Organizational Cybersecurity Systems and Sustainable Business Performance of Small and Medium Enterprises (SMEs) in Saudi Arabia: The Mediating and Moderating Role of Cybersecurity Resilience and Organizational Culture
1. Introduction
Cyberattacks are becoming increasingly complex worldwide [1]. According to Fox [1], some sectors have seen a 300% increase in cyberattacks annually. Alotaibi et al. [2] noted that SMEs in Saudi Arabia are at high risk, with incidents rising at a rate of 250% in recent years. Alotaibi et al. [2] emphasized that cybersecurity education gaps make this vulnerability even worse. They reported a 200% increase in cyberthreats targeting Saudi Arabia’s critical infrastructure, emphasizing the need for resilient cybersecurity frameworks. Kong et al. [3] also introduced the advancements, challenges, and prospects of edge computing in the rapidly evolving landscape of the Internet of Things.
Nowadays, most businesses are managed via internet, which makes businesses vulnerable to cybersecurity attacks that have an impact on a firm’s core operations [4]. Internet applications are becoming increasingly important for small and medium enterprises (SMEs), in which internet technologies are found to improve corporate reputation and performance [5]. In addition, SMEs significantly contribute to job creation, economic growth, poverty alleviation, and societal well-being [6]. Moreover, it was found that economies with more significant shares of SME activity have higher growth rates compared to economies with a smaller share of SME activity [7]. Therefore, disruptive technologies such as the Internet of Things (IoT), cloud-based solutions, artificial intelligence, and blockchain have substantially increased the performance of the existing business models with innovative business strategies, reducing the cost of products or services and also considerably increasing the vulnerability of organizations to cybersecurity risks [8].
Cybersecurity encompasses a comprehensive set of strategies and measures to safeguard computer systems and networks from deliberate attacks, accidental breaches, and all forms of unauthorized access in the digital realm. This protection is achieved through methods including but not limited to system audits, data confidentiality, ensuring data integrity, user authentication, maintaining system availability, encryption techniques, and the use of digital signatures [9].
Attackers are motivated by various objectives such as monetary gain, corporate espionage, cyberwarfare, and cyberterrorism [10]. Cybercrimes and attacks cause massive damage to the reputation of enterprises, resulting in the loss of data and customers and incurring huge expenses to fix the damage caused [11]. Therefore, it was found that a comprehensive organizational security strategy combined with sophisticated behavioral awareness promotes a proactive cybersecurity culture [12].
SMEs, like large enterprises, are victimized by cybercrime, and researchers have found that SMEs are reluctant to report cyberattacks and threats for several reasons, including a lack of cybersecurity awareness, concern for reputational harm, and the belief that the incident is not serious enough [13,14]. In general, SMEs need more capabilities, experience, and resources to adopt cybersecurity measures in their companies. Moreover, it is believed that SMEs are too static and do not have dynamic capabilities. Therefore, they need more flexibility in solving and dealing with cyberattack issues [15].
Recent studies have increasingly focused on exploring cybersecurity in organizations [14,16,17]. In general, cybersecurity research has broadened its scope to cover professional groups, organizations, and users such as non-IT professionals [17], senior citizens and the elderly [18,19], large organizations [20], and healthcare domains [21]. However, SMEs are a largely under-researched segment, and more research needs to be conducted to measure the importance of cybersecurity as a method of e-protection and in achieving sustainable business performance. In addition, SME research is primarily grounded in developed Western nations [22]. Therefore, this study aims to take the first step in understanding cybersecurity phenomena in SMEs employing data from Saudi Arabia. This country was selected because it is an understudied region in the context of cybersecurity in SMEs [23]. It is noteworthy that most SMEs in Saudi Arabia are specialized in providing goods or services in their local domain. While Mian and Alatawi [24] and Ferdinand [25] examined the importance of cybersecurity in organizations, there is a great need for understanding its direct impact on sustainable business performance, particularly in Saudi Arabian SMEs. Ferdinand [25] and Tagarev et al. [26] showed that cybersecurity resilience is becoming essential to a firm’s cyberstrategy. However, prior studies have not explicitly examined the mediation of organizational cybersecurity systems and sustainable business performance. O’Reilly et al. [27], Naranjo-Valencia et al. [28], and Uddin et al. [29] showed how organizational culture affects business processes and outcomes. However, its moderating role in cybersecurity resilience and sustainable business performance has yet to be discovered. In fact, cybersecurity is a top priority for modern organizations, particularly SMEs that are extremely vulnerable to cyberattacks.
