Date of Conferral



Doctor of Information Technology (D.I.T.)


Information Systems and Technology


Jodine Burchell


Some small businesses’ cybersecurity analysts lack strategies to prevent their organizations from compromising personally identifiable information (PII) via external cybersecurity threats. Small business leaders are concerned, as they are the most targeted critical infrastructures in the United States and are a vital part of the economic system as data breaches threaten the viability of these organizations. Grounded in routine activity theory, the purpose of this pragmatic qualitative inquiry was to explore strategies small business organizations utilize to prevent external cybersecurity threats. The participants were nine cybersecurity analysts who utilized strategies to defend small businesses from external threats. Data were collected via online semistructured interviews and the National Institute of Standards and Technology documentation as well as analyzed thematically. Six major themes emerged: (a) applying standards regarding external threats, (b) evaluation of cybersecurity strategies and effectiveness, (c) consistent awareness of the external threat landscape, (d) assessing threat security posture, (e) measuring the ability to address risk and prevent attacks related to external threats, and (f) centralizing communication across departments to provide a holistic perspective on threats. A key recommendation for cybersecurity analysts is to employ moving the target defenses to prevent external cybersecurity threats. The implications for positive social change include the potential to provide small business cybersecurity analysts with additional strategies to effectively mitigate the compromise of customer PII, creating more resilient economic infrastructures while strengthening communities.