Evaluating Cybersecurity Investment Strategies in a Medium-Sized Enterprise: A Case Study of a Growing POS Service Provider in Indonesia

Ryan Adhi Nugraha; Muhammad Hafizhuddin Hilman; Setiadi Yazid; Eko Yon Handri

doi:10.59261/jequi.v8i2.310

Authors

Ryan Adhi Nugraha Universitas Indonesia
Muhammad Hafizhuddin Hilman Universitas Indonesia
Setiadi Yazid Universitas Indonesia
Eko Yon Handri Universitas Indonesia

DOI:

https://doi.org/10.59261/jequi.v8i2.310

Keywords:

cybersecurity strategy, medium-sized enterprise, proactive security, reactive security, SaaS POS

Abstract

Background: As mid-sized businesses use third-party integrations on services like SaaS-based POS systems, cybersecurity expands potential avenues of attack. Many of these organizations engage in reactive cybersecurity, or waiting until something happens instead of preventing it. In the face of increasingly complex organizational architecture, it is imperative to reevaluate whether these reactive approaches are still adequate in guaranteeing operational continuity and data safety.

Objective: This research is performed to investigate whether a reactive approach of cybersecurity may still suffice for a medium sized company that expands its operation in Indonesia, which runs over the SaaS POS platform.

Method: The study uses a qualitative single-case study design. The data were collected through semi-structure interviews with business and engineering stakeholders, triangulated by supporting organizational documents. Data were analyzed through rubric-based qualitative coding and mapped against a literature-derived reactive–proactive cybersecurity posture rubric in regard to incident response, budget allocation, and layered security infrastructure.

Results: The results suggest daily operational readiness is limited by symptom-driven detection systems, periodic and manual monitoring practices, and response schedules dependent on unstructured coordination with follow-ups. There are baseline preventive controls, but many program-level capabilities are nascent—everything from centralized telemetry and alerting, to consistent incident workflow with remediation tracking, balanced against a systematic and periodic cadence of assurance.

Conclusion: ..

Downloads

Download data is not yet available.

References

Abdelrazek, M. A., Grundy, J., & Ibrahim, A. S. (2015). Improving Tenants’ Trust in SaaS Applications Using Dynamic Security Monitors. 2015 20th International Conference on Engineering of Complex Computer Systems (ICECCS), 70–79. https://doi.org/10.1109/ICECCS.2015.18

Ahmad, A., Maynard, S. B., Desouza, K. C., Kotsias, J., Whitty, M. T., & Baskerville, R. L. (2021). How can organizations develop situation awareness for incident response: A case study of management practice. Computers & Security, 101, 102122. https://doi.org/10.1016/j.cose.2020.102122

Alpi, K. M., & Evans, J. J. (2019). Distinguishing case study as a research method from case reports as a publication type. Journal of the Medical Library Association, 107(1). https://doi.org/10.5195/jmla.2019.615

Belkina, M., Daniel, S., Nikolic, S., Haque, R., Lyden, S., Neal, P., Grundy, S., & Hassan, G. M. (2025a). Implementing generative AI (GenAI) in higher education: A systematic review of case studies. Computers and Education: Artificial Intelligence, 8, 100407. https://doi.org/10.1016/j.caeai.2025.100407

Berisha, G., & Pula, J. S. (2015). Defining Small and Medium Enterprises: a critical review. In Academic Journal of Business, Administration, Law and Social Sciences, 1(1). www.iipccl.org

Carvalho, N., Adão, T., Morais, R., Costa, A. R., & Peres, E. (2025). Cybersecurity in Precision Agriculture: a short review and a practical status assessment over mySense IoT-based platform. Procedia Computer Science, 256, 255–266. https://doi.org/10.1016/j.procs.2025.02.119

Chaudhary, S., Gkioulos, V., & Katsikas, S. (2022). Developing metrics to assess the effectiveness of cybersecurity awareness program. Journal of Cybersecurity, 8(1). https://doi.org/10.1093/cybsec/tyac006

Chauhan, M., & Shiaeles, S. (2023). An Analysis of Cloud Security Frameworks, Problems and Proposed Solutions. Network, 3(3), 422–450. https://doi.org/10.3390/network3030018

de Bruin, R., & von Solms, S. H. (2015). Modelling Cyber Security Governance Maturity. 2015 IEEE International Symposium on Technology and Society (ISTAS), 1–8. https://doi.org/10.1109/ISTAS.2015.7439415

Dong, K., Lin, R., Yin, X., & Xie, Z. (2021). How does overconfidence affect information security investment and information security performance? Enterprise Information Systems, 15(4), 474–491. https://doi.org/10.1080/17517575.2019.1644672

Fredrick, S., Singh, P., & V, R. (2023). Cyber Threat Monitoring and Incident Response with IntelliWatch SIEM. 2023 International Conference on Sustainable Communication Networks and Application (ICSCNA), 209–215. https://doi.org/10.1109/ICSCNA58489.2023.10370155

Furnell, S., Heyburn, H., Whitehead, A., & Shah, J. N. (2020). Understanding the full cost of cyber security breaches. Computer Fraud & Security, 2020(12), 6–12. https://doi.org/10.1016/S1361-3723(20)30127-5

