Unveiling the Impact of Ownership Structure on SMEs’ Cybersecurity Perceptions

doi:10.21203/rs.3.rs-4526358/v1

As we move towards a more digitalized and interconnected world, new cybersecurity challenges emerge. While most research focuses on large companies, this study aims to fill a gap in the existing literature by exploring cybersecurity issues in small and medium-sized enterprises (SMEs), particularly in relation to non-technical, soft-skill, and intellectual capital aspects. This study examines the interplay between cybersecurity awareness, perception, and ownership structure in SMEs in the Silesian Region of Poland. Unlike the majority of cybersecurity literature, our focus is on how ownership structure influences risk perception. We surveyed 200 SMEs and utilized hierarchical and simple linear regression analyses to assess the relationships between these factors and financial performance. Our results indicate that larger enterprises and those without a family-owned structure exhibit significantly higher levels of cybersecurity. Additionally, we found a positive correlation between cybersecurity and a firm's financial performance and overall health. These findings underscore the importance of cybersecurity awareness and practices for the growth and stability of SMEs.

Cybersecurity

SMEs

Family owned business

Intellectual capital

Survey

Companies, especially those that decide to engage in modern technology and enter the Industry 4.0 phase, must realize how important cybersecurity is for their smooth functioning. Although many citizens of the European Union declare that they have knowledge in the field of cybersecurity [1], the scale of attacks is large, and many of them are caused by human error or oversight. It should be remembered that when the internet was created in the 1960s, no one assumed that it would be popular and accessible. Therefore, the security of this network was not considered. Soon after, the rapid development of the internet in the following decades made it impossible to fix the gaps in network foundations [2]. Further development of technology was based on cores that have serious flaws that can be used by people who want to harm the company. Thus, each new technology potentially has vulnerabilities that constitute vulnerabilities in component systems.

The numbers that illustrate the scale of the cybersecurity problem can help imagine the potential implications for businesses. In 2008, the global costs of cyberattacks were 0.86 trillion USD and 11.5 trillion USD in 2023. The cost of cyberattacks could reach over 23 trillion USD in 2027 [3]. Most attacks remain undetected, or they are discovered many days after the incident, when the costs accrue because of the consequences. According to the report of the World Economic Forum entitled "The Global Risks Report 2020", only 0.05% of incidents are detected in the United States [4]. There is a popular belief that the problem of cybersecurity concerns only large companies; however, this is not true. It is estimated that approximately 43% of cyberattacks target small and medium-sized enterprises (SMEs) [5]. This may be because SMEs, due to their small operating budget, are often not prepared for self-defense. They are an easy target for an attack aiming to find, steal and disturb important information, organizational capital, intellectual property, or exploit vulnerabilities in new technology.

The omnipresent threat of cyberattacks casts a long shadow on businesses of all sizes, forcing them to constantly adapt and strengthen their cybersecurity posture. Compared with larger corporations, small and medium-sized enterprises (SMEs) are often perceived as particularly vulnerable due to their potentially limited resources, lower cybersecurity awareness, and less robust security infrastructure [6, 7].

The traditional emphasis in cybersecurity research has been on technical solutions and advancements, focusing on firewalls, intrusion detection systems, and vulnerability assessments [6]. A substantial body of research has been dedicated to exploring various technical aspects of cybersecurity, such as intrusion detection systems, encryption protocols, and blockchain-based security solutions [8–10]. While these are undoubtedly crucial for mitigating cyber threats, neglecting the human element – the awareness, perceptions, and behaviors of SME owners and employees – can leave significant vulnerabilities. Several studies emphasize the critical role of user education in mitigating cyber risks [11, 12]. Eliminating basic mistakes, incorporating best practices and constant education can increase the security of computer systems that are responsible for storing key business data and controlling production and other processes in enterprises. This can lead to an improvement in the functioning of enterprises, understood as financial savings for the company related to the incident itself, elimination of risk among employees, e.g., health damage due to malfunction of a machine or robots whose control has been taken over by a hacker, elimination of the risk of stopping production, the risk of production containing defect components and much more. Especially in the context of Industry 4.0, the security of systems in enterprises becomes the security of everything [2].

There is a crucial gap in our understanding of the nontechnical factors influencing cybersecurity practices within SMEs. This study aims to contribute to bridging this gap by investigating the interplay between ownership structure, cybersecurity awareness, and financial performance in SMEs. Ownership structure, encompassing factors such as family ownership versus venture-backed structures, has been largely overlooked in cybersecurity research despite its potential influence on decision-making processes and resource allocation within organizations [13]. Understanding how ownership structures shape SMEs’ perceptions of cybersecurity threats and their willingness to invest in mitigation strategies is critical for developing targeted interventions and promoting a more holistic approach to cybersecurity within this vital sector of the global economy.

Our research investigates the Silesian Region of Poland, focusing on how ownership structure relates to cybersecurity awareness and perceived risk levels among SMEs. By exploring these relationships, we hope to gain a more nuanced understanding of the complex factors shaping cybersecurity within the SME landscape. The findings can inform targeted strategies for promoting cybersecurity awareness, implementing cost-effective security measures, and ultimately improving cyber resilience among SMEs. By addressing the gap in research on the nontechnical aspects of cybersecurity in SMEs, this study contributes to a more comprehensive approach to safeguarding these vital economic actors from cyber threats and ensuring their continued growth and success. By incorporating these less-explored aspects, this study aims to provide a more holistic understanding of cybersecurity within the SME landscape.

