Computers & Security 141 (2024) 103826

Contents lists available at ScienceDirect

Computers & Security

journal homepage: www.elsevier.com/locate/cose

Revealing the realities of cybercrime in small and medium enterprises:

Understanding fear and taxonomic perspectives
Marta F. Arroyabe a, Carlos F.A. Arranz b, Ignacio Fernandez De Arroyabe c, d, Juan Carlos
Fernandez de Arroyabe a, *
a
Essex Business School. University of Essex, UK
b
Greenwich Business School, University of Greenwich, UK
c
Computer Science Department, Loughborough University, UK
d
Data Services, Commercial Banking, Lloyds Banking Group, London, UK

A R T I C L E I N F O A B S T R A C T

Keywords: This paper investigates cybercrime in Small and Medium Enterprises (SMEs) using Cyberspace Theory as a
Cybercrime theoretical framework for a comprehensive analysis. Cyberspace Theory enables a thorough examination of
SMEs cybercrime in SMEs, covering motives and consequences of cyber incidents, and identifying existing gaps. The
Cyberspace Theory
study also delves into SMEs’ perception of cybercrime fear, interpreting fear as their concern for cybercrime risk
Fear
Taxonomy
and its potential consequences. Drawing from a robust European Union database comprising 12,863 SMEs across
member countries, our research contributes by establishing a taxonomy based on SMEs’ perceptions of cyber­
crime fear. Understanding SMEs’ views on cybercrime is crucial for enhancing cybersecurity measures and
comprehending the broader economic and social implications of cybercrime.

1. Introduction sector, exposure to confidential files remains extensive, and financial

organizations take an average of 233 days to detect and contain
In the current digitally-driven landscape, the widespread threat of breaches. Furthermore, 74% of cyberattacks compromise clients’ data,
cybercrime emerges over businesses of all sizes, starting a new era of highlighting the magnitude of the risk. Educational institutions face
challenges and vulnerabilities (Babiceanu and Seker, 2019; Choo, 2011). relentless cyber-attacks: phishing campaigns and vulnerability exploi­
As organizations increasingly rely on interconnected technologies and tation account for 29% and 30% of attacks, respectively (Moody, 2024).
online platforms to conduct business, the potential impact of cyber in­ Within an era characterized by technological advancement and the
cidents develops (Corllo et al., 2020; Deloitte, 2020). Cybercrime en­ extensive influence of digital transformation, small and medium enter­
compasses a spectrum of malicious activities, ranging from sophisticated prises (SMEs) assume a pivotal role in the economic landscape. These
hacking and data breaches to social engineering and ransomware attacks entities serve as focal points for innovation, job creation, and economic
(Fernandez de Arroyabe and Fernandez de Arroyabe, 2023). According expansion, contributing significantly to global economic development,
to Fox (2024), the annual global cost of cybercrime is projected to reach representing approximately 90% of businesses worldwide and ac­
9.5 trillion dollars in 2024, with expectations that it will rise to 10.5 counting for over 50% of global employment (Fernandez de Arroyabe
trillion dollars in 2025. More in detail, in the healthcare industry, the et al., 2023a), However, as SMEs increasingly integrate digital tech­
increase in cyber breaches is surprising, with a 239% rise in large nologies into their operations to reinforce competitiveness, they face an
breaches involving hacking over the last four years, leading to an increasing threat: cybercrime. Cybersecurity breaches not only expose
average financial loss of nearly $11 million per breach (Chief Healthcare the confidentiality, integrity, and availability of sensitive data but also
Executive, 2024). Similarly, the manufacturing sector faces an escala­ have far-reaching implications for SMEs’ operational and financial sta­
tion of cyber threats, constituting 20% of all extortion campaigns bility, as well as their reputations (Boswell, 2023). While cybersecurity
globally, with ransomware incidents alone representing 65% of indus­ discourse often revolves around large corporations, Horváth and Szabó
trial breaches in 2022 (Poireault, 2024). In the finance and insurance (2019) emphasize that SMEs present attractive targets for

* Corresponding author.
E-mail address: [email protected] (J.C.F. de Arroyabe).

https://doi.org/10.1016/j.cose.2024.103826
Received 20 February 2024; Received in revised form 20 March 2024; Accepted 25 March 2024
Available online 5 April 2024
0167-4048/© 2024 The Author(s). Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).
M.F. Arroyabe et al. Computers & Security 141 (2024) 103826

cybercriminals due to perceived vulnerabilities, resource constraints, 2. Literature review and research framework
and sometimes, inadequate cybersecurity measures. These enterprises
encounter unique challenges in addressing cybersecurity, lacking the 2.1. Theoretical framework: cybercrime and cyberspace theory
resources and expertise of larger counterparts to effectively combat
cyber threats (Arranz et al., 2024). Despite their size, SMEs are not Cyberspace theory integrates diverse viewpoints and methodologies
exempt from cyber-attacks and are increasingly targeted by cybercri­ to examine and comprehend the virtual world of cyberspace (Caton,
minals seeking to exploit system vulnerabilities. Furthermore, SMEs 2012; Adams and Albakajai, 2016). Its fundamental principle posits
often rely on third-party vendors and partners for various services, cyberspace as a realm distinctly apart from the tangible world. Often
introducing additional cybersecurity risks through supply chain vul­ described as a virtual or digital space, cyberspace is constituted by a
nerabilities. Kabanda et al. (2018) stress that given the interconnected complex network of interconnected computers, servers, and digital de­
nature of the contemporary business environment and the evolving vices where information exchange, communication, and digital in­
tactics of cyber adversaries, cybercrime poses formidable challenges for teractions occur (Adams and Albakajai, 2016). This theory delves into
SMEs. the digital domain’s socio-political, cultural, and economic issues
This study focuses on examining the phenomenon of cybercrime (Albakajai et al., 2020). It investigates how people, groups, and entire
affecting SMEs. We will draw upon a comprehensive European Union societies utilize and move through cyberspace, tackling issues like dig­
database that includes information on 12,000 SMEs from across all EU ital identity, privacy concerns, cybersecurity measures, rights within the
member states. This research takes place within the context of the Eu­ digital landscape, and the spread of accessible information.
ropean Union, where SMEs play a pivotal role in economic growth, In our research, we adopt the definition of cyberspace as outlined by
representing over 99% of all businesses, employing 94 million in­ the United States Department of defense (2008), which describes cy­
dividuals, and contributing to more than half of the total value added by berspace as a global domain within the information environment constituted
the business sector (World Bank Finance, 2021; Bella et al., 2023). by a network of interdependent information technology infrastructures. This
Furthermore, unlike previous research, which primarily employed includes the Internet, telecommunications networks, computer systems, and
qualitative approaches or relied on small sample sizes, our utilization of embedded processors and controllers. Furthermore, given that the focus of
a vast EU database will facilitate the development of well-rounded and this paper is on cybercrime, and in alignment with the stance of CISA.
widely generalizable conclusions. Secondly, as a theoretical framework, gov (2020), our definition of cyberspace expands to include the opera­
we will employ Cyberspace Theory (Caton, 2012; Adams and Albakajai, tors of cyberspace. This extension expands the definition to encompass
2016). Unlike previous studies using alternative approaches, leading to not just the virtual environment of information but also the interactions
a diversity of perspectives and inconclusive results regarding the char­ amongst individuals, thereby emphasizing the critical role of human
acterization of cybercrime, the use of this theoretical framework allows elements within the technical infrastructure. It acknowledges the dy­
us to characterize cybercrime in SMEs comprehensively (Cook et al., namic interplay between technology and its users in the ongoing evo­
2023). This encompasses understanding the motives behind cybercrime, lution and characterization of cyberspace.
the impact of cyber incidents, and the existing gaps in SMEs. Lastly, In this context, cybercrime refers to criminal activities that occur
unlike prior works that focused on cybersecurity practices and technical within the digital domain of cyberspace (Papakonstantinou, 2010;
issues in SMEs, our analysis centres on the perception of fear of cyber­ Brenner, 2010; Wall, 2007). It involves the use of computers, networks,
crime within SMEs. We consider fear as the concern SMEs have and digital devices to commit illegal acts, exploit vulnerabilities, and
regarding the risk of cybercrime. In this regard, there is a certain con­ breach security measures for personal gain or malicious purposes.
troversy in how SMEs confront cybercrime (Fernandez de Arroyabe Following Papakonstantinou (2010), a key aspect of cybercrime in cy­
et al., 2023a). On one hand, there is a level of naivety amongst SMEs berspace theory is its disruptive and transformative nature. Unlike
when facing cybercrime, as they may believe they are not likely targets traditional forms of crime, cybercrime transcends geographical bound­
for cyberattacks. This myopic perspective results in low investments in aries and physical constraints, enabling perpetrators to target victims
cybersecurity. However, the reality shows that 40% of SMEs experience and commit illegal acts worldwide (Brenner, 2010; Walden, 2005). This
cyber impacts as a consequence of these cybercrimes (GOV.UK, 2023). characteristic of cybercrime challenges traditional notions of jurisdic­
Networks are not only filled with targeted attacks, but a high percentage tion, law enforcement, and governance, creating complex legal and
of them are automated and indiscriminate, potentially affecting any regulatory issues in addressing cybercriminal activities. Cybercriminals
company (Benz and Chatterjee, 2020). On the other hand, the percep­ exploit software vulnerabilities, network weaknesses, and digital infra­
tion of fear and concern about cybercrime is, in itself, a harm (Cook structure to conduct a wide range of illegal activities, including hacking,
et al., 2023; Brands and van Wilsem, 2021). It may lead SMEs to avoid malware distribution, identity theft, fraud, phishing, and cyber espio­
reasonably probable real damages, causing a deterrent in participating nage (Wall, 2007). These activities not only pose significant risks to
in networked economic activities. Therefore, understanding how SMEs individuals, organizations, and governments but also have far-reaching
perceive the cybercrime threat and the factors influencing these per­ implications for trust, privacy, and security in cyberspace. In this study,
ceptions is a crucial element. This understanding is vital not only for cybercrime is defined as a collection of illicit activities that utilize digital
addressing cybersecurity in SMEs but also for comprehending the eco­ technologies, networks, and computer systems as tools, targets, or me­
nomic and social implications that cybercrime may bring about. diums for unlawful actions.
This paper contributes to the field by applying Cyberspace Theory to Understanding cybercrime within the framework of cyberspace
analyse the perception and response of SMEs to cybercrime. The analysis theory entails examining its various dimensions, encompassing its ef­
focuses on understanding the factors influencing fear in SMEs, fects on individuals, societies, and the broader digital ecosystem
concluding in a taxonomy that characterizes different SME profiles. The (Papakonstantinou, 2010; Wall, 2007). Applying this theory to cyber­
study not only identifies managerial implications emphasizing robust crime in SMEs requires not only analysing the motives driving cyber­
cybersecurity measures and dynamic risk assessments but also un­ criminal behaviour but also scrutinizing the practices and operations
derscores political implications, advocating for policy support, infor­ within these organizations, as well as the factors that render them sus­
mation sharing, regulatory compliance, public awareness, and capacity- ceptible to cyber threats. Cybercriminals can range from individual
building initiatives. Overall, the paper enriches both theoretical and hackers and organized criminal groups to state-sponsored actors
practical perspectives on cybersecurity within the SME sector. engaged in cyberwarfare (Brenner, 2010). Cybercrime operates on a
global scale, transcending geographical borders (Walden, 2005). Crim­
inals can launch attacks from one part of the world and target victims in
another. The international nature of cybercrime poses challenges for

