Securing the Digital Edge: How Security Management Mediates
the Impact of ICT Infrastructure on Firm Performance
in Emerging Markets

2.1 Conceptual overview

This study integrates two complementary theoretical perspectives: (1) the Resource-Based View (RBV) and its dynamic capabilities extension, which frames ICT adoption as a strategic, value-generating resource; and (2) the Routine Activity Theory (RAT), adapted to the organizational level, which explains why firms exposed to crime victimization invest more intensively in protective mechanisms that, in turn, improve operational resilience and performance outcomes.

2.2 Theoretical foundations

2.2.1 Resource-based view and dynamic capabilities

The Resource-Based View, formulated by Wernerfelt (1984) and systematized by Barney (1991), posits that sustained competitive advantage derives from firm-specific resources that are valuable, rare, inimitable, and non-substitutable (VRIN). ICT assets — hardware infrastructure, internet connectivity, and the human capital capable of exploiting them — constitute strategic resources that enable firms to generate superior performance outcomes (Bharadwaj, 2000; Melville et al., 2004). Building on RBV, Teece et al. (1997) introduced the dynamic capabilities perspective, emphasizing that firms must continuously sense opportunities, seize them through resource reconfiguration, and transform operational routines. Aral and Weill (2007) demonstrate that IT assets generate positive spillovers across the firm, enabling broader capability development.

2.2.2 ICT as an enabler of e-commerce

E-commerce represents the most visible and economically significant form of digital market participation for firms (Zhu et al., 2006). The Technology–Organization–Environment (TOE) framework (Tornatzky & Fleischer, 1990) establishes that technology readiness — operationalized through ICT infrastructure and internet access — is a primary determinant of e-commerce adoption. Zhu and Kraemer (2005) show that technology competence directly drives e-commerce value creation in a cross-national sample. Hajli et al. (2015) and Barbu et al. (2021) demonstrate positive effects of ICT investment on online sales performance in emerging market firms. For Peruvian SMEs specifically, Heredia Pérez et al. (2022) document that internet access and digital capability are the strongest predictors of online sales adoption.

2.2.3 Routine activity theory applied to business security

Cohen and Felson's (1979) Routine Activity Theory proposes that crime occurs when a motivated offender, a suitable target, and the absence of a capable guardian converge. In its organizational adaptation, firms constitute targets when visible, accessible, and weakly protected. Exposure to criminal victimization is expected to increase firms’ investment in protective measures — physical security, surveillance technology, insurance, and cybersecurity infrastructure (Boba Santos, 2013; Holt & Bossler, 2016). Digitally endowed firms are better positioned to implement sophisticated security responses because they possess the ICT infrastructure necessary to integrate these systems.

2.2.4 Security management as a strategic resource for firm performance

Security investment is increasingly recognized not merely as a cost center but as a strategic resource that protects firm value and enables operational continuity (Gordon & Loeb, 2002; Anderson & Moore, 2006). Firms that invest in adequate security systems reduce expected losses from criminal activity, maintain operational continuity, and signal reliability to business partners (Böhme et al., 2015). Gordon and Loeb's (2002) model demonstrates that optimal security investment increases with the value of assets at risk, providing a theoretical rationale for why security investment is concentrated among larger, more digitally endowed firms. Kankanhalli et al. (2003) and Cavusoglu et al. (2004) confirm that organizational security investment positively affects firm performance through risk reduction.

2.3 Research hypotheses

Drawing on the portfolio perspective and the Oslo Manual taxonomy, we formulate the following nine testable hypotheses, summarized in Table 1:

2.4 Contextual rationale: Peru as an emerging market setting

Peru exhibits significant heterogeneity in firm-level ICT endowment and security exposure, maximizing variance in key constructs. According to INEI (2024), 44.9% of surveyed firms report internet access, while only 21.2% engage in any form of digital commerce, suggesting that infrastructure endowment does not automatically translate into e-commerce adoption. 15.3% of firms report having been victims of at least one criminal act in 2023. This combination of digital heterogeneity and security vulnerability makes Peru’s firm-level data uniquely valuable for investigating the co-evolution of digitalization and security management as drivers of business performance — a gap identified by Katz and Callorda (2019) and Cirera and Maloney (2017) in the Latin American business development literature.

3.1 Research design and data source

This study employs a cross-sectional, quantitative research design grounded in secondary microdata from Peru’s Annual Economic Survey 2024 (Encuesta Económica Anual, EEA 2024), conducted by the Instituto Nacional de Estadística e Informática (INEI). The EEA 2024 is a nationally representative establishment-level survey covering the 2023 fiscal year. Microdata access was obtained through INEI’s Microdata Catalogue (https://proyectos.inei.gob.pe/microdatos/). This study uses three thematic modules: (i) Chapter 01 — firm identification; (ii) ICT Module — digital infrastructure, internet access, human capital, and e-commerce; and (iii) Security Module — crime victimization, security measures adopted, and security expenditure. The inner join of the ICT and Security modules yielded a matched sample of 10,327 firms, of which 9,966 constitute the analytical sample after listwise deletion (missing rate < 0.5%).

