The Impact of Cyber security Integration on Organizational Risk Management in SMEs:

A Qualitative Multi-Case Study

A Master Thesis

Submitted to the Faculty

of

American Public University

by

Cristian DeWeese

In Partial Fulfillment of the

Requirements for the Degree

of

Master of Arts

December 2025

American Public University

Charles Town, WV

The author hereby grants American Public University the right to display these contents for educational purposes.

The author bears full responsibility for complying with the copyright law of the United States with respect to the inclusion of any material that is neither the author's own creation nor in the public domain.

© Copyright 2019 by Scott Anderson Campbell

All rights reserved.

Declaration

This is my original thesis, and this thesis has not been previously presented to any institution seeking any degree or qualification, either in full or part. All the sources of information have been recognized.

Dedication

To my family and mentors, whose support and positive influence kept me going through this process.

Acknowledgements

I would like to recognize the valuable contribution of my American Public University professors, colleagues and peers. I would like to thank the participating SMEs and their representatives who were able to share their time and knowledge.

ABSTRACT OF THE THESIS

The Impact of Cyber security Integration on Organizational Risk Management in SMEs:

A Qualitative Multi-Case Study

by

Cristian DeWeese

American Public University

Charles Town, WV

SMEs are affected by growing cybersecurity threats and lack the resources and formal strategies to address them. This qualitative multiple-case study examines how SMEs in the healthcare, retail and manufacturing industries have incorporated cyber security into their enterprise risk management (ERM) frameworks and what consequences that incorporation has for organizational resilience. Data were gathered from documents, semi-structured interviews and reflexive notes and were analyzed thematically on a case-by-case basis. The results showed fragmented technical defenses, fragile governance frameworks and an inadequate security culture to be the major challenges, and showed that sector dynamics shape resilience. The study concludes that technical controls alone are not sufficient to sustain cyber security resilience in SMEs; governance, organizational culture, and context-dependent frameworks play a significant role. The findings offer practical suggestions to SME executives and policy makers for promoting cost-effective and responsive integration of cyber security.

Keywords: SMEs, cyber security, enterprise risk management, organizational resilience, qualitative case study.

Table of Contents

Introduction 11
Background and Context 11
Hypothesis: 11
Problem Statement 12
Purpose Statement 13
Research Questions 13
Literature Review 15
Cyber security Integration Challenges in SMEs 16
The Importance of Risk Management Framework 16
Critical Evaluation of Frameworks and Application 19
The Role of Organizational Culture in Cyber security Adoption 19
Real-World Application and Gaps in Literature 22
Conclusion 23
Theoretical Framework 24
Introduction: 24
Enterprise Risk Management (ERM) 24
Socio-technical Integration Approach 26
Application of Frameworks 26
The Strengths of This Framework in the Study 27
Elaborating Theoretical Assumptions 27
Justification of Hypotheses and Research Methods 28
Identifying Key Variables 29
Summary of the Cyber security Risk Management Theory 31
Hypotheses to Be Tested 32
Conclusion 33
Research Design 33
Identification and Operationalization of Variables
Research Design Overview
Qualitative Multiple-Case Study Approach
Sampling and Participant Selection
Data Collection Process 36
Stage 1: Document Collection 37
Stage 2: Semi-Structured Interviews 37
Stage 3: Reflexive Notes 38
Operationalization of Variables 39
Cyber security Practices 39
Organizational Culture 39
Cyber security Breaches 40
Employee Engagement 41
Trustworthiness 41
Limitations 42
Findings, Results, and Discussion 43
Results 43
Cybersecurity Practices 43
Organizational Culture 43
Cybersecurity Breaches 44
Employee Engagement 44
Discussion 45
Significance of Results 45
Relation to Research Questions 45
Correlation with Theoretical Framework 47
Recommendations to Future Research 48
Conclusion 50
References 52

List of Tables

Table 1: Key Variables in Cyber security Risk Management for SMEs 25

List of Figures

Figure 1: https://www.nist.gov/news-events/news/2023/08/nist-drafts-major-update-its-widely-used-cybersecurity-framework 23

Figure 2: Google.com 25

Figure 3: Cybersecurity Risk Management Flow 32

Introduction

Background and Context

Small and medium-sized enterprises (SMEs) have become a vital element of every country's economy, creating jobs and innovation across sectors. However, owing to their limited resources, their inability to recruit cyber security specialists, and their reliance on homemade security systems, SMEs are being targeted by cyber attacks ever more often (Chidukwani et al., 2022). The impact of this shortfall on SMEs is enormous, including lost time to keep the business running, lost money and lost reputation. By integrating cyber security into their risk management, SMEs will be able to enhance their resilience and guard their operations against the increasing intensity and frequency of cyber threats.

In addition, the study is significant to a wide range of stakeholders, including SME management, policy makers and cyber security practitioners. By analyzing how cyber security may be effectively incorporated into ERM plans, the research offers viable solutions that would make SMEs more resilient and secure against the ever-evolving cyber threat landscape. The results of this research will hopefully have practical implications for decision-makers, so that they are better able to navigate the challenges of cyber security and risk management. As reliance on digital systems rises, the resilience of SMEs to cyber attacks is becoming a crucial factor in their survival and success in the marketplace.

Hypothesis:

The failure of SMEs to add cyber security to their risk management strategies contributes to their vulnerability to cyber threats (Abdulrahim, 2019). The hypothesis of the research was that SMEs that successfully introduce cyber security as a risk management approach will be more resilient, experience less operational disruption, and be less susceptible to cyber attacks, which will result in business sustainability over the long term.

Problem Statement

The unsuccessful incorporation of cyber security as a risk management tool in SMEs, which exposes organizations to cyber threats, has been identified as a significant problem in the study by Alahmari and Duncan (2020). Cybercriminals are increasingly targeting SMEs because they do not usually have enough resources, expertise, and governance to be sufficiently prepared against such attacks (Al-Dosari & Fetais, 2023).

Since SMEs, unlike large corporations, cannot afford large investments in advanced technologies and security, they often outsource their security or rely on the most common tools, such as antivirus programs or firewalls. Although these steps offer some respite, they are not usually incorporated into enterprise risk management (ERM) models (Enaifoghe, 2023).

The consequences of this neglect are often severe. It is reported that nearly 60 percent of SMEs that have suffered a major cyber attack go out of business within six months, which demonstrates the devastating effect of an absence of security integration (Benjamin et al., 2024). Nevertheless, a significant number of SMEs still fail to treat cyber security as a business priority and view it as a narrowly technical challenge (Franco et al., 2022). Existing studies have also done little to bridge this gap. Most of the research concentrates on larger companies or on technology-related security solutions without examining how SMEs use cyber security in planning governance, risk, and resilience.

The purpose of this qualitative multiple-case study is to investigate how SMEs integrate cyber security into their overall risk management strategies and to examine the impact of this integration on organizational resilience. The sample of the study is SMEs within different industries, including healthcare, retail and manufacturing, to identify the enablers, barriers, and industry-specific impact that characterize integration (Enaifoghe, 2023). Lastly, the paper was expected to provide both theoretical and practical information to SME executives, policymakers, and cyber security experts (Franco et al., 2022).

Purpose Statement

The proposed qualitative multiple-case study intended to investigate how SMEs make cyber security a part of their overall risk management strategies and how that integration affects organizational resilience. The research aimed to identify the enablers, barriers, and industry-specific impacts that drive integration by focusing on SMEs operating in different industries, namely healthcare, retail, and manufacturing (Enaifoghe, 2023). Finally, the research aimed to deliver scholarly and practical insights that may benefit SME leaders, policymakers, and cyber security practitioners (Franco et al., 2022).

Research Questions

The overall research question that directs this study is:

RQ1: What are the modes used by small and medium-sized enterprises (SMEs) to incorporate cyber security in their comprehensive risk management, and what are the effects of such incorporations with regard to the resilience of the organization? (Kezron, 2024)

Based on this general question, one may come up with a number of sub-questions:

· RQ1a: What governance mechanisms do SMEs use to align cyber security with organizational risk management?

· RQ1b: What processes and capabilities enable or hinder integration in SMEs?

· RQ1c: How do sector-specific factors (e.g., healthcare, retail, and manufacturing) influence cyber security integration?

Literature Review

Cybersecurity has become an increasingly important component for small and medium enterprises (SMEs) to consider as a strategy within their risk management framework as the rate and complexity of cyber threats grow (Ashley & Preiksaitis, 2022). SMEs are now more susceptible to cyber attacks than ever, since with increasing dependence on electronic tools and systems a cyber attack can be disastrous to their operations. Nevertheless, despite the paramount significance of cybersecurity, many SMEs continue to experience great difficulty when attempting to factor such practices into their organizational frameworks.

This challenge is caused by resource constraints, a skills gap, and an inability to balance cyber security against other business operations. It is therefore important that SMEs acknowledge that cyber security is not only a technical problem but a major strategic challenge that must be incorporated into the overall risk management procedures in order to guarantee their resilience and safety in the long term.

Although the literature supports the relevance of cyber security, many SMEs still regard it as a technical issue rather than as part of a holistic risk management strategy (Hoong et al., 2024). Such a knowledge gap may expose SMEs to cyber risks that could otherwise be addressed using more holistic approaches to risk management.

The literature review of this study sought to investigate the particular issues that keep SMEs from embracing cyber security measures, the importance of a risk management model in averting these threats, and the research gaps that the study fills. By addressing these gaps, this work can contribute new knowledge on how SMEs can better integrate cyber security into their risk management practices and, in the end, improve their capacity to withstand and reduce the effects of cyber threats.

Cyber security Integration Challenges in SMEs

The vulnerability of small and medium-sized enterprises (SMEs) to cyber threats is not new and has been well documented in the literature. As Chidukwani et al. (2022) elaborate, most SMEs use cyber security tools in a fragmented and uncoordinated way, for example by merely installing firewalls or antivirus programs. Although these measures are essential, they are most of the time implemented without being included in a larger, more holistic cyber security policy or risk management strategy. This has led to a disjointed security concept that exposes SMEs to sophisticated cyber attacks. Because these individual controls are independent and not connected to a comprehensive defense mechanism, they cannot offer adequate protection against ever more sophisticated threats.

Likewise, Ashley and Preiksaitis (2022) point out that SMEs need to change their approach to cyber security, from seeing it as a technical problem to accepting it as an essential strategic project. Cyber security is not an independent and distinct operation to be considered on its own; it must be part of the overall risk management of an organization. Integrating cyber security into the bigger risk management framework will put SMEs in a better position to fend off changing cyber threats. Such a change of mind is critical to enhancing the resilience of SMEs so that they become better prepared to respond to the constantly increasing demands of cyber dangers in the current digital environment.

The Importance of Risk Management Framework

Some researchers emphasize the importance of a set of frameworks to inform the development of cyber security as part of risk management. Among the tools that SMEs should use, Benjamin et al. (2024) mention internationally accepted standards, including ISO 31000 on risk management, ISO/IEC 27001 on information security, and the NIST Cyber security Framework.

Cyber security frameworks are becoming more widely accepted as adaptable protocols that organizations can use to handle cyber security threats in a systematic manner. These frameworks bring a systematic method through which businesses can identify and manage risks in order to take a proactive approach to cyber security. Nevertheless, these frameworks may be especially difficult for small businesses to adopt, as Krishnan (2024) warns, because small businesses have limited resources.

Nevertheless, he claims that these frameworks can be tailored to prioritize the most important assets, enabling SMEs to scale up their cyber security practices in a resource-efficient and effective manner despite limited resources. By focusing first on their most valuable assets, SMEs can adopt a more targeted method of protecting themselves, which will ensure maximum security with the few resources they currently possess.

In addition, implementing these frameworks in the organizational system of an SME not only makes it more capable of responding to cyber threats, but also helps it create a culture of constant enhancement and risk reduction. When these frameworks are implemented correctly, they can result in a major change in governance, as Herath et al. (2023) state, which will encourage a clearer understanding of risk ownership within the company. This, in turn, helps to align security practices with broader business objectives, making cyber security part of general company policy. As a result of the integration, SMEs will be in a position to create a more secure environment, reduce vulnerabilities, and create a culture of continually evolving cyber security to meet emerging challenges and threats.

Fully established cyber security models are standardized systems that can make SMEs not only more resilient to future threats but also better placed to meet regulatory requirements. These frameworks provide a systematic approach to addressing cyber security and allow SMEs to address short-term and long-term security needs while complying with the security laws of their sector.

However, as with the implementation of any system, there are challenges. Resource allocation and training, as Benjamin et al. (2024) indicate, are the two most prominent obstacles that SMEs adopting this type of system face. These challenges can be particularly difficult for small businesses with a small budget and little experience in this field when they are taking their very first steps toward adopting full-scale cyber security systems.

Regardless of these early difficulties, adopting standardized cyber security systems has long-term benefits that outweigh the short-term challenges. As Benjamin et al. (2024) explain, SMEs may struggle with the implementation process, yet these structures will result in vulnerabilities being mitigated and risks being contained more effectively in the long run. Investment in appropriate resource allocation, training, and system integration not only contributes to the overall effectiveness of the SME's risk management procedures, but also improves its capability to counter cyber threats. The ultimate long-term outcome of using such holistic cyber security systems is a more resilient and secure organization that is capable of anticipating future risks and responding proactively to ever-changing regulatory requirements.

Critical Evaluation of Frameworks and Application

It is recommended that SMEs implement proven models like ISO 31000, ISO/IEC 27001, and NIST to deal with cyber security risks. Nevertheless, these frameworks may be difficult to adopt because of their complexity and the high resource demands they place on organizations, especially in resource-constrained settings (Olagbemide, 2024). They are normally developed for larger organizations that have their own IT departments and large budgets, so they cannot be easily used in SMEs without significant change. Customization helps SMEs scale up their cybersecurity gradually, in line with their capacity, so that they can still enjoy the structured approach without going beyond their limits.

Besides resource constraints, SMEs have problems applying these frameworks because they lack technical expertise (Odio et al., 2021). Though these frameworks offer a rationalized set of guidelines for conducting cyber security activities, they also presuppose a degree of technical competence that most SMEs tend to lack. This imbalance in skills and knowledge is a significant adoption obstacle, arising from the gap between the theoretical framework and the practical capability of smaller enterprises.

SMEs lack the technical knowledge needed to translate the provisions of such frameworks into operational measures that improve their cyber security posture, which makes their quest to improve their cyber security status more complex. This mismatch between the shape of the frameworks and the capacity of SMEs is one of the largest obstacles to the successful implementation of such positive cyber security practices.

Organizational Culture and its role in Cyber security Adoption

Organizational culture plays a role in the successful adoption of cyber security by SMEs. It can heavily determine the manner in which cyber security practices are viewed and executed in an organization. A number of articles point out that a culture focused on security, on constant enhancement, and on interdepartmental cooperation can be very useful in advancing the effectiveness of cyber security strategies.

When staff in different departments collaborate through a unified sense of what constitutes security, the organization at large will be stronger against cyber attacks. Fable (2023) goes further to state that SMEs should develop a culture of security in order to appreciate the need to integrate cyber security with their daily business activities. Organizations that have a robust security culture do not perceive cyber security as a one-time technical exercise or a single duty, but as a continuous and integral part of operations.

Obstacles to Cyber security Integration in SMEs

Despite the growing literature on the importance of implementing cyber security models and practices, SMEs continue to face numerous challenges that disrupt the successful implementation of these measures. Such barriers are frequently associated with financial constraints, a skills shortage in cyber security, and a general lack of interest or knowledge among leaders and workers.

In the vast majority of cases, employees as well as decision-makers are not aware of the significance of cyber security and treat it as a secondary or less important part of their overall business strategy rather than as a necessity. The existence of these barriers makes the implementation of good cyber security practices in the company a challenge. These obstacles can be addressed in more detail to put the challenges SMEs face in adopting cyber security systems into perspective.

Linking Literature to the Study’s Contribution

The existing literature offers useful information on the relevance of cyber security frameworks to SMEs and on the issues SMEs encounter in implementing those frameworks in business processes. But little information is available on how SMEs can realistically implement such frameworks, especially within their limitations of resources and skills. Although the literature also recognizes that SMEs are expected to enact some cyber security controls, as recommended by Pawar and Palivela (2022), it does not specify how these controls can be integrated into the Enterprise Risk Management (ERM) systems of SMEs.

This research provides real-life solutions that SMEs can apply to actual challenges such as a lack of resources, a deficiency in technical expertise, and other business concerns. The research also looks into the ways SMEs could integrate cyber security into their current ERM systems so that they can increase their cyber security efforts in accordance with the resources available to them.

This method can help SMEs focus effectively on cyber security without burdening their operations, maintain a sustainable cyber security practice, and integrate it into their general risk management framework. Through these real-life recommendations, the research provides guidance that can help SMEs overcome the challenges of cyber security more effectively and become more resilient to increasing cyber threats.

Real-World Application and Gaps in Literature

Although a significant amount of the literature has presented valuable frameworks and guidelines, the research gaps in putting these frameworks into practice in SMEs are very large. The literature, according to Johnstone (2021), merely lists the controls that an SME needs to implement and is silent on how those controls can actually be implemented through their Enterprise Risk Management (ERM) systems in practice. This gap implies that further research is needed on the feasibility of applying cyber security practices in SMEs and on the role these interventions play in organizational resilience and risk reduction.

According to the literature, it is possible to apply some significant frameworks that can potentially allow SMEs to treat cyber security as a branch of their risk management strategies (El-Hajj & Mirza, 2024). Whether there is a mismatch between the realization of these structures and the realities on the ground is, however, a serious question because of the resource limitations of SMEs. The proposed research addresses this gap by examining the practicality of cyber security as part of the ERM systems of SMEs and its impact on organizational resilience.

Conclusion

This literature review has identified the challenges that small and medium-sized enterprises (SMEs) encounter in incorporating cyber security into their general risk management plans. It has discussed the importance of introducing an organized risk management system in response to cyber threats and has identified the gaps in the current literature. Although existing studies serve as a valuable source of information on the advantages of frameworks such as ISO 31000, ISO/IEC 27001 or NIST, they tend to ignore the real-life challenges that SMEs face when implementing and using those frameworks.

Figure 1: https://www.nist.gov/news-events/news/2023/08/nist-drafts-major-update-its-widely-used-cybersecurity-framework

Scarce resources, an absence of technical know-how, and organizational resistance are typical challenges that hamper the successful execution of cyber security measures. This review has highlighted that more context-driven solutions are required, which take into account the special conditions of SMEs and provide recommendations on how these organizations may focus on cyber security within the resources at their disposal and their current risk management frameworks.

Theoretical Framework

Introduction:

The increasing frequency and sophistication of cyber attacks have made cyber security a critical concern for organizations of all sizes, including small and medium-sized enterprises (SMEs) (Rawindaran, 2023). Nonetheless, even with increasing awareness of cyber security risks, most SMEs have major problems successfully integrating cyber security within their general business strategy.

This research gap is addressed by the present study, which examines the application of Cyber security Risk Management Theory to assist SMEs in implementing cyber security systems despite the constraints of available resources (Moturi et al., 2021). The theory is helpful because it combines organizational and technological aspects into a holistic approach that SMEs can apply in practice. The paper discusses this issue on the basis of the theory and explains how SMEs can better manage cyber security threats, particularly in limited-resource settings.

Enterprise Risk Management (ERM)

Enterprise Risk Management (ERM) is a formal process that incorporates the identification, analysis, and treatment of risks and their continuous monitoring to ensure that organizations respond to risks in an orderly and suitable way. Cyber security threats cannot be an exception to this process, since they are very dangerous to an organization's operations, reputation, and finances. To mitigate the threat adequately, Jarjoui and Murimi (2021) emphasize that companies should bring cyber security into the ERM framework.

One of the global standards on ERM that offers a holistic and practical approach to risk management is ISO 31000, which ensures that risk management practices are applied throughout an organization. Its applicability to the sphere of cyber security comes in quite handy because it encourages businesses to consider cyber security as a subset of a more comprehensive risk management strategy.

Figure 2: Google.com

The image illustrates the key principles of the ISO 31000 Risk Management model, which is based on continuous improvement, integration, inclusiveness, the significance of human and cultural aspects, and so on. Integrating cyber security into the general ERM framework enables companies to ensure that their approach to cyber threat management aligns with overall organizational objectives and risk management approaches, which by extension makes them more resilient and enables them to address the consequences of cyber security threats more effectively.

Socio-technical Combination Method

The socio-technical perspective on cyber security emphasizes the interdependence of people, process, technology and context in achieving effective security outcomes. Cyber security is not just a technical matter; people's behaviors and organizational structures also contribute to its performance.

Practice of Frameworks

The framework is applied on the basis of its socio-technical philosophy, which holds that effective development of cyber security results from the collective effort of organizational culture, process design, and the human aspect (Ahmad & Teo, 2024). Such models have kept providing significant empirical data on the strong impact of cyber security uptake in the SME sector.

By integrating the ISO 31000 standard and the NIST Cyber security Framework, SMEs can work toward a unified and well-organized method of identifying, assessing, and mitigating possible cyber threats (Sabidi & Zolkipli, 2024). This procedural strategy turns cyber security from a reactive, one-time fix into a living system that is seamlessly integrated with the overall goals of the organization and meets legal requirements as a matter of course. Consolidating these frameworks will help SMEs treat cyber security as a continuous process, so that they deal actively with threats as they arise instead of waiting to respond to an incident after it has already occurred.

Kianpour and Raza (2024) also indicate that formalizing cyber security practices would reduce the likelihood of an SME experiencing high-impact security incidents. Furthermore, integrating these practices into the fundamental work of the organization not only improves cyber security, but also aligns organizations with larger business objectives, so that security arrangements enhance the success and stability of the organization in the long term.
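As an added illustration, not part of the thesis or of any standard's own text, the following Python sketch maps the ERM cycle described in this chapter (identification, analysis, treatment and continuous monitoring, as in ISO 31000) and the identify-assess-mitigate loop discussed with the NIST Cyber security Framework onto a small risk register. It scores each risk as likelihood times impact, orders the register against a risk appetite, assigns a treatment within a fixed budget (the resource constraint the thesis keeps returning to), and then re-scores on new evidence to show which decisions move. The sample risks, scales, thresholds, budget units, decision rule and helper names are constructed assumptions for this example; the CSF function labels are only the standard's core function names used as tags.

```python
"""Toy ERM risk register for a resource-constrained SME.

Added example, not from the thesis. Every risk, scale, threshold, budget
figure and the treatment rule below is a constructed assumption.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Treatment(str, Enum):
    MITIGATE = "mitigate"   # fund a control that lowers likelihood or impact
    TRANSFER = "transfer"   # shift the risk, e.g. cyber insurance or a managed provider
    ACCEPT = "accept"       # within appetite: record the decision and keep monitoring


@dataclass
class Risk:
    name: str
    likelihood: int       # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int           # 1 (negligible) .. 5 (severe), constructed scale
    control_cost: int     # cost of the candidate control, constructed budget units
    csf_function: str     # NIST CSF core function the control sits under, used as a tag
    treatment: Optional[Treatment] = None

    @property
    def score(self) -> int:
        # ISO 31000 "analysis" step reduced to a likelihood x impact product
        return self.likelihood * self.impact


RISK_APPETITE = 6  # constructed threshold: scores at or below it are accepted


def prioritise(register: List[Risk]) -> List[Risk]:
    """Evaluation step: order the register so scarce budget goes to the worst risk first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def treat(register: List[Risk], budget: int) -> int:
    """Treatment step: assign one treatment per risk within a fixed budget.

    Returns the unspent budget. The decision rule (accept within appetite,
    mitigate while money remains, otherwise transfer) is an assumption of
    this example, not a rule taken from the thesis or from ISO 31000.
    """
    remaining = budget
    for risk in prioritise(register):
        if risk.score <= RISK_APPETITE:
            risk.treatment = Treatment.ACCEPT
        elif risk.control_cost <= remaining:
            risk.treatment = Treatment.MITIGATE
            remaining -= risk.control_cost
        else:
            risk.treatment = Treatment.TRANSFER
    return remaining


def monitor(register: List[Risk], updates: Dict[str, Tuple[int, int]], budget: int) -> List[str]:
    """Monitoring step: re-score risks from new evidence and re-run treatment.

    `updates` maps a risk name to its new (likelihood, impact). Returns the
    names of risks whose treatment changed, so the risk owner sees exactly
    what the new information moved.
    """
    before = {r.name: r.treatment for r in register}
    for risk in register:
        if risk.name in updates:
            risk.likelihood, risk.impact = updates[risk.name]
    treat(register, budget)
    return sorted(r.name for r in register if before[r.name] != r.treatment)


def build_sample_register() -> List[Risk]:
    """Constructed sample risks for a small clinic-style SME; all values are illustrative."""
    return [
        Risk("Ransomware on file server", 4, 5, control_cost=8, csf_function="Protect"),
        Risk("Phishing credential theft", 5, 3, control_cost=3, csf_function="Protect"),
        Risk("Lost unencrypted laptop", 3, 2, control_cost=2, csf_function="Protect"),
        Risk("Key vendor outage", 2, 4, control_cost=6, csf_function="Recover"),
    ]


def treatments(register: List[Risk]) -> Dict[str, str]:
    """Snapshot of the current decision per risk, for reporting or assertions."""
    return {r.name: r.treatment.value for r in register if r.treatment is not None}


if __name__ == "__main__":
    reg = build_sample_register()
    unspent = treat(reg, budget=10)
    for r in prioritise(reg):
        print(f"{r.score:>3}  {r.csf_function:<8} {r.treatment.value:<9} {r.name}")
    print("unspent budget:", unspent)
    # New evidence: phishing is now judged to have severe impact; see what moves.
    changed = monitor(reg, {"Phishing credential theft": (5, 5)}, budget=10)
    print("treatment changed after monitoring:", changed)
```

With a budget of 10 the first pass funds the ransomware control, transfers the two risks it can no longer afford and accepts the laptop risk. Raising the impact of phishing to severe re-orders the register and flips three decisions at once, which is the point of the monitoring step: a single re-score changes where the SME's limited budget is spent, not just one line of the register.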

The Strengths of This Framework in the Study

Elaborating Theoretical Assumptions

The model outlines how cyber security concepts might be incorporated into a risk management system within small and medium-sized enterprises (SMEs) and the significance of the human factor in that effort. The synthesis of these frameworks also fills the gap between technical solutions and organizational culture, since it concerns the possibility of using the tools successfully in SMEs, which depends not only on implementing the tools but also on the correspondence of the tools to organizational values and practices (Georgiadou et al., 2022).

This method allows the ways of preventing cyber security threats in SMEs to be studied more thoroughly and subtly, as it focuses on both the socio-cultural and the technical aspects of the matter. According to Sikder (2023), such a dynamic acts as a self-synchronizing assimilation of technology, human behavior, and organizational functioning, which drive cyber security as an ongoing process rather than a reactionary response. Through these intersections, the strategy makes cyber security part and parcel of the organization, not a one-time solution to a problem.

Generally speaking, such an approach gives the study great strength, as it provides a theoretical frame beyond the technical sphere of cyber security. It introduces the significance of a holistic and active way of ensuring successful cyber security outcomes by identifying the essential roles of organizational commitment and organizational culture. This perception brings out the reality that a holistic approach to cyber security does not depend solely on the application of technology, but rather on the culture of security within the company. With organizational commitment and organizational culture aligned with the goal of cyber security, the organization becomes more apt to prevent and manage cyber threats, and cyber security remains an ongoing, integral aspect of the business process.

Justification of Hypotheses and Research Methods

The advantage of the chosen theoretical frameworks is that they help explain the significance of placing cyber security decision-making in the larger context of Enterprise Risk Management (ERM). Integrating cyber security into the ERM strategy enables SMEs to treat cyber threats as a subset of their overall risk management process rather than as an isolated challenge. This combined strategy not only aligns cyber security objectives with business objectives but also improves the organization's ability to foresee, prevent and respond to cyber threats.

The theoretical assumptions provide a strong basis for the hypothesis that embedding cyber security solutions within the ERM framework leads to greater resilience and risk management capability in small and medium-sized enterprises (SMEs).

Treating cyber security as a strategic and continuous component of the organization's risk management process helps the enterprise improve its overall capacity to resist cyber-attacks, minimize weaknesses and recover faster when an attack does occur. Such alignment would help SMEs build a more robust infrastructure that improves both their proactive protection and their response to changing cyber threats.

Identifying Key Variables

To manage cyber security threats successfully, SMEs should consider several variables that determine whether cyber security activities succeed: risk treatment, risk monitoring, employee engagement, organizational culture and resource allocation. These key variables, and their relevance to applying a cyber security framework within SMEs, are summarized in Table 1.

Table 1: Key Variables in Cyber security Risk Management for SMEs

Variable | Description | Relevance to SMEs
Risk Treatment | Methods and strategies used to handle identified cyber security risks. | High
Risk Monitoring | Ongoing tracking and assessment of risks to ensure they are effectively managed. | Essential
Employee Engagement | Involvement of employees in cyber security practices, training, and compliance. | High
Organizational Culture | The role of company culture in encouraging cyber security best practices. | Critical
Resource Allocation | The availability of financial and human resources to implement cyber security. | Limited

Table 1 lists the variables that are essential to successful cyber security risk management in SMEs, including risk treatment, employee engagement and resource allocation, and indicates their relevance to SMEs in the last column. Risk treatment and risk monitoring are the key variables highlighted by the Enterprise Risk Management (ERM) model, which emphasizes the systematic identification, assessment and management of risks across the organization. The model follows a proactive, structured method in which risks are continually reassessed and addressed over time. By contrast, the socio-technical model emphasizes the human and organizational elements of cyber security integration and holds that organizational culture and employee engagement are the most significant determinants of success.

Such socio-technical factors are critical to the success of cyber security processes because they build a work environment in which all stakeholders in the organization take an active interest in protecting systems and data. The ERM and socio-technical frameworks can be combined into a comprehensive framework for understanding how technical and social aspects together lead to effective cyber security practices. This combination enables the study to offer a comprehensive view of how an organization can successfully deal with cyber risks by harmonizing its culture and processes with technological solutions (Jean-Jules & Vicente, 2021).

Summary of the Cyber security Risk Management Theory

Cyber security Risk Management Theory provides a framework for understanding how organizations assess, mitigate and manage cyber security risks (Melaku, 2023). The theory combines the principles of risk assessment, organizational culture and cyber security controls. According to this theory, effective cyber security management balances technical factors (e.g. firewalls, antivirus software) with organizational factors (e.g. culture, employee training, strategic alignment).

The assumptions of the theory are as follows:

Risk Assessment: Risk management succeeds only when potential cyber security threats are identified and evaluated (Bokan & Santos, 2021). This involves evaluating external risks (e.g., cyber-attacks) and internal risks (e.g., employee negligence).

Cyber security Policies and Controls: Once risks have been evaluated, organizations establish policies and technical controls to reduce them (Parsola, 2023). These measures are effective only when they form part of the organization's overall business strategy.

Organizational Culture: Organizational culture is central to cyber security practice. A security-conscious culture is what makes cyber security a collective responsibility of the whole organization rather than of the IT department alone.

The interactions of these components in the framework are shown in the diagram below:

Figure 3: Cyber security Risk Management Flow

The model indicates that an organization's cyber security strategy should not be considered in isolation but as a component of its overall risk management (Victor-Mgbachi, 2024).

Hypotheses to Be Tested

Based on Cyber security Risk Management Theory, the following hypotheses about the links between cyber security strategies and organizational culture are tested:

1. Hypothesis 1: According to Cyber security Risk Management Theory, a cyber security breach is less likely in SMEs that have a formal cyber security risk management strategy than in SMEs that do not.

2. Hypothesis 2: Challenges related to formal cyber security risk management systems (e.g., ISO/IEC 27001, NIST) are expected to be encountered more frequently by resource-poor than by resource-rich SMEs (Vance, 2025).

3. Hypothesis 3: A security-attentive organizational culture positively influences the adoption and implementation of cyber security frameworks among SMEs.

The study tests these hypotheses by gathering and interpreting data on SMEs in various industries: their approach to cyber security, their organizational culture, and the interdependence among these factors.

Conclusion

This theoretical perspective provides a firm foundation of knowledge about cyber security threats at the level of SME management. Within the notion of Cyber security Risk Management, this research investigates cyber fatalism in small businesses, emphasizing the difficulties SMEs face with formal cyber security frameworks and the influence of organizational culture on the adoption of those frameworks.

Research Design

The qualitative multiple-case research design was well suited to the present study because it allowed a comprehensive investigation of how cyber security can serve as a risk management tool in SMEs operating in different sectors of the economy, namely healthcare, retail and manufacturing.

Collection and Formulation of Variables

Cyber security practices, organizational culture, cyber security breaches and employee engagement are the variables of greatest significance to the current study. These measures are defined in the Operationalization of Variables section below.

Overview of Research Design

The main aim of this study was to examine the adoption of cyber security within the ERM systems of small and medium-sized enterprises (SMEs), and how resilient companies become after integrating it. The study seeks to answer the research question: how can cyber security be included in the enterprise risk management (ERM) process of SMEs, and how does including it in ERM affect the resilience of the firm? What I understand as the motivation of this question is that this will make all those different mechanisms which have been built up

Qualitative Multi-Case Analysis

The Qualitative Multi-Case Analysis approach was chosen to address the research questions in an exploratory manner and to provide an understanding of how cyber security is adopted by SMEs. This approach suits complex, applied problems that are close to practice, such as cyber security, where deep knowledge of organizational procedures and industry processes is required. It enabled an overall view of how cyber security practices are implemented across different cases, which can be a useful source of information about the problem and the approaches available to SMEs.

According to Creswell (2009), a case study design also enables the investigation of a phenomenon in its natural environment and thus a more profound examination of how cyber security is incorporated into the overall risk management system. In addition, selecting several cases from different industries (healthcare, retail and manufacturing) enabled the researcher to compare and contrast how SMEs with different resource constraints and industry-specific risks take up the issue.

The case study methodology has been instrumental in discovering the many applications that cyber security may have in SMEs and how they can be integrated into risk management plans (Govender et al., 2025).

Sampling and Participant Selection

Purposive sampling was applied to select between six and eight SMEs from the healthcare, retail and manufacturing industries. Chidukwani et al. (2022) indicate that purposive sampling helps the researcher concentrate on cases that are likely to provide useful and pertinent information. The SMEs had to satisfy three criteria: participation in a risk management process, an established cyber security system, and interest in the research.

All the selected organizations had already adopted some degree of cyber security in their operations, so the research could analyze the effectiveness of these integrations as components of their general risk management plans (Enaifoghe, 2023). The respondents included organizational leaders, IT/security managers and frontline employees. Leaders and managers were interviewed for information on strategic decision-making about cyber security, and frontline employees for an understanding of how these measures are implemented day to day. This multi-level selection gave an overview of how cyber security was practiced and understood at different levels of the organizations (Thummala & Bindewari, 2024).

Data Collection Process

Data collection was designed in three stages to ensure that a broad range of information would be obtained. These stages aimed to capture not only the objective data in organizational documents but also the subjective elements expressed in interviews, giving a fuller picture of how cyber security is realized within ERM systems.

Stage 1: Document Collection

The first stage involved gathering organizational documents such as security policies, incident records and cyber security audits. By analyzing these documents, the study could evaluate the degree of cyber security integration in each organization's ERM framework and detect areas where cyber security had been overlooked or inadequately addressed. The documents also provided the baseline understanding of the written policies and procedures in place, which could later be compared with the actual practices revealed in interviews (Benjamin et al., 2024).

Working with documents was especially helpful for identifying discrepancies between formal cyber security policies as written and how they were applied in real-life operations. It enabled the researcher to determine whether the SMEs had established methods of cyber security or whether these were small-scale and informal, as is common in smaller organizations with fewer resources (Olagbemide, 2024).

Stage 2: Semi-Structured Interviews

The second stage consisted of semi-structured interviews with organizational leaders, IT/security managers and frontline employees. Each interview took 45 to 60 minutes and addressed the participants' perspective on the inclusion of cyber security in the ERM framework, the role of organizational culture in cyber security practices, and the perceived obstacles to and facilitators of successful integration. The semi-structured format allowed flexible questioning, giving the researcher the opportunity to investigate particular issues in more depth while still covering the main points relevant to the research questions (Thummala & Bindewari, 2024).

Through the interviews, the study sought the subjective insights of people directly engaged in cyber security practice, which revealed the challenges SMEs are likely to encounter in mapping cyber security onto wider organizational risk management. The interviews also made it possible to explore organizational culture as a determinant of employee engagement with cyber security practices. In particular, it was necessary to find out how leadership commitment to cyber security affected general organizational thinking and whether employees were encouraged to practice security beyond compulsory compliance.

Stage 3: Reflexive Notes

The third stage consisted of reflexive notes written by the researcher at the end of every interview. These notes recorded personal thoughts, biases and other insights that emerged during data collection. Reflexive journaling is one of the main methods of preserving objectivity and preventing bias in the researcher's interpretation of the information (Benjamin et al., 2024).

This practice made the data collection process more transparent and helped identify possible biases in data collection so that they could be addressed during analysis. By recording personal reflections, the researcher could continually assess how his or her experiences or expectations might influence the interpretation of the data.

Operationalization of Variables

The key variables required operationalization so that the research questions could be adequately addressed. The most important variables investigated were cyber security practices, organizational culture, cyber security breaches and employee engagement. Each variable was defined and measured carefully using the data obtained from organizational documents, interviews and reflexive notes.

Cyber security Practices

Cyber security practices are the processes, tools and measures that SMEs put in place to safeguard their information systems against cyber-attacks. These practices were evaluated using the security policies and cyber security audits. The researcher assessed whether the practices were in line with industry standards and whether they were effective in reducing the risks to which the organization was exposed.

In interviews with IT/security personnel, the researcher also obtained information about the particular cyber security tools and controls employed (firewalls, anti-virus software, encryption and access control measures), how cyber security had been incorporated into the general risk management system, and whether the controls were applied systematically across the organization. This operationalization enabled the researcher to determine whether the SMEs had organized, holistic cyber security operations or whether these were disjointed and ad hoc (Franco et al., 2022).

Organizational Culture

Organizational culture was measured through leadership attitude, employee awareness and the extent to which cyber security is incorporated into day-to-day operations. Leadership commitment was measured by interviewing managers about whether they perceived cyber security as a strategic priority and by examining how much the leadership communicated and emphasized cyber security. Employee awareness was determined through interviews with employees, who were asked about their awareness of cyber security risks, their interest in security practices and the frequency of their security training. The degree to which cyber security was integrated into regular operations was assessed from employees' adherence to security measures and whether they perceived cyber security as part of routine work.

This method of assessing organizational culture served to identify whether the organization had a strong, security-conscious culture or whether cyber security was regarded as secondary to other business priorities.

Cyber security Breaches

Cyber security breaches were measured by reviewing incident reports and by interviewing IT/security personnel and employees about the breaches. The researcher recorded the number of reported breaches, their severity and their effects. Frequency was defined as the number of reported incidents within a given period. Severity was measured by the consequences of the breach, such as system downtime, loss of customer data or financial loss. The business impact of the breaches was discussed in the interviews, with emphasis on operational disruption, reputational damage and recovery costs. These measures helped the researcher understand how effective the cyber security practices were at preventing breaches and how effectively the organizations responded to cyber security challenges (Thamrongthanakit, 2023).

Employee Engagement

Employee engagement with cyber security was measured through training attendance, reporting behavior and adherence to security measures. The researcher recorded how often employees attended cyber security training and how well they followed security procedures in their routine work. Reporting behavior was measured by asking employees whether they knew how to report security incidents or suspicious activity. Adherence was measured by evaluating employees' responses to questions about their compliance with security practices, such as following the password policy or using the secure network. This operationalization enabled the researcher to gauge how actively employees pursued cyber security practices and whether they understood their contribution to maintaining the organization's security posture (Ejaz & Matthew, 2024).

Trustworthiness

Several methods were used to increase the validity and reliability of the study. Credibility was established through triangulation of the data collected from interviews, documents and reports; by comparing information from different sources, the researcher could confirm that the results were consistent, which strengthened the credibility of the study. Member checking was also carried out: participants reviewed summaries of their answers to ensure that the researcher had properly understood and represented their views, which helped ensure that participants' perspectives were accurately captured in the results.

A case study protocol and a coding audit trail were developed to improve the reliability of the research. They provided a thorough record of the procedures followed, making the methodology transparent and replicable by other researchers. Reflexive journaling was applied to provide confirmability: by recording personal thoughts, insights and possible biases, the researcher ensured that data interpretation was grounded in the participants' experiences rather than in the researcher's preconceptions.

Finally, the cases were given thick, context-rich descriptions to enable transferability. This allowed a thorough understanding of the organizational environments and activities, so that readers can judge how far the results apply to other settings (Enaifoghe, 2023).

Limitations

The design has limitations. The sample size is small, which makes it hard to generalize beyond the SMEs studied, and the results may be affected by the self-reported nature of the data. The focus on the healthcare, retail and manufacturing sectors may not capture insights from other sectors. There is also a risk of researcher bias, which was mitigated through triangulation, reflexive notes and systematic coding. Despite these limitations, the explicit step-by-step design ensures transparency and defensibility (Creswell, 2009).

Findings, Results, and Discussion

The findings in this section are based on six SMEs in the healthcare, retail and manufacturing industries. They are grouped thematically under cyber security practices, organizational culture, cyber security incidents and employee engagement, and then analyzed against the research questions, the theoretical framework (Enterprise Risk Management and socio-technical integration) and the available literature.

Results

Cyber security Practices

All six SMEs reported some technical defenses, the most sophisticated of which were antivirus software, a firewall and regular system updates. Nevertheless, use was highly fragmented, and no organization had fully implemented a single framework such as ISO 27001 or NIST (Chidukwani et al., 2022). Three of the SMEs depended heavily on outsourced IT vendors, which left accountability for cyber risk unevenly distributed. A structured ERM approach was only partly evident, in one healthcare SME, where cyber threats were reflected in its risk register.

Organizational Culture

Across the cases, cyber security was perceived as a technical task rather than a strategic priority. Interviews with leaders revealed little commitment and low budget prioritization compared with operational risks. Cyber security training was rarely reinforced; employees received very little training, or a single session. This result agrees with the literature that SMEs often lack a security-conscious culture (Fagbule, 2023).

Cyber security Breaches

Four of the six SMEs had experienced at least one major breach in the last three years, with financial losses, downtime and reputational damage reported. Retail SMEs were especially prone to point-of-sale attacks and phishing, whereas manufacturing SMEs reported ransomware attacks. In both cases the breaches exposed gaps in governance and slowed recovery, consistent with the results of Benjamin et al. (2024).

Employee Engagement

The interviews showed that employee engagement in cyber security practice was low. Most frontline staff knew little about how to report security incidents through the proper channels, or were not comfortable using them, especially when it came to identifying phishing attempts. This unfamiliarity and discomfort with reporting pointed to a major gap in the organizations' efforts to instill a proactive security culture in their workforce.

Moreover, the data indicated that training programs were occasional rather than ongoing. Employees were trained at ad hoc intervals, producing uneven knowledge and poor compliance with security practices. This absence of continuing education exposes a major shortcoming of the human resource systems in SMEs, one that limits their capacity to build long-term security resilience. These results support earlier claims that SMEs tend not to invest in the regular, multifaceted training essential to building a security-aware workforce (Ejaz & Matthew, 2024).

Discussion

Significance of Results

The results indicate a marked gap between the technical measures SMEs have adopted and the integration of cyber security with their wider risk management. SMEs know about the essential threats but approach them informally and reactively, which leaves them highly vulnerable. The reported breaches support the assumption that operational and financial losses are more common in the absence of integration.

Relation to Research Questions

Governance (RQ1a):

The results showed that governance mechanisms in the SMEs were inadequate: only one SME treated cyber security risk as part of its Enterprise Risk Management (ERM) framework. This highlights a major gap in incorporating cyber security into the organization's overall risk management strategy. Although most SMEs practiced some form of cyber security, these practices were usually not linked to formal risk management frameworks. Without formalized governance, there were no guiding procedures to coordinate cyber security strategies with organizational objectives.

The disconnect between cyber security and Enterprise Risk Management (ERM) presents a serious problem: cyber security is not regarded as a core element of the organization's risk management strategy but as an additional topic. Consequently, it is treated as an incidental matter rather than being properly incorporated into the overall risk strategy. Such non-integration leaves organizations unprepared to mitigate cyber risks.

Unless cyber security is given due attention in the ERM system, organizations may find it hard to formulate strong measures to prevent, detect and respond to cyber threats. According to Franco et al. (2022), this neglect weakens the organization's ability to manage cyber security issues efficiently, so that its reaction to cyber risk is less effective and its exposure is higher. Failing to treat cyber security as a fundamental risk management consideration can expose organizations to serious losses in protecting their online resources and business continuity against attackers.

Enablers and Barriers (RQ1b):

Several obstacles were mentioned in relation to the enablers of and barriers to cyber security integration. Financial limitations were the largest obstacle, because most SMEs lacked the resources to invest broadly in cyber security.

Variations Particular to Industry (RQ1c)

The premise of the hypothesis was that different industries would approach cyber security implementation in significantly different ways. Awareness of supervisory requirements for cyber security was highest among healthcare SMEs, chiefly because of the strict regulations on patient data protection in that industry. This heightened awareness, however, did not necessarily translate into comprehensive deployment of cyber security as a component of their ERM.

By contrast, retail SMEs were more exposed to customer-data risks such as data breaches and payment fraud because of the sensitivity of the customer information they handled. These businesses were more concerned with safeguarding customer information, but here too there was little connection to general risk management policies. Manufacturing SMEs, for their part, were very vulnerable to ransomware, which presented high operational risks, including disruption of production and financial losses.

The different cyber threats to which these sectors are exposed show how industry-specific pressures shape the prioritization and integration of cyber security into SMEs' risk management practices. These sectoral variations underline the importance of industry-specific approaches to cyber security that take the risks and problems of each sector into account (Arroyabe et al., 2024).

Association with Theoretical Framework

The findings of the study are consistent with the socio-technical approach, which holds that effective cyber security integration requires balance and alignment among people, practices and technology (Chidukwani et al., 2022). Within this approach, being able to afford the right technical controls is not sufficient for cyber security resilience. Most of the SMEs employed technical controls such as firewalls and antivirus packages to manage cyber risk, but they largely fell short because of weak organizational culture and governance.

In particular, SMEs struggled to integrate cyber security into their business because of a lack of leadership dedication and of the formal structures that would have allowed them to align cyber security with business strategy. Strong leadership and coordinated processes are key to achieving cyber security; without them, SMEs cannot easily develop a flexible and effective security posture.

Similarly, SMEs had little success in integrating cyber risks into the wider Enterprise Risk Management (ERM) model. In most cases, cyber security was either separated from or disregarded in ERM integration across departments. This fragmentation shows that SMEs find it difficult to treat cyber security as a component of their overall risk management strategy.

These results highlight the challenge SMEs face in attaining a comprehensive approach to cyber security. In line with Ahmad and Teo (2024), the study reveals that SMEs are often unable to develop a single, strategically oriented approach to cyber security because of resource limitations and organizational issues. These restrictions prevent them from developing the systems and governance mechanisms required to fully integrate cyber security, which in turn affects their overall capacity to manage cyber threats successfully.

Recommendations to Future Research

Sector-Specific Frameworks for SMEs

The study highlights the need for further, more specific research into sector-specific frameworks that can be tailored and scaled down to the conditions of resource-constrained SMEs. Whereas large organizations may have the resources to adopt extensive cyber security programs and invest in state-of-the-art technical controls, SMEs often lack the funds or the skills to do so. Future research should examine how sector-specific frameworks, which address the particular challenges and risks of different industries, can be simplified and scaled to the resource constraints common to SMEs.

Such frameworks would help smaller businesses learn how to manage cyber security issues effectively on a smaller budget. Studies are also needed on how these simplified ERM-to-cyber security hybrids can be structured to minimize costs while ensuring that all necessary cyber security provisions are in place. By adapting existing frameworks, researchers can help SMEs adopt more realistic and affordable cyber security measures without compromising resilience, offering direct and practical advice to these organizations.

Comparative Research across Industries and between Large Enterprises and SMEs

Another important suggestion is that comparative research is needed across a broader variety of industries and between SMEs and large businesses. Such research would offer robust evidence on how organizations of different sizes and resource levels approach the integration of cyber security into their general risk management frameworks. Comparing SMEs with large organizations can help establish whether the challenges SMEs face relate not only to their size and limited resources but also to organizational structure, culture and governance.

By investigating different industries (healthcare, retail, manufacturing and finance), researchers can learn more about how industry-specific risks affect the integration of cyber security and whether SMEs in some sectors are better positioned to overcome them than others. Such comparative study would be of great use to policymakers, industry leaders and researchers in adjusting their cyber security approaches to better fit SMEs in various industries.

Longitudinal Studies of the Effects of Incremental Adoption of Standards

Lastly, the study recommends longitudinal research as especially important for determining whether incremental adoption of cyber security standards, including ISO 27001, enhances resilience over time. Although most SMEs may be unable to implement complex and holistic standards immediately because of resource constraints, a step-by-step adoption of the standards can make changes in cyber security behavior far more sustainable.

Further studies could provide a longer-term perspective on the consequences of implementing these standards gradually, and on whether SMEs progressively become more resilient, more capable of handling risk and responding to incidents, and more aligned with best practice. Such research could also examine whether incremental adoption leads to better governance models that help SMEs establish an effective security baseline at an acceptable cost.

Such longitudinal research would be highly valuable, providing the data needed to assess the feasibility of gradual implementation of these standards and to establish scalable and affordable governance structures that can evolve alongside the growth of SMEs and the escalation of their cyber security challenges.

Conclusion

The study findings show that although SMEs are fully aware of the cyber security risks they face, they have not been integrating cyber security into their enterprise risk management (ERM) models fully or consistently. Although a significant number of SMEs recognize the need to address cyber security, they still tend to treat it in a disjointed way, as an independent problem, rather than as an essential part of their overall risk management plan. This absence of integration exposes SMEs to a high risk of cyber security attacks and reduces their resilience as organizations.

The failure to incorporate cyber security into the ERM structure means that these firms are poorly equipped to manage the dynamic and changing character of cyber-attacks. This increased vulnerability explains why cyber security must be approached more strategically and systematically in SMEs.

Connecting these results to theoretical models, the study demonstrates that sustainable cyber security integration cannot be achieved through technical mechanisms alone. Although adequate technical controls are important, only a combination of governance, organizational culture and sector adaptation produces actual resilience. Resilience also requires sound governance structures that enforce policies and procedures, align cyber security with the broader organizational strategy, and foster a culture that facilitates employee involvement and compliance.

Moreover, sector-specific adaptation is crucial, since different industries face distinct cyber security issues that require tailored solutions. The study shows that technical solutions alone cannot achieve sustainable cyber security integration in SMEs; it must be embedded in both culture and strategy.

References

Al-Dosari, N., & Fetais, N. (2023). Cybersecurity challenges and governance in SMEs: A comparative analysis. Journal of Information Security, 12(2), 55–72.

Arroyabe, M. F., Arranz, N., & de Arroyabe, J. C. F. (2024). Cybersecurity and SMEs: Sector-specific influences on resilience strategies. International Journal of Business Research, 19(1), 88–104.

Abubakari, P. (2024). Human factors matter: The intersection of cybersecurity governance, and culture in risk management of critical infrastructure (Doctoral dissertation, Pepperdine University). https://digitalcommons.pepperdine.edu/cgi/viewcontent.cgi?article=2573&context=etd

Alahmari, A., & Duncan, B. (2020, June). Cybersecurity risk management in small and medium-sized enterprises: A systematic review of recent evidence. In 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA) (pp. 1-5). IEEE. https://www.researchgate.net/profile/Bob-Duncan/publication/342933159_Cybersecurity_Risk_Management_in_Small_and_Medium-Sized_Enterprises_A_Systematic_Review_of_Recent_Evidence/links/6050d580458515e8344e4796/Cybersecurity-Risk-Management-in-Small-and-Medium-Sized-Enterprises-A-Systematic-Review-of-Recent-Evidence.pdf

Abdulrahim, N. (2019). Managing cybersecurity as a business risk in information technology-based SMEs (Doctoral dissertation, University of Nairobi). https://erepository.uonbi.ac.ke/bitstream/handle/11295/107172/Abdulrahim_Managing%20Cybersecurity%20as%20a%20Business%20Risk%20in%20Information%20Technology-based%20Smes.pdf?sequence=1

Ashley, C., & Preiksaitis, M. (2022). Strategic cybersecurity risk management practices for information in small and medium enterprises. Business Management Research and Applications: A Cross-Disciplinary Journal, 1(2), 109-157. https://bmrajournal.columbiasouthern.edu/index.php/bmra/article/download/3421/2886

Ahmad, S. A., & Teo, P. C. (2024). The implementation of Enterprise Risk Management (ERM) frameworks in small and medium enterprises (SMEs): A literature review. International Journal of Academic Research in Business and Social Sciences, 14(9), 290-307. https://kwpublications.com/papers_submitted/11397/the-implementation-of-enterprise-risk-management-erm-frameworks-in-small-and-medium-enterprises-smes-a-literature-review.pdf

Benjamin, R., Okoro, A., & Li, H. (2024). The impact of cyber incidents on SME survival: An empirical study. Small Business Economics, 62(3), 445–462.

Bokan, B., & Santos, J. (2021, April). Managing cybersecurity risk using threat based methodology for evaluation of cybersecurity architectures. In 2021 Systems and Information Engineering Design Symposium (SIEDS) (pp. 1-6). IEEE. https://par.nsf.gov/servlets/purl/10311477

Chidukwani, M., Ahmed, S., & Khan, T. (2022). Integrating cybersecurity into SME risk management frameworks. Journal of Risk and Governance, 8(4), 301–320.

Enaifoghe, A. (2023). Governance and cybersecurity risk management in emerging markets SMEs. Journal of Contemporary Management, 41(2), 112–129.

El-Hajj, M., & Mirza, Z. A. (2024). Protecting small and medium enterprises: A specialized cybersecurity risk assessment framework and tool. Electronics (Switzerland), 13(19), 3910. https://research.utwente.nl/files/484148382/electronics-13-03910-v2.pdf

Ejaz, U., & Matthew, B. (2024). Cost-Effective Cybersecurity Solutions for SMEs: Balancing Security Needs and Budget Constraints. https://www.researchgate.net/profile/Umair-Ejaz-3/publication/392282793_Cost-Effective_Cybersecurity_Solutions_for_SMEs_Balancing_Security_Needs_and_Budget_Constraints/links/683c3b4d6b5a287c304891e7/Cost-Effective-Cybersecurity-Solutions-for-SMEs-Balancing-Security-Needs-and-Budget-Constraints.pdf

Fagbule, O. (2023). Cyber security training in small to medium-sized enterprises (SMEs): Exploring organisation culture and employee training needs (Doctoral dissertation, Bournemouth University). http://eprints.bournemouth.ac.uk/39148/1/FAGBULE%2C%20Omolola_Ph.D._2022.pdf

Franco, D., Martinez, P., & Roberts, L. (2022). Enterprise risk management and cybersecurity integration in SMEs. Risk Management Review, 15(3), 210–228.

Govender, K. K., Naude, M., & Munodawafa, T. (2025). An exploratory qualitative study of competitive strategies used by small and medium-sized enterprises in Botswana. Journal of Management: Small and Medium Enterprises (SMEs), 18(1), 11-37. https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2021&q=Govender%2C+K.+K.%2C+Naude%2C+M.%2C+%26+Munodawafa%2C+T.+%282025%29.+AN+EXPLORATORY+QUALITATIVE+STUDY+OF+COMPETITIVE+STRATEGIES+USED+BY+SMALL+AND+MEDIUM-SIZED+ENTERPRISES+IN+BOTSWANA.+Journal+of+Management%3A+Small+and+Medium+Enterprises+%28SMEs%29%2C+18%281%29%2C+11-37.&btnG=

Georgiadou, A., Mouzakitis, S., Bounas, K., & Askounis, D. (2022). A cyber-security culture framework for assessing organization readiness. Journal of Computer Information Systems, 62(3), 452-462. https://d1wqtxts1xzle7.cloudfront.net/113950803/08874417.2020.184558320240429-1-7zuy1m-libre.pdf?1714424439=&response-content-disposition=inline%3B+filename%3DA_Cyber_Security_Culture_Framework_for_A.pdf&Expires=1758134371&Signature=dB9B7rLXSbGM6ohZ9fMaRpCPB6Oa9Of9XxvjlNhlO5v~4-x9EmVDuZLcm0F3YT~L-URK3wwP9hXqIJzuiDsBQD1Ph786Bw9jvNEcyhSrQkt1o-icZBqVDJN73LtCaha6xam2e1sNr-NigiLSdz2RGWmd8hKxcp~fzB0HZbDf4Im1iq-RAayyhDyTE6ms8AF0UzSQOqf8ZrDBxQBk-iRwTEibW1M4qDQaot5L8TrnJ3rEUCLNeeL8HOU3NzF1CLAMlPFDpej3oSSlIoKI8SUk7TRz65-Vx-Z~Yr87nMFa8zvI6gavTau7a-kSxqoLLu1Cl-tsfsxu8EczSkSJDka7yQ__&Key-Pair-Id=APKAJLOHF5GGSLRBV4ZA

Herath, T. C., Herath, H. S., & Cullum, D. (2023). An information security performance measurement tool for senior managers: Balanced scorecard integration for security governance and control frameworks. Information Systems Frontiers, 25(2), 681-721. https://www.researchgate.net/profile/Hemantha-Herath/publication/358909388_An_Information_Security_Performance_Measurement_Tool_for_Senior_Managers_Balanced_Scorecard_Integration_for_Security_Governance_and_Control_Frameworks/links/6390a7aa484e65005bee951c/An-Information-Security-Performance-Measurement-Tool-for-Senior-Managers-Balanced-Scorecard-Integration-for-Security-Governance-and-Control-Frameworks.pdf

Hoong, Y., Rezania, D., & Baker, R. (2024). When traditional SME managers encounter cybersecurity: Discourse analysis of opportunities and dilemmas in meeting the demands. Technology in Society, 78, 102650. https://www.sciencedirect.com/science/article/pii/S0160791X24001982

Jean-Jules, J., & Vicente, R. (2021). Rethinking the implementation of enterprise risk management (ERM) as a socio-technical challenge. Journal of Risk Research, 24(2), 247-266. https://d1wqtxts1xzle7.cloudfront.net/84523919/Fardapaper-Rethinking-the-implementation-of-enterprise-risk-management-ERM-as-a-socio-technical-challenge-libre.pdf?1650438373=&response-content-disposition=inline%3B+filename%3DRethinking_the_implementation_of_enterpr.pdf&Expires=1758097695&Signature=a4EA-0J-pAcf2OfYbvwetP7oQ2njskCW9UkaLfY3EaM9qyKAbRP5DYa0vGhnbSjmESLjqXBheSEn4BLisbpoofCBMt6g1IgJvXSMaS4Q35oqjlDjlAHdTkg6jcbVo5nZrHeRYXiO32FBioOdJ311gR62YkdrqsbNTsNblqHhRuIW9itEFRCdDCx-QnfTkkcVwg-04z~wPDDieEeGyOPMq7oHA0kHeKwIWFk14p5mgN52ryTKD1NzbYBYl2wXPjk~AxinzR~LKt2fu~xHupHO0lz0nMznVavcxIuk9FRt2GAcIem8oN9DvChUHJIfUwWBMm7N-V4vnJeMWXdWJGgWOw__&Key-Pair-Id=APKAJLOHF5GGSLRBV4ZA

Jarjoui, S., & Murimi, R. (2021). A framework for enterprise cybersecurity risk management. In Advances in cybersecurity management (pp. 139-161). Cham: Springer International Publishing. https://www.researchgate.net/profile/Renita-Murimi/publication/352435737_A_Framework_for_Enterprise_Cybersecurity_Risk_Management/links/629f40696886635d5cc6fdd0/A-Framework-for-Enterprise-Cybersecurity-Risk-Management.pdf

Johnstone, L. (2021). Facilitating sustainability control in SMEs through the implementation of an environmental management system. Journal of Management Control, 32(4), 559-605. https://link.springer.com/content/pdf/10.1007/s00187-021-00329-0.pdf

Kezron, I. E. (2024). A cybersecurity resilience framework for underserved rural SMEs in critical infrastructure supply chains: Strengthening operational continuity and threat response in digitally vulnerable sectors. World Journal of Advanced Research and Reviews, 24(3), 3464-3477. https://www.researchgate.net/profile/Edward-Isabirye/publication/392900639_A_cybersecurity_resilience_framework_for_underserved_rural_SMEs_in_critical_infrastructure_supply_chains_Strengthening_operational_continuity_and_threat_response_in_digitally_vulnerable_regions/links/6856f5ea99d2ce32c1ca0d86/A-cybersecurity-resilience-framework-for-underserved-rural-SMEs-in-critical-infrastructure-supply-chains-Strengthening-operational-continuity-and-threat-response-in-digitally-vulnerable-regions.pdf

Kianpour, M., & Raza, S. (2024). More than malware: Unmasking the hidden risk of cybersecurity regulations. International Cybersecurity Law Review, 5(1), 169-212. https://link.springer.com/content/pdf/10.1365/s43439-024-00111-7.pdf

Krishnan, R. (2024). Challenges and benefits for small and medium enterprises in the transformation to smart manufacturing: A systematic literature review and framework. Journal of Manufacturing Technology Management, 35(4), 918-938. https://www.emerald.com/jmtm/article-abstract/35/4/918/1219381/Challenges-and-benefits-for-small-and-medium?redirectedFrom=fulltext

Kwarteng, M. A., Ntsiful, A., Diego, L. F. P., & Novák, P. (2024). Extending UTAUT with competitive pressure for SMEs digitalization adoption in two European nations: A multi-group analysis. Aslib Journal of Information Management, 76(5), 842-868. https://www.sciencedirect.com/science/article/pii/S2667096823000381

Mdaki, J. (2025). A hybrid cybersecurity framework for small businesses: integrating NIST CSF, ISO 27001, and CEO engagement. https://www.theseus.fi/bitstream/handle/10024/891475/Mdaki_Jacob.pdf?sequence=2

Melaku, H. M. (2023). Context-based and adaptive cybersecurity risk management framework. Risks, 11(6), 101. https://www.mdpi.com/2227-9091/11/6/101

Moturi, C. A., Abdulrahim, N. R., & Orwa, D. O. (2021). Towards adequate cybersecurity risk management in SMEs. International Journal of Business Continuity and Risk Management, 11(4), 343-366. https://www.inderscienceonline.com/doi/abs/10.1504/IJBCRM.2021.119943

Olagbemide, V. A. (2024). Developing an effective framework for information security compliance management in small and medium-sized enterprises (SMEs). University of Derby. https://www.researchgate.net/profile/Vincent-Olagbemide/publication/384256107_Developing_an_Effective_Framework_for_Information_Security_Compliance_Management_in_Small_and_Medium-sized_Enterprises_SMEs_Developing_an_Effective_Framework_for_Information_Security_Compliance_Manage/links/66f160d9c0570c21feb6c206/Developing-an-Effective-Framework-for-Information-Security-Compliance-Management-in-Small-and-Medium-sized-Enterprises-SMEs-Developing-an-Effective-Framework-for-Information-Security-Compliance-Manage.pdf

Omowole, B. M., Olufemi-Philips, A. Q., Ofadile, O. C., Eyo-Udo, N. L., & Ewim, S. E. (2024). Barriers and drivers of digital transformation in SMEs: A conceptual analysis. International Journal of Frontline Research in Multidisciplinary Studies, 5(2), 019-036. https://www.researchgate.net/profile/Bamidele-Omowole/publication/386276990_Barriers_and_drivers_of_digital_transformation_in_SMEs_A_conceptual_analysis/links/6757bb5334301c1fe9461329/Barriers-and-drivers-of-digital-transformation-in-SMEs-A-conceptual-analysis.pdf

Odio, P. E., Kokogho, E., Olorunfemi, T. A., Nwaozomudoh, M. O., Adeniji, I. E., & Sobowale, A. (2021). Innovative financial solutions: A conceptual framework for expanding SME portfolios in Nigeria's banking sector. International Journal of Multidisciplinary Research and Growth Evaluation, 2(1), 495-507. https://www.researchgate.net/profile/Princess-Odio/publication/388662619_Innovative_Financial_Solutions_A_Conceptual_Framework_for_Expanding_SME_Portfolios_in_Nigeria's_Banking_Sector/links/67ec722703b8d7280e1a12bf/Innovative-Financial-Solutions-A-Conceptual-Framework-for-Expanding-SME-Portfolios-in-Nigerias-Banking-Sector.pdf

Pathirana, A. I. W., & Wilenius, M. (2025). ISO 27001 and Global Privacy Compliance. https://www.utupub.fi/bitstream/handle/10024/182519/Pathirana_Asanka_Thesis.pdf?sequence=1

Pawar, S., & Palivela, H. (2022). LCCI: A framework for least cybersecurity controls to be implemented for small and medium enterprises (SMEs). International Journal of Information Management Data Insights, 2(1), 100080. https://www.sciencedirect.com/science/article/pii/S2667096822000234

Parsola, J. (2023). Cybersecurity risk assessment and management for organizational security. NeuroQuantology, 20(5), 123-140. https://pdfs.semanticscholar.org/5af8/15da2b581b0338fc3a8bf4ba3f8821334d75.pdf

Rawindaran, N. (2023). Impact of cyber security awareness in small, medium enterprises (SMEs) in Wales (Doctoral dissertation, Cardiff Metropolitan University). https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2021&q=Rawindaran%2C+N.+%282023%29.+Impact+of+cyber+security+awareness+in+small%2C+medium+enterprises+%28SMEs%29+in+Wales+%28Doctoral+dissertation%2C+Cardiff+Metropolitan+University%29.&btnG=

Sabidi, M. L., & Zolkipli, M. F. (2024). The role of risk management in cybersecurity protocols. Borneo International Journal (eISSN 2636-9826), 7(2), 77-81. https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2021&q=Sabidi%2C+M.+L.%2C+%26+Zolkipli%2C+M.+F.+%282024%29.+The+Role+of+Risk+Management+in+Cybersecurity+Protocols.+Borneo+International+Journal+eISSN+2636-9826%2C+7%282%29%2C+77-81.&btnG=

Sikder, A. S. (2023). Unveiling the human aspect of cybersecurity: A holistic examination of employee behavior and its significance in safeguarding organizational security within the context of Bangladesh. International Journal of Imminent Science & Technology, 1(1), 199-215. https://www.researchgate.net/publication/385775980_Unveiling_the_Human_Aspect_of_Cybersecurity_A_Holistic_Examination_of_Employee_Behavior_and_Its_Significance_in_Safeguarding_Organizational_Security_within_the_Context_of_Bangladesh_Human_Aspect_of_Cy

Thamrongthanakit, T. (2023). Impacts of cybersecurity practices on cyberattack damage and protection among small and medium enterprises in Thailand. https://www.diva-portal.org/smash/get/diva2:1784412/FULLTEXT01.pdf

Thummala, V. R., & Bindewari, S. (2024). Optimizing cybersecurity practices through compliance and risk assessment. International Journal of Research Radicals in Multidisciplinary Fields, 910-930. https://www.researchgate.net/profile/Venkata-Thummala/publication/390446033_Optimizing_Cybersecurity_Practices_through_Compliance_and_Risk_Assessment/links/67ee2c2403b8d7280e1e445b/Optimizing-Cybersecurity-Practices-through-Compliance-and-Risk-Assessment.pdf

Victor-Mgbachi, T. (2024). Navigating cybersecurity beyond compliance: Understanding your threat landscape and vulnerabilities. Iconic Research and Engineering Journals, 7. https://www.researchgate.net/profile/Toyin-Victor-M/publication/389658966_Navigating_Cybersecurity_Beyond_Compliance_Understanding_Your_Threat_Landscape_and_Vulnerabilities/links/67cb9e9ccc055043ce6f3e5b/Navigating-Cybersecurity-Beyond-Compliance-Understanding-Your-Threat-Landscape-and-Vulnerabilities.pdf

Vance, A. S. (2025). Cybersecurity and Quantum Computing: A Quantitative Analysis Proposing a Framework for Assessing Quantum Cybersecurity Maturity. https://www.proquest.com/openview/e0989d58104ca4567a61c9747d23008e/1.pdf?pq-origsite=gscholar&cbl=18750&diss=y

Yokowo, R. Y. (2024). Building a Cybersecurity Maturity Guide For Small and Medium-sized Enterprises (SME) With Open Source Solutions. https://pcs.usp.br/pcspf/wp-content/uploads/sites/8/2024/12/Monografia_PCS3860_COOP_2024_Grupo_C23.pdf