2
M.F. Arroyabe et al. Computers & Security 141 (2024) 103826

regulatory and law enforcement agencies in terms of jurisdiction and emerge over time.
coordination (Walden, 2005; Wall, 2007). Finally, cybercriminals exploit vulnerabilities within SMEs to engage
Cybercriminals target individuals, businesses, governments, and in activities with the potential for financial gains, compromise of data, or
critical infrastructure. Thus, cybercriminals find various motivations for disruption of digital operations. These criminals employ a diverse array
cybercrime. In the literature, numerous reasons are identified for which of methods, encompassing the exploitation of software vulnerabilities,
cybercriminals may exploit vulnerabilities in companies (ENISA, 2020). social engineering, phishing emails, ransomware attacks, and the utili­
These reasons include economic gains, espionage, data theft, extortion, zation of botnets (ENISA, 2020; Fernandez de Arroyabe et al., 2023a).
and more. No sector is immune to cyber threats, ranging from oppor­ The ever-evolving nature of technology creates fertile ground for the
tunistic and indiscriminate attacks to sophisticated and highly selective development of novel attack-vectors. Additionally, Choo (2011) em­
campaigns against specific entities (Fernandez de Arroyabe et al., phasizes internal vulnerabilities within a company, which pertain to
2023b). These crimes may involve unauthorized access, disruption, or weaknesses or gaps in the organization’s internal systems, processes, or
manipulation of information and digital assets. As seen in Table 1, the practices that could be exploited by malicious actors. These vulnera­
scope of cybercrime extends across a broad spectrum of activities, bilities may exist at various levels, including technology, personnel, and
including hacking, identity theft, online fraud, malware attacks, procedures. Table 3 shows some common internal vulnerabilities of the
denial-of-service (DoS) attacks, phishing, and the distribution of mali­ companies (ENISA, 2020).
cious software, for example (ENISA, 2020).
Regarding the mechanism employed by cybercriminals to execute 2.2. SME and cybercrime: research questions
cybercrime, they leverage the interconnected nature of businesses and
the increasing volume of activities that SMEs are conducting online, As previously mentioned, SMEs play a significant social and eco­
thereby intensifying their exposure to cybersecurity incidents. Conse­ nomic role in society, with estimates suggesting that more than 90% of
quently, businesses find themselves susceptible to cyberattacks, which businesses in Europe fall into this category (Bella et al., 2023). In terms
are continuously growing in sophistication and diversifying, making it of their contribution to employment and GDP, SMEs account for
challenging for companies to safeguard their systems (Fernández De approximately 40% and 60%, respectively. However, despite their
Arroyabe and Fernández de Arroyabe, 2023; Conteh and Schmick, importance, SMEs are not immune to the threat of cybercrime. In fact, it
2016). Cybersecurity attacks can manifest in various ways, contingent has been observed that over 40% of SMEs have experienced cyber­
on the attacker’s objectives, the execution method, and the identity of attacks. Additionally, research indicates that 75% of SMEs would
the perpetrator. The literature identifies different types of adversaries struggle to continue operating if they were targeted by ransomware
employing diverse techniques, including phishing, malware or web at­ attacks. Furthermore, nearly 40% of small businesses have reported
tacks, and the exploitation of vulnerabilities stemming from misman­ significant data loss following a cyberattack. Alarmingly, it has been
agement of computer systems within organizations. ENISA has found that 51% of small businesses affected by ransomware opt to pay
categorized several types of cyber-attacks (ENISA, 2020), with malware the ransom (Rahmonbek, 2024). These statistics confirm that SMEs are
representing 30% of all cyberattacks. Other attacks encompass assaults vulnerable to cybercrime and its detrimental effects.
on websites and domains to steal personal information and banking However, the perception of cybercrime in terms of fear is contra­
data, as well as phishing attempts seeking identity impersonation and dictory. Firstly, a subset of studies emphasizes that senior managers in
malware implementation. In addition to external threats, internal SMEs consider themselves not inclined to cybercrime, arguing that such
personnel can also instigate security breaches, either intentionally or attacks are primarily directed at large companies due to the perceived
inadvertently. ENISA (2020) underscores the significance of such insider limited returns on targeting SMEs (see for example, Fernandez de
threats, indicating that 77% of data leaks in companies result from in­ Arroyabe et al., 2023a). Consequently, cybercrime does not generate
cidents related to insider information. Table 2 presented here offers an concern within these SMEs. Following previous literature, this translates
overview of major cyberattacks, recognizing that it is not exhaustive, as into a lack of involvement by senior managers in IT security issues, as
cybercriminals continually refine and diversify their tactics, and new well as poor communication between IT departments and SME leader­
attack methods may emerge over time. It is crucial to acknowledge that ship (GOV.UK, 2023). For instance, in the context of a cyber breach,
cybersecurity threats evolve constantly, and novel attack methods may approximately 50% of SMEs exhibit limited investment in cybersecurity,
and the existence of cyberattacks and incidents is not ascertained (GOV.
UK, 2023). Similarly, it is noted that 40% of senior managers in SMEs
Table 1 either do not receive information about cybercrime or receive it only
Cybercrime targets companies (source ENISA, 2020). once a year. Secondly, another set of studies indicates that certain SMEs
Target Description invest in cybersecurity as they expand their online activities, driven by a
Financial Gain • Cybercriminals may attempt to steal sensitive financial perception of fear and concern regarding cybercrime. Lastly, empirical
information, such as credit card details or banking evidence suggests that certain SMEs curtail their online activities to
information, to make monetary gains. avoid exposure to networks and the potential dangers of cybercrime,
Corporate Espionage • Competitors companies or nation-states may engage in
resulting in a subsequent decline in economic activity. Therefore, in
cyberattacks to steal valuable intellectual property, trade
secrets, or research and development data. light of these contradictory perceptions of cybercrime within SMEs, our
Disruption of • Some cyberattacks are carried out with the sole purpose of primary research question seeks to investigate the fear in SMEs con­
Services: disrupting a company’s normal operations, causing cerning cybercrime:
financial loss and reputational damage.
Data Violation • Cybercriminals can target companies to gain access to Research question (RQ1). How do SMEs perceive cybercrime in terms of
personal or sensitive information, which they can then sell fear?
on the dark web or use for identity theft.
Political • Nation-states or politically motivated groups may carry The second question aims to investigate the factors influencing the
Motivations out cyberattacks to achieve geopolitical objectives, gather existence of fear regarding cybercrime. Thus, in addition to considering
intelligence, or disrupt the operations of rival nations.
the characteristics of SMEs, we will focus on three factors: the level of
Internal or Insider • Insiders, whether discontented employees or those with
Threats malicious intent, can intentionally or unintentionally digitization, previous experiences of cybercrime, and the impact suf­
compromise a company’s security. fered by the SME as a result of attacks.
Extortion • Cybercriminals may threaten to reveal sensitive or Firstly, we will analyse how the activities conducted on the network
embarrassing information unless the company pays a impact the fear associated with cybercrime. In this regard, the digitali­
ransom or meets specific demands.
zation of businesses is primarily based on the adoption of emerging

3
M.F. Arroyabe et al. Computers & Security 141 (2024) 103826

Table 2
The main cyberattacks the companies (source ENISA, 2020).
• Malware: Short for malicious software, malware includes a variety of harmful software such as viruses, worms, trojan horses, ransomware, and spyware. Malware is designed to
disrupt, damage, or gain unauthorized access to computer systems.
• Phishing: Phishing attacks involve tricking individuals into providing sensitive information, such as usernames, passwords, and credit card details, by posing as a trustworthy entity.
Phishing is often carried out through emails, messages, or websites that mimic legitimate sources.
• Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks: These attacks aim to overwhelm a system, network, or website with excessive traffic, rendering it
unavailable to users. In a DDoS attack, multiple compromised computers are used to generate the traffic, making it more difficult to mitigate.
• Man-in-the-Middle (MitM) Attacks: In MitM attacks, an attacker intercepts and potentially alters the communication between two parties without their knowledge. This can occur
in various forms, including eavesdropping on Wi-Fi networks or intercepting data between a user and a website.
• SQL Injection: This type of attack targets the vulnerabilities in a website’s database by injecting malicious SQL code. Successful SQL injections can allow attackers to manipulate or
retrieve data from the database.
• Cross-Site Scripting (XSS): XSS attacks involve injecting malicious scripts into websites that are viewed by other users. These scripts can then execute in the context of the user’s
browser, potentially stealing information or performing actions on behalf of the user without their consent.
• Ransomware: Ransomware is a type of malware that encrypts a user’s files and demands payment (usually in cryptocurrency) in exchange for the decryption key. It can severely
impact individuals and organizations, denying access to critical data until the ransom is paid.
• Zero-Day Exploits: Zero-day exploits target vulnerabilities in software or hardware that are unknown to the vendor or not yet patched. Attackers exploit these vulnerabilities before
they are discovered or fixed.