2.1. Theoretical framework

The achievement of the full potential of new technologies is an opportunity to improve many people's quality of life or career due to almost unlimited value creation opportunities [14]. In businesses oriented toward production, the potential solutions for their problems might come with the development of digital technologies [15]. This is a great opportunity to introduce changes, especially in postcoal regions. However, the automation and digital connectivity introduced in Industry 4.0 also risks, e.g., cyberattacks, which can affect process stability and IT security [16]. Potential losses may also be the result of access to the data from third-party providers [17] and human errors, including primarily employees with access to the systems.

In the context of Industry 4.0, cybersecurity is mainly analyzed in the case of basic security functions: loss of confidentiality, integrity and availability of data associated with networked manufacturing machines [18–20]. The top threats related to Industry 4.0 are related to social engineering and phishing [21]. According to the Industry 4.0 paradigm, many firms have started connecting their plants and factories across the supply chain to the internet to improve their effectiveness and efficiency. However, this process is associated with cyber threats against networked systems and applications from organizations. According to Ramim and Hueca [22], the world’s dependence on information systems is increasing, and cybersecurity incidents are constantly growing. The risks related to cybersecurity and safety are recommended to be a priority for managers in Industry 4.0 environments [23]. According to Boletsis et al. [24], the cybersecurity strategies for SMEs are as follows: 1) mapping existing cybersecurity practices; 2) identifying potential threats to the business; and 3) suggesting solutions to mitigate those potential threats. Companies worldwide are facing problems related to cybersecurity and vulnerability to security threats. Cyberattacks were rated as one of the top risks in 2020 [4]. Additionally, the level of detection of cybersecurity issues according to reports and the literature is extremely low [4]. However, according to reports, companies are increasing their spending on cybersecurity annually [25]; thus, awareness of the importance of cybersecurity in organizations is growing.

Digitalization and processes related to implementing Industry 4.0 features come with processes possessing rather severe challenges from an employee's perspective. Only successful adaptation to new work-related responsibilities and activities should result in overall security of the data, money, know-how and personal information. Within large corporations, we can easily find whole departments devoted to such threat seeking and effectively countering them. SMEs, on the other hand, do not possess the financial resources of manpower dedicated only to such protection. In addition, almost half of SME employees use personally owned (private) devices to execute business-related activities [26]. Therefore, we consider assessing general knowledge of cybersecurity-related issues among companies, especially SMEs, as crucial in a highly dynamic environment of transition to a digital environment in the ongoing fourth industrial revolution.

According to the European Commission [26], 76% of the SMEs surveyed currently use an online bank account; the majority also have a website for their business (71%), followed by 55% who use internet-connected ‘smart’ devices. Almost four-tens (39%) use online payment (or ordering) systems of (for) business partners (30% have their own online payment or ordering customer services). Similarly, 38% of the surveyed SMEs reported using cloud computing or cloud storage, with 35% having web-based applications (payroll processing, e-signatures, etc.). All the abovementioned tools and features represent, first, a way to improve a company's processes to make them more effective or less costly. On the other hand, they also present a potential target for security breaches at the digital/virtual level. Only a minority of the SMEs (3%) surveyed replied that there was no usage of any of the online tools listed in the survey. This study further supports our concern, stating that, should we aggregate all types of cybercrimes, 28% of SMEs in the EU have faced at least some type of cybercrime during the last 12 months. Divided among the countries, Portugal (48%), Greece (41%), Slovakia (39%) and Czechia (38%) had the worst results. On average, in European Union countries, as many as 28% of enterprises declare that they have been victims of an attack. Poland obtained a result identical to the average of European Union countries, which makes the case of this country adequate for analysis.

However, important aspects of cyber protection include not only technical and technological security but also the quality of human capital [27]. Human error, or incompetence of employees, is a major threat in terms of cyber protection. Therefore, we conducted our research to analyze the current state of human capital and cyber protection, in particular, in connection with the already identified top vulnerabilities for Industry 4.0: social engineering and phishing [21].

We are witnessing an ever-growing gap in cybersecurity skill sets; therefore, it is essential to have a shared understanding of the current skills, to what those skills represent in the form of human capital both from an individual’s and a company’s perspective. Understanding the development of human capital to meet current and future needs in the field of cybersecurity is necessary for the continual online safety of individuals, governments and SMEs. If employees lack IT risk awareness, they pose a considerable potential threat.

According to Ponsard & Grandclaudon [28], raising awareness of SME employees is inevitable (e.g., employees had to answer a cybersecurity quiz composed of a set of questions dealing with managing passwords, performing backups, and electronic signatures to urge participants to engage in the cybersecurity improvement process). Nobles [29] argued that SMEs must turn their attention to the cybersecurity skills and literacy of their workforce because cybersecurity incidents impact not only individuals or governments [30] but also corporations and small businesses. The latter (SMEs) are very important because they are one of the most vital parts of a nation's economy. Moreover, SMEs are facing major cybersecurity challenges, mainly because of their low security budget, lack of cyber skills and possibility of cyberattacks, which can seriously impact their competitiveness. Due to these factors, SMEs are often easier targets for cyberattacks, and severe damage should the attack be successful. Even though some individuals understand the possibility of threats, there are still severe security shortcomings that make their information systems vulnerable.

