Summary: This study aims to empirically explore and evaluate the current state of cyber security management for small and medium-sized businesses in South Korea. As academic discourse relating to the cyber security management of businesses is relatively new, there is a clear lack of literature relating to this discipline. This study, therefore, looks to address this issue by taking an exploratory approach to the subject. Based on various sources in the UK, this study used the UK’s cyber security framework as a conceptual model against which conditions in South Korea were examined. Drawing on a mixed methods approach, this study employed three research methods: documentary research, quantitative questionnaires, and qualitative interviews. In the quantitative phase, the current situation of the businesses in relation to cyber security was assessed and differences by business sector and size were identified. In the qualitative phase, five themes were identified. Findings from the quantitative and qualitative research were triangulated with the existing literature, including the qualitative results describing the empirical field of enquiry, to present a holistic picture of cyber security management of South Korean businesses. It was revealed that small and medium-sized businesses did not have a structural mechanism to prevent or mitigate risks at the pre-breach stage. Rather, they focused on responses at the post-breach stage. This finding demonstrated that small and medium-sized businesses were not prepared for the risks and threats from a preventative point of view. In addition, management of cyber security in businesses was not an isolated mechanism, but was affected by external influences and initiatives. However, small and medium-sized businesses relied more upon private organisations than public organisations, which indicates that public sector organisations played an insufficient role in protecting small and medium-sized businesses.
In conclusion, this research has proposed an integrated cyber security risk management model. The framework was based on the argument that cyber security management relates to three elements: risk assessment, organisational behaviours and external factors. It is here that the biggest gains can be made if businesses manage cyber security in a holistic manner and if national leadership is strengthened in Korean cyber security governance. This empirical research has made a contribution to knowledge in relevant studies by presenting a comprehensive landscape of cyber security management of businesses.