poorly protected device connected online potentially impacts the secu­

Table 3
rity and resilience of the company (Corallo et al., 2020; Kabanda et al.,
The main vulnerabilities in the companies (source ENISA, 2020).
2018). Therefore, it is expected that the activities on the internet of
Vulnerability Actions SMEs may influence the fear and concern regarding cybercrime.
Weak Passwords • Weak or easily guessable passwords can provide Secondly, it is expected that previous experiences will impact the
unauthorized access to sensitive systems or data. fear towards cybercrime. The occurrence of prior attacks should increase
Insufficient Access Controls • Inadequate access controls may lead to employees
the perception of cybercrime in SMEs for various reasons. Firstly, SMEs
having more access privileges than necessary for
their roles. with limited cybersecurity resources may lack dedicated personnel or
Outdated Software and • Failure to regularly update and patch software and comprehensive cybersecurity measures, making them more vulnerable
Systems systems leaves them vulnerable to exploitation by to attacks (Arroyabe et al., 2024). The fear of being ill-prepared to
known vulnerabilities. defend against sophisticated cyber threats can be a source of concern for
Lack of Security Training • Employees who are not adequately trained in
cybersecurity awareness may fall victim to social
these businesses. Secondly, many SMEs heavily rely on digital opera­
engineering attacks. tions for various aspects of their business, including communication,
Insider Threats • Employees with malicious intent can pose a transactions, and interactions with customers (Horváth and Szabó,
significant threat. 2019; Masood and Sonntag, 2020). A successful cyberattack can disrupt
Inadequate Network • Poorly secured wireless networks can be exploited by
these operations, instilling fear about potential impacts on daily busi­
Security attackers to gain unauthorized access to the
organization’s internal network. ness activities. Due to concerns about data loss and privacy, SMEs often
Unrestricted Use of • Allowing unrestricted use of USB drives or other handle confidential business and customer data. The fear of losing this
Removable Media removable media can lead to data leakage. data due to a cyberattack not only has financial implications but also
Insecure Configuration • Failure to change default settings on hardware, raises concerns about privacy and compliance with data protection
Settings software, or network devices may expose
regulations. Thirdly, SMEs may be part of larger supply chains (Fer­
vulnerabilities that attackers can exploit.
Inadequate Incident • The lack of a well-defined incident response plan can nandez de Arroyabe et al., 2023). Cyberattacks targeting suppliers or
Response Planning result in delays in identifying, containing, and partners can have a cascading effect on SMEs, generating fears about the
mitigating the impact of a security incident. security and resilience of the entire business ecosystem. Lastly, in some
Poor Physical Security • Insufficient controls to prevent unauthorized
cases, SMEs may have limited awareness of cybersecurity best practices
personnel from accessing physical facilities or critical
infrastructure can lead to security breaches. and the evolving threat landscape (Kabanda et al., 2028; Bertino et al.,
Data Storage and • Storing or transmitting sensitive data without 2016). Fear of the unknown, coupled with a lack of knowledge about
Transmission Insecurity encryption increases the risk of data interception or potential cyber risks, can contribute to heightened concerns. Therefore,
unauthorized access. it is expected that SMEs’ previous experiences with cybercrime may
Vendor and Third-Party • Using third-party services or products without
affect the fear and concern regarding cybercrime.
Risks thoroughly vetting their security practices can
introduce vulnerabilities into the organization’s Finally, not only can experiences affect SMEs’ perception of cyber­
environment. crime, but also being the target of attacks, with the consequent impact
on SMEs, should influence the perception of cybercrime. Cyberattacks
can significantly impact the fear of SMEs for various reasons (ENISA,
technologies and the intensive use of networks (Masood and Sonntag, 2020). Firstly, the financial impact of a cyberattack, including costs
2020; Dabrowska et al., 2022). While digitalization has a significant related to remediation, potential legal actions, and loss of business, can
impact on innovation and business productivity (Dalenogare et al., be more severe for SMEs. This financial strain can induce fear and
2018; Nambisan et al., 2020; Manesh et al., 2020) and involves the anxiety about the business’s sustainability. Secondly, SMEs often
interconnection of businesses, enabling the permeability of social net­ heavily depend on their reputation within their local communities or
works and facilitating access to information or new markets (Moeuf market niches; a cyberattack causing data breaches or service in­
et al., 2019; Vial, 2021), it also poses a greater exposure of companies to terruptions can damage the trust that customers, partners, and stake­
cybersecurity incidents resulting from vulnerabilities in the use of in­ holders have in the SME. The fear of reputation damage can be a major
formation technologies, presenting security challenges (Arroyabe et al., concern.
2024; Fernández de Arroyabe et al., 2023b; Benz and Chatterjee, 2020; Therefore, we believe that both the level of activities on the internet,
Lezzi et al., 2018). Thus, for classic attacks like spyware, malware, previous experiences with cybercrime, and the economic and social
denial-of-service (DoS), ransomware, or phishing, the interconnected impact of cyberattacks can influence SMEs’ perception in terms of fear.
devices of SMEs can serve as potential entry points for cybersecurity As a result, we pose the following research question:
incidents (Choo, 2011; Fernández de Arroyabe and Fernández de
Arroyabe, 2023). The connected nature of networks means that every RQ2. How do the activities on the internet, previous experiences, and the

4
M.F. Arroyabe et al. Computers & Security 141 (2024) 103826

impact of cyber incidents affect the existence of fear regarding cybercrime in Table 5
SMEs? Sector of Activity (NACE) –Sections grouped.
Sector Frequency %
3. Methodology Manufacturing (C) 2094 16.3
Retail (G) 3925 30.5
3.1. Database Services (H/I/J/K/L/M/N/P/Q/R) 4985 38.8
Industry (B/D/E/F) 1859 14.5
Total 12,863 100.0
To empirically explore the research questions, we use the database
from Eurostat, Flash Eurobarometer No. 496, which is conducted for the
European Commission (Eurostat, 2022). This specific survey covers
cybercrime, cyber incidents, and digitalisation in SMEs, with a sample of Table 6
12,863 SMEs. The fieldwork was conducted between November and Number of employees.
December 2021. Interviews were conducted by phone in their respective Employees Frequency %
national languages. The geographical scope of the database includes the <10 employees 6699 52.1
27 countries of the EU. In Tables 4, 5 and 6, we see the distribution of the 10 to 49 employees 3934 30.6
sample by geographical area, sector and size. 50 to 249 employees 2230 17.3
Total 12,863 100.0

3.2. Measures
online bank accounts; iv) Phishing, account takeover, or impersonation
attacks; v) Ransomware; vi) Unauthorized accessing of files or networks;
The first variable in our research model is the online activities con­
vii) Unauthorized listening into video conferences or instant messages;
ducted by SMEs. The question posed is, "Which of the following does
and viii) Any other breaches or attacks. The measurement scale is
your company currently have or use?" The question includes the
ordinal, with 1 indicating "very concerned," 2 "somewhat concerned,"
following multi-item options: i) An online bank account; ii) An online
and 3 "not at all concerned." Similar to the previous variable, the vari­
ordering and payment service for customers; iii) Online ordering or
able fear was constructed as a cumulative index of eight types of
payment systems of suppliers, consultants, or other business partners;
concerns.
iv) A website for your business; v) Web-based applications for payroll
The third group of measures includes variables that refer to the
processing, e-signature, etc.; vi) Cloud computing or storage; vii)
experience with cybercrime. The variables are measured using the
Internet-connected ’smart’ devices; viii) A company intranet; and ix) An
question: "Regarding the experience with cyber incidents, how was this
internet-based video or voice calling service. To measure the degree of
attack carried out?" Similar to the previous measures, the questionnaire
penetration of internet activities in SMEs, we created the variable ac­
employs a multi-item question: i) Exploiting software, hardware, or
tivities, constructed as a cumulative index of nine types of activities.
network vulnerabilities; ii) Password cracking; iii) Identity theft; iv)
The second measure is the fear of cybercrime. The question asks:
Scams and fraud; v) Malicious software; vi) Denial of service (false
"When using the internet for business-related activities, such as selling
traffic to overwhelm a website or network); and vii) Disruption or
goods or online banking, are you concerned about any of the following
defacing of web presence. Consistent with previous variables, the vari­
risks?" Similar to the previous measure, the questionnaire includes a
able experience was constructed as a cumulative index of seven previous
multi-item question: i) Viruses, spyware, or malware (excluding ran­
experiences.
somware); ii) Denial of service attacks; iii) Hacking (or attempts to hack)
Finally, the last variable refers to the impact of cybercrime on SMEs.
The question posed in the questionnaire is: "Still thinking about the
Table 4 serious incidents, how was your business impacted?" As in previous
Geographical distribution of the sample.
variables, the question is multi-item: i) Loss of revenue; ii) Loss of sup­
Country Frequency % pliers, customers, or partners; iii) Repair or recovery costs; iv) Ransom
FR - France 501 3.9 money; v) Prevented the use of resources or services; vi) Prevented
BE - Belgium 502 3.9 employees from carrying out day-to-day work; vii) Additional time
NL - The Netherlands 528 4.1 required to respond to the cybercrime incident(s); viii) Damage to the
DE - Germany 501 3.9
reputation of the company; and ix) Discouraged us from carrying out an
IT - Italy 505 3.9
LU - Luxembourg 253 2.0 activity that was planned. We have also created a new variable, impact,
DK - Denmark 510 4.0 as a result of the cumulative index of impacts.
IE - Ireland 507 3.9 Additionally, we have controlled our analysis with a series of control
GR - Greece 502 3.9
variables. These are:
ES -Spain 505 3.9
PT - Portugal 511 4.0 The first control variable is the size, which is measured on a scale of 1
FI - Finland 502 3.9 to 3, where 1 represents microenterprises (1 to 9 employees), 2 repre­
SE - Sweden 500 3.9 sents small enterprises (10 to 49 employees), and 3 represents medium-
AT - Austria 503 3.9 sized enterprises (50 to 249 employees).
CY - Cyprus (Republic) 251 2.0
The second control variable is the age of the company. We used a
CZ - Czech Republic 504 3.9
EE - Estonia 503 3.9 Likert scale, where respondents were asked, "How long has your com­
HU - Hungary 501 3.9 pany been in business?" The options include 1 for a company with an age
LV - Latvia 500 3.9 of less than 1 year, 2 for a company with an age between 1 and 5 years, 3
LT - Lithuania 504 3.9
for a company with an age between 6 and 10 years, and 4 for a company
MT - Malta 252 2.0
PL - Poland 504 3.9 with an age of more than 10 years.
SK - Slovakia 500 3.9 The third control variable is the revenue of the company. The
SI - Slovenia 500 3.9 question included in the questionnaire is: "What was your company’s
BG - Bulgaria 511 4.0 total turnover in 2020?" The response follows a Likert scale, where 1
RO - Romania 502 3.9
represents SMEs with a revenue of less than 25,000 euros, 2 represents
HR - Croatia 501 3.9
Total 12,863 100.0 more than 25,000 to 50,000 euros, 3 represents more than 50,000 to

