Exploring MSMEs Cybersecurity Awareness and Risk Management : Information Security Awareness

The use of information technology in the management of Micro, Small, and Medium Enterprises (MSMEs) is not limited to business performance and productivity but also aspects of data security and transactions using various mobile, website, and desktop-based applications. This article offers an idea to explore cybersecurity awareness and risk management of MSME actors who adopt information technology. The research method used is qualitative with a case study approach in the Coffeeshop X business and the Y Souvenir business in Salatiga City, Central Java, Indonesia. The data collection technique used in-depth interviews, observation

235 reconstruction of the model that connects cybersecurity and risk management to realize information security resilience based on the MSME business scale.

METHODS
The research method used is a qualitative method with a case study approach to MSME actors in the Coffeeshop and Souvenir business sectors. As an effort to maintain the privacy of MSME actors and the MSME brand, this study uses the initials of the Coffeeshop business identity and the Souvenir business to become the Coffeeshop X business and the Souvenir Y business. Meanwhile, the location of this research is in Salatiga City, Central Java Province, Indonesia. The considerations for adopting a qualitative method and a case study approach are as follows. First, the perspective of MSME actors in the Coffeeshop and Souvenir business sector accumulates from various dimensions related to educational, economic, and sociocultural backgrounds. The knowledge, attitudes, and behavior of system users describe complex processes or dynamics. Second, information security awareness is a private consideration for MSME actors in the Coffeeshop and Souvenir business sector to manage risks that can cause business losses. Third, the output of this study is the result of a description of the thoughts of MSME actors in the Coffeeshop and Souvenir business sector, which is communicated with the results of previous studies to present novelty and contribute to scientific developments in the field of cybersecurity and risk management.  Figure 1 represents the stages of this research. In the first stage, the formulation of the research problem is converted into a research question: first, how is the awareness of Coffeeshop X and Souvenirshop Y entrepreneurs towards information security?; second, how is information security risk management at Coffeeshop X and Souvenirshop Y? based on the formulation of this problem, the data collection process was carried out by conducting in-depth interviews, observations, and document studies. After obtaining the required data and information, the triangulation process is used to analyze the relevance between in-depth interviews, observation, and document studies results. The key informants involved in the indepth interview process have the following qualification standards. First, the informant is an MSME actor in the Coffeeshop and Souvenir business sector. Second, informants use information technology for product marketing and digital transactions. Third, MSME actors in the Coffeeshop and Souvenir business sectors have adopted information technology for product marketing and digital transactions for more than three years. Based on these qualification standards, in-depth interviews were conducted with the owners and employees of the Coffeeshop X business and the Souvenir Y business. The key informant from the Coffeeshop X business was VN, while the key informant from the Souvenir Y business was RRK. Observations technique were applied by observing the MP application process by owners and employees in managing digital transaction data (Coffeeshop X business) and using IN and WA applications for marketing and digital transactions (Souvenir Y business). Meanwhile, the study of documents related to the Coffeeshop X business transaction data and the Souvenir Y business is confidential.  Table 1 results from data processing interviews with owners and employees regarding information security awareness by owners and employees of the Coffeeshop X business and the Y Souvenir business. In the Coffeeshop X and Souvenir Y business context, both owners and employees have knowledge that can be categorized as a medium. However, the attitude of system users regarding Cybersecurity and protection of private matters is still relatively low. In addition, the behavior of system users related to Cybersecurity, risky online behavior, and secure behavior is still relatively low. Based on the results of interviews with Coffeeshop X business employees, the vulnerability aspect that affects the attitudes and behavior of system users is trust in teamwork empowerment. It is following the results of interviews with OI: "We have to admit that our understanding of cybercrime and cybersecurity is still minimal because we do not have an educational background in information technology. However, we are aware of several things related to the rise of cases of data loss due to being stolen by hackers, fraud through websites that are intentionally created to trap users, and other cases. Such information makes us more alert to limit the use of hardware that has installed the MP application, specifically to serve orders and payments. The MP application is a website-based information system that can be used on Smartphone devices with low specifications and is directly connected to the business owner's account. Each employee has created an account and password, and employee number of monitoring the work Based on the results of interviews with OI as the owner of the Coffeeshop X business, it can be seen that digital technology operations for transactions and marketing are part of the selftaught learning process, the results of discussions, and participation in informal education. In the Coffeeshop X business context, the barista has a dual role as an employee in charge of serving digital transactions (orders and payments) and an employee who mixes drinks according to consumer demand. Especially for food products, baristas only make reservations on the MP application. In contrast, the provision of food according to consumer demand will be prepared by the kitchen (chef and assistant chef). The barista's dual role in handling food and beverage transaction services demands talent in action and knowledge of the features of a capable MP application. Baristas who have experience operating MP applications will share knowledge with other employees to reduce the risk of fraud and conflicts due to misunderstandings due to errors or negligence of system users when using the MP application.
In the Coffeeshop X business context, team performance is one of the benchmarks for improving business performance. Trust between the owner and the barista as an employee who handles the payment process for food and beverage products plays an essential role in determining the continuity of teamwork in the Coffeeshop X business. Therefore, one form of controlling employee performance to reduce problems arising from vulnerability is the policy of creating employee accounts in the MP application. Thus, the owner can monitor the process of recording purchase transactions based on employee accounts and ask for personal accountability if there is a discrepancy in the audit results between the recorded digital transactions reported and the attached purchase notes (printed). The obstacle identified from the barista's dual role as an employee in charge of mixing coffee and recording digital transactions (orders and payments) at Coffeeshop X is information security awareness that affects the effectiveness and efficiency of digital and manual transaction services. The money storage (cash machine) and MP application hardware (tablet) are located on the same table as the coffee maker without strict supervision, relying only on trust. The barista account is in an operational condition, so irresponsible people can misuse it. In addition, the MP application is a website-based information system that employees can access from personal smartphones by entering the username and password that the owner as the administrator has created. It indicates a high risk of misuse of system user accounts so that it requires attitudes and behaviors that are aware of data or information security.
In terms of quantity, the barista on duty is limited to two people by changing working hours. Consumers who want to order or pay for food and beverage products must wait in front of the cashier until the barista is ready to record digital transactions (orders and payments). The barista does not provide an order confirmation question in the payment process according to the table number but based on the characteristics of the food and beverage product ordered previously. It can cause a technical error, namely the customer's reservation code being swapped, so it takes 10-15 minutes to solve the problem. Meanwhile, other customers have to stay in line or are asked to wait until the issue is resolved or one of the baristas on duty is ready to serve the ordering process manually. Based on the business conditions of Coffeeshop X, it can be seen that knowledge about information security is moderate, but attitudes and behavior are still relatively low (low). Ignorance of private information can be hacked and cause harm to employees and the workplace through various means such as hacking, phishing, and malware [15]. The possibility of data loss is very high if the device that has installed a digital transaction recording application is also used to access social media and other websites [24]. In addition, to optimize business performance, the risks of various business activities related to information security awareness of system users need to be increased [25]. Business performance relies heavily on data to measure sales achievement based on the targeted period, so the data security structure is written in the Standard Operational Procedure and must be applied by every system  [26]. Cybersecurity, especially Information Security Awareness for coffee shop business SMEs (owners and employees), shows that business information security awareness (knowledge, attitudes, and behavior) needs to be optimized to minimize the risk of cybercrime that harms the business.
In the context of the MSME business Souvenir Y, digital marketing using the IN social media application has an essential role in supporting the sustainability of the Souvenir Y business. Business owners can do product marketing independently by documenting souvenirs based on price and size characteristics using smartphone devices. Meanwhile, customer trust in the Souvenir Y business is mobilized by the availability of information in reviews or testimonials from consumers who have a history of purchasing transactions with the Souvenir Y business before. On the other hand, Souvenir Y's knowledge of Cybersecurity and Cyber Crime is still relatively low. Based on the results of interviews with Souvenir Y business owners, it can be seen that the inadequate knowledge of Cybersecurity and Cyber Crime Souvenir Y is caused by educational backgrounds that are not related to information technology. In addition, the attention of business owners is more dominant on business opportunities and market segmentation, compared to the vulnerability of data or business information from digital applications. This is following the results of interviews with RRK: Based on the results of interviews with key informants, namely RRK as the owner of the Souvenir Y business, it can be seen that knowledge about Cybersecurity and Cyber Crime is still relatively low. Nevertheless, the attitude and behavior of using the system for product marketing through IN social media can be categorized as a medium. As a social media account owner for the Souvenir Y business, the password for account security is updated regularly. Furthermore, all emails and passwords from business social media accounts have been recorded manually as an anticipatory form of various risks of losing or forgetting passwords. In addition, hardware or Smartphones used for business are different from smartphones used for personal purposes, thus avoiding multiple potential personal omissions that harm Souvenir Y's business. It shows that knowledge about Cybersecurity and Cyber Crime that is not deep does not always indicate the same attitude and behavior. In the Souvenir Y business context, attitudes and behaviors regarding information or data security awareness can be categorized as a medium stage. Souvenir Y owners always pay attention to the security of social media accounts used to market Souvenir Y products. In addition, the trigger for information security awareness has a relationship with the characteristics of the business being run, where consumer confidence in Souvenir Y's business processes lies in buyer reviews of the products sold. In online shops, several previous studies have shown that consumer satisfaction is influenced by the quality of services applied by online shop entrepreneurs [27]. Therefore, online shop owners must implement quality promotional strategies through websites and social media [28]. Consumer confidence in online business activities is influenced by service quality [29] and ease of transaction [30]. In addition, consumer perceptions of previous transaction history also affect consumer confidence [31].

