Exploring Cybersecurity Awareness and Resilience of SMEs amid the Sudden Shift to Remote Work during the Coronavirus Pandemic: A Pilot Study

Abstract

The COVID-19 pandemic has caused a rapid shift to remote working, creating new challenges to cyber security, especially for SMEs, which are exposed to various cyber security risks such as phishing attacks, malware, and ransomware. To enhance SMEs' resilience to cyber-attacks, cyber security awareness is essential. Resilience refers to the capacity to adapt and recover from significant disruptions or adversities, both for individuals and organizations (Masten 2018, Norris et al. 2007). It enables organizations to cope effectively with unexpected events, bounce back from crises, and foster future success (Duchek 2020, Lengnick-Hall et al. 2011). Resilience includes an adaptation aspect that allows firms to come out of a crisis stronger than before, which distinguishes it from robustness (Madni and Jackson 2009). Looking back at the peaks of the health crisis, it can be argued that the pandemic can be perceived as a "stress test" of unprecedented dimensions, challenging the resilience of business models, interconnected systems, societal institutions, and even entire economies (Tressel and Ding 2021). In the context of SMEs during the latter, resilience was perceived as their ability to face these challenges, such as supply chain disruptions, changes in consumer behavior, and government-imposed restrictions, etc. (Klein and Todesco 2021). Cybersecurity is a broadly used term, whose definitions are variable, often subjective and uninformative. One of the most comprehensive definitions refers to cybersecurity as “the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights” (Craigen et al. 2014). Cybersecurity Awareness refers to the understanding and knowledge of these risks and the measures to mitigate them, which is considered as a crucial factor in protecting against cyber-attacks. Studies confirm that cyber awareness training can improve knowledge and skills of employees, thereby reducing the risk of cyber-attacks and leading to more informed decisions (Hijji and Alam 2022) Several models have explored the relationship between resilience and cybersecurity awareness, providing insight and useful lenses into the ways in which resilience may influence cybersecurity awareness and behaviors; two of these models are the Protection Motivation Theory (PMT) and the Dynamic Capabilities Theory (DCT). The PMT was initially developed by Rogers (1975), to describe how individuals are motivated to react in a self-protective way towards a perceived health threat. Adapted to cybersecurity, this theory proposes that individuals with higher levels of resilience are more likely to engage in protective behaviors in response to perceived cyber threats, due to increased threat appraisal and coping skills. (Li et al. 2022). On the other hand, the definition of dynamic capabilities as originally defined by Teece et al. (1997) is the ability of the firm to combine, develop and reconfigure external and internal expertise to respond to speedily changing environment. The DCT can be applied to the field of cybersecurity risk management to enhance organizational capabilities and improve response to emerging threats. (Barreto 2010, Naseer et al. 2018) It is within this context that the present working paper scope aims at exploring the resilience of SMEs and the impact of their cybersecurity awareness amid the abrupt shift towards mass remote work during the pandemic and the subsequent increased cybersecurity risks and exposures. Accordingly, the outcomes of the observations and deductions from the literatures suggest the following proposition / belief statement: P1: In time of crisis and abrupt challenges; the most practical model would be a combination of both Protection Motivation Theory (PMT) and Dynamic Capabilities Theory (DCT); as such, the relationship between cybersecurity awareness and resilience is critical, as promoting awareness can enhance the resilience of SMEs. the most practical model would be a combination of both Protection Motivation Theory (PMT) and Dynamic Capabilities Theory (DCT); as such, the relationship between cybersecurity awareness and resilience is critical, as promoting awareness can enhance the resilience of SMEs. A pilot study was conducted to test the feasibility and effectiveness of the research design and data collection methods. The pilot was based on a qualitative research design drawing on data collection through an in-depth interview with conversational style approach as described by Schober and Conrad (1997), and data analysis based on the Braun and Clarke (2006) thematic qualitative analysis. A purposive sampling was used to interview three SMEs managing owners from Beirut - Lebanon, between Dec’ 22 and Jan’ 23. The preliminary results of the pilot study provide initial insights of a practical model for SMEs based on a combination of the PMT and DCT which can help them develop a proactive approach to cybersecurity that incorporates both motivation and capability-building. Hence, four main themes emerged for developing the said approach. The 1st theme is conducting a thorough “risk assessment” of cybersecurity posture by identifying and assessing the level of potential threats and vulnerabilities using the PMT model. The 2nd theme is using DCT model to develop the “dynamic capabilities” necessary to respond to those risks, which includes investing in new technologies, training employees, and establishing a culture of awareness. The 3rd theme is “building motivation” among employees to take cybersecurity seriously, which can be achieved through the PMT model by highlighting potential impacts and rewarding good practices. Finally, the 4th theme is “continuous improvement”, which involves ongoing monitoring, risk assessment, capability-building, and motivation-building using a combination of PMT and DCT models. This work is a preliminary stage that requires further elaborations and generalizations. Yet, the findings from the pilot showed the potentials from integrating PMT and DCT models to enhance SMEs' cybersecurity posture and suggest that such approach could enable more proactive stance towards cybersecurity by fostering a culture of awareness, preparedness, and continuous improvement. These insights could be valuable for SMEs seeking to mitigate the risks associated with the increasing prevalence of cyber threats and attacks.