Based on the current knowledge, research is primarily focused on the technological (software and hardware) area of cyber protection and risk assessment of cyberattack and defense strategies [31], understanding the security threats in cyber-physical systems [32], and determining the determinants of information and digital technology implementation for smart manufacturing [33]. In addition, most of the research that can be found concerns mainly large and well-established companies.

2.2. Hypothesis development

We generally expect our results to provide valuable insight into the current SME environment in terms of cybersecurity awareness, the perception of risks, and the relationships between the financial health of the company and the respective aspects. Based on the hypothesis clustering, we define 5 hypotheses. Existing research suggests a potential link between business size and cybersecurity posture [34, 35]. Compared with larger businesses, smaller businesses might have fewer resources to allocate to robust security measures [6]. Based on this, we propose the following:

H11: Medium-sized businesses will achieve a significantly greater level of cybersecurity than will small businesses.

The nature of the data handled by a business can significantly influence its cybersecurity risk profile [36]. For example, businesses in the financial services sector that handle sensitive financial data might prioritize cybersecurity more than a bakery with less sensitive data. We hypothesize:

H12: The performance of the service sector will achieve a statistically significant increase in cybersecurity compared with that of the industry sector.

The ownership structure of a business can potentially influence its approach to cybersecurity. Family-owned businesses might have different decision-making processes and risk tolerances than nonfamily businesses [37, 38]. We propose:

H13: Nonfamily businesses will achieve a significantly greater level of cybersecurity than family businesses.

By examining the relationships between business demographics (size, sector, ownership structure) and cybersecurity practices [39, 40], we aim to assess their combined predictive power. We hypothesize:

H21: There is a statistically significant predictive power of business demographic features on the level of cybersecurity.

Investing in cybersecurity can have a demonstrably positive impact on a company’s financial health by reducing the risk of costly data breaches and operational disruptions [41]. We propose:

H22: There is a mutually significant predictive relationship between the level of response in cybersecurity and financial performance and company health.

These additional hypotheses allow us to explore the influence of various business demographics on cybersecurity practices within SMEs.

This study uses survey research, as this is a suitable method for studying emerging topics in business [42], such as cybersecurity. Moreover, survey research is a suitable tool to narrow the gap between practice and theory, whereby practitioners are being asked by academics for their insights at scale and economically [43]. The questions were chosen according to Erdogan et al. [44]. Our survey focused on screening three categories of cybersecurity in SMEs in the Silesian region of Poland:

1. cybersecurity practices,

2. cybersecurity awareness,

3. risk perception.

The first category includes taking measures to protect their systems and sensitive data to prevent cyberattacks, identifying vulnerabilities in systems and production applications through various processes and tools, and assessing cyber risks within a cybersecurity framework. The second category includes the implementation of various activities dedicated to raising employee awareness of cybersecurity, creating job roles that are primarily dedicated to cybersecurity, and raising awareness of the possibility of using work tools for private purposes and vice versa. The second category is directly related to improving the quality of human capital. This includes preparing and training employees for the potential risks that are associated with cyberattacks. This represents a key factor in increasing the level of cybersecurity in SMEs. The third category is the risk perception of SMEs regarding the cyberattacks they have faced or could face. It also looks at the potential impact of such attacks on the functioning of the company. We also cover the typical business demographic features of SMEs. These are the following variables that the survey tracked:

1. Number of SMEs’ years on the market.

2. Size of SMEs (small companies with fewer than 50 employees or medium-sized companies with fewer than 249 employees).

3. Sector of the SME’s performance (three main sectors: industry, services, and trade).

4. Form of SME ownership (family owned and run enterprises and nonfamily owned and run).

5. Year-on-year growth in the number of employees in SMEs.

6. Market share.

7. Sales revenue.

8. Profitability.

9. Financial liquidity.

10. Overall financial situation.

11. Operating profit margin (difference between sales revenue and operating expenses).

We used the IBM SPSS tool, where we sequentially performed descriptive statistics, factor analysis and regression analysis. The results are described in the following subchapters.

3.1. Sample

A total of 200 small and medium-sized enterprises from the Silesia region (Poland) participated in the research. The data were collected by a professional external agency contracted by a project manager, which ensured standardized data collection. The descriptive statistics of the basic indicators are presented in Table 1. The sample included 124 (62%) small enterprises (0-49 employees) and 76 (38%) medium-sized enterprises (50-249 employees). The smallest firm had 10 employees, and the largest had 249 employees. The mean number of employees was 61 (SD=60). The firm with the shortest tenure had been in business for 3 years, and the longest had been in business for 125 years. On average, the firms had been in business for 29 years (SD=17). In general, 12 (6%) “Civil societies”, 113 (56.5%) Ltd. and 75 (37.5%) other companies participated in the present research. Of these firms, 122 (61%) perceived themselves as family businesses, and 78 (39%) did not perceive themselves as family businesses. According to the main business profile, the firms were divided into Trade 29 (14.5%), Production 79 (39.5%) and Services 92 (46%).

Table 1. Descriptive statistics of business demographic features. Source: ExCORE survey

Characteristics of companies	N (%)
Size of SME’s
Small enterprise (0-49 employees)	124 (62)
Medium enterprise (50-249 employees)	76 (38)
Sector of SME’s performance
Trade business	29 (14,5)
Production	79 (39.5)
Services	92 (46)
Form of SME’s ownership
Family business	122 (61)
Non-Family business	78 (39)

In the following sections, we present the procedures followed and the individual scales of cybersecurity and financial performance and company health.

