Cybersecurity as a Dynamic Capability: How Micro and Small Social Enterprises Build Digital Resilience

Mohammadi, Behnaz and Jafari-Sadeghi, Vahid and Sukumar, Arun and Mmadubuko, Moses (2026) Cybersecurity as a Dynamic Capability: How Micro and Small Social Enterprises Build Digital Resilience. Information Systems Frontiers. ISSN 1387-3326 (In Press)

Revised_Manuscript_ISFI-D-24-00964R3.pdf - Accepted Version
Restricted to Repository staff only


Abstract

Despite the increasing digitalisation of organisational processes, the cybersecurity capability of micro and small social enterprises remains substantially underexamined within Information Systems research. These organisations occupy a critical yet vulnerable position in the digital ecosystem, handling sensitive beneficiary data while operating with informal structures, limited technical expertise, and mission-driven resource priorities. Existing cybersecurity maturity models assume formal governance and stable resources, providing limited insight into how capability emerges in such contexts. Addressing this gap, this study adopts a qualitative, inductive approach based on 23 semi-structured interviews with owners and managers of UK social enterprises to investigate how cybersecurity capability is developed and enacted in practice. Drawing on the Dynamic Capabilities View, the analysis reveals that cybersecurity capability in social enterprises is constituted through three interrelated and iterative dimensions: technical (readiness, prior exposure, and data sensitivity), organisational (informal coordination, training, and partnership-based support), and psychological (risk perceptions, ethical responsibility, and mission-driven motivation). The findings advance theory by showing that capability development does not follow linear maturity stages but emerges through experiential learning, social capital mobilisation, and values-aligned adaptation. The study contributes an empirically grounded Cybersecurity Capability Framework that explains how resource-constrained, mission-driven organisations sense threats, seize available resources, and reconfigure practices to maintain digital resilience. Practical implications highlight how managers, policymakers, and support organisations can strengthen cybersecurity capability by leveraging collaborative networks, informal learning mechanisms, and mission-aligned security practices. 
This work extends IS scholarship by illuminating an overlooked organisational form and by reconceptualising cybersecurity capability as a dynamic, context-dependent socio-technical process.

Item Type: Article
Dates: 2 March 2026 (Accepted)
Uncontrolled Keywords: Cybersecurity capability, social enterprise, dynamic capabilities, digital resilience, small business, qualitative study.
Subjects: CAH17 - business and management > CAH17-01 - business and management > CAH17-01-02 - business studies
Divisions: Business School > Management, Business and Marketing
Depositing User: Gemma Tonks
Date Deposited: 10 Mar 2026 11:30
Last Modified: 10 Mar 2026 11:30
URI: https://www.open-access.bcu.ac.uk/id/eprint/16918
