Assessment of Cybersecurity Awareness, Threat Exposure, and Adoption Factors Among Small and Medium-Sized Enterprises in Jinja City, Uganda

Abstract

This study assessed cybersecurity preparedness among small and medium-sized enterprises (SMEs) in Jinja City, Uganda, with four specific objectives: (1) to determine the current level of cybersecurity preparedness, (2) to evaluate the gap between perceived employee awareness and actual security practices, (3) to examine the influence of technological, organizational, and environmental factors on cybersecurity adoption, and (4) to identify key predictors of digital resilience. A mixed-methods approach was employed, guided by the Technology–Organization Environment (TOE) framework. Quantitative data were collected through structured questionnaires from 124 SME respondents, while qualitative insights were obtained through focus group discussions with 13 employees and semi-structured interviews with five (5) key informants. Descriptive statistics and regression analysis were used for quantitative data, complemented by thematic analysis of qualitative data. The findings indicate that cybersecurity preparedness among SMEs in Jinja City is generally low and inconsistent. Although 74.1% of respondents expressed confidence in identifying cyber threats, qualitative evidence revealed that this confidence is largely reactive rather than supported by structured security practices. Cyber threats are prevalent, with 68.6% of SMEs experiencing phishing attempts and 63.7% reporting financial losses due to cyber incidents. Organizational constraints are significant: 39.5% of SMEs lack dedicated IT support, and 74.2% report insufficient internal expertise to manage cybersecurity systems. While 75.0% of managers indicate commitment to cybersecurity, adoption is primarily driven by external pressures particularly competitor incidents (83.1%) rather than proactive strategic planning. Regression results confirm that organizational and technological factors are the most significant predictors of cybersecurity preparedness, while environmental factors exert a secondary influence. Overall, SMEs in Jinja City exhibit a basic and fragile level of cybersecurity readiness. The study concludes that improving SME cybersecurity requires strengthening internal capabilities, promoting proactive management practices, and reducing reliance on reactive, event-driven adoption. It recommends targeted capacity building, adoption of cost-effective security solutions, and contextsensitive regulatory support to enhance digital resilience.