among the factors impacting cyber security in SMEs.

The effect of cyber security standards on the digitalization of SMEs: A Machine Learning and Systems Dynamics approach

This research paper aims to examine the impact of cybersecurity standards, specifically ISO and Cyber Essentials, on the digital transformation of small and medium enterprises (SMEs). The existing literature has not sufficiently addressed the interconnectedness of digitalization, cybersecurity, and standards, highlighting a significant research gap in this area.

To provide a theoretical framework for our study, we will employ the Technology Adoption Model (TAM). This model is particularly relevant as it considers the adoption of diverse digital technologies as a crucial aspect of SMEs' digital transformation.

Our research methodology involves adopting the system dynamics approach to analyse how these factors influence the process of digitalisation. Our study is based on a survey of 214 SMEs in the UK and utilizes a cause-effect analysis approach. Additionally, we will integrate machine-learning techniques (ML) with regression models to enhance the accuracy and depth of our findings.

Our research outcomes reveal two noteworthy findings. Firstly, the utilization of cybersecurity standards among SMEs is notably low, suggesting a potential area for improvement in their digital transformation efforts. Secondly, we identified a dynamic interplay among digitalization, cybersecurity systems, and standards, which collectively reinforce the positive impact on the digital transformation of SMEs.

These research findings offer valuable insights for both managers and policymakers involved in facilitating and promoting the digitalization process within SMEs. It is essential to leverage these insights to develop effective strategies and policies that foster successful digital transformation in this sector.

Past events and presentations

Workshop with SME Managers - 28 September 2023

The workshop, which took place at the Southend Campus of the University of Essex, explained the relationship between cyber security and digital adoption of technologies in SMEs, and provided best cyber security practices for SMEs that will enable them to have a successful digital translation.


People gathered at the table attending a workshop delivered by Dr Marta)
People gathered at the table attending a workshop delivered by Dr Marta

DSbD All hands event - 27 April 2023

An in-person event at De Vere Grand Connaught Rooms in London. The event featured updates from current projects, and had some networking opportunities. We also attended workshops aimed at supporting the impact and dissemination of our projects and engagement opportunities with the Government.

DSbD All hands event - 11 and 12 October 2022

An in-person event at the Grand Station (Wolverhampton). The event introduced new stakeholders, we heard updates from current projects, and had some networking opportunities. We also attended different workshops in the afternoon regarding the socio-technical aspects of Digital Security by Design.

Dr Marta F Arroyabe at the DSbD All hands event- 11th & 12th October 2022
Dr Marta F Arroyabe at the DSbD All hands event- 11th & 12th October 2022
Dr Marta F Arroyabe at the DSbD All hands event- 11th & 12th October 2022)
Dr Marta F Arroyabe at the DSbD All hands event- 11th & 12th October 2022

DSbD All hands event - 7 April 2022

In person event at the Institute of Directors (Pall Mall, London). The event consisted of a networking and poster sessions to update and introduce all the projects under the DSbD challenge. The event also held workshops to bring the DSbD community together, focusing on synergies and specific themes that run through DSbD.

Presentation at the Discribe event)
Presentation at the Discribe event

Guide for Cyber Security

Cyber Security

Cyber security is how individuals and organisations reduce the risk of cyber attack. The core function of cyber security is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access - both online and at work - from theft or damage. 

Types of Cyber Attacks

  • Phishing Attacks
  • Malware Attacks
  • Ransomware Attacks
  • Password Related Attacks
  • Insider Threat
  • Denial-of-Service
  • Social Engineering
  • SQL Injection

10 Best Practices to protect you from Cyber Attacks

  • Set up your Risk Management Regime

This means assessing the types of potential and more frequent risks to the business. A basic risk management exercise would involve identification, evaluation, and prioritisation of risks. Steps to then mitigate and deal with these factors can be efficiently implemented. 

  • Network security

This can be ensured by firewalls as a shield against external attacks. Most modern computers come with built-in firewalls (e.g. Windows Defender). Always install the latest updates or security patches for all software and systems.

  • User education and awareness on the signs and dangers of cyber attacks

Inform users regularly on the latest cyber attacks. Train users on how to access systems securely by using strong passwords, multi0factor authentication and visiting secure sites only. 

  • Malware prevention

Anti-virus software scans computer systems for malware and helps keep it out. Ensure that devices are updated with the latest operating system, application version and security patches. Encourage employees to exercise caution when online by refraining from downloading unverified applications and clicking on suspicious links especially in emails.

  • Removable media controls

Put measures in place that control the use of removable media such as USBs and memory cards to use removable media controls. All removable media should be scanned for malware before being given access to the organisation system, and this can be handled by an anti-virus software.

  • Secure configuration

To ensure security configuration that the latest security patches are installed on all systems as soon as they are available to reduce vulnerabilities. Routinely maintain security configuration of systems by removing inactive user accounts (e,g. guest accounts).

  • Manager user privileges

Limit the number of user accounts with administrative privileges to restrict users from installing and running software programs.

  • Incident management

This involves placing measures in place to manage incident reporting and response. Create a culture where employees actively participate in reporting incidents without fear of punishment. Regularly train employees on how to identify threats and report incidents.

  • Monitoring

Monitoring user activity and network traffic using tools such as SplunkFree, Sagan, Snort to detect suspicious behaviour (e.g. unusual login attempts, massive spikes in network traffic).

  • Home and mobile working

Employees should use Virtual Private Network (VPN) such as NordVPN, OpenVPN, etc. to securely connect to organisation network. Employees should use public Wi-Fi to access sensitive data.


This work is funded by the  Economic and Social Research Council (UKRI) and in collaboration with Discribe DSbD.

A person on a sofa using a laptop to browse online.
Get in touch
Discribe logo