The cybersecurity landscape’s complexity warrants in-depth exploration as Saudi Arabian businesses digitize and integrate advanced technologies. Although cybersecurity affects business performance, little is known about how cybersecurity resilience affects sustainable business performance. Understanding how cybersecurity resilience affects business outcomes is crucial given the diversity of Saudi Arabian SMEs’ organizational cultures.
This study aims to achieve the following research objectives:
-
To examine the impact of organizational cybersecurity systems on sustainable business performance in Saudi Arabian SMEs;
-
To measure the mediating role of cybersecurity resilience and orientation between organizational cybersecurity systems and sustainable business performance in Saudi Arabian SMEs;
-
To explore the moderating role of organizational culture between cybersecurity resilience and sustainable business performance.
In fact, this study fills a regional and contextual gap in cybersecurity by showing how organizational cybersecurity systems directly affect sustainable business performance in Saudi Arabian SMEs. This research also examines how cybersecurity strategies affect sustainable business performance by examining the mediating role of cybersecurity resilience in organizations. SMEs also gain actionable cyber-resilience insights to improve business outcomes. Furthermore, this study shows how organizational culture significantly impacts cybersecurity resilience and sustainable business performance. Understanding this interaction helps companies align their cybersecurity strategies with their culture, improving performance and resilience to cyberthreats. Finally, this study advances cybersecurity research and provides Saudi Arabian SMEs with practical guidance to grow, sustain, and thrive in a digitalized business environment.
Findings from this research help organizations in general and SMEs in particular to implement overall cyber-resilience strategies, to establish a proactive risk management environment that ensures business survival, and to exploit opportunities. The following section provides an overview of the relevant literature on cybersecurity concepts, preventive measures for cybercrimes, the Saudi Arabian business environment, and theories related to organization and technological capabilities. The third section describes in detail the methodological approach employed to conduct this case study, followed by a section presenting the results of this study. Section 5 discusses the findings and provides insights and managerial implications for SMEs achieving sustainable business performance. Finally, conclusions, limitations, and suggestions for future studies are provided.
4. Results
4.1. Assessing Validity and Reliability
The study used the algorithm technique with 5000 sub-samples in Smart PLS. Based on the guidelines set forth by Hair et al. [85] and Henseler et al. [86], convergent validity is typically assessed using factor loadings and the average variance extracted (AVE). Factor loadings should be 0.6 or higher [88], indicating that the respective items share significant variance with their assigned latent construct. From Table 2, all the items have factor loadings well above this threshold, signifying satisfactory convergent validity for each construct. The AVE, which measures the variance captured by a construct concerning the variance attributable to measurement error, should be greater than 0.5 [85,88]. All constructs shown in Table 2 had AVE values greater than this benchmark, reinforcing the adequacy of convergent validity.
The reliability of the constructs was evaluated using Cronbach’s alpha and composite reliability (CR) [85,87,88]. According to previous studies, both Cronbach’s alpha and CR should exceed the value of 0.7 for a construct to be considered reliable. All constructs shown in Table 2 had both Cronbach’s alpha and CR values comfortably above this threshold. It is worth noting that CR values often exceed Cronbach’s alpha, which is expected, as CR is a more robust and lenient measure of reliability. Therefore, all scales in Table 2 demonstrated strong convergent validity and reliability, indicating that the measures are both valid and consistent in capturing their respective constructs.
According to Hair et al. [85] and Henseler et al. [86], an item’s cross-loadings should be higher on its construct than on any other construct to establish discriminant validity. Table 3 shows that most items had higher construct cross-loadings, indicating good discriminant validity. However, some items appeared to have close cross-loadings with other constructs, raising discriminant validity concerns that may require further investigation. Awang et al. [88] recommended model evaluation to address potential issues for robust and reliable model results.
For discriminant validity using the Fornell–Larcker criterion, the square root of any given construct is AVE (diagonal values) and should be higher than its highest correlation with any other construct (off-diagonal values). According to Hair et al. [85] and Henseler et al. [86], Table 4 suggests that most constructs in the model met this criterion, indicating satisfactory discriminant validity. However, some values were close, implying the need for careful interpretation and potential model refinement, as Awang et al. [88] recommended. Finally, the study confirmed the discriminant validity.
