Cybersecurity as a Dynamic Capability: How Micro and Small Social Enterprises Build Digital Resilience

Despite the increasing digitalisation of organisational processes, the cybersecurity capability of micro and small social enterprises remains substantially underexamined within Information Systems research. These organisations occupy a critical yet vulnerable position in the digital ecosystem, handling sensitive beneficiary data while operating with informal structures, limited technical expertise, and mission-driven resource priorities. Existing cybersecurity maturity models assume formal governance and stable resources, providing limited insight into how capability emerges in such contexts. Addressing this gap, this study adopts a qualitative, inductive approach based on 23 semi-structured interviews with owners and managers of UK social enterprises to investigate how cybersecurity capability is developed and enacted in practice. Drawing on the Dynamic Capabilities View, the analysis reveals that cybersecurity capability in social enterprises is constituted through three interrelated and iterative dimensions: technical (readiness, prior exposure, and data sensitivity), organisational (informal coordination, training, and partnership-based support), and psychological (risk perceptions, ethical responsibility, and mission-driven motivation). The findings advance theory by showing that capability development does not follow linear maturity stages but emerges through experiential learning, social capital mobilisation, and values-aligned adaptation. The study contributes an empirically grounded Cybersecurity Capability Framework that explains how resource-constrained, mission-driven organisations sense threats, seize available resources, and reconfigure practices to maintain digital resilience. Practical implications highlight how managers, policymakers, and support organisations can strengthen cybersecurity capability by leveraging collaborative networks, informal learning mechanisms, and mission-aligned security practices. This work extends IS scholarship by illuminating an overlooked organisational form and by reconceptualising cybersecurity capability as a dynamic, context-dependent socio-technical process.