3.2. Variables & Measures – Cybersecurity

We surveyed cybersecurity using 10 items selected from the original Erdogan et al. questionnaire [44]. The items were selected based on their relevance to our research. The survey questions are divided into three dimensions based on the implemented factor analysis. All 10 questions were measured on a 7-point scale (1. Definitely No to 7. Definitely Yes). Due to the nonstandardized nature of the scale, we conducted reliability, validity and internal consistency analyses of the scale to strengthen the quality of the results of our statistical and econometric analyses. The final score of a given scale describes the degree of cybersecurity of firms.

The reliability of our adaptation of the Cybersecurity Scale was α=0.84. According to the factor analysis, the Kaiser–Meyer–Olkin measure of sampling adequacy was 0.8, and the results of Bartlett’s test of sphericity were significant (p<0.001). Three components had eigenvalues greater than 1, which was confirmed by a scree plot. The distribution of items into our components follows the item distribution of Erdogan et al. [44]. The reliability of the individual components ranged from α=0.56 to α=0.92. The total variance explained by all three components was 65.3%. Based on the literature review and the results of the factor analysis, we divided the items into the following three dimensions, which we characterized as follows:

1. Questions related to cybersecurity practices.

We used three questions focusing on the preparation and implementation of tools and processes to prevent and detect cyberattacks.

1.01 We have implemented certain processes or tools to assess risks associated with IT assets.

1.02 We have implemented certain processes or tools to identify cyber vulnerabilities.

1.03 We have implemented certain processes or tools to identify cyberattacks.

2. Questions related to cybersecurity awareness (quality of human capital).

We used four questions aimed at assessing the quality of human capital and its awareness, preparedness, and resilience to cyberattacks.

2.01 We offer courses or training to employees to increase their awareness of cybersecurity.

2.02. We have positions dedicated to cybersecurity at all levels of management.

2.03. We hold meetings or presentations internally on cybersecurity issues.

2.04 Employees can use company devices (e.g., laptops) and company applications at home.

3. Questions related to cybersecurity perception.

We use four questions aimed at assessing processes for detecting and evaluating real and potential cyberattacks.

3.01 We believe that our company is vulnerable to cyber attacks.

3.02 The impact of previous cyberattacks on our company's operations has been significant

3.03 The loss of data in the event of a cyberattack will cause serious disruptions to our business.

3.3. Variables & Measures – Financial performance and company health

Items tracking the financial performance and health of companies were measured using 7 items selected based on their relevance to our research. All 7 items were measured on a 7-point scale (1. Definitely No to 7. Definitely Yes). Due to the nonstandardized nature of the scale, we conducted reliability, validity, and internal consistency analyses of the scale to strengthen the quality of the results of our statistical and econometric analyses. The resulting scores from a given scale describe a measure of a firm’s financial performance and health.

The reliability of our adaptation of the Financial Performance and Business Health scale was α=0.83. In the factor analysis, the Kaiser‒Meyer‒Olkin measure of sampling adequacy was 0.81, and Bartlett’s test of sphericity was significant (p<0.001). Two components had eigenvalues greater than 1, which was confirmed by a scree plot. The reliability of the individual components ranged from α=0.75 to α=0.86. The total variance explained by the 2 components was 71.2%. Based on the literature review and the results of the factor analysis, we divided the items into the following two dimensions, which we characterized as follows.

4. Questions related to financial performance.

We use three questions aimed at identifying SMEs’ performance and growth in terms of number of employees, market share and sales growth.

4.01 We increased the number of employees.

4.02 We have increased our market share

4.03 Our sales revenue increased.

5. Questions related to the financial health of the company.

We use four questions aimed at identifying the financial health of companies. These are questions associated with profitability, liquidity, financial position, and operating margin.

5.01 Our company maintains profitability (profitability).

5.02 Our company maintains financial liquidity at a good and stable level (there is no payment stress—cash shortage).

5.03 The overall financial situation of our company is good (no risk of bankruptcy).

5.04 We are satisfied with the operating profit margin (the difference between sales revenue and operating costs).

The results of the descriptive analysis of Erdogan et al.’s [44] self-modification of the cybersecurity scale are shown in Table 2.

Table 2. Descriptive statistics of the cybersecurity scale according to IBM SPSS. Source: ExCORE survey

	Minimum	Maximum	Mean	Std. Deviation	Skewness	Kurtosis
Cybersecurity scale	10	67	38.60	11.05	-0.02	-0.17
Financial performance and company health	7	49	31.56	7.69	-0.36	0.39

We conclude that the average score on the scale is 38.60 out of 70, indicating a 55.14% level of cybersecurity. We observed the lowest score with a value of 10. The highest scoring firm scored 67 on the cybersecurity scale. Given the skewness and kurtosis, we used parametric methods of statistical analysis. Based on the results of Table 2, we can conclude that the average score of the financial performance and company health scale is 31.56 out of 49, which indicates a 64.40% level of financial performance in firms on average. The firm with the lowest score was 7, the firm with the highest score was 49, and hence, the maximum level of financial performance and company health was reached. Considering skewness and kurtosis and histogram, we used the scale used in parametric methods of statistical analysis.

We used the parametric methods of ANOVA and the independent sample test to evaluate significant differences between the selected unbiased variables. Table 3 shows the descriptive statistics of the cybersecurity scale divided by the independent variables.

Table 3. Results of the descriptive statistics of the cybersecurity scale by the firms according to IBM SPSS.

