A Study of Distinguishing Factors between SME Adopters versus Non-Adopters of Cybersecurity Standard

Abstract

Digital technology is a vital factor for driving digital business today. In parallel, cybersecurity-related threats are also increasing and may impact the operation of a business. So, the national government in each country may need to encourage digital enterprises to adopt a cybersecurity standard to reduce cybersecurity risks. However, Small and Medium Enterprises (SMEs) have a low rate of cybersecurity standard adoption due to their limitations. This study aims to identify distinguishing factors between SME adopters versus non-adopters of cybersecurity standards in Thailand and provide recommendations for policymakers to improve the adoption of cybersecurity standards in SMEs. A quantitative methodology was used to survey SME IT leaders in Thailand. The data were collected using online questionnaires. The 28 survey items assessed 11 factors in 2 main categories: (1.) demographics characteristics of SMEs and (2.) cybersecurity attitudes of SMEs. This study involved 312 participating SMEs. The major group of SMEs (65.4%) had not adopted any of the cybersecurity standards, and the other group of SMEs (34.6%) had adopted some cybersecurity standards. The Pearson’s Chi-Square Test was employed to test what factors were significant differences between responses of these two groups. The results revealed that the significant factors include the size of an organization, the intensity of IT usage, the number of IT staff, the number of IT security staff, the amount of investment in IT, the amount of investment in IT security, the awareness of organizational cybersecurity risks, the perceived cybersecurity needs of customers, and the intention to adopt a cybersecurity standard. Lastly, recommendations for policymakers are provided.