{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,5]],"date-time":"2026-05-05T02:56:07Z","timestamp":1777949767587,"version":"3.51.4"},"reference-count":43,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2025,7,1]],"date-time":"2025-07-01T00:00:00Z","timestamp":1751328000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2025,7,1]],"date-time":"2025-07-01T00:00:00Z","timestamp":1751328000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2025,3,17]],"date-time":"2025-03-17T00:00:00Z","timestamp":1742169600000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100000266","name":"Engineering and Physical Sciences Research Council","doi-asserted-by":"publisher","award":["EP\/X037282\/1"],"award-info":[{"award-number":["EP\/X037282\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Computers &amp; Security"],"published-print":{"date-parts":[[2025,7]]},"DOI":"10.1016\/j.cose.2025.104448","type":"journal-article","created":{"date-parts":[[2025,3,16]],"date-time":"2025-03-16T11:26:45Z","timestamp":1742124405000},"page":"104448","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":11,"special_numbering":"C","title":["Investigating the experiences of providing cyber security support to small- and medium-sized enterprises"],"prefix":"10.1016","volume":"154","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3962-7305","authenticated-orcid":false,"given":"Neeshe","family":"Khan","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Steven","family":"Furnell","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0741-5199","authenticated-orcid":false,"given":"Maria","family":"Bada","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-2446-0259","authenticated-orcid":false,"given":"Matthew","family":"Rand","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4118-1680","authenticated-orcid":false,"given":"Jason R.C.","family":"Nurse","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"78","reference":[{"key":"10.1016\/j.cose.2025.104448_bib0001","doi-asserted-by":"crossref","unstructured":"Adams, W.C. (2015). Conducting semi-structured interviews. Handbook of practical program evaluation, 492\u2013505. https:\/\/doi.org\/10.1002\/9781119171386.ch19.","DOI":"10.1002\/9781119171386.ch19"},{"key":"10.1016\/j.cose.2025.104448_bib0002","doi-asserted-by":"crossref","first-page":"27","DOI":"10.1016\/j.cose.2014.01.001","article-title":"Protecting organizational competitive advantage: a knowledge leakage perspective","volume":"42","author":"Ahmad","year":"2014","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2025.104448_bib0003","series-title":"2020 international conference on cyber situational awareness, data analytics and assessment (CyberSA)","first-page":"1","article-title":"Cybersecurity risk management in small and medium-sized enterprises: a systematic review of recent evidence","author":"Alahmari","year":"2020"},{"key":"10.1016\/j.cose.2025.104448_bib0004","doi-asserted-by":"crossref","DOI":"10.1016\/j.techsoc.2024.102670","article-title":"Exploring the economic role of cybersecurity in SMEs: a case study of the UK","volume":"78","author":"Arroyabe","year":"2024","journal-title":"Technol. Soc."},{"issue":"3","key":"10.1016\/j.cose.2025.104448_bib0005","doi-asserted-by":"crossref","first-page":"393","DOI":"10.1108\/ICS-07-2018-0080","article-title":"Developing cybersecurity education and awareness programmes for small-and medium-sized enterprises (SMEs)","volume":"27","author":"Bada","year":"2019","journal-title":"Inf. Comput. Secur."},{"issue":"1","key":"10.1016\/j.cose.2025.104448_bib0006","doi-asserted-by":"crossref","first-page":"42","DOI":"10.46303\/repam.2022.3","article-title":"Sample size for interview in qualitative research in social sciences: a guide to novice researchers","volume":"4","author":"Bekele","year":"2022","journal-title":"Res. Educ. Policy Manag."},{"key":"10.1016\/j.cose.2025.104448_bib0007","series-title":"Proceedings of the 4th Annual ACM Conference on Research in Information Technology","first-page":"11","article-title":"Evolution of cybersecurity issues in small businesses","author":"Bhattacharya","year":"2015"},{"key":"10.1016\/j.cose.2025.104448_bib0008","series-title":"Thematic analysis: a Practical Guide","author":"Braun","year":"2021"},{"key":"10.1016\/j.cose.2025.104448_bib0009","doi-asserted-by":"crossref","DOI":"10.1016\/j.cosrev.2023.100592","article-title":"A quest for research and knowledge gaps in cybersecurity awareness for small and medium-sized enterprises","volume":"50","author":"Chaudhary","year":"2023","journal-title":"Comput. Sci. Rev."},{"key":"10.1016\/j.cose.2025.104448_bib0010","doi-asserted-by":"crossref","first-page":"85701","DOI":"10.1109\/ACCESS.2022.3197899","article-title":"A survey on the cyber security of small-to-medium businesses: challenges, research focus and recommendations","volume":"10","author":"Chidukwani","year":"2022","journal-title":"IEEe Access."