Cybersecurity Awareness : Risk Management for Information Security Issues
Cybersecurity awareness has a significant relationship with risk management for business information security [23]. [32] Shows that the risks related to Cybersecurity that need to be managed in a business are as follows: partner trust; information theft; insufficient protection of cargo in transit; plant malfunctioning; counterfeit products; failure of IT equipment; product specification fraud; manipulation of data; poor cryptographic decisions; insufficient protection of cargo in transit. It shows that the components related to Cybersecurity awareness in the business realm are holistic and need to be studied contextually. The Sources of risk in the Coffeeshop business can be analyzed based on supply risk, operational risk, and customer risk. The Customer risk aspect is dominant in the Coffeeshop business because of the business characteristics that rely on services and food or beverage products. Some factors influence consumers to choose coffeeshop characteristics based on location, cost, atmosphere, facilities, food, and beverages. Consumer perceptions of the services provided by coffee shop owners and employees also affect consumer loyalty and willingness to pay [33]. Therefore, the product marketing management applied by the Coffeeshop Business manager must be representative of product quality, as well as consumer preferences. Meanwhile, the authentication of food and beverage products and services that reflect the characteristics of a coffee shop is an essential part of attracting consumers' attention. Based on the features of the Coffeeshop business, the concept of risk management based on aspects of supply risk, operational risk, and customer risk becomes relevant.
In addition to coffee shops, the concept of risk management based on aspects of supply risk, operational risk, and customer risk is also relevant to the characteristics of the souvenir business. Souvenir business can be managed individually, group, or professional business entity [34]. Raw materials and the features of Souvenir products also vary according to consumer preferences. Product marketing can be applied conventionally and digitally depending on the financial capabilities of the business owner [35]. Finally, souvenir products relate to the memories or socio-cultural identity of the people in an area or country. The Souvenir business offers material aspects and cultural aspects, namely the value attached to the Souvenir product [36]. Thus, the Souvenir business entrepreneur seeks to manage various risks related to supply risk, operational risk, and customer risk, as shown in Table 2 below.  Table 2 is a source of risks related to Cyber Security in a business context. In Coffeeshop X's business, risk management strategies for Cyber Security can be analyzed from three aspects: supply risk, operational risk, and customer risk. Expressly, risk management for supply risk is limited to the risk management of vendor credential theft. Meanwhile, risk management for operational risk is limited to product specification fraud and data theft risk management. Meanwhile, risk management for customer risk is risk management for cases of data manipulation, unauthorized access to customer data, false communications, information sabotage, unauthorized payment gateways, and intellectual property theft. Coffeeshop X's business has business processes that involve vendors as suppliers of raw materials. Meanwhile, information regarding the vendor's credentials is confidential, so the risk of disseminating vendor information needs to be anticipated. The Coffeeshop X business seeks to protect member data as permanent consumers and transaction history by consumers. Purchase data is confidential, which is only used by the owner of the Coffeeshop X business. In addition, original product specifications, in this case, raw materials and seasonings for the manufacture of specialty drinks and food products belonging to the Coffeeshop X business, are also confidential. There are rules for baristas in recording payment transactions via cash or transfer to a predetermined account number.