5
M.F. Arroyabe et al. Computers & Security 141 (2024) 103826

100,000 euros, 4 represents more than 100,000 to 250,000 euros, 5 Table 8

represents more than 250,000 to 500,000 euros, 6 represents more than Distribution of accumulative activities on the Internet of SMEs.
500,000 to 2 million euros, 7 represents more than 2 to 10 million euros, Value Frequency %
8 represents more than 10 to 50 million euros, and 9 represents more
.00 325 2.5
than 50 million euros. 1.00 782 6.1
The next control variable is the training received in the SME on 2.00 1146 8.9
cybercrime. The question included in the questionnaire is: "In the last 12 3.00 1681 13.1
months, has your company provided employees with any training or 4.00 2099 16.3
5.00 2017 15.7
awareness raising about the risks of cybercrime?" 6.00 1816 14.1
Finally, we have included a question about the ownership of IT de­ 7.00 1396 10.9
vices in the company or if they are personal devices used by employees 8.00 1069 8.3
for their activities. The question posed is: "Do employees in your com­ 9.00 532 4.1
Total 12,863 100.0
pany use personally-owned devices such as smartphones, tablets, lap­
tops, or desktop computers to carry out regular business-related
activities? This includes devices that are subsidized by your company."
Table 9
4. Analysis and results Experience in cybercrime in SMEs.
Experiences Frequency %
We first checked the robustness of the survey and the results. We Exploiting software, hardware, or network vulnerabilities 830 6.5
performed checks of the survey to verify the robustness of the ques­ Password cracking 672 5.2
tionnaires and answers, testing the common method variance and Identity theft 578 4.5
common method bias, following the method of Podsakoff et al. (2003). Scams and fraud 1143 8.9
Malicious software 1151 8.9
The analysis has identified nine distinct constructs that collectively ac­
Denial of service (false traffic to overwhelm website or 504 3.9
count for 57.94% of the variance. The first factor accounts for 13.30% of network)
the variance, which is in line with the recommended threshold of 50%. Disruption or defacing of web presence 457 3.7
Consequently, we can infer that common method variance and common
method bias are not significant concerns in our findings.
Before analysing the research questions, we conducted a descriptive Table 10
analysis of our results, evaluating both the internet activities of SMEs Impact of cybercrime on the SMEs.
and their previous experience with cybercrime, as well as its impact in
Impact Frequency %
economic and social terms. In Table 7, we present the results of the
activities carried out by the companies on the internet. Overall, we Loss of revenue 476 3.7
Loss of suppliers, customers, or partners 240 1.9
observe that basic activities such as having an online bank account Repair or recovery costs 993 7.7
(81.8%), having a website (74.6%), and having a connected smart de­ Ransom money 232 1.8
vice (64.9%) are the most common amongst SMEs. The remaining ac­ Prevented the use of resources or services 871 6.8
tivities, such as payment systems, cloud storage, or the use of an Prevented employees from carrying out day-to-day work 976 7.6
Additional time required to respond to the cybercrime incident 1507 11.7
intranet, example, are utilized by less than 50% of the companies in the
(s)
sample. Going deeper into the analysis of activities conducted on the Damage to the reputation of the company 325 2.5
internet, Table 8 shows the cumulative distribution of these activities. Discouraged us from carrying out an activity that was planned 553 4.3
From the results, we can note that the highest percentage of cumulative
activities in a company corresponds to 4 (16.3%) or five activities
(15.7%), and to a lesser extent, some companies engage in 3 or six ac­ Regarding the analysis of RQ1, which focuses on the existence of fear
tivities on the Internet. about cybercrime in SMEs, Table 11 presents the results of fear about
In Tables 9 and 10, we present the results of SMEs’ experience with potential cybercrime. This table examines the diverse typology of
cybercrime and the impact suffered by these companies. Overall, we cybercrime used by cyber attackers and, on the other hand, the degree of
observe that in both tables, the response is low, being less than 10% of concern. Overall, we observe fear or concern in more than 75% of SMEs,
SMEs, except for attacks on software, hardware, and network vulnera­ indicated by the fact that in the majority of cybercrime cases, the level of
bilities, which are close to 25% of the companies. Regarding the impact unconcern is less than 25%. We also observe a fairly balanced distri­
of cybercrime on SMEs, we see a diversity of damages, including eco­ bution of the types of cybercrime used, indicating how cybercriminals
nomic aspects such as costs, operational repair, or theft. We also observe are diversifying their cybercrime tactics.
other types of damages such as loss of reputation and acting as a Regarding RQ2, which investigates how the level of internet activ­
deterrent to potential activities. ities, experience, or the impact of cybercrime affects the fear or concern
of SMEs, Tables 12 and 13 present the results of the regression analyses.
In Model 4 of Table 12, it is evident that previous experiences
Table 7 (β=− 0.203; p < .001), impact (β=− 0.150; p < .001), and the degree of
Activities in internet develops for the SMEs. internet activities (β=0.046; p < .005) undertaken by SMEs have a
Activities N %
positive impact on the fear of cybercrime in SMEs. Table 12 displays the
marginal effects of each independent variable. Overall, we observe that
An online bank account 10,416 81.8
all three functions are monotonically increasing, indicating a growing
An online ordering and payment service for customers 4687 36.4
Online ordering or payment systems of suppliers, consultants or 5546 43.1 effect on the dependant variable as the independent variable increases.
other business partners However, we note that the trajectory of the variable differs across the
A website for your business 9597 74.6 range of the variables. While the level of internet activities has a com­
Web-based applications for payroll processing, e-signature etc. 6394 49.7
plete range across the variable, experiences and impact variables have a
Cloud computing or storage 5883 45.7
Internet-connected ‘smart’ devices 8347 64.9
limited range within the lower values of the variable. In terms of the
A company intranet 4572 35.5 robustness of the regression models, we ruled out the existence of
An internet-based video or voice calling service 5164 40.1 collinearity between independent variables, as evidenced by the

6
M.F. Arroyabe et al. Computers & Security 141 (2024) 103826

Table 11
Level of fear about cybercrime.
Typology of fear Very concerned Somewhat Not at all

Frequency % Frequency % Frequency %

Viruses, spyware or malware (excluding ransomware) 3466 26.9 5906 45.9 3255 25.3
Denial of service attacks 5338 41.5 4918 38.2 1889 14.7
Hacking (or attempts to hack) online bank accounts 4383 34.1 4945 38.4 3358 26.1
Phishing, account takeover or impersonation attacks 3837 29.8 5584 43.4 3245 25.2
Ransomware 4843 37.7 4854 37.7 2455 19.1
Unauthorised accessing of files or networks 4419 34.4 5588 43.4 2653 20.6
Unauthorised listening to video conferences or instant messages 7081 55.0 3845 29.9 1548 12.0
Any other breaches or attacks 4325 33.6 5900 45.9 2200 17.1

Table 12
Regression analysis of fear.
Variables Model 1 Model 2 Model 3 Model 4 Model 4 VIF

Estimate Error Estimate Error Estimate Error Estimate Error Estimate Error

SIZE .193*** .025 .161*** .025 .149*** .044 .102* .044 .139** .044 1.360
SENIORITY .082** .025 .079** .025 .118** .047 .119* .047 .131** .047 1.060
REVENUE − 0.029*** .007 − 0.033*** .007 − 0.027* .003 − 0.025** .003 − 0.020** .003 1.338
TRAINING .000** .000 .000** .000 .000* .000* .000 .000 .000** .000 1.004
DIGITALISATION .054*** .008 .046** .015 1.101
EXPERIENCE .287*** .027 .203*** .029 1.232
IMPACT .196*** .017 .150*** .019 1.239
− 2 Log Likelihood 11,946.740 23,240.781 8830.028 9687.224 16,781.282
Chi-Square 95.970 141.182 135.361 149.040 204.099
Sig. .000 .000 /000 .000 .000
Cox and Snell .009 .013 .040 .044 .059
Nagelkerke .009 .013 .040 .044 .060
McFadden .002 .002 .007 .008 .011

Variance Inflation Factor (VIF) being less than 2 for all variables. see the mean values of experience and the impact of cybercrime on SMEs
Similarly, we addressed the issue of autocorrelation bias in residuals based on each cluster. Cluster 2 has the lowest mean values, while
with the dependant variable using the Durbin-Watson test. Cluster 4 has the highest values for impact and experience. Furthermore,
Once we determined how experience, impact, and the level of Clusters 1 and 3 have mean values for impact and experience with
internet activities affect fear of cybercrime, we conducted an explor­ cybercrime.
atory analysis to classify SMEs into different groups based on the To control the results of the cluster analysis, we show in Figs. 3 and 4
perception of fear. The objective was to obtain a taxonomy of cyber­ the mean values of control variables (size, turnover, seniority, sector,
crime and fear. Using the K-mean Cluster as a statistical model (Dudek, and country), classified by cluster, using them as variables. Overall, we
2020; Mamat et al., 2018), we proceeded in two stages. First, the input observe similar characteristics in the four clusters, with a slight variation
variables for K-means were the degree of fear or concern and the ac­ in the turnover of the companies. In the case of Cluster 3, we see a slight
tivities carried out on the internet. Second, we selected the most robust difference compared to the other clusters. To clarify this result, we
solution using Silhouette analysis (Dudek, 2020; Mamat et al., 2018). conducted an ANOVA analysis, using turnover as the variable and the
This analysis allows us to determine the robustness of the cluster solu­ cluster of belonging as a control variable, and found no significant dif­
tion, the cohesion of each cluster, and the separation of groups. The ferences between clusters, ruling out the existence of bias.
silhouette index takes values in the range [− 1, 1], with values closer to 1 Lastly, Fig. 5 presents the average results of actions undertaken by
indicating a more solid solution. After obtaining the Silhouette index, SMEs to manage cybersecurity and cybercrime. Variables such as
the four-cluster solution has a higher Silhouette value (0.67). Addi­ training conducted by SMEs in the last 12 months on the risks of
tionally, we conducted a complementary analysis using the Bayesian cybercrime are shown, and the second variable indicates whether SMEs
Schwarz criterion (Kass, 1995; Fraley and Raftery, 2002), and the results use employees’ IT devices. We observe significant variability in training
confirm that the three-cluster solution is the most robust in terms of about the risks of cybercrime amongst clusters, with Cluster 2 being the
cohesion and separation. one that has intensively engaged in training activities within the SME.
The results of the K-means cluster analysis show that SMEs are Moreover, we see that this same cluster is the one that most extensively
grouped into four clusters. Furthermore, we conducted a robustness utilizes employees’ devices compared to the other clusters. However,
check of the analysis through ANOVA, and the results show a significant Cluster 4 is characterized by the lowest level of training and the use of
difference in the degree of fear and activities conducted on the internet personal devices in internet activities.
based on the SMEs’ membership in each cluster. Tables 14, 15 and 16
display the ANOVA analysis, the number of companies each cluster 5. Discussion
encompasses, and the main values of each cluster.
In Fig. 1, we present the mean values of the variables fear and The application of Cyberspace Theory to cybercrime in SMEs has
internet activities based on SMEs’ membership in each cluster. In more enabled us to establish a framework for characterizing cybercrime. In
detail, we observe that Cluster 4 has a higher level of fear than all the contrast to earlier studies that focused either on cyberattacks or cyber­
clusters, followed by Cluster 3 and then Cluster 1, with the lowest level security measures (see for example, Fernandez de Arroyabe et al.,
of fear in Cluster 2. We also display the level of activities conducted on 2023b), the application of Cyberspace Theory has enabled us not only to
the internet, noting that the lowest value corresponds to Cluster 3, with a examine the motives and objectives behind the existence of cybercrime
similar level in the other three clusters. On the other hand, in Fig. 2, we but also to scrutinize the routines and activities within these

