Someone Else's Problem? How Cyber Security Outsourcing Influences Security Ownership in SMEs
Authors
Jakobsen, Emilie Tiina Frost ; Sørensen, Tanja ; Hansen, Nadja Dalgaard
Term
4. Term
Publication year
2025
Abstract
This thesis examines how IT outsourcing influences IT managers’ attitudes toward cybersecurity in Danish SMEs. The study is motivated by rising regulatory demands and growing cyber threats, while small firms often lack time, budget, and expertise and therefore outsource IT and security to external providers. We conducted one expert interview and seven interviews with Danish SMEs without formal IT departments, followed by a thematic analysis. Findings show that IT responsibility commonly rests with a single individual who also handles other tasks, most SMEs outsource IT and security, and there is a tendency to shift responsibility to providers in the event of an attack. Limited in-house competencies create dependency on service partners. To promote ownership and responsibility, we developed LockEd: a tangible padlock artifact linked via Bluetooth to a tablet app with short tasks and reflection prompts derived from interview insights; the lock physically signals “open/closed” to trigger engagement. An initial evaluation in one SME over one and a half weeks indicated the system was easy to use, engaging, and taught the participant new things; a minor delay was observed, and the participant saw potential for broader use. We discuss how combining a tangible interface with digital content can increase awareness and a sense of responsibility by separating security learning from everyday digital clutter. Limitations include a short test period and a single participant; longer-term and larger-scale studies are needed. The thesis contributes empirical insight and a practical design concept for supporting security ownership in SMEs with outsourced IT.
Denne afhandling undersøger, hvordan outsourcing af IT påvirker IT-chefers holdninger til cybersikkerhed i danske SMV’er. Baggrunden er stigende regulatoriske krav og øgede cybertrusler, mens små virksomheder ofte mangler tid, budget og ekspertise og derfor overlader IT og sikkerhed til eksterne leverandører. Vi gennemførte et ekspertinterview og syv interviews med danske SMV’er uden formel IT-afdeling og analyserede data tematisk. Resultaterne viser, at IT-ansvaret ofte hviler på én person, som samtidig har andre opgaver, at de fleste outsourcer IT og sikkerhed, og at der er en tendens til at placere ansvaret hos leverandøren ved angreb. Mangel på interne kompetencer skaber afhængighed af eksterne parter. For at styrke ejerskab og ansvar udviklede vi LockEd: et fysisk hængelås-artefakt koblet via Bluetooth til en tabletapp med korte opgaver og refleksioner baseret på interviewindsigter; låsen symboliserer “åben/lukket” og aktiverer læring. En indledende evaluering i én SMV over halvanden uge viste, at systemet var let at bruge, engagerende og lærte deltageren nye ting; der blev observeret en mindre teknisk forsinkelse, og der er potentiale for bredere anvendelse. Vi diskuterer, hvordan en kombination af taktilt design og digitalt indhold kan øge opmærksomhed og ansvarsfølelse ved at afgrænse læring fra daglig digital støj. Begrænsningerne omfatter kort testperiode og få deltagere; der er behov for længerevarende og bredere studier. Afhandlingen bidrager med empirisk indsigt og et praktisk designkoncept til at understøtte sikkerhedsejerskab i SMV’er med outsourcet IT.
[This apstract has been generated with the help of AI directly from the project full text]