},{"key":"10.1016\/j.cose.2025.104448_bib0011","series-title":"Cybersecurity Breaches Survey 2024","year":"2024"},{"issue":"3","key":"10.1016\/j.cose.2025.104448_bib0012","doi-asserted-by":"crossref","DOI":"10.1080\/17517575.2021.1942997","article-title":"The severity and effects of Cyber-breaches in SMEs: a machine learning approach","volume":"17","author":"Fernandez De Arroyabe","year":"2023","journal-title":"Enterp. Inf. Syst."},{"key":"10.1016\/j.cose.2025.104448_bib0013","series-title":"UK Small Business Statistics: Business Population Estimates for the UK and Regions in 2023","year":"2023"},{"key":"10.1016\/j.cose.2025.104448_bib0014","series-title":"Discovery of Grounded theory: Strategies for Qualitative Research","author":"Glaser","year":"2017"},{"issue":"2","key":"10.1016\/j.cose.2025.104448_bib0015","doi-asserted-by":"crossref","first-page":"69","DOI":"10.23919\/SAIEE.2013.8531867","article-title":"Ignorance to awareness: towards an information security awareness process","volume":"104","author":"Gundu","year":"2013","journal-title":"SAIEE Afr. Res. J."},{"issue":"3","key":"10.1016\/j.cose.2025.104448_bib0016","doi-asserted-by":"crossref","first-page":"303","DOI":"10.30958\/ajbe.2-3-5","article-title":"What attitude changes are needed to cause smes to take a strategic approach to information security?","volume":"2","author":"Henson","year":"2016","journal-title":"Athens J. Bus. Econ."},{"key":"10.1016\/j.cose.2025.104448_bib0017","series-title":"Human Aspects of Software Engineering","first-page":"1","article-title":"Using grounded theory to study the human aspects of software engineering","author":"Hoda","year":"2010"},{"issue":"3","key":"10.1016\/j.cose.2025.104448_bib0018","doi-asserted-by":"crossref","first-page":"269","DOI":"10.1080\/10919392.2018.1484598","article-title":"Exploring SME cybersecurity practices in developing countries","volume":"28","author":"Kabanda","year":"2018","journal-title":"J. Organ. Comput. Electr. Commerce"},{"key":"10.1016\/j.cose.2025.104448_bib0019","series-title":"The Digital Transformation of SMEs","author":"Kergroach","year":"2021"},{"key":"10.1016\/j.cose.2025.104448_bib0020","unstructured":"Khan, N., Furnell, S., Bada, M., Nurse, J.R., & Rand, M. (2024). Assessing cyber security support for small and medium-sized enterprises. Retrieved from https:\/\/nottingham-repository.worktribe.com\/output\/901361."},{"key":"10.1016\/j.cose.2025.104448_bib0021","first-page":"426","volume":"426","author":"King","year":"2012"},{"key":"10.1016\/j.cose.2025.104448_bib0022","series-title":"NVivo (Version 12.7.0)","year":"2024"},{"issue":"9280","key":"10.1016\/j.cose.2025.104448_bib0023","doi-asserted-by":"crossref","first-page":"483","DOI":"10.1016\/S0140-6736(01)05627-6","article-title":"Qualitative research: standards, challenges, and guidelines","volume":"358","author":"Malterud","year":"2001","journal-title":"Lancet"},{"key":"10.1016\/j.cose.2025.104448_bib0024","series-title":"2023 International Conference on Electrical, Computer and Energy Technologies (ICECET)","first-page":"1","article-title":"Cyber resilience in the entrepreneurial environment: a framework for enhancing cybersecurity awareness in SMEs","author":"Mmango","year":"2023"},{"key":"10.1016\/j.cose.2025.104448_bib0025","series-title":"The Human Computer Interaction Handbook","first-page":"1003","article-title":"Grounded theory method in human-computer interaction and computer-supported cooperative work","author":"Muller","year":"2012"},{"issue":"2","key":"10.1016\/j.cose.2025.104448_bib0026","doi-asserted-by":"crossref","first-page":"190","DOI":"10.1177\/1468794112446106","article-title":"Unsatisfactory Saturation\u2019: a critical exploration of the notion of saturated sample sizes in qualitative research","volume":"13","author":"O'reilly","year":"2013","journal-title":"Qual. Res."},{"issue":"4","key":"10.1016\/j.cose.2025.104448_bib0027","doi-asserted-by":"crossref","first-page":"472","DOI":"10.1093\/comjnl\/bxx093","article-title":"Risk and the small-scale cyber security decision making dialogue\u2014a UK case study","volume":"61","author":"Osborn","year":"2018","journal-title":"Comput. J."},{"issue":"8","key":"10.1016\/j.cose.2025.104448_bib0028","first-page":"92","article-title":"Cybersecuring small businesses","volume":"49","author":"Paulsen","year":"2016","journal-title":"Computer. (Long. Beach. Calif)"},{"issue":"4-5","key":"10.1016\/j.cose.2025.104448_bib0029","first-page":"257","article-title":"The relation between information security events and firm market value, empirical evidence on recent disclosures: an extension of the GLZ study","volume":"19","author":"Pirounias","year":"2014","journal-title":"J. Inf. Secur. Appl."