7
M.F. Arroyabe et al. Computers & Security 141 (2024) 103826

Table 13
Regression analysis of marginal values.
Variables Model 1 Model 2 Model 3 Model 4 Model 4 Model 5
Estimate Error Estimate Error Estimate Error

SIZE .165*** .025 .146** .044 .093* .044

ANTIGUEDAD .076** .025 .115* .047 .123** .047
REVENUE − 0.033*** .007 − 0.026* .013 − 0.024* .013
TRAINING .000** .000 .000** .000 .000** .000
[DIGITALISATION=0.00] − 0.758*** .137
[DIGITALISATION=1.00] − 0.423*** .106
[DIGITALISATION=2.00] − 0.418** .099
[DIGITALISATION=3.00] − 0.237** .093
[DIGITALISATION=4.00] − 0.151* .090
[DIGITALISATION=5.00] − 0.132* .090
[DIGITALISATION=6.00] − 0.140* .090
[DIGITALISATION=7.00] − 0.120 .093
[DIGITALISATION=8.00] − 0.055 .096
[DIGITALISATION=9.00] 0a .
[EXPERIENCE=0.00] − 1.554*** .508
[EXPERIENCE=1.00] − 1.156*** .505
[EXPERIENCE=2.00] − 0.958** .507
[EXPERIENCE=3.00] − 0.592 .513
[EXPERIENCE=4.00] − 0.196 .532
[EXPERIENCE=5.00] − 0.155 .576
[EXPERIENCE=6.00] .047 .630
[EXPERIENCE=7.00] 0a .
[IMPACT=0.00] − 1.743*** .619
[IMPACT=1.00] − 1.255*** .620
[IMPACT=2.00] − 1.133** .621
[IMPACT=3.00] − 1.119* .624
[IMPACT=4.00] − 0.826 .627
[IMPACT=5.00] − 0.665 .635
[IMPACT=6.00] − 0.466 .647
[IMPACT=7.00] − 0.541 .671
[IMPACT=8.00] − 0.561 .846
[IMPACT=9.00] 0a .
− 2 Log Likelihood 3224.401 8825.465 9669.907
Chi-Square 157.562 139.924 166.358
Sig. .000 .000 .000
Cox and Snell .014 .041 .049
Nagelkerke .014 .041 .049
McFadden .003 .008 .009

et al., 2023a), we can confirm that cybercrime encompasses a broad

Table 14
spectrum of activities, including computer hacking, identity theft, online
ANOVA analysis.
fraud, malware attacks, denial-of-service (DoS) attacks, phishing, and
Variables Sum of Squares Mean Square F Sig. malicious software distribution, all seeking economic gains, espionage,
ACTIVITIES 5162.531 1720.844 379.498 .000 data theft, extortion, etc., being amongst the most prevalent. Our results
4,922,2.2,38 4.535 reveal that cybercrime diversifies its attack methods, continuously
5,438,4.7,69
growing in sophistication and diversity, making it challenging for
FEAR 190,163.223 63,387.741 19,150.443 .000
3,592,9.9,22 3.310 companies to defend themselves (Fernández De Arroyabe and Fernández
22,609,3.1,46 de Arroyabe, 2023; Jensen et al., 2021; Conteh and Schmick, 2016).
Moreover, our findings confirm existing literature (Fernandez de
Arroyabe et al., 2023a), indicating that SMEs are potential targets of
Table 15 cybercrime. Similarly, our results show that no sector is immune to
Distribution of the number of employees for clusters. cyber incidents, ranging from opportunistic and indiscriminate attacks
to sophisticated and highly selective campaigns against specific entities.
Cluster Frequency %
In contrast to prior works that pointed to a sectorial bias towards IT
1 5325 41.4 technology sectors (Kabanda et al., 2018; Lezzi et al., 2018; Mirtsch
2 3638 28.3
et al., 2020; Nam, 2019), our results demonstrate that all sectors are
3 785 6.1
4 1111 8.6 susceptible to potential attacks due to the increasing prevalence of
Missing 2004 15.6 internet activities. Thus, we observe that the means employed by
Total 12,863 100.0 cybercriminals to execute cybercrime are rooted in the interconnected
nature of businesses and the rising trend of internet activities within
SMEs, thereby heightening their exposure to cyber incidents. Conse­
organizations, as well as the factors contributing to their vulnerability to
quently, our results illustrate that cybercriminals exploit the vulnera­
cyber threats. The application of Cyberspace Theory to cybercrime in
bilities of SMEs to commit crimes that impact the SME, whether through
SMEs facilitates a comprehensive characterization of cybercriminals and
financial gains, compromising data, or disrupting digital operations.
cybercrimes (Cook et al., 2023; Choi et al., 2021). Specifically, our
Concerning the analysis of Research Question 1 (RQ1), which re­
findings demonstrate that cybercriminals employ numerous methods
volves around the presence of fear and concern regarding cybercrime in
through which attackers can exploit vulnerabilities in companies.
SMEs, the findings related to fear and concern about potential
Consistent with prior research (ENISA, 2020; Fernandez de Arroyabe

8
M.F. Arroyabe et al. Computers & Security 141 (2024) 103826

Table 16
Mean Values of Clusters.
VARIABLES RANGE CLUSTER 1 CLUSTER 2 CLUSTER 3 CLUSTER 4

Minimum Maximum Mean Mean Mean Mean

FEAR 0.00 24.00 15.889 9.8397 19.860 23.592

ACTIVITIES .00 9.00 5.010 4.952 3.348 5.672
EXPERIENCE .00 7.00 1.370 1.140 1.477 1.674
IMPACT .00 9.00 1.688 1..095 1.663 2.193
TOTAL SMES 5325 3638 785 1111

Fig. 1. Mean values of Fear and Activities by Cluster.

Fig. 2. Mean values of Experience and Impact by Cluster. Fig. 3. Mean values of Employees, Seniority and Turnover.

cybercrime reveal a high degree of fear, shedding light on the ongoing economic activity (Fernandez de Arroyabe and Fernandez de Arroyabe,
debate surrounding the perception of cybercrime in terms of fear and 2023).
concern (Fernandez de Arroyabe et al., 2023b). As we have indicated, Regarding RQ2, which investigates the factors influencing SMEs in
our results indicate that SMEs are potential targets for cybercrime, experiencing fear and concern regarding cybercrime, our findings
thereby clarifying the stance of a certain body of literature that asserted brighten key aspects of this intricate relationship. Firstly, our results
SMEs believed they were not targets for cyberattacks. Our results are in affirm how internet activities impact the fear associated with cyber­
line with previous works that demonstrate that the interconnected na­ crime. The interconnectivity stemming from companies’ internet activ­
ture of business networks and the increased level of internet activities ities exposes them to cybersecurity incidents arising from vulnerabilities
render all SMEs potential targets (Mirtsh et al., 2020; Nam, 2019). in information technology usage, presenting security challenges
Additionally, we validate prior research by noting that certain SMEs (Arroyabe et al., 2024; Fernández de Arroyabe et al., 2023a,b; Benz and
restrain their online activities to mitigate exposure to networks and the Chatterjee, 2020; Sule et al., 2021; Lezzi et al., 2018). Classic cyber
potential dangers of cybercrime, resulting in a subsequent decline in threats such as spyware, malware, denial-of-service (DoS), ransomware,