Gao, X., Qiu, M., Wang, Y., & Wang, X. (2023). Information security investment with budget constraint and security information sharing in resource-sharing environments. Journal of the Operational Research Society, 74(6), 1520–1535. https://doi.org/10.1080/01605682.2022.2096506

Gupta, D., Elluri, L., Jain, A., Moni, S. S., & Aslan, O. (2024). Blockchain-Enhanced Framework for Secure Third-Party Vendor Risk Management and Vigilant Security Controls. 2024 IEEE International Conference on Big Data (BigData), 5577–5584. https://doi.org/10.1109/BigData62323.2024.10825025

Herath, H. S. B., & Herath, T. C. (2008). Investments in Information Security: A Real Options Perspective with Bayesian Postaudit. Journal of Management Information Systems, 25(3), 337–375. https://doi.org/10.2753/MIS0742-1222250310

Herath, T. C., Herath, H. S. B., & Cullum, D. (2022). An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks. Information Systems Frontiers. https://doi.org/10.1007/s10796-022-10246-9

Jardine, E. (2018). Mind the denominator: towards a more effective measurement system for cybersecurity. Journal of Cyber Policy, 3(1), 116–139. https://doi.org/10.1080/23738871.2018.1472288

Kamble, A., & Dhotre, P. (2025). Centralized Security Monitoring for Effective Threat Detection and Analysis. 2025 IEEE 5th International Conference on ICT in Business Industry & Government (ICTBIG), 1–6. https://doi.org/10.1109/ICTBIG68706.2025.11323853

Khan, S., Kabanov, I., Hua, Y., & Madnick, S. (2023). A Systematic Analysis of the Capital One Data Breach: Critical Lessons Learned. ACM Transactions on Privacy and Security, 26(1), 1–29. https://doi.org/10.1145/3546068

Kumar J. Y., Dhaarna, S. R. C. A., Johrawanshi, A., Gupta, M., Choudhary, D. K., & Pandey, A. (2024). Cybersecurity Frameworks: A Roadmap for Business Resilience. 2024 International Conference on Cybernation and Computation (CYBERCOM), 102–108. https://doi.org/10.1109/CYBERCOM63683.2024.10803234

Le, N. T., & Hoang, D. B. (2016). Can maturity models support cyber security? 2016 IEEE 35th International Performance Computing and Communications Conference (IPCCC), 1–7. https://doi.org/10.1109/PCCC.2016.7820663

Lindkvist, A., Hoglund, E., & Djebbar, F. (2025). Cybersecurity Practices, Challenges and Posture in Small and Medium Enterprises: A Survey-Study in Sweden. European Conference on Cyber Warfare and Security, 24(1), 838–847. https://doi.org/10.34190/eccws.24.1.3579

Liu, C., & Babar, M. A. (2026). Corporate cybersecurity risk and data breaches: A systematic review of empirical research. Australian Journal of Management, 51(1), 62–92. https://doi.org/10.1177/03128962241293658

Liu, M., Shore, M., Yeoh, W., Jiang, F., & Zeadally, S. (2025). Toward effective cybersecurity management: a hierarchical process model with performance assessment. Journal of Cybersecurity, 11(1). https://doi.org/10.1093/cybsec/tyaf020

Li, Y., & Xu, L. (2021). Cybersecurity investments in a two-echelon supply chain with third-party risk propagation. International Journal of Production Research, 59(4), 1216–1238. https://doi.org/10.1080/00207543.2020.1721591

López-Ortega, E., Canales-Sanchez, D., Bautista-Godinez, T., & Macias-Herrera, S. (2016). Classification of micro, small and medium enterprises (M-SME) based on their available levels of knowledge. Technovation, 47, 59–69. https://doi.org/10.1016/j.technovation.2015.10.001

Magdy E. H., & Crispm, J. (2026). Assessing Industry 4.0 adoption in Cairo SMEs: a study on manufacturing sector. International Journal of Computer Integrated Manufacturing, 39(4–5), 705–726. https://doi.org/10.1080/0951192X.2025.2545481

Martinsuo, M., & Huemann, M. (2021). Reporting case studies for making an impact. International Journal of Project Management, 39(8), 827–833. https://doi.org/10.1016/j.ijproman.2021.11.005

McCormack, L., & Bendechache, M. (2026). The Trustworthy AI Maturity Model (TAIMM): Integrating ethics and regulation across the AI lifecycle. Journal of Responsible Technology, 26, 100156. https://doi.org/10.1016/j.jrt.2026.100156

Mohammad, M. H. G., Mohammad, A. N., Ahmad, A. A. F., Abdel, K. A. K., & Abu, H. Y. (2026). Cybersecurity spending and IT capability development: The mediating role of IT governance effectiveness. EDPACS, 71(5), 82–92. https://doi.org/10.1080/07366981.2025.2564773

Monev, V. (2021). The “Self-Assessment” Method within a Mature Third-Party Risk Management Process in the Context of Information Security. 2021 International Conference on Information Technologies (InfoTech), 1–7. https://doi.org/10.1109/InfoTech52438.2021.9548373

