Exploring the economic role of cybersecurity in SMEs: A case study of the UK

Abstract

This study explores the economic role of cybersecurity in Small and Medium Enterprises (SMEs), situating cybersecurity within the framework of merit-goods within the economic theory of market failures and public goods. By examining 240 SMEs across the UK, the empirical findings of this investigation underscore its classification as a merit-good due to its extensive social benefits and the critical gap in its optimal provision. The results confirm the existence of market failure, such as the lack and asymmetry of information regarding cybersecurity, acknowledging the myopia and lack of information within SMEs, leading to suboptimal implementation of cybersecurity. Moreover, the lack of optimal implementation is evidenced by the findings indicating that neither cybersecurity incidents nor cybersecurity impacts in SMEs drive the implementation of cybersecurity. Additionally, we observe that implementation is more focused on control systems than on management systems, which is a significant differentiating factor from large enterprises. The study contributes theoretically by framing cybersecurity as a merit-good, provides managerial insights into SME cybersecurity practices, and emphasizes the importance of nuanced policies to bridge the implementation gap.