9
M.F. Arroyabe et al. Computers & Security 141 (2024) 103826

stakeholders have in the SME. Therefore, fear of reputational harm can

be a significant concern.
Continuing with Research Question 2 (RQ2), our results allow us to
formulate a taxonomy on the perception of cybercrime in SMEs based on
the explored clusters. The taxonomy provides a nuanced understanding
of how different clusters of SMEs perceive and respond to cybercrime,
considering factors such as fear, internet activities, impact, experience,
and cybersecurity actions. Initially, we observed variability in the
perception of fear related to cybercrime, and our findings enabled us to
determine that this variability is derived from the internet activities
conducted by SMEs, as well as their experiences and the impact of
cybercrime. However, we note that fear is independent of SME charac­
teristics such as size, sector, revenue, etc. Additionally, our observations
indicate the significance of cybersecurity training in addressing the risks
of cybercrime, along with the utilization of IT devices by workers. Below
Fig. 4. Mean values of Sector and Countries by Cluster. we show the taxonomy of the Perception of Cybercrime in SMEs by
Clusters:
or phishing find potential entry points through interconnected devices in Cluster 1. Balanced Engagement Cluster (Moderate Fear, High Internet
SMEs (Choo, 2011; Fernandez De Arroyabe and Fernandez de Arroyabe, Activities, Moderate Impact and Experience)
2023). The interconnected nature of digitization signifies that each
inadequately protected device online potentially impacts the security Cluster 1 identifies a moderate level of fear regarding cybercrime,
and resilience of the enterprise (Corallo et al., 2020; Kabanda et al., attributed to engagement in internet activities and encounters with
2018). Secondly, our results demonstrate that prior experiences influ­ cyber threats, particularly considering their impact. This finding aligns
ence fear towards cybercrime. Previous cyberattacks intensify the with existing literature, which notes that SMEs operating within the
perception of cybercrime in SMEs, indicating that, on one hand, SMEs financial services sector tend to exhibit a moderate level of concern
with limited cybersecurity resources may lack dedicated personnel or about cybercrime (Yeboah-Ofori et al., 2019; Saban et al., 2021). This
comprehensive measures, rendering them more susceptible. Fear of concern is shaped by their level of involvement in online activities and
being ill-prepared to defend against sophisticated cyber threats becomes their experiences with cyber threats, especially regarding the conse­
a source of concern. On the other hand, many SMEs heavily rely on quences of such incidents. According to Moneva and Leukfeldt (2023),
digital operations for communication, transactions, and customer in­ SMEs in this sector adopt a balanced approach to their digital opera­
teractions. A successful cyberattack can disrupt these operations, insti­ tions, engaging in internet activities to a high extent. Moreover, these
gating fear about potential impacts on daily business activities. Lastly, SMEs experience a moderate level of impact from cybercrime and
our findings substantiate that not only experiences but also being a demonstrate an adequate level of proficiency in managing cybercrime
target of attacks, with ensuing impacts on SMEs, should affect the incidents, corroborating previous works (Moneva and Leukfeldt, 2023).
perception of cybercrime. Cyberattacks can significantly impact the fear They also participate to a moderate degree in cybercrime training pro­
and concerns of SMEs for several reasons. Our results align with the grams and advocate for the use of employee-owned devices in con­
literature indicating that the financial impact of a cyberattack, including ducting online activities, indicating a comprehensive strategy toward
costs related to remediation, potential legal actions, and loss of business, cybersecurity practices.
can be more severe for SMEs (ENISA, 2020). This financial strain can
generate fear and anxiety about business sustainability. Furthermore,
the fear of cybercrime can stem, from their reputation within local
communities or market niches; a cyberattack causing data breaches or
service interruptions can damage the trust that customers, partners, and

Fig. 5. Mean values of Personally-Owned Devices and Training by Cluster.

10
M.F. Arroyabe et al. Computers & Security 141 (2024) 103826

activities aimed at mitigating the risks associated with cybercrime. For

example, in the context of the retail sector, SMEs in this cluster display a
high level of fear that responds to changes in online activities (Salam
et al., 2021). This cautious approach is driven by the sector’s experi­
ences with cybercrime, particularly the tangible damages suffered.
Notably, the SMEs within this cluster demonstrate the lowest level of
engagement in internet activities, which, in line with Ibrahim et al.
(2017), allows us to conclude that these SMEs reflect a reactive posture
towards digital operations. Importantly, despite their lower involvement
in internet activities, the sector remains actively engaged in training
initiatives related to cybercrime risks, underscoring a steadfast
commitment to cybersecurity practices. This finding corroborates pre­
vious research, which emphasizes the importance of proactive training
efforts in enhancing SME cybersecurity (Moneva and Leukfeldt, 2023).
Cluster 4. Impactful Resilience Cluster (Highest Fear, Highest Internet
Activities, Highest Impact and Experience)
Cluster 2. Proactive Telecommuting Cluster (Lowest Fear, High Internet
Activities, Lowest Impact and Experience) Cluster 4 comprises companies exhibiting the highest levels of
internet activities along with significant experience in dealing with
Cluster 2 exhibits a notable pattern of high internet activity levels, cybercrime, particularly in terms of substantial damages incurred. As a
yet records the lowest average values for fear, experiences, and impact result, these companies demonstrate the highest fear levels regarding
compared to other clusters. This observation aligns with findings from cybercrime, yet they maintain an active approach toward the advance­
previous studies, such as those by Yeboah-Ofori et al. (2019) and Saban ment of online operations. However, this proactive stance is not as
et al. (2021), which highlight the paradoxical relationship between fear pronounced in their engagement with cybercrime training activities or
of cybercrime and engagement in online activities within SMEs, the utilization of IT devices by SME workers. For instance, within the
particularly in the manufacturing sector. Despite the low fear levels, this Healthcare sector, which serves as an illustrative example, SMEs in this
cluster demonstrates the highest involvement in training activities cluster exhibit the highest fear levels, influenced by their extensive
related to cybersecurity and the utilization of personal devices by em­ internet activities and extensive experience with cybercrime, particu­
ployees. This trend suggests a prevalent culture of telecommuting within larly concerning the significant damages incurred (Shah et al., 2019).
SMEs, wherein concerns about cybercrime risks may have been exter­ Rachh (2021) points out that in the health sector, SMEs engage in the
nalized (Ansong and Boateng, 2018). Moreover, the increased emphasis highest level of internet activities and demonstrate a proactive approach
on cybersecurity training could potentially mitigate these concerns. In to digital operations. They possess the highest levels of impact and
line with Caldeira and Wared (2002), within the manufacturing sector, experience with cybercrime incidents, highlighting their comprehensive
SMEs show the lowest fear levels despite their active participation in understanding of the associated challenges. However, despite their
high levels of internet activities. This indicates a nuanced perception of proactive attitude toward internet activities, the sector’s engagement
cybercrime risks, possibly influenced by organizational practices and with cybercrime training and the utilization of IT devices by employees
training initiatives. Additionally, the manufacturing sector’s high is comparatively less evident than in other sectors (Vuletić, 2017). This
engagement in online activities underscores its dependence on digital finding is consistent with prior research by Moneva and Leukfeldt
operations. (2023), which underscores the importance of a holistic approach to
cybersecurity readiness, encompassing both proactive measures and
employee training initiatives.

6. Conclusion

In conclusion, this study has applied Cyberspace Theory to analyse

cybercrime in SMEs, providing a comprehensive characterization of
cyber criminals and their activities. Unlike previous research focusing
solely on cyberattacks or cybersecurity measures, Cyberspace Theory
has allowed us to delve into the motives, objectives, routines, and vul­
nerabilities contributing to cyber threats. Our findings confirm the
diverse methods employed by cybercriminals, including computer
hacking, identity theft, online fraud, malware attacks, denial-of-service
(DoS) attacks, phishing, and malicious software distribution. Cyber­
crime continues to evolve in sophistication and diversity, posing chal­
lenges for SMEs to defend themselves.
Furthermore, our results reaffirm that SMEs are potential targets for
Cluster 3. Reactive Caution Cluster (High Fear, Lowest Internet Activ­
cybercrime across various sectors. Contrary to the notion that only
ities, Moderate Impact and Experience)
larger companies face significant cyber threats, our study demonstrates
Cluster 3 demonstrates the lowest level of engagement in internet that all sectors, due to increased internet activities, are susceptible to
activities compared to other clusters, suggesting that companies within cyber incidents. The interconnected nature of businesses and the
this cluster, characterized by a heightened fear of cybercrime, adopt a growing trend of internet usage heighten SMEs’ exposure to cyber
reactive approach to the evolving landscape of online operations. threats, as cybercriminals exploit vulnerabilities for financial gains, data
Following Wong et al. (2022), this reactive attitude may be influenced compromise, and disruptions to digital operations.
by the elevated levels of experience with cybercrime, particularly the Analysing research questions, our findings indicate a high degree of
tangible damages incurred by SMEs. However, despite their reactive fear amongst SMEs, challenging previous beliefs that SMEs are not prime
stance, these companies exhibit an active commitment to training targets. The interconnected nature of business networks and heightened