3.2 Sample characteristics

The analytical sample comprises 9,966 firms distributed across 14 economic sectors ( Table 2). Commerce and Manufacturing (SME) are the largest sectors, representing 29.8% and 22.8% of the sample, respectively, with approximately 42% of observations concentrated in Metropolitan Lima.

3.3 Operationalization of variables

All constructs are derived from validated survey items in the EEA 2024. Multi-item constructs were scored as the mean proportion of affirmative responses (0–1). Table 3 provides the full operationalization.

3.4 Analytical strategy: Structural equation modeling

3.4.1 Justification of the SEM approach

Structural Equation Modeling (SEM) is appropriate because: (1) the model involves multiple simultaneous equations with endogenous mediators; (2) the hypotheses include both direct and indirect (mediated) effects; and (3) SEM explicitly accounts for measurement error (Hair et al., 2019; Kline, 2016; Byrne, 2016). Given the non-normal distribution of several indicators — e-commerce adoption (Skewness = 3.70; Excess Kurtosis = 14.27) — we employ Full Information Maximum Likelihood (FIML) estimation with robust standard errors (Satorra–Bentler correction). Model estimation used semopy v2.3 in Python (Meshcheryakov & Igolkina, 2021).

3.4.2 Model specification

The structural model comprises three recursive blocks:

3.4.3 Model evaluation criteria

We evaluated model fit using multiple indices following standard SEM guidelines ( Table 4). These include comparative fit indices (CFI, TLI), absolute fit indices (RMSEA, SRMR), and relative chi-square (χ²/df ).

3.4.4 Mediation analysis

Indirect effects were computed as the product of path coefficients ( ${\beta }_a\times {\beta }_b$ ), following Baron and Kenny (1986) and Sobel (1982). Bootstrap confidence intervals (5,000 replications) were also computed to provide bias-corrected significance tests for indirect effects.

3.5 Common method bias assessment

Harman’s single-factor test: the first unrotated factor explained 18.7% of total variance (well below the 50% threshold), providing no evidence of pervasive common method variance (Podsakoff et al., 2003). The architectural separation of ICT and Security modules — administered as separate questionnaire chapters — further reduces same-source bias. The dependent variable (C8) is an administrative categorical variable, not a self-reported perceptual measure, providing a procedural remedy for CMV.

3.6 Multicollinearity diagnostics

All variance inflation factors (VIF) are below 2.0, substantially below the threshold of 10 (Hair et al., 2019), indicating that multicollinearity does not constitute a threat. Detailed VIF diagnostics for each construct are presented in Table 5.

4.1 Descriptive statistics and bivariate correlations

Table 6 reports the descriptive statistics for all constructs (N = 9,966). ICT Infrastructure (C1) shows a mean of 0.578 (SD = 0.206). Internet access (C2) is present in 44.9% of firms. E-commerce adoption remains nascent: means of 0.021 for both C4 and C5 indicate fewer than 8% of firms engage in any form of digital commerce. Criminal victimization (C6) affects 15.3% of firms; Security Management (C7) averages 0.257 (SD = 0.258), with the IQR (0.000–0.444) suggesting a bimodal distribution. Large and medium-sized firms (C8) represent 63.3% of the sample.

Table 7 presents the Pearson correlation matrix. ICT Infrastructure (C1) exhibits the strongest bivariate associations with Security Management (r = 0.441, p < 0.001) and Firm Performance (r = 0.482, p < 0.001). The complete correlation structure is visualized in Figure 1.

Figure 1. Pearson correlation matrix for all nine constructs (N = 9,966).

*** p < 0.001, ** p < 0.01, * p < 0.05.

Source: EEA 2024, INEI.

4.2 Structural model results

Table 8 presents the standardized path coefficients, standard errors, t-statistics, and p-values for all structural paths.

4.3 Model fit

To assess the adequacy of the structural model, we evaluated fit indices following standard SEM guidelines ( Table 9). Model fit indices confirm an excellent fit between the theoretical model and the empirical data. CFI (0.988) and TLI (0.976) both exceed the 0.95 threshold. RMSEA (0.028) is well below 0.06. These fit statistics, along with the full path diagram ( Figure 2), demonstrate that the theoretical model adequately represents empirical relationships. The χ²/df ratio above 3.0 is expected with N > 9,000 given the χ² statistic’s sensitivity to large samples (Kline, 2016).

Figure 2. Full path diagram of the three-block recursive SEM model.

CFI = 0.988, TLI = 0.976, RMSEA = 0.028, GFI = 0.986. Solid lines = significant paths (p < 0.001). Source: EEA 2024, INEI.

Source: semopy v2.3 estimation on EEA 2024 microdata.

