The Impact of Cyber security Integration on Organizational Risk Management in SMEs:
A Qualitative Multi-Case Study
A Master Thesis
Submitted to the Faculty
of
American Public University
by
Cristian DeWeese
In Partial Fulfillment of the
Requirements for the Degree
of
Master of Arts
December 2025
American Public University
Charles Town, WV
Declaration
I hereby declare that this thesis is my own original work and has not been submitted previously, in whole or in part, to any institution for any degree or qualification. All sources of information have been acknowledged.
To my family and mentors, whose guidance and encouragement sustained me throughout this journey.
I wish to acknowledge the invaluable support of my professors, colleagues, and peers at American Public University. I am grateful to the participating SMEs and their representatives for sharing their time and insights.
Abstract
Small and medium-sized businesses (SMEs) face increasing cybersecurity threats but lack the resources and formal strategies to cope with them. This qualitative multiple-case study examines how SMEs in the healthcare, retail and manufacturing industries have incorporated cybersecurity into their enterprise risk management (ERM) frameworks and the consequences of that incorporation for organizational resilience. The data were gathered from documents, semi-structured interviews and reflexive notes and were analyzed thematically on a case-by-case basis. The results showed that disjointed technical defenses, fragile governance frameworks and an inadequate security culture were the major challenges, and that sector dynamics determined resilience. The paper concludes that technical controls alone are not sufficient to ensure sustainable cybersecurity resilience in SMEs; governance, organizational culture, and context-dependent frameworks play a significant role. The findings provide useful suggestions for SME executives and policy makers to promote cost-effective and responsive integration of cybersecurity.
Keywords: SMEs, cybersecurity, enterprise risk management, organizational resilience, qualitative case study.
Table of Contents
· Dedication
· Acknowledgements
· Introduction
· Background and Context
· Hypothesis:
· Problem Statement
· Purpose Statement
· Research Questions
· Literature Review
· Cyber security Integration Challenges in SMEs
· The Importance of Risk Management Framework
· Critical Evaluation of Frameworks and Application
· The Role of Organizational Culture in Cyber security Adoption
· Barriers to Cyber security Integration in SMEