Abstract
This research explored the preparedness of company directors and executive management in the South African business landscape to minimise the risks of cybercrime to organisational performance. Little research has been done in the South African business context on the readiness of companies for the challenges of cybercrime and its latent effects. The Unified Theory of Acceptance and Use of Technology (UTAUT) model is used as the point of departure in this research, and is adapted for the specific regulatory context of South African business and cybercrime management from the perspective of company directors. The research adopted a two-phase, sequential, mixed-methods approach. In the qualitative first phase, one-on-one, semi-structured interviews were conducted with knowledgeable, purposefully selected participants to explore the readiness of company directors to proactively manage cybercrime risks. The analysis of phase 1 resulted in changes to the wording and, in some cases, the number of first-order variables of the UTAUT model proposed by Kabra, Ramesh, Akhtar and Dash (2017). This was done to focus the survey instrument items on the specific South African business context being explored. A pilot survey was then conducted, which led to minor changes to the survey variable statements. Thereafter, the survey link was sent to a broad sample population active at the executive and board levels of South African companies to gather data on the actual readiness of company directors and executive management to manage cybercrime.
The model below diagrammatically represents the proposed changes to the UTAUT.
Figure: Proposed integrated model of cyber risk management and UTAUT
Source: Researcher’s Own Construction, 2023
The key findings from the two phases were that board members and executive management did not feel prepared to mitigate the risks that companies face in relation to cybercrime. The findings suggested that companies were not being proactive in implementing ongoing training strategies to bring their boards and executive teams up to speed with proactive management of these risks. The conclusion of the research was that South African companies could be better prepared to manage cybersecurity risks that threaten the stability and continuity of their organisational performance. The research suggests that companies in South Africa need to invest in training for their boards and executive management in the management of risks from cybercrime. Failing to do so would be a threat to the stability of South African companies and even to the South African economy as a whole. The following suggestions for future research were also posited. Firstly, conducting a similar but narrower study per sector, which would include specific regulatory and governance requirements. Secondly, the exploration of cybercrime management technologies, considering that more risks have been identified. Thirdly, a study of possible corporate governance frameworks for the digital era. Finally, an analysis of cybercrime threats with reference to ICT frameworks.