11
M.F. Arroyabe et al. Computers & Security 141 (2024) 103826

internet activities render all SMEs potential targets, impacting economic is essential. Given the interconnected nature of the digital environment,
activity. Moreover, we reveal that internet activities and prior experi­ SMEs should actively participate in collaborative initiatives within the
ences significantly influence fear and concern about cybercrime. cyber ecosystem. This involves sharing threat intelligence, adopting best
Cybersecurity incidents arising from internet activities expose SMEs to practices, and collaborating with industry peers to enhance overall
threats, while prior cyber attacks intensify fear. Being a target of attacks cybersecurity resilience. Lastly, having a proactive incident response is a
further impacts SMEs’ perception of cybercrime, with financial impli­ key factor. SMEs must develop and consistently update incident
cations and concerns about reputation within communities or market response plans to efficiently address and mitigate the impact of cyber
niches. incidents, thereby minimizing financial losses and reputational damage.
The formulated taxonomy based on explored clusters provides a Lastly, we have included political implications. Policymakers play a
nuanced understanding of how SMEs perceive and respond to cyber­ pivotal role in addressing cybercrime challenges faced by SMEs.
crime. The variability in fear is linked to internet activities, experiences, Recognizing the susceptibility of SMEs to cyber threats, policymakers
and the impact of cybercrime, independent of SME characteristics. The should formulate supportive policies. This may involve offering finan­
taxonomy highlights the significance of cybersecurity training and IT cial incentives for cybersecurity investments, developing training pro­
device utilization in addressing cyber threats. Overall, this study con­ grams, or establishing regulatory frameworks that foster a cybersecurity
tributes valuable insights for SMEs to enhance their cybersecurity stra­ culture. Governments can further contribute by creating information-
tegies and adapt to the evolving landscape of cyber threats. sharing platforms for SMEs to exchange insights on cyber threats and
A theoretical contribution to Cyberspace Theory in the realm of incidents. Facilitating collaboration amongst SMEs, larger enterprises,
cybercrime within SMEs involves integrating dynamic elements into this and governmental agencies enhances the overall cybersecurity resil­
framework. Thus, there is a necessity to introduce a temporal dimension ience. Policymakers should also focus on developing clear and attainable
to cybercrime, recognizing the evolving nature of cyber threats over regulatory frameworks concerning cybersecurity for SMEs. Compliance
time, including the cyclical tactics employed by cybercriminals and the with these regulations encourages the implementation of necessary
adaptive behaviours of both offenders and potential victims. The cybersecurity measures and cultivates a culture of cyber resilience.
extended theory introduces the concept of a suitable target, expanding Initiating public awareness campaigns is another avenue for govern­
its scope to encompass various components of cyberspace. This ac­ ments to educate SMEs about prevalent cyber threats and emphasize the
knowledges that not only the organization itself but also its digital as­ significance of cybersecurity, fostering proactive cybersecurity prac­
sets, online presence, and interconnected networks are pivotal factors. tices. Policymakers should invest in capacity-building initiatives for
The absence of capable guardians is not limited to physical presence; it SMEs, providing resources and support for the development of cyber­
also encompasses effective cybersecurity measures, incident response security capabilities. This includes training programs, access to cyber­
capabilities, and collaborative efforts within the cyber ecosystem. security experts, and financial assistance for adopting advanced
Additionally, considering the asymmetry of information in cyberspace technologies. In summary, the collaboration between managers and
becomes crucial, recognizing that potential offenders may possess a policymakers is paramount in effectively addressing cybercrime chal­
higher level of technical expertise, leaving SMEs lacking awareness and lenges in SMEs. While managers focus on cybersecurity measures,
understanding of evolving cyber threats. This information gap signifi­ employee training, and collaboration, policymakers play a vital role in
cantly influences routine activities, rendering SMEs more susceptible to creating a supportive regulatory environment, facilitating information
cybercrime. Furthermore, the enhanced Cyberspace framework in­ sharing, and building SME capacity to combat cyber threats effectively.
corporates the adaptability of cybercriminals, distinguishing them from While our study contributes valuable insights into the perception of
traditional criminals. Cyber offenders continually adjust their methods, cybercrime in SMEs, it is essential to acknowledge certain limitations.
presenting challenges for SMEs in predicting and defending against Firstly, the generalizability of our findings may be constrained due to the
potential threats. The routine activities of cybercriminals involve specific context and sample characteristics. The study focuses on SMEs
exploiting emerging vulnerabilities, staying informed about security within a certain geographic area and industry sectors, and variations
measures, and adapting to countermeasures. Finally, the Cyberspace across different regions or sectors may exist. Additionally, the use of a
framework introduces the concept of a cybersecurity culture within cross-sectional design limits our ability to establish causal relationships
organizations, evaluating how the routine activities of employees, their or capture changes over time. Longitudinal studies would provide a
awareness of cybersecurity practices, and the organizational emphasis more comprehensive understanding of the dynamics involved.
on security collectively contribute to overall resilience against cyber Furthermore, the reliance on self-reported data introduces the possi­
threats. A robust cybersecurity culture serves as a proactive guardian bility of response bias, as participants might underreport or over report
against potential cybercrime. By incorporating these dynamic elements, certain aspects. Future research could employ a mixed-methods
Cyberspace Theory evolves into a more comprehensive framework for approach or incorporate objective measures to enhance data validity.
comprehending cybercrime in SMEs. This adaptation addresses the Lastly, our study primarily emphasizes the quantitative aspect, and a
distinctive challenges posed by the rapidly changing nature of cyber qualitative exploration could offer a deeper understanding of the nu­
threats and the intricate interplay of factors within the digital ances surrounding SMEs’ experiences and perceptions of cybercrime.
environment. These limitations, while inherent to the study design, highlight areas for
As second contribution, we have developed managerial implications. potential refinement and further investigation in future research
SMEs must adopt and consistently update robust cybersecurity measures endeavours.
to counter the dynamic nature of cyber threats. This involves investing
in advanced technologies, providing regular employee training, and CRediT authorship contribution statement
fostering a cybersecurity culture within the organization. Additionally,
recognizing the influence of prior experiences on fear and concern, SMEs Marta F. Arroyabe: Writing – review & editing, Writing – original
should institute tailored training programs to augment the cybersecurity draft, Software, Methodology, Investigation, Formal analysis, Data
awareness and skills of employees. These programs should encompass curation, Conceptualization. Carlos F.A. Arranz: Writing – review &
not only basic security practices but also address specific threats and editing, Writing – original draft, Methodology, Investigation, Formal
vulnerabilities relevant to the organization. Conducting dynamic risk analysis, Data curation, Conceptualization. Ignacio Fernandez De
assessments is crucial for SMEs to adapt to the evolving cyber threat Arroyabe: Writing – review & editing, Writing – original draft, Vali­
landscape. This process entails regularly evaluating the organization’s dation, Methodology, Investigation, Formal analysis, Conceptualization.
online activities, potential vulnerabilities, and the efficacy of existing Juan Carlos Fernandez de Arroyabe: Writing – review & editing,
cybersecurity measures. Furthermore, engaging in collaborative efforts Writing – original draft, Supervision, Methodology, Formal analysis,

12
M.F. Arroyabe et al. Computers & Security 141 (2024) 103826

Data curation, Conceptualization. European Union, 2022. Eurostat, Flash Eurobarometer No. 496. Eurobarometer.
European Commission. https://europa.eu/eurobarometer/surveys/detail/2280.
Fernandez de Arroyabe, I.F., Arranz, C.F., Arroyabe, M.F., de Arroyabe, J.C.F., 2023b.
Declaration of competing interest Cybersecurity capabilities and cyber-attacks as drivers of investment in
cybersecurity systems: a UK survey for 2018 and 2019. Comput. Secur. 124, 102954.
Fernandez De Arroyabe, I., Fernandez de Arroyabe, J.C., 2023. The severity and effects of
The authors state that they have no conflict of interest in the paper. Cyber-breaches in SMEs: a machine learning approach. Enterpr. Inf. Syst. 17 (3),
1942997.
Fernandez de Arroyabe, J.C., Arroyabe, M.F., Fernandez, I., Arranz, C.F., 2023a.
Data availability Cybersecurity resilience in SMEs. A machine learning approach. J. Comput. Inf. Syst.
1–17.
The authors do not have permission to share data. Fox, J., 2024. Top Cybersecurity Statistics for 2024. Cobalt. https://www.cobalt.
io/blog/cybersecurity-statistics-2024#:~:text=75%25%20of%20security%20pr
ofessionals%20have,burden%20on%20organizations%20.
Fraley, C., Raftery, A.E., 2002. Model-based clustering, discriminant analysis, and
References density estimation. Am. Stat. Assoc. 97 (458), 611–631.
GOV.UK, 2023. Cyber Security Breaches Survey 2023. Department for Science,
Innovation and Technology. https://www.gov.uk/government/statistics/cyber-secu
Adams, J., Albakajai, M., 2016. Cyberspace: a new threat to the sovereignty of the state.
rity-breaches-survey-2023/cyber-security-breaches-survey-2023.
J. Manag. Stud. 4 (6), 256–265.
Horváth, D., Szabó, R.Z., 2019. Driving forces and barriers of Industry 4.0: do
Albakjaji, M., Adams, J., Almahmoud, H., Al Shishany, A.S., 2020. The legal dilemma in
multinational and small and medium-sized companies have equal opportunities?
governing the privacy right of e-commerce users: evidence from the USA context.
Technol. Forecast. Soc. Change 146, 119–132.
Int. J. Serv. Sci. Manag. Eng. Technol. 11 (4), 166–187.
Ibrahim, N.F., Wang, X., Bourne, H., 2017. Exploring the effect of user engagement in
Ansong, E., Boateng, R., 2018. Organisational adoption of telecommuting: evidence from
online brand communities: evidence from Twitter. Comput. Human Behav. 72,
a developing country. Electron. J. Inf. Syst. Dev. Countries 84 (1), e12008.
321–338.
Arroyabe, M.F., Arranz, C.F.A., Arroyabe, I.F.D., Fernandez De Arroyabe Fernandez, J.C,
Jensen, M.L., Durcikova, A., Wright, R.T., 2021. Using susceptibility claims to motivate
2024. The effect of IT security issues on the implementation of industry 4.0 in SMEs:
behaviour change in IT security. Eur. J. Inf. Syst. 30 (1), 27–45.
barriers and challenges. Technol. Forecast. Soc. Change 199, 123051. -123051.
Kabanda, S., Tanner, M., Kent, C., 2018. Exploring SME cybersecurity practices in
Babiceanu, R.F., Seker, R., 2019. Cyber resilience protection for industrial internet of
developing countries. J. Org. Comput. Electron. Commer. 28 (3), 269–282.
things: a software-defined networking approach. Comput. Ind. 104, 47–58.
Kass, R.E., Wasserman, L., 1995. A reference Bayesian test for nested hypotheses and its
Bella, D., Katsinis, L., Lagüera-González, A., Odenthal, J., Hell, L., Lozar, M., 2023.
relationship to the Schwarz criterion. J. Am. Stat. Assoc. 90 (431), 928–934.
Annual Report on European SMEs 2022/2023. SME Performance Review 2022/
Lezzi, M., Lazoi, M., Corallo, A., 2018. Cybersecurity for Industry 4.0 in the current
2023. European Commission. https://single-market-economy.ec.europa.eu/syst
literature: a reference framework. Comput. Ind. 103, 97–110.
em/files/2023-08/Annual%20Report%20on%20European%20SMEs%202023_FINA
Mamat, A.R., Mohamed, F.S., Mohamed, M.A., Rawi, N.M., Awang, M.I., 2018.
L.pdf.
Silhouette index for determining optimal k-means clustering on images in different
Benz, M., Chatterjee, D., 2020. Calculated risk? A cybersecurity evaluation tool for SMEs.
color models. Int. J. Eng. Technol. 7 (2), 105–109.
Bus. Horiz. 63 (4), 531–540.
Manesh, M.F., Pellegrini, M.M., Marzi, G., Dabic, M., 2020. Knowledge management in
Bertino, E., Choo, K.K.R., Georgakopolous, D., Nepal, S., 2016. Internet of Things (IoT)
the fourth industrial revolution: mapping the literature and scoping future avenues.
smart and secure service delivery. ACM Trans. Internet Technol. 16 (4), 22–29.
IEEE Trans. Eng. Manage. 68 (1), 289–300.
Boswell, R., 2023. 60% of European SMEs That are Cyber-Attacked Have to Close After
Masood, T., Sonntag, P., 2020. Industry 4.0: adoption challenges and benefits for SMEs.
Six Months. Startup Magazine. https://startupsmagazine.co.uk/article-60-european
Comput. Ind. 121, 103261.
-smes-are-cyber-attacked-have-close-after-six-months.
Mirtsch, M., Kinne, J., Blind, K., 2020. Exploring the adoption of the international
Brands, J., van Wilsem, J., 2021. Connected and fearful? Exploring fear of online
information security management system standard ISO/IEC 27001: a web mining-
financial crime, internet behaviour and their relationship. Eur. J. Criminol. 18,
based analysis. IEEE Trans. Eng. Manage. 68 (1), 87–100.
213–234.
Moeuf, A., Lamouri, S., Pellerin, R., Tamayo-Giraldo, S., Tobon-Valencia, E., Eburdy, R.,
Brenner, S.W., 2010. Cybercrime: Criminal Threats from Cyberspace. Bloomsbury
2019. Identification of critical success factors, risks and opportunities of industry 4.0
Publishing USA.
in SMEs. Int. J. Prod. Res. 58 (5), 1–17.
Caldeira, M.M., Ward, J.M., 2002. Understanding the successful adoption and use of IS/
Moneva, A., Leukfeldt, R., 2023. Insider threats among Dutch SMEs: nature and extent of
IT in SMEs: an explanation from Portuguese manufacturing industries. Inf. Syst. J. 12
incidents, and cyber security measures. J. Criminol. 56 (4), 416–440.
(2), 121–152.
Moody, R., 2024. Since 2018, Ransomware Attacks on the Education Sector Have Cost
Caton, J.F., 2012. On the Theory of Cyberspace. Strategic Studies Institute, US Army War
the World Economy Over $53 Billion in Downtime Alone. Comparitech. htt
College. https://www.jstor.org/stable/pdf/resrep12116.26.pdf.
ps://www.comparitech.com/blog/vpn-privacy/school-ransomware-attacks-worldw
Chief Healthcare Executive (2024). More than 88 million people have been affected by
ide/.
health data breaches this year. https://www.chiefhealthcareexecutive.com/view/m
Nam, T., 2019. Understanding the gap between perceived threats to and preparedness for
ore-than-88-million-people-have-been-affected-by-health-data-breaches-this-year.
cybersecurity. Technol. Soc. 58, 101122.
Choi, J., Kruis, N.E., Choo, K.S., 2021. Explaining fear of identity theft victimization
Nambisan, S., Lyytinen, K., Yoo, Y. (Eds.), 2020. Handbook of Digital Innovation.
using a routine activity approach. J. Contemp. Crim. Justice 37, 406–426.
Edward Elgar Publishing.
Choo, K.R., 2011. The cyber threat landscape: challenges and future research directions.
Papakonstantinou, V., 2010. Cyberspace and cybercrime. Handbook of Electronic
Comput. Secur. 30 (8), 719–731.
Security and Digital Forensics, pp. 455–476.
CISA,gov, 2020. Cyberspace Policy Review, 2009. Cybersecurity & Infrastructure
Podsakoff, P.M., MacKenzie, S.B., Lee, J.Y., Podsakoff, N.P., 2003. Common method
Security Agency. https://www.cisa.gov/resources-tools/resources/2009-cyber
biases in behavioral research: a critical review of the literature and recommended
space-policy-review.
remedies. J. Appl. Psychol. 88 (5), 879.
Conteh, N.Y., Schmick, P.J., 2016. Cybersecurity: risks, vulnerabilities and
Poireault, K. (2024). Manufacturing top targeted industry in record-breaking cyber
countermeasures to prevent social engineering attacks. Int. J. Adv. Comput. Res. 6
extortion surge. https://www.infosecurity-magazine.com/news/manufacturing
(23), 31–43.
-top-targeted-orange/.
Cook, S., Giommoni, L., Trajtenberg Pareja, N., Levi, M., Williams, M.L., 2023. Fear of
Rachh, A., 2021. A study of future opportunities and challenges in digital healthcare
economic cybercrime across Europe: a multilevel application of Routine Activity
sector: cyber security vs. crimes in digital healthcare sector. Asia Pacific J. Health
Theory. Br. J. Criminol. 63 (2), 384–406.
Manag. 16 (3), 7–15.
Corallo, A., Lazoi, M., Lezzi, M., 2020. Cybersecurity in the context of Industry 4.0: a
Rahmonbek, R., 2024. 35 Alarming Small Business Cybersecurity Statistics for 2024.
structured classification of critical assets and business impacts. Comput. Ind. 114,
StrongDM. https://www.strongdm.com/blog/small-business-cyber-security-statis
103165.
tics.
Dąbrowska, J., Almpanopoulou, A., Brem, A., Chesbrough, H., Cucino, V., Di Minin, A.,
Saban, K.A., Rau, S., Wood, C.A., 2021. SME executives’ perceptions and the information
Ritala, P., 2022. Digital transformation, for better or worse: a critical multi-level
security preparedness model. Information & Computer Security 29 (2), 263–282.
research agenda. R&D Manag. 52 (5), 930–954.
Salam, M.T., Imtiaz, H., Burhan, M., 2021. The perceptions of SME retailers towards the
Dalenogare, L.S., Benitez, G.B., Ayala, N.F., Frank, A.G., 2018. The expected contribution
usage of social media marketing amid COVID-19 crisis. J. Entrepreneurship Emerg.
of Industry 4.0 technologies for industrial performance. Int. J. Prod. Econ. 204,
Econ. 13 (4), 588–605.
383–394.
Shah, M.H., Jones, P., Choudrie, J., 2019. Cybercrimes prevention: promising
Deloitte, 2020. Digitalising SMEs: The role of Digitalisation and Digital Policy in
organisational practices. Inf. Technol. People 32 (5), 1125–1129.
Supporting the SME Economic Recovery. https://www2.deloitte.com/content/dam/
Sule, M.J., Zennaro, M., Thomas, G., 2021. Cybersecurity through the lens of digital
Deloitte/sg/Documents/strategy/sea-cons-podcast-fom-epi-9-digitising-movemen
identity and data protection: issues and trends. Technol. Soc. 67, 101734.
t-goods-transcript.pdf.
Vial, G., 2021. Understanding Digital Transformation: A Review and a Research Agenda.
Dudek, A., 2020. Silhouette index as clustering evaluation tool. In: Classification and
Managing digital Transformation. Routledge.
Data Analysis: Theory and Applications, 28. Springer International Publishing,
Vuletić, I., 2017. Data-driven healthcare and cybercrime: a threat we are not aware of.
pp. 19–33.
Asia Pacif. J. Health Law Ethics 11 (2), 16–32.
ENISA, 2020. ENISA Threat Landscape 2020: Cyber Attacks Becoming More Sophisticated,
Walden, I., 2005. Crime and security in cyberspace. Cambridge Rev. Int. Affair. 18 (1),
Targeted, Widespread and Undetected. European Union Agency For Cybersecurity.
51–68.
https://www.enisa.europa.eu/topics/cyber-threats/threats-and-trends.