4.2. Assessing Path Model
The study used SEM analysis to test the research hypotheses (Table 5). The study used a 5% significance level with a 95% confidence interval. Therefore, the value of p should be lower than 0.05, and the t-value should be higher than +1.96. The direct effects elucidate the straightforward impact of one variable on another, uninfluenced by other intervening variables (Figure 4). H1 demonstrates a significant positive relationship between organizational cybersecurity training and policies and cybersecurity resilience strategy and orientation, with values indicative of this effect (β = 0.151, t = 2.638, p = 0.008). Similarly, H2 reveals that regulatory effectiveness and government policies significantly influence cybersecurity resilience strategy and orientation (β = 0.208, t = 3.537, p = 0.000). H3 and H4 also present significant direct effects, where absorptive capacity affects cybersecurity resilience strategy and orientation (β = 0.204, t = 3.215, p = 0.001), and the implications of the COVID-19 pandemic vulnerability consequences on the same outcome were notable (β = 0.321, t = 5.407, p = 0.000). In terms of organizational performance, H5 establishes a potent direct influence of the organizational cybersecurity system on sustainable business performance (β = 0.784, t = 17.647, p = 0.000), and the effect of organizational culture on sustainable business performance was also significant (β = 0.116, t = 3.432, p = 0.001).
Mediating effects expound on how a specific variable can influence another by introducing an intervening variable. In our study, the hypotheses from H7 to H10 attempt to outline these effects. H7 to H9, which explore the influence of organizational cybersecurity training and policies, regulatory effectiveness and government policies, and absorptive capacity on sustainable business performance through cybersecurity resilience strategy and orientation, do not seem statistically significant. Their corresponding values, such as the β-values (0.004 to 0.005) and p-values (ranging from 0.546 to 0.566), validate this lack of significance. Similarly, H10, which observes the mediating role of cybersecurity resilience strategy and orientation in the relationship between the COVID-19 pandemic vulnerability consequences and sustainable business performance, also appeared insignificant, as supported by its corresponding values (β = 0.008, t = 0.616, p = 0.538).
Moderating effects shed light on how the relationship dynamics between two variables might evolve based on the level of a third variable. In this context, H11 is crucial. The interaction between cybersecurity resilience strategy and orientation and organizational culture has implications for sustainable business performance. Although this effect was marginally significant (β = 0.036, t = 1.901, p = 0.057), it hints that organizational culture might slightly moderate the relationship between cybersecurity resilience strategy and sustainable business performance.
Finally, the findings showed that H1, H2, H3, H4, H5, and the direct effect of organizational culture on sustainable business performance were significant and are therefore accepted. In contrast, hypotheses H6, H7, H8, H9, and H10 were not statistically significant and thus are rejected. The outcome for H11 teeters on the edge of significance, suggesting a potential area for future investigation or more expansive data collection to derive a conclusive stance. It is worth noting that the direct effect of organizational culture on sustainable business performance was tested, and this effect was significant (β = 0.116, t = 3.432, p = 0.001).
5. Discussion
The study was conducted in Saudi Arabia by targeting SMEs in the service and manufacturing sectors. The study used a quantitative research design by administering a survey questionnaire. As from the plethora of research studies presented over the years, cybersecurity and organizational resilience have garnered significant attention recently. The recognition of the interplay between technological advancements and the strategic capabilities of organizations and the subsequent impacts on resilience is a theme that resonates throughout many of these studies. This is especially true during challenges such as the COVID-19 pandemic. For example, Wided’s [54] study on IT capabilities and organizational resilience in SMEs post COVID-19 aligns with the consensus that integrating advanced IT capabilities such as big data analytics strengthens strategic flexibility and resilience in an organization. This echoes the findings of Huang and Pearlson’s [69] work, which highlighted the importance of cultivating a cybersecurity culture within an organization and suggested that technology, while essential, is not the only solution; cultural and strategic alignment is equally as important.
Drawing parallels with previous studies, the emphasis on absorptive capacity as a cornerstone for cyber-resilience is consistently highlighted. Cybersecurity resilience is dependent on absorptive capacity. The research conducted by Levinson [79] investigated the importance of absorptive capacities in promoting proactive and inclusive approaches to cybersecurity governance. This is consistent with Chowdhury and Quaddus’s [51] research, in which they discussed resiliency utilizing the dynamic capability theory and asserted that absorptive capacity is essential to the long-term viability of supply chains. This finding is consistent with their findings. This points to a trend in the research that indicates that for organizations to be adaptable and resilient, they need to recognize, assimilate, and exploit new information effectively. In addition, the cybersecurity landscape is not limited to technical defenses and strategies; rather, it encompasses a broader spectrum including human factors, governance, and regulatory frameworks. This is because technical defenses and strategies are only part of the equation. For instance, the systematic review conducted by Nifakos et al. [55] emphasized human factors’ role in cybersecurity within healthcare organizations. This supports the findings of other research, such as that conducted by Rajamäki et al. [56], highlighting the necessity of providing cybersecurity education in hospitals. Concerning governance, the research conducted by Clark-Ginsberg and Slayton [89] highlighted the significance of regulating risks within complex systems. This perspective is congruent with the research conducted by Wessel [58] on the role that regulation plays in enhancing the cybersecurity resilience of the European Union.
Therefore, it is abundantly clear that the role that dynamic capabilities and strategic alignment plays in cultivating resilience is widely acknowledged across the studies. Garcia-Perez et al. [90] and Golgeci and Kuivalainen [71] found a relationship between digital transformation and resilience. Moreover, these findings echo the broader sentiment captured by Teece’s [47,49] work on dynamic capabilities, which emphasized the need for organizations to continuously adapt, integrate, and reconfigure their internal and external competencies to address rapidly changing environments. This accumulated knowledge points toward an all-encompassing, multi-pronged approach to resiliency that incorporates technological prowess, human factors, governance, and the flexibility of strategic planning.
5.1. Managerial Implications
The service industry in Saudi Arabia is currently at a pivotal crossroads due to the country’s rapidly developing digital landscape. According to Wided [54], managers in the service sector should prioritize investments in information technology capabilities and big data analytics to ensure strategic flexibility and organizational resilience. This is because there is an increasing dependence on these two areas. In light of the findings of Mian and Alatawi’s [24] study, it is clear that there is a pressing need to improve cybersecurity, particularly in industries such as banking. Because of the inherently data-intensive nature of the service sector, the protection of customer and transactional data should be of the utmost importance. In addition, as digital service touchpoints become more prevalent (such as online banking, e-commerce, and e-health), service providers should cultivate a robust cybersecurity culture. This requirement is based on the findings of Huang and Pearlson [69]. In order to accomplish this goal, continuous training, regular risk assessments, and the cultivation of a culture in which everyone shares responsibility for cybersecurity are required.
In the years after COVID-19, the Saudi Arabian manufacturing sector, particularly the country’s small- and medium-sized enterprises (SMEs), has been confronted with significant difficulties. According to Wided [54], for managers to succeed in such uncertain times, they need to integrate information technology capabilities into their operations to enhance their resilience and flexibility. In addition, research conducted by Andrawina and Govindaraju [80] highlighted the significance of absorptive capacity and knowledge sharing capability in enhancing innovation performance. In light of Saudi Arabia’s role as a hub in the global supply chain, manufacturing companies in the country should prioritize supply chain visibility and improve their capacity for rapid adaptation to and adoption of innovative technologies and business procedures. According to Golgeci and Kuivalainen [71], the role of social capital in supply chain resilience is another important area of focus that should be examined. As a result, the leaders of the manufacturing sector in Saudi Arabia ought to prioritize cultivating vigorous, trusting relationships with their suppliers, partners, and other stakeholders. This will allow for more effective communication and collaboration and greater collective resilience in the face of disruptions.
Several hypotheses had insignificant effects for various reasons. For H6, cybersecurity resilience strategy and orientation have not displayed a significant effect on sustainable business performance, suggesting that while these strategies are important for immediate cybersecurity response [51,54], they might not have a significant impact on long-term business performance due to other cultural factors. The mediating effects in H7, H8, H9, and H10 have not shown significant mediating effects, suggesting that cybersecurity resilience strategy and orientation do not directly affect sustainable business performance. This might be because market dynamics, technological advances, or internal organizational factors drive sustainable business performance more [8,14,30]. The moderating effect of culture in H11, despite being close to significance, suggests that organizational culture improves sustainable business performance but has a weaker effect on cybersecurity resilience strategy.
5.2. Limitations and Future Directions
The current investigation is restricted by its heavy reliance on a select number of studies, which may not comprehensively capture the entire scope of information technology capabilities and cybersecurity in Saudi Arabia. In addition, by concentrating only on the service and manufacturing sectors, one risks missing nuanced insights from other important industries. Conducting empirical studies directly within Saudi organizations to gauge the real-time challenges and implementations of IT capabilities would be extremely helpful for future research and would be an excellent idea. Comparisons across industries rather than between the service and manufacturing sectors may produce more insightful results. Furthermore, because Saudi Arabia’s Vision 2030 emphasizes technological advancement and digital transformation, longitudinal studies that track the evolution of IT capabilities and cybersecurity measures over a decade can provide crucial insights into the nation’s journey toward becoming a transformed state.
To overcome these limitations, future studies should broaden their scope by including a diverse range of industries beyond just service and manufacturing, thereby capturing a more comprehensive picture of IT capabilities and cybersecurity in Saudi Arabia. Longitudinal research in Saudi organizations can reveal real-time cybersecurity challenges and applications. Longitudinal studies aligned with Saudi Arabia’s Vision 2030 would provide valuable insights into IT and cybersecurity evolution during digital transformation.