	Form	N	Min	Max	Mean	St.D.
Size of SME’s	Small	124	10	67	36.12	10.62
Size of SME’s	Medium	76	10	63	42.62	10.60
Form of SME’s ownership (Family business)	No	78	10	67	41.51	11.27
Form of SME’s ownership (Family business)	Yes	122	10	63	36.72	10.53
Sector of SME’s performance	Trade	29	14	62	39.76	10.85
	Industry	79	10	61	38.81	10.56
	Services	92	10	67	38.03	11.60

We tested for differences in cybersecurity scores across enterprise sizes and family business levels using the independent samples test. Levene's test for equality of variances did not allow us to reject the null hypothesis in either case, so we assumed equal variances. The results of the independent samples test suggest that firms that identified themselves as family businesses had lower cybersecurity level scores. Based on this, we can conclude that firms that did not identify as family firms performed better in cybersecurity. The results suggest that larger firms (medium-sized enterprises) also perform better in terms of cybersecurity. Based on this, we can conclude that the greater the size of a firm is, the better its cybersecurity performance.

There was a significant difference in the mean cybersecurity scale score between small and medium-sized enterprises (t₁₉₈=-4.201, p<0.001). From Table 3. We can see that medium-sized businesses, on average, scored better on the cybersecurity scale. Thus, we can conclude that the larger the firm is, the better the cybersecurity level is. Additionally, there was a significant difference in the mean cybersecurity scale score between family businesses and nonfamily businesses (t₁₉₈=3.050, p=0.003). Table 3 shows that nonfamily businesses, on average, score better on the cybersecurity scale.

Differences in cybersecurity scores in the main business profile were verified using one-way ANOVA. Again, the results of Levene's test for equality of variances assume equal variances. Thus, the ANOVA results suggest that there are no statistically significant results. However, it is true that there are minimal differences in the sector in which they operate at the level of cybersecurity. Based on this, we can conclude that the sector of operation of SMEs does not affect the level of cybersecurity. It should be noted here that in the case of a more detailed breakdown by the NACE, we could identify companies operating in digital and technology-intensive sectors or those working with sensitive data of clients, production, etc.

There was no significant difference in the mean cybersecurity scale score between the main business profiles (t2.197=0,293, p=0.747). It is true that there is a difference in scores, but it is statistically insignificant; therefore, we reject hypothesis No. 2.

To predict the cybersecurity level achieved by a company through firm characteristics (size of enterprises, form of ownership and main business profile) and economic factors (financial profitability and health), we chose hierarchical linear regression. To test the ability of cybersecurity level to predict firm economic growth, we used simple linear regression. There are no outliers in the research sample after processing the research set. The variables used in the regression analysis are at least interval variables. When nominal variables are used, the variables are dichotomized. The necessary file size was sufficient to implement the models. Based on multicollinearity testing using VIF and tolerance for individual models, we can confirm that our regression models also meet this condition. Normality, linearity and homoscedasticity of the residuals were accepted after the regression analysis was performed by examining the histograms, Q‒Q plots, and scatter plots. Error independence - autocorrelation was tested using the Durbin–Watson test, where the value ranged from 1.5–2.5.

Table 4. Results of hierarchical linear regression analysis of the cybersecurity scale by IBM SPSS.

Predictor	Model 1 (R² = 0.12***)				Model 2 (ΔR² = 0.05**)
Predictor	B (CI)	SE (B)	b	p	B (CI)	SE (B)	b	p
Size of SME’s	6.36 (3.38;9.35)	1.52	0.28	0.000	6.21 (3.29;9.13)	1.48	0.27	0.000
Form of SME’s ownership	-4.61 (-7.58;-1.64)	1.51	-0.20	0.003	-4.59 (-7.49;-1.68)	1.47	-0.20	0.002
Financial performance and health					0.30 (0.12;0.48)	0.09	0.21	0.002
F	13.87***				13.11***

Note: B=nonstandardized regression coefficient, CI=95% confidence interval, SE=standard deviation, b=standardized regression coefficient, p=p value. *=p˂0.05; ***=p˂0.001

Table 4 summarizes the results of the hierarchical regression analysis for cybersecurity level. The first model including firm characteristics as predictors was statistically significant F(2.197)=13,87, p˂0.,000). The index of determination (R²=0.12) indicated that the first model explained 12% of the variability in cybersecurity level. A statistically significant comparison revealed that the size of the enterprise (B=6.36; b=0.28; p=0.000) and the form of ownership (B=-4.61; b=-0.20; p=0.003) were statistically significant predictors in the first model.

The second model examined the effect of adding economic growth characteristics as a predictor of cybersecurity level. The coefficient of determination increased by 5% (ΔR²=0.05), which is a significant change (F(1.196)=10.30, p˂0.002). The index of determination for the second model (R²=0.17) indicated that it explained 17% of the variability in cybersecurity level. The results indicated that all selected predictors used in the second hierarchical regression model were statistically significant: size of enterprises (B=6.21; b=0.27; p=0.000), form of ownership (B=-4.59; b=-0.20; p=0.002) and financial performance and company health (B=0.30; b=0.21; p=0.002). We confirmed the first hypothesis that the greater the company is, the better the level of cybersecurity. We also confirm that nonfamily businesses gain a greater level of cybersecurity than do family businesses (hypothesis No. 3). Based on the results presented in Table 4 and Table 5, we also confirm a mutually positive relationship between the level of cybersecurity and financial performance and company health (hypothesis No. 4).

