Navigating Cybersecurity Governance: The influence of opportunity structures in socio-technical transitions for small and medium enterprises

Abstract

This study examines cybersecurity discourses of small and medium size businesses in Canada. The findings culminated in a novel conceptual framework, which captures the intricate interplay between the discourse of agency, prevailing conditions, and the resultant discourse of strategy. Central to this model is the discourse of agency, framing cybersecurity as either a high agency mechanism actively contributing to business objectives, or a low agency mechanism perceived as a passive burden. The conditions under which businesses operate, characterized by external pressures and internal motivations, alongside the degree of environmental support, further shape their cybersecurity narratives. These dynamics significantly influence the resultant discourse of strategy, leading to four distinct strategic narratives: Synergistic Asset, Operational Pragmatism, Ambivalent Prospect, and Impractical Liability. For instance, a discourse of Synergistic Asset reflects a perception of an environment positively influenced by robust governmental cybersecurity initiatives, setting benchmarks in cybersecurity practices. Conversely, a discourse of Impractical Liability reflects pronounced levels of risk, influenced by societal narratives and economic apprehensions. We offer a comprehensive model for understanding cybersecurity discourses, bridging empirical findings with theoretical underpinnings, and providing valuable insights for both academia and industry.