This study shows a fundamental difference between the risk management of the Coffeeshop X business and the Souvenir Y business. The risk management of the Coffeeshop X business is procedural and complex because it involves more than one system user. Meanwhile, the business process for marketing is carried out by the owner, while the production of food and beverages is explicitly handled by the kitchen (chef and assistant chef). Furthermore, the brewing and reservation sections are operated by the barista who doubles as an admin. It is different from the Souvenir business risk management, which is managed at the micro-level. It emphasizes the security of consumer data and information accumulated in the Souvenir Y business digital communication media (WA applications and IN social media). Case studies on Coffeeshop X and Souvenir Y in risk management show that the customer risk aspect is dominant, compared to the supplier risk and operational risk aspects. Thus it can be seen that the study of risk management related to information security awareness in MSMEs cannot be generalized and needs to be reviewed contextually based on business characteristics, products, market segmentation, business processes, number of workers, and technology used. This study offers a model for realizing information security resilience by linking cybersecurity awareness and risk management in learning information security resilience for Micro, Small, and Medium Enterprises (MSMEs). The construction of ideas for designing models is interpreted based on various negligence of business actors in understanding business processes and the needs of technology tools. In addition, the dominance of socio-cultural aspects in the economic dimension, especially in business, has led to the indecisiveness of system access mobility based on user authority. Also, through Coffeeshop X and Souvenirshop Y, the use of information technology tends to follow the trend or popularity of the market without understanding the scale of the business and the business processes involved. In addition, employees who work at Coffeeshop X and Souvenirshop Y can access the system without any usage restrictions based on authority so that they are vulnerable to abuse.

Engange Cybersecurity Awareness and Risk Management for Information Security Resilience in MSMEs
In Micro, Small, and Medium Enterprises (MSMEs), professional teamwork tends to be weak because the working relationship is dominated by mutual trust between business owners and working employees. Therefore, a professional attitude in administrative matters needs to be applied as a work culture by reminding various aspects of information security vulnerabilities that may occur and the risk of employee negligence on business continuity. In the context of Coffeeshop X and Souvenirshop Y, a work culture that relies on social values needs to be balanced with the value of professionalism that adheres to the business system. It is necessary to reduce business obstacles caused by the lack of awareness about cybersecurity without proper risk management. This study offers a constructive idea to realize information security resilience in MSMEs, as shown in Figure 2.  Figure 1 is a recommendation from this research for efforts to maintain information security based on the results of cybersecurity and risk management analysis, namely: first, reclassification of business security levels based on the characteristics of technology devices used to support business processes; second, limiting the mobility of system users based on the employee's authority which the business owner has validated; third, rebuilding the value of professional teamwork in administrative matters; fourth, remind employees regularly about the vulnerability aspects of business information security. These four things are reconstructed from the results of the Coffeeshop X and Souvenirshop Y case studies. Previous studies examining cybersecurity and risk management in the MSME sector have not presented a contextual idea regarding maintaining business information security based on business characteristics. Through this study, the description of the Coffeeshop and Souvenirshop business processes that are managed independently or based on a team needs to pay attention to the resilience of information security caused by weak knowledge, attitudes, and behavior. Moreover, running a business by ignoring the risk of information security in supply, operational, and customer aspects.
The limitation in this research is the reconstruction of ideas that rely on micro and small-scale businesses from a holistic study of MSMEs. In addition, the adoption of qualitative methods as an approach that prioritizes the depth of information has ignored the generalization of the MSME business. However, this research has succeeded in capturing the characteristics of 1 242 MSME businesses in Indonesia, especially on the micro and small scale, which still shows gaps in previous research. The recommendation for further research is to compare the results of this study by connecting aspects of cybersecurity, risk management aspects with the business model canvas in case studies that represent the characteristics of Micro, Small, and Medium Enterprises in Indonesia. Thus, this kind of research can contribute to the development of science in business system security that connects information technology, information systems, economics, and MSMEs.

CONCLUSIONS
This research shows that team-managed businesses have a higher vulnerability than individual-managed businesses. Based on case studies on MSME Coffeeshop X and Souvenir Y, the use of information systems for recording transactions and product marketing involving more than one system user has a higher level of vulnerability than information systems for transactions processing and product marketing operated by one person. According to the aspects of knowledge, attitude, and behavior, the classification of information security awareness shows that the level of expertise about Cybersecurity and Cyber Crime at a low or medium level is not always the same as the level of attitude and behavior of system users. It shows that the level of knowledge, attitudes, and behavior about information security awareness is highly dependent on product characteristics, business processes, and the number of system users. Furthermore, risk management at Coffeeshop X and Souvenir Y is very dominant in customer risk compared to supplier risk and operational risk. Thus it can be seen that the study of risk management related to information security awareness in MSMEs cannot be generalized and needs to be reviewed contextually based on business characteristics, products, market segmentation, business processes, number of workers, and technology used. This study offers an idea to overcome this problem, namely by considering the following four aspects: first, reclassification of business security levels based on the characteristics of technology devices used to support business processes; second, limiting the mobility of system users based on the employee's authority which the business owner has validated; third, rebuilding the value of professional teamwork in administrative matters; fourth, remind employees regularly about the vulnerability aspects of business information security. Thus, information security resilience is realized for business continuity.