13
M.F. Arroyabe et al. Computers & Security 141 (2024) 103826

Wall, D.S., 2007. Policing cybercrimes: situating the public police in networks of security fosters entrepreneurial activity. She has published her work in “Journal of Business
within cyberspace. Police. Pract. Res. 8 (2), 183–205. Research”, "R&D Management", “Technovation”, “Studies in Higher Education”, “British
Wong, L.W., Lee, V.H., Tan, G.W., Ooi, K.B., Sohal, A., 2022. The role of cybersecurity Journal of Management”, “European Journal of Innovation Management”, “Technology
and policy awareness in shifting employee compliance attitudes: building supply Analysis and Strategic Management”, “Journal of Cleaner Production”, “Technological Fore­
chain capabilities. Int. J. Inf. Manage. 66, 102520. casting and Social Change”, "Journal of Computer Information Systems" or "Computers and
World Bank Finance, 2021. Improving SMEs’ Access to Finance and Finding Innovative Security".
Solutions to Unlock Sources of Capital. https://tinyurl.com/2ap98wrn.
Yeboah-Ofori, A., Abdulai, J., Katsriku, F., 2019. Cybercrime and risks for cyber-physical
Carlos F.A. Arranz is a Lecturer in Business Operations at the University of Greenwich.
systems. Int. J. Cyber-Secur. Digit. Forensic. 8 (1), 43–57.
His-main research interest centres on the application of Machine Learning methods to the
analysis of business, particularly on the implementation of Circular Economy Models. He
Marta F. Arroyabe is a Reader and Deputy Head of the Strategy Operations and Entre­ holds a PhD in Business Analytics from Essex Business School (University of Essex), an
preneurship (SOE) Group at Essex Business School. Marta’s research focuses on four pri­ MRes in International Political Economy from the London School of Economics and Po­
mary areas: innovation, digitalisation & cybersecurity, environmental management, and litical Science (LSE), and an MRes in Economics and Finance from the Université du
entrepreneurship. In the area of innovation, her research aims to understand the devel­ Luxembourg. Before that, he received a BSc in Economics and Business Economics (In­
opment and implementation of innovation in firms and explores firms’ innovation de­ ternational Economics Studies Specialisation) from Maastricht University.
cisions and strategies. In digitalisation and cybersecurity, her research investigates the
intersection of IT security, digital transformation, and cybersecurity resilience in SMEs.
Ignacio Fernandez de Arroyabe is Cyber Risk Manager in Lloyds Bank Commercial
Her research investigates the digitalisation dynamics in SMEs, emphasising the multifac­
Banking (UK). He has worked in cybersecurity in Jaguar Land Rover in the UK. His-
eted nature of drivers, interactions, and the overall decision-making process within the
research interests are in cybersecurity risk management in the firms. He is a PhD candi­
evolving landscape of Industry 4.0. Her research also delves into the strategic decision-
date in cybersecurity at Loughborough University.
making behind cybersecurity investments in SMEs and provides an understanding of
how cybersecurity challenges, capabilities and organisations’ external environment
intersect with the broader landscape of digital transformation and strategic decision- Juan Carlos. Fernandez de Arroyabe is a Professor in Essex Business School (University
making within SMEs, aiming to shed light on practical aspects that can enhance resil­ of Essex). His-research interests include joint R&D projects, R&D networks, cybersecurity,
ience and decision-making in the face of evolving cyber threats. In the area of environ­ and complex technological systems. He is author or co-author of numerous papers pub­
mental management, she primarily focuses on two topics, eco-innovation and circular lished in the British Journal of Management, Computer and Security; IEEE Transaction Engi­
economy, where she studies business responses to improving environmental performance neering Management, the Complexity, Technovation, Studies in Higher Education, Journal
and to increasing societal concerns for the environment. Her research explores the Cleaner Production, Business Strategy and The Environment, Journal Business Research;
development of eco-innovation and circular economy business models in firms and the Emergence: Organization and Complexity, Technological Forecasting Social Change, Journal of
impact of these on firms’ performance. Finally, in the area of entrepreneurship, her Enterprise Information Management, International Small Business Journal, European Journal of
research primarily focuses on entrepreneurial education and entrepreneurial intention. Work and Organisational Psychology, Scandinavian Journal of Tourism, and Industry Higher
Her work aims to understand to which extent entrepreneurial education in higher edu­ Education. Also, he is Associate Editor of the Journal of Entrepreneurship in Emerging
cation institutions (such as universities) spurs students’ entrepreneurial intention and Economies and member of Editorial Board of Technological Forecasting Social Change.

14