Table 5. Results of simple linear regression analysis of financial performance and company health level by IBM SPSS.

Predictor	Model 1 (R² = 0.05**)
Predictor	B (CI)	SE (B)	b	p
Cybersecurity level	0.15 (0.06;0.25)	0.05	0.22	0.002
F	10.02**

Note: B=nonstandardized regression coefficient, CI=95% confidence interval, SE=standard deviation, b=standardized regression coefficient, p=p value. *=p˂0.05; ***=p˂0.001

Table 5 shows the results of simple regression analysis for financial performance and company health. The model including cybersecurity level as a predictor was statistically significant (F(1.198)=10.02, p=0.002). The index of determination (R²=0.05) indicated that the model explained 5% of the variability in firms’ financial performance and company health. A statistically significant comparison revealed that cybersecurity level (B=0.15; b=0.22; p=0.002) was a statistically significant predictor. Therefore, we confirm that the greater the cybersecurity level is, the greater the financial performance and overall health of the company (hypothesis No. 4).

This study represents one of the few, bridging the ownership structure and the overall cybersecurity level of the respective company. We analyze a questionnaire consisting of 200 responses from SMEs in a historically coal-dependent and coal-transformation region in Poland. An important contribution is in the first step to standardizing the questions associated with the cybersecurity survey, as the original source [44] has not yet been implemented. We contribute to the literature by concluding the following:

(i) Three factors (predictors) influence the level of cybersecurity of the surveyed companies. These variables are the size of the SME, the form of the SME’s ownership, and the level of financial performance and company health.

(ii) The size of the SME is a statistically significant predictor of the level of cybersecurity, so we can conclude that the larger the enterprise is, the better its cybersecurity protection.

(iii) The level of cybersecurity is also influenced by the form of SME ownership. This means that family businesses have a worse level of cybersecurity than those that did not identify as family businesses in the survey. This may be because nonfamily firms may fill positions based not on family ties but on expertise. It may also be that nonfamily firms are more open to know-how.

In our survey, we assess the level of cybersecurity in SMEs and correlate it with their financial performance and overall health. Our findings indicate that SMEs with stronger financial performance and organizational health also exhibit higher levels of cybersecurity, which we consider in line with [45]. This suggests that financially healthier SMEs have the resources to invest in enhancing cybersecurity capabilities, improving human capital, and establishing effective processes to prevent and address cyber threats.

Furthermore, we conclude that risk perception and overall cybersecurity level are significantly affected by ownership structure, where the question of managerial level arises [46].

Our results suggest that investing in and establishing processes to improve cybersecurity can positively impact not only the protection of the business from cyberattacks but also its financial stability and performance, while we also find that other studies were more specifically oriented toward building training and programs to increase cybersecurity awareness [47, 48]. By avoiding cyberattacks, data loss, and disclosure, SMEs build better trust with customers and partners, leading to improved market share, profitability growth, and potential economies of scale, resulting in higher operating margins.

Therefore, it is crucial for SMEs to incorporate cybersecurity improvement into their strategic planning and risk management. This focus ultimately enhances their competitiveness (increasing market share), financial performance (profitability, headcount), and overall business health (liquidity, profitability, operating margin).

Our study is limited to the Silesian region of Poland, and the generalizability of the findings to other regions or countries may require further investigation. Additionally, a more detailed breakdown of the "service" sector could reveal variations in cybersecurity practices within different service industries. Future research could explore the specific cybersecurity challenges faced by different industry sectors and how ownership structures influence cybersecurity decision-making processes within SMEs. It would also be valuable to examine the role of government regulations and industry best practices in shaping cybersecurity awareness and practices within the SME landscape. The second limitation is the level of the survey, as it would be interesting to observe the structure of SMEs at a more detailed level of the NACE Rev. 4 classification and to analyze SMEs primarily in the service sector in more detail. In our research, we work with overall cybersecurity, although in the empirical part, we quantitatively defined three dimensions. However, in this paper, we used the overall questionnaire items.

Acknowledgment

This paper was written in connection with the scientific project International Center of Research Excellence in Transition of Coal Regions (ExCORE) - Project No. BPI/PST/2021/1/00007. Financial support from the NAWA scheme is gratefully acknowledged.

Data availability

The data that support the findings of this study are available from the corresponding author, [LS], upon reasonable request.

The authors hereby declare no conflicts of interest.