Naseer, A., Naseer, H., Ahmad, A., Maynard, S. B., & Siddiqui, A. M. (2023). Moving towards agile cybersecurity incident response: A case study exploring the enabling role of big data analytics-embedded dynamic capabilities. Computers & Security, 135, 103525. https://doi.org/10.1016/j.cose.2023.103525

Nitz, L., Akbari Gurabi, M., Cermak, M., Zadnik, M., Karpuk, D., Drichel, A., Schäfer, S., Holmes, B., & Mandal, A. (2025). On Collaboration and Automation in the Context of Threat Detection and Response with Privacy-Preserving Features. Digital Threats: Research and Practice, 6(1), 1–36. https://doi.org/10.1145/3707651

Olipp, N., Jöbstl, L., & Woschank, M. (2026). Factors of success and challenges of the transformation of the production and logistics system from a linear to a circular model in Austrian small and medium-sized enterprises. Cogent Engineering, 13(1). https://doi.org/10.1080/23311916.2025.2599578

Oriola, O., Adeyemo, A. B., Papadaki, M., & Kotzé, E. (2021). A collaborative approach for national cybersecurity incident management. Information & Computer Security, 29(3), 457–484. https://doi.org/10.1108/ICS-02-2020-0027

Patterson, C. M., Nurse, J. R. C., & Franqueira, V. N. L. (2023). Learning from cyber security incidents: A systematic review and future research agenda. Computers & Security, 132, 103309. https://doi.org/10.1016/j.cose.2023.103309

Pech, M., & Vrchota, J. (2020). Classification of Small- and Medium-Sized Enterprises Based on the Level of Industry 4.0 Implementation. Applied Sciences, 10(15), 5150. https://doi.org/10.3390/app10155150

Qin, Y., Yang, X., Yang, L.-X., & Huang, K. (2025). Mitigating Social Engineering Attacks Through Cost-Effective Security Awareness Training Policy. IEEE Transactions on Network Science and Engineering, 12(4), 3145–3158. https://doi.org/10.1109/TNSE.2025.3556927

Romanosky, S. (2016). Examining the costs and causes of cyber incidents. Journal of Cybersecurity, tyw001. https://doi.org/10.1093/cybsec/tyw001

Saad, M. A. T. (2026). Economic impact of cybersecurity breaches on organizational sustainability. EDPACS, 1–14. https://doi.org/10.1080/07366981.2025.2602630

Sawik, T., & Sawik, B. (2022). A rough cut cybersecurity investment using portfolio of security controls with maximum cybersecurity value. International Journal of Production Research, 60(21), 6556–6572. https://doi.org/10.1080/00207543.2021.1994166

Schulze, F., Dallasega, P., Alfnes, E., & Sgarbossa, F. (2026). The mitigation effect of Industry 4.0 technologies on Lean implementation barriers in Engineer-to-Order companies: A Multiple Case Study. Production Planning & Control, 37(2), 128–152. https://doi.org/10.1080/09537287.2025.2468449

Shaikh, F. A., & Siponen, M. (2023). Information security risk assessments following cybersecurity breaches: The mediating role of top management attention to cybersecurity. Computers & Security, 124, 102974. https://doi.org/10.1016/j.cose.2022.102974

Suhonen, T., & Martínez, C. (2023). Continuous Auditing and Continuous Certification in MEDINA – Security Auditor’s View. Open Research Europe, 3, 208. https://doi.org/10.12688/openreseurope.16703.1

Tariq, S., Baruwal Chhetri, M., Nepal, S., & Paris, C. (2025). Alert Fatigue in Security Operations Centres: Research Challenges and Opportunities. ACM Computing Surveys, 57(9), 1–38. https://doi.org/10.1145/3723158

Tuyishime, E., Balan, T. C., Cotfas, P. A., Cotfas, D. T., & Rekeraho, A. (2023). Enhancing Cloud Security—Proactive Threat Monitoring and Detection Using a SIEM-Based Approach. Applied Sciences, 13(22), 12359. https://doi.org/10.3390/app132212359

Wang, X., Li, W. W., Leung, A. C. M., & Yue, W. T. (2024). To alert or alleviate? A natural experiment on the effect of anti-phishing laws on corporate IT and security investments. Decision Support Systems, 179, 114173. https://doi.org/10.1016/j.dss.2024.114173

Wang, Y., & Xu, F. (2026). Optimal cybersecurity investment with collaborative defense in scale-free supply chain networks: a stochastic game-based dynamic programming approach. International Journal of Production Research, 1–13. https://doi.org/10.1080/00207543.2026.2653814

Younus, Z. S., & Alanezi, M. (2023). Detect and Mitigate Cyberattacks Using SIEM. 2023 16th International Conference on Developments in ESystems Engineering (DeSE), 510–515. https://doi.org/10.1109/DeSE60595.2023.10469387

Zhong, C., Zaza, S., & Bartelt, V. (2024). Understanding Communication Preferences in Collaborative Cybersecurity Incident Response. Proceedings of the 2024 Computers and People Research Conference, 1–1. https://doi.org/10.1145/3632634.3655851