},{"key":"10.1016\/j.cose.2025.104448_bib0030","series-title":"29th USENIX Security Symposium (USENIX Security 20)","first-page":"89","article-title":"A comprehensive quality evaluation of security and privacy advice on the web","author":"Redmiles","year":"2020"},{"key":"10.1016\/j.cose.2025.104448_bib0031","series-title":"2016 Cybersecurity and Cyberforensics Conference (CCC)","first-page":"137","article-title":"Cybersecurity and the unbearability of uncertainty","author":"Renaud","year":"2016"},{"issue":"5","key":"10.1016\/j.cose.2025.104448_bib0032","doi-asserted-by":"crossref","first-page":"534","DOI":"10.1108\/ICS-09-2015-0041","article-title":"Explaining small business InfoSec posture using social theories","volume":"24","author":"Rohn","year":"2016","journal-title":"Inf. Comput. Secur."},{"key":"10.1016\/j.cose.2025.104448_bib0033","series-title":"Interpretative Phenomenological Analysis","author":"Spiers","year":"2019"},{"issue":"1","key":"10.1016\/j.cose.2025.104448_bib0034","article-title":"Cybersecurity needs for SMEs","volume":"25","author":"Tetteh","year":"2024","journal-title":"Issues Inf. Syst."},{"issue":"1","key":"10.1016\/j.cose.2025.104448_bib0035","first-page":"29","article-title":"Factors influencing cybersecurity risk among minority-owned small businesses","volume":"6","author":"Thompson","year":"2023","journal-title":"Rev. Contemp. Bus. Anal."},{"key":"10.1016\/j.cose.2025.104448_bib0036","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2021.102535","article-title":"Developing decision support for cybersecurity threat and incident managers","volume":"113","author":"van der Kleij","year":"2022","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2025.104448_bib0037","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2023.103693","article-title":"Cybercrime during the COVID-19 pandemic: prevalence, nature and impact of cybercrime for citizens and SME owners in the Netherlands","volume":"139","author":"van de Weijer","year":"2024","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2025.104448_bib0038","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2024.104137","article-title":"Reducing the risk of social engineering attacks using SOAR measures in a real world environment: a case study","volume":"148","author":"Waelchli","year":"2025","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2025.104448_bib0039","unstructured":"Willig, C. (2008). Introducing qualitative research in psychology: adventures in theory and method account."},{"key":"10.1016\/j.cose.2025.104448_bib0040","first-page":"1","article-title":"One size does not fit all: exploring the cybersecurity perspectives and engagement preferences of UK-Based small businesses","author":"Wilson","year":"2024","journal-title":"Inf. Secur. J."},{"issue":"2","key":"10.1016\/j.cose.2025.104448_bib0041","first-page":"397","article-title":"It won't happen to me: surveying SME attitudes to cyber-security","volume":"63","author":"Wilson","year":"2023","journal-title":"J. Comput. Inf. Syst."},{"key":"10.1016\/j.cose.2025.104448_bib0042","article-title":"The role of cybersecurity and policy awareness in shifting employee compliance attitudes: Building supply chain capabilities","volume":"66","author":"Wong","year":"2022","journal-title":"Int. J. Inf. Manag."},{"key":"10.1016\/j.cose.2025.104448_bib0043","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2024.103938","article-title":"Assessing information security culture: a mixed-methods approach to navigating challenges in international corporate IT departments","author":"Zanke","year":"2024","journal-title":"Comput. Secur."}],"container-title":["Computers &amp; Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404825001373?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404825001373?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T04:26:26Z","timestamp":1777868786000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0167404825001373"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7]]},"references-count":43,"alternative-id":["S0167404825001373"],"URL":"https:\/\/doi.org\/10.1016\/j.cose.2025.104448","relation":{},"ISSN":["0167-4048"],"issn-type":[{"value":"0167-4048","type":"print"}],"subject":[],"published":{"date-parts":[[2025,7]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"Investigating the experiences of providing cyber security support to small- and medium-sized enterprises","name":"articletitle","label":"Article Title"},{"value":"Computers & Security","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.cose.2025.104448","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"Crown Copyright \u00a9 2025 Published by Elsevier Ltd.","name":"copyright","label":"Copyright"}],"article-number":"104448"}}