Directorate-General for Communication European Commission: Special Eurobarometer 499 : Europeans’ attitudes towards cyber security (cybercrime) - Data Europa EU. Directorate-General for Communication European Commission (2020).
Schneier, B.: Kliknij tutaj, aby zabić wszystkich. Bezpieczeństwo i przetrwanie w hiperpołączonym świecie. Wydawnictwo Helion, Gliwice (2019).
was a big year for cybercrime – here’s how we prepare for the future, https://www.weforum.org/agenda/2024/01/cybersecurity-cybercrime-system-safety/, last accessed 2024/05/13.
Granados Franco, E.: The Global Risks Report 2020. Insight Report 15th Edition. World Economic Forum (2020).
Accenture: State of Cybersecurity Resilience 2021. How aligning security and the business creates cyber resilience. Accenture (2021).
Gupta, J., Barzotto, M., Khorasgani, A.: Does size matter in predicting SMEs failure? Int. J Fin Econ. 23, 571–605 (2018). https://doi.org/10.1002/ijfe.1638.
Ponemon Institute: The 2023 Global Study on Closing the IT Security Gap: Addressing Cybersecurity Gaps from Edge to Cloud. Ponemon Institute (2023).
Hu, Q., Asghar, M.R., Brownlee, N.: Evaluating network intrusion detection systems for high-speed networks. In: 2017 27th International Telecommunication Networks and Applications Conference (ITNAC). pp. 1–6. IEEE, Melbourne, Australia (2017). https://doi.org/10.1109/ATNAC.2017.8215374.
Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of applied cryptography. CRC Press, Boca Raton, FL (1997).
Casino, F., Dasaklis, T.K., Patsakis, C.: A systematic literature review of blockchain-based applications: Current status, classification and open issues. Telematics and Informatics. 36, 55–81 (2019). https://doi.org/10.1016/j.tele.2018.11.006.
Rahman, N.A.A., Sairi, I.H., Zizi, N.A.M., Khalid, F.: The Importance of Cybersecurity Education in School. IJIET. 10, 378–382 (2020). https://doi.org/10.18178/ijiet.2020.10.5.1393.
Li, L., He, W., Xu, L., Ash, I., Anwar, M., Yuan, X.: Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. International Journal of Information Management. 45, 13–24 (2019). https://doi.org/10.1016/j.ijinfomgt.2018.10.017.
Chen, J., Henry, E., Jiang, X.: Is Cybersecurity Risk Factor Disclosure Informative? Evidence from Disclosures Following a Data Breach. J Bus Ethics. 187, 199–224 (2023). https://doi.org/10.1007/s10551-022-05107-z.
Thames, L., Schaefer, D.: Industry 4.0: An Overview of Key Benefits, Technologies, and Challenges. In: Thames, L. and Schaefer, D. (eds.) Cybersecurity for Industry 4.0. pp. 1–33. Springer International Publishing, Cham (2017). https://doi.org/10.1007/978-3-319-50660-9_1.
Raamets, T., Karjust, K., Hermaste, A., Mahmood, K.: Planning and Acquisition of Real-Time Production Data Through the Virtual Factory in Chemical Industry. In: Volume 2B: Advanced Manufacturing. p. V02BT02A017. American Society of Mechanical Engineers, Virtual, Online (2021). https://doi.org/10.1115/IMECE2021-73080.
Kutzler, T., Wolter, A., Kenner, A., Dassow, S.: Boosting Cyber-Physical System Security. IFAC-PapersOnLine. 54, 976–981 (2021). https://doi.org/10.1016/j.ifacol.2021.08.117.
Morozova, O., Nicheporuk, A., Tetskyi, A., Tkachov, V.: Methods and technologies for ensuring cybersecurity of industrial and web-oriented systems and networks. Radioelectronic and Computer Systems. 145–156 (2021). https://doi.org/10.32620/reks.2021.4.12.
Corallo, A., Lazoi, M., Lezzi, M.: Cybersecurity in the context of industry 4.0: A structured classification of critical assets and business impacts. Computers in Industry. 114, 103165 (2020). https://doi.org/10.1016/j.compind.2019.103165.
Stallings, W., Brown, L.: Bezpieczeństwo systemów informatycznych: zasady i praktyka. Helion, Gliwice (2019).
International Organization for Standardization: Information security, cybersecurity and privacy protection — Information security management systems — Requirements (ISO/IEC 27001:2022), https://www.iso.org/standard/82875.html.
Shaabany, G., Anderl, R.: Designing an Effective Course to Improve Cybersecurity Awareness for Engineering Faculties. In: Ahram, T.Z. and Nicholson, D. (eds.) Advances in Human Factors in Cybersecurity. pp. 203–211. Springer International Publishing, Cham (2019). https://doi.org/10.1007/978-3-319-94782-2_20.
Ramim, M.M., Hueca, A.: Cybersecurity capacity building of human capital: Nations supporting nations. OJAKM. 9, 65–85 (2021). https://doi.org/10.36965/OJAKM.2021.9(2)65-85.
Pandey, S., Singh, R.K., Gunasekaran, A.: Supply chain risks in Industry 4.0 environment: review and analysis framework. Production Planning & Control. 34, 1275–1302 (2023). https://doi.org/10.1080/09537287.2021.2005173.
Boletsis, C., Halvorsrud, R., Pickering, J., Phillips, S., Surridge, M.: Cybersecurity for SMEs: Introducing the Human Element into Socio-technical Cybersecurity Risk Assessment. In: Proceedings of the 16th International Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications. pp. 266–274. SCITEPRESS - Science and Technology Publications (2021). https://doi.org/10.5220/0010332902660274.
Asen, A., Bohmayr, W., Deutscher, S., González, M., Mkrtchian, D.: Are you spending enough on cybersecurity? Boston Consulting Group (2019).
