Abstract
South African small and medium-sized enterprises (SMEs) play a critical role in national economic growth by driving employment creation and innovation. Many SMEs, however, lack the resources, expertise, and governance structures needed to implement robust network security systems, which leaves them increasingly vulnerable to cyber threats. Existing information security frameworks often fail to capture the contextual realities of these SMEs, where constraints such as limited budgets, skill shortages, and infrastructural challenges continue to complicate information security adoption. To provide insight into these challenges, this study developed a substantive theoretical model, the Theory of Information Security Resilience for SME Network Infrastructure (TISRI), using a grounded theory (GT) approach. Data was collected through in-depth interviews with SME information security practitioners, who were selected through theoretical sampling, as used in GT research, until theoretical saturation was reached at eight participants. This methodological criterion prioritised the conceptual depth that these eight participants provided over sample size. The analysis yielded TISRI, which identifies a taxonomy of SME security management approaches and the interrelationships among resilience factors. The findings contribute theoretically by providing new insights into how SMEs in resource-constrained South African contexts can be adaptive and construct scalable information security practices. Practically, TISRI provides a roadmap for information security practitioners and policy makers seeking to strengthen SME cybersecurity resilience. The study also encourages a broader discourse on SME information security management.