Analysis of cybersecurity practices in a developing country: The role of firm size and digital strategy

Susan Arce
Mauricio Arroyo
Jose Martínez

Abstract

Digital technologies have revolutionized how firms operate and compete; however, their integration into business processes also amplifies exposure to cybersecurity threats that might compromise a firm’s data integrity and market continuity. Cybersecurity practices have therefore become a priority for securing business operations in the new digitally led market landscape. This study evaluates the cybersecurity maturity level of Costa Rican firms, distinguishing between SMEs and large firms, and aims to identify shared patterns and challenges these firms face in improving their cybersecurity practices. Furthermore, we explore whether the adoption of cybersecurity practices is explained by factors related to firm size and the adoption of a formal digital strategy. The results of the cluster analysis on a sample of 66 Costa Rican firms suggest that firms show different levels of cybersecurity maturity, with the most advanced firms consistently excelling at cybersecurity engagement, awareness, and vulnerability management. The results also reveal that firm size and the presence of a formal digital strategy are strongly associated with cybersecurity maturity: larger firms with a digital strategy tend to be ‘cybersecurity leaders’, whereas most sampled smaller firms do not have a formal digital strategy and tend to fall into the ‘cybersecurity laggards’ group, which indicates their greater vulnerability to cyber risks. The identified discrepancies reveal firms’ need to strategically integrate security considerations into all their processes and to adopt structured, adaptive improvement approaches to mitigate cyber threats effectively.

How to Cite
Arce, S., Arroyo, M., & Martínez, J. (2026). Analysis of cybersecurity practices in a developing country: The role of firm size and digital strategy. Tec Empresarial, 20(2), 107–127. https://doi.org/10.18845/te.v20i2.8634