European Commission: EUROBAROMETER No. 2280 / FL496 SMEs and cybercrime report. European Commission Publications Office, Luxembourg (2022).
Alshboul, Y., Streff, K.: Beyond Cybersecurity Awareness: Antecedents and Satisfaction. In: Proceedings of the 2017 International Conference on Software and e-Business. pp. 85–91. ACM, Hong Kong (2017). https://doi.org/10.1145/3178212.3178218.
Ponsard, C., Grandclaudon, J.: Guidelines and Tool Support for Building a Cybersecurity Awareness Program for SMEs. In: Mori, P., Furnell, S., and Camp, O. (eds.) Information Systems Security and Privacy. pp. 335–357. Springer International Publishing, Cham (2020). https://doi.org/10.1007/978-3-030-49443-8_16.
Nobles, C.: Stress, Burnout, and Security Fatigue in Cybersecurity: A Human Factors Problem. HOLISTICA – Journal of Business and Public Administration. 13, 49–72 (2022). https://doi.org/10.2478/hjbpa-2022-0003.
Levy, Y., Gafni, R.: Introducing the concept of cybersecurity footprint. ICS. 29, 724–736 (2021). https://doi.org/10.1108/ICS-04-2020-0054.
Süzen, A.A.: A Risk-Assessment of Cyber Attacks and Defense Strategies in Industry 4.0 Ecosystem. IJCNIS. 12, 1–12 (2020). https://doi.org/10.5815/ijcnis.2020.01.01.
Walker-Roberts, S., Hammoudeh, M., Aldabbas, O., Aydin, M., Dehghantanha, A.: Threats on the horizon: understanding security threats in the era of cyber-physical systems. J Supercomput. 76, 2643–2664 (2020). https://doi.org/10.1007/s11227-019-03028-9.
Ghobakhloo, M.: Determinants of information and digital technology implementation for smart manufacturing. International Journal of Production Research. 58, 2384–2405 (2020). https://doi.org/10.1080/00207543.2019.1630775.
Bada, M., Furnell, S., Nurse, J.R.C., Dymydiuk, J.: Supporting Small and Medium-Sized Enterprises in Using Privacy Enhancing Technologies. In: Moallem, A. (ed.) HCI for Cybersecurity, Privacy and Trust. pp. 274–289. Springer Nature Switzerland, Cham (2023). https://doi.org/10.1007/978-3-031-35822-7_19.
Bhattacharya, D.: Evolution of Cybersecurity Issues In Small Businesses. In: Proceedings of the 4th Annual ACM Conference on Research in Information Technology. p. 11. ACM, Chicago, IL (2015). https://doi.org/10.1145/2808062.2808063.
PwC: CEE findings from the 2023 Global Digital Trust Insights, https://www.pwc.com/c1/en/2023-cee-digital-trust-insights.html, last accessed 2024/05/13.
Chen, J., Henry, E., Jiang, X.: Is Cybersecurity Risk Factor Disclosure Informative? Evidence from Disclosures Following a Data Breach. J Bus Ethics. 187, 199–224 (2023). https://doi.org/10.1007/s10551-022-05107-z.
Brustbauer, J.: Enterprise risk management in SMEs: Towards a structural model. International Small Business Journal. 34, 70–85 (2016). https://doi.org/10.1177/0266242614542853.
Culot, G., Fattori, F., Podrecca, M., Sartor, M.: Addressing Industry 4.0 Cybersecurity Challenges. IEEE Eng. Manag. Rev. 47, 79–86 (2019). https://doi.org/10.1109/EMR.2019.2927559.
Chaudhary, S.: Driving behaviour change with cybersecurity awareness. Computers & Security. 142, 103858 (2024). https://doi.org/10.1016/j.cose.2024.103858.
Morgan Stanley: Megatrends: Opportunities on the Front Lines of Cybersecurity, https://www.morganstanley.com/articles/investing-in-cybersecurity-long-term-guide, last accessed 2024/05/13.
Ehret, M., Kashyap, V., Wirtz, J.: Business models: Impact on business markets and opportunities for marketing research. Industrial Marketing Management. 42, 649–655 (2013). https://doi.org/10.1016/j.indmarman.2013.06.003.
Kent Baker, H., Mukherjee, T.K.: Survey research in finance: views from journal editors. International Journal of Managerial Finance. 3, 11–25 (2007). https://doi.org/10.1108/17439130710721635.
Erdogan, G., Halvorsrud, R., Boletsis, C., Tverdal, S., Pickering, J.: Cybersecurity Awareness and Capacities of SMEs. In: Proceedings of the 9th International Conference on Information Systems Security and Privacy. pp. 296–304. SCITEPRESS - Science and Technology Publications, Lisbon, Portugal (2023). https://doi.org/10.5220/0011609600003405.
Lloyd, G.: The business benefits of cyber security for SMEs. Computer Fraud & Security. 2020, 14–17 (2020). https://doi.org/10.1016/S1361-3723(20)30019-1.
Alahmari, A., Duncan, B.: Cybersecurity Risk Management in Small and Medium-Sized Enterprises: A Systematic Review of Recent Evidence. In: 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA). pp. 1–5. IEEE, Dublin, Ireland (2020). https://doi.org/10.1109/CyberSA49311.2020.9139638.
Yamin, M.M., Katt, B., Gkioulos, V.: Cyber ranges and security testbeds: Scenarios, functions, tools and architecture. Computers & Security. 88, 101636 (2020). https://doi.org/10.1016/j.cose.2019.101636.
Bada, M., Nurse, J.R.C.: Developing cybersecurity education and awareness programmes for small- and medium-sized enterprises (SMEs). ICS. 27, 393–410 (2019). https://doi.org/10.1108/ICS-07-2018-0080.

The authors declare no competing interests.

Unveiling the Impact of Ownership Structure on SMEs’ Cybersecurity Perceptions

Status:

Version 1

Abstract

1. Introduction

2. Theoretical framework and hypothesis development

3. Materials & Methods

4. Results

5. Discussion and conclusions

6. Limitations and further research

Declarations

References

Additional Declarations

Status:

Version 1