4.4 Hypothesis testing

All nine hypotheses were supported ( Table 10). ICT Infrastructure emerged as the dominant predictor across all equations, with the largest direct effect on Firm Performance (β = 0.327, p < 0.001). Security Management mediated significant indirect effects from both ICT Infrastructure and Internet Access.

4.5 Effect sizes and explanatory power

Cohen’s f² values confirm the economic significance of the structural relationships. Block 2 (Security Management): R² = 0.220, f² = 0.282 — medium-to-large effect. Block 3 (Firm Performance): R² = 0.290, f² = 0.408 — large effect. Block 1 (E-commerce Sales: R² = 0.046, f² = 0.048; Procurement: R² = 0.018, f² = 0.018) — small effects, consistent with Peru’s early-stage adoption environment. ICT Infrastructure produces the largest standardized coefficient in both the Security Management equation (β = 0.356) and the Firm Performance equation (β = 0.327).

4.6 Mediation analysis: Indirect effects

Table 11 presents the decomposition of total effects into direct and indirect components.

4.7 Sector-level analysis

Table 12 presents construct means by economic sector. Universities (ICT Infra = 0.738; Internet = 0.926; Security = 0.422) and Electricity & Energy (ICT Infra = 0.689; Security = 0.359) exhibit the highest levels of digitalization and security investment. Transport & Communications (Victimization = 0.184) and Commerce (Victimization = 0.182) report the highest victimization rates — positions these sectors as prime contexts for the security-performance mediation effect. Sector-level heterogeneity is illustrated in Figure 3.

Figure 3. Construct means by economic sector (N = 9,966). Sectors sorted by ICT infrastructure mean.

Source: EEA 2024, INEI.

4.8 Unexpected finding: Negative effect of digital human capital on performance

Digital Human Capital (C3) exhibits a small but statistically significant negative direct coefficient on Firm Performance (β = −0.032, p < 0.001). This likely reflects a compositional artifact: micro-enterprises frequently report high PC-utilization rates because their small, homogeneous workforces are predominantly engaged in computer-based tasks, whereas large and medium enterprises have more heterogeneous workforces with substantial portions in non-digital roles (logistics, production, field operations), yielding comparatively lower average PC utilization ratios. The indirect effect of C3 through e-commerce is positive (β = +0.040 × 0.197 = +0.008), partially offsetting the negative direct path.

5.1 Overview and theoretical integration: The digital resilience framework

This study provides robust evidence for a three-block theoretical architecture where ICT infrastructure, security management, and firm performance co-evolve (R² = 0.220 for Security; R² = 0.290 for Performance). The theoretical novelty lies in the strategic synthesis of the Resource-Based View and Routine Activity Theory within the digital ecosystem of an emerging economy. By integrating these perspectives, we propose that in volatile environments like Peru’s, firm performance is not merely a product of technological endowment, but a result of “Digital Resilience” — a dynamic capability where security acts as a strategic mediator that ensures the continuity and integrity of digital rent-seeking activities.

5.2 Implications for emerging markets: The resilience gap

Our findings challenge the technological determinism prevalent in studies from developed economies. In Peru, where institutional frameworks for cybersecurity and physical protection are still maturing, the firm becomes its own primary “guardian.” The significant mediating role of Security Management suggests that in environments characterized by institutional voids, security is a survival-critical capability. Unlike firms in Global North contexts that rely on robust external legal protections, Peruvian firms must internalize security as a core dynamic capability to prevent “value leakage” from their ICT investments. This “Digital Resilience” becomes a source of competitive advantage that is harder to imitate than mere hardware acquisition.

5.3 Block analysis and boundary conditions

ICT Infrastructure is the dominant predictor across all equations (β = 0.356 in Security; β = 0.327 in Performance). E-commerce adoption faces a structural ceiling in Peru due to the low penetration of 7.8%. The non-significant path from E-commerce to Security (β = 0.014, p = 0.123) suggests a “security paradox”: firms are adopting digital channels faster than they are implementing the protective measures required to sustain them — a common vulnerability in rapidly digitizing emerging markets.

6.1 Theoretical contributions

This research extends RAT to the organizational level, demonstrating that the “capable guardian” mechanism is mediated by technological endowment. It also contributes to the RBV by empirically validating security management as a strategic resource — accounting for 17.6% of the total effect of ICT on performance. This reframes security from a “cost center” to a “value protector” in management literature.

6.2 Managerial implications

6.3 Policy implications

6.4 Limitations and future research

While the sample size provides exceptional statistical power, the cross-sectional nature of EEA 2024 limits causal claims. Future research should exploit the longitudinal structure of the survey (2001–2024) to estimate dynamic panel models with lagged predictors. Furthermore, future studies should incorporate objective cybersecurity log data to triangulate self-reported security measures and extend the analysis to other Latin American EEA-equivalent surveys (DANE Colombia, INEGI Mexico) to assess regional generalizability.