Operationalizing Managed Detection and Response in SMEs: A Behavioral Framework for Bridging the Resource-Risk Gap
Keywords:
Managed Detection and Response (MDR), SME Cybersecurity, Risk Management, Cybersecurity Self-EfficacyAbstract
Purpose: Small and Medium-sized Enterprises (SMEs) increasingly face sophisticated cyber threats formerly reserved for large corporations. While Managed Detection and Response (MDR) services offer a viable technical solution for 24/7 threat coverage, adoption rates remain suboptimal. This study investigates the intersection of economic constraints and behavioral psychology to understand the barriers preventing SMEs from operationalizing effective cybersecurity.
Design/Methodology/Approach: This paper employs a mixed-methods approach, synthesizing recent data on SME cyber-hygiene with Social Learning Theory. We analyze the relationship between "Cybersecurity Self-Efficacy"—the belief in one’s ability to execute security measures—and the propensity to invest in external MDR services.
Findings: The analysis reveals that financial limitations are not the sole barrier to adoption. Significant correlation exists between low cybersecurity self-efficacy and the rejection of MDR services. SMEs often suffer from an "optimism bias," underestimating insider threats and overestimating the protective capability of basic firewalls. Furthermore, the study identifies that effective MDR service design must incorporate educational components to bridge the confidence gap.
Originality/Value: By integrating behavioral psychology with technical service design, this research proposes a new framework for cybersecurity governance. It moves beyond the binary of "cost vs. security" to highlight how cognitive factors influence risk management decisions in the SME sector.
References
AAG. (2023). The Latest 2023 Cyber Crime Statistics.
Ahn, J. N., Hu, D., & Vega, M. (2019). “Do as I do, not as I say”: Using social learning theory to unpack the impact of role models on students’ outcomes in education. Social and Personality Psychology Compass, 14(2), 1–12.
Alahmari, A., & Duncan, B. (2020). Cybersecurity Risk Management in Small and Medium-Sized Enterprises: A Systematic Review of Recent Evidence. 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment.
Alahmari, A., & Duncan, R. A. K. (2021). Investigating Potential Barriers to Cybersecurity Risk Management Investment in SMEs. Proceedings of the 13th International Conference on Electronics, Computers and Artificial Intelligence.
Ambika, T., & Senthilvel, K. (2020). Cyber Crimes against the State: A Study on Cyber Terrorism in India. Webology, 17(2), 65–72.
Evaluating Self-Efficacy Pertaining to Cybersecurity for Small Businesses. (2020). The Journal of Applied Business and Economics, 22(12), 13–23.
Ključnikov, A., Mura, L., & Sklenár, D. (2019). Information security management in SMEs: factors of success. Entrepreneurship and Sustainability Issues, 6(4), 2081–2094.
Moneva, A., & Leukfeldt, R. (2023). Insider threats among Dutch SMEs: Nature and extent of incidents, and cyber security measures. Journal of Criminology, 56(4), 416–440.
Petrosyan, A. (2023). Number of ransomware attacks worldwide from 1st quarter 2020 to 4th quarter 2022. Statista.
Rae, A., & Patel, A. (2019). Defining a New Composite Cybersecurity Rating Scheme for SMEs in the U.K.
Rae, A., & Patel, A. (2020). Developing a security behavioural assessment approach for cyber rating UK MSBs.
Rajgopal, P. R. (2025). MDR service design: Building profitable 24/7 threat coverage for SMBs. International Journal of Applied Mathematics, 38(2s), 1114-1137.
Shojaifar, A., & Fricker, S. (2020). SMEs Confidentiality Concerns for Security Information Sharing.
Shojaifar, A., & Fricker, S. (2023). Design and evaluation of a self-paced cybersecurity tool.
Yeboah-Ofori, A., & Opoku-Boateng, F. A. (2023). Mitigating cybercrimes in an evolving organizational landscape.
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2025 Samer H. Al-Rahmani
This work is licensed under a Creative Commons Attribution 4.0 International License.
