Organizational Decisions about Cyber Security in Small to Mid-Sized Businesses: A Qualitative Study

Managers at small and midsized businesses (SMBs) may believe they are immune against cyber-attacks and assume that attackers have no interest in them. Due to the intertwining of computer networks in a fashion that represents a complex system where emergent behaviors are rarely fully understood, vulnerabilities common to a major percentage of all SMBs may pose a threat to the nation's economic base. Therefore, if one of these SMBs within the system has a flaw in its security, it could have a triggering effect for all organizations it does business with. The purpose of this qualitative, phenomenological study was to explore the perceptions of SMB owners about their vulnerability to cyber-attacks and the measures they take to safeguard their organizations. The sample size for this research study was 20 participants. The results indicated that only a small number of SMBs were using even the basic virus software and firewall configurations for cyber security protection. Bring your own devices (BYOD) were an issue that has become a growing trend among companies and is not fully supported. Many SMBs do not have the personnel with the expertise within their organizations. Additionally, they suffer from the lack resources to implement solutions regarding cyber security to adequately protect their data/assets. They also are faced by challenges as a result of difficulties to fully understand and cope with the entire scope of cyber threats. Therefore, it is recommended that decision makers at these organizations obtain better understanding of the human factor of cyber security. Due to the increase of flexible work practices at businesses and employees using (BYOD), businesses must have a policy for processing sensitive information for employees that use their personal devices. The results in this study may be used to aid promoting a better understanding of how these threats interface and affect the network infrastructures at SMBs. Further research is recommended to support or expand upon the findings of this study utilizing other methodologies and theoretical frameworks.