Developing a protocol for effective cybersecurity information sharing: a human-centric approach for small and medium enterprises in South Africa

Authors

Ngandu, Matipa Ricky

Publisher

Central University of Technology

Abstract

Cybersecurity remains a serious concern for Small and Medium Enterprises (SMEs) in South Africa. Despite their significant contributions to the national economy and job creation, SMEs are becoming increasingly susceptible to cyber threats, including phishing, ransomware, business email compromise (BEC), and data breaches. Although Cybersecurity Information Sharing (CIS) has been globally recognised as a critical mechanism for enhancing organisational resilience, SMEs frequently encounter obstacles to effective participation, such as low awareness, limited resources, a lack of skills, and pervasive mistrust. Despite the existence of regulatory frameworks like the Protection of Personal Information Act (POPIA) and the Cybercrimes Act, adherence remains inconsistent, and SMEs still lag behind in implementing effective CIS practices. This gap highlights the necessity for a socio-technical, human-centric approach specifically designed for the SME context. This research study aimed to develop a human-centric CIS protocol that integrates behavioural, socio-cultural, psychological, technological, and regulatory dimensions, placing trust at its core. A key emphasis was placed on understanding how human factors, such as motivation, social impact, and self-efficacy, affect SMEs’ willingness and capacity to participate in CIS. A comprehensive literature review of existing frameworks for CIS (such as NIST, NISTIR 7621, ISO/IEC 27032, and NIST 80018) revealed that they mainly focus on technical and policy aspects, often overlooking behavioural dynamics, which leaves SMEs without clear guidance to address organisational and behavioural challenges. Guided by Social Cognitive Theory (SCT), the study examined how individual capabilities, organisational norms, perceived outcomes, and external policy and technological environments influence SMEs’ cybersecurity decisions. A pragmatist paradigm, utilising an explanatory sequential mixed-methods design, was employed. 
The quantitative phase surveyed 21 SMEs to assess knowledge, capability, self-efficacy, social persuasion, and outcome expectations in relation to CIS participation. The qualitative phase involved semi-structured interviews with 10 participants to explore socio-cultural constraints, trust dynamics, and organisational practices. SCT was utilised to guide the development of a human-centric CIS protocol, ensuring that it incorporates behavioural, socio-cultural, psychological, technological, and regulatory aspects. The developed CIS protocol was tested by six experts from research, decision-making, and technical backgrounds to ensure practical relevance and applicability. The study achieved four objectives: (1) identifying human factors associated with effective CIS; (2) examining how policy and technology interact with these factors; (3) developing a protocol tailored to the realities of South African SMEs; and (4) evaluating its effectiveness. Findings indicate that trust, peer influence, and supportive policy environments are critical enablers of CIS participation. SMEs with higher self-efficacy and confidence in cybersecurity practices demonstrated a greater willingness to share information. Persistent barriers, including the lack of standardised reporting tools, inadequate technical infrastructure, and organisational mistrust, continue to hinder adoption. This research contributes both theoretically and practically. Theoretically, it extends SCT's applicability to cybersecurity by demonstrating how behavioural and environmental factors jointly shape SMEs' engagement with CIS. Practically, it delivers a human-centric CIS protocol that addresses behavioural, organisational, and policy barriers, providing actionable guidance for SMEs, policymakers, and industry associations. The findings highlight the need for targeted training, stronger policy integration, and trust-building initiatives to foster sustained CIS participation. 
Ultimately, this study strengthens SME resilience in South Africa's digital economy and lays the groundwork for future research on sector-specific and regional variations in CIS practices.

Description

Master in information technology
