Sizing up people and process: a conceptual lens for thinking about cybersecurity in large and small enterprises

This paper proposes a conceptual lens for analysing organisational cybersecurity challenges in light of ‘firm size’. There is extensive literature in the fields of business and organisational studies that connect firm size to various observed outcomes, as well as looking at the determinants and advantages or disadvantages of how large an enterprise is. This paper will theoretically examine cybersecurity challenges in large and small enterprises, both in the private sector (‘firms’) and in the public sector (‘agencies’ or ‘services’). While there are obviously technical aspects of cybersecurity, including challenges related to resources for acquiring equipment, convergence in information-sharing standards, and limitations of hardware and software, this paper focuses instead on social and organisational cybersecurity challenges. It will frame these challenges in terms of a balance of ‘process’ challenges – that is, the coordination of cybersecurity functions within the organisation – and in terms of ‘people’ challenges – that is, the recruitment, development and retention of qualified staff. The theoretical approach suggests a line of future research that would examine empirically if in fact the balance of ‘process’ and ‘people’ challenges look more similar among large firms (of whichever sector) than they do of large and small firms in the same sector.