Abstract

With much effort being placed on the physical, procedural, and technological solutions for Information Systems (IS) cybersecurity, research studies tend to focus their efforts on large organizations while overlooking very smaller organizations (below 50 employees). This study addressed the failure to prevent data breaches in Very Small Enterprises (VSEs). VSEs contribute significantly to the economy, however, are more prone to cyber-attacks due to the limited risk mitigations on their systems and low cybersecurity skills of their employees. VSEs utilize Point-of-Sale (POS) systems that are exposed to cyberspace, however, they are often not equipped to prevent complex cybersecurity issues that can result in them being at risk to a data breach. In addition, the absence of federal laws that force VSEs to adhere to standards such as the Payment Card Industry Data Security Standard (PCI-DSS) leaves it up to the discretion of the VSEs to invest in cybersecurity countermeasures aimed at preventing a data breach. Therefore, this study investigated the role that cybersecurity social responsibility plays in motivating the owners of these companies to engage in cybersecurity measures geared at preventing data breaches.

This study developed and validated using Subject Matter Experts (SMEs) a cybersecurity risk-responsibility taxonomy using the constructs of VSEs’ owners’ perceived cybersecurity social responsibility (CySR) and risk of data breach (RDB) in order to better understand their level of exposure to a data breach. Exploratory Factor Analysis (EFA) using Principal Component Analysis (PCA) was conducted to extract the significant factors for CySR and RDB. The study also addressed whether there were significant differences in VSEs owners’ perceived RDB and perceived CySR based on three demographics: (1) type of industry, (2) implementation of chip technology, (3) compliance with PCI-DSS.

This study was conducted in three phases. Phase 1 utilized a panel of 13 information security SMEs and used the Delphi technique to review characteristics for RDB and CySR that were derived from literature. The results of the expert review were subjected to further validation by means of a pilot study using a small sample of the study population (Phase 2). The pilot study population included 20 organizations with number of employees ranging from less than five to 50 total employees across seven different industries.

Phase 3 of the study included the main data collection using the modified survey instrument from the pilot study. 105 VSEs anonymously participated in the main data collection phase of the study. The collected data was subjected data EFA which identified three factors comprised of 15 items for RDB and two factors comprised of 13 items for CySR. In addition, descriptive statistics was obtained and evaluated to determine if significant differences exist in VSEs owners’ perceived RDB based on type of industry, implementation of Europay, Mastercard and Visa (EMV) chip technology and, compliance with PCI-DSS. One-way Analysis of variance (ANOVA) was used to evaluate whether significant differences existed based on the VSEs demographics.

The results of the study indicated that there was a statistically significant difference in both RDB and CySR for industry, use of EMV Chip and, PCI-DSS compliance. This study demonstrates that there is a relationship between CySR and cybersecurity and that the CySR instrument could be used to assess cybersecurity practices in small businesses. In addition, this study may assist organizations in understanding and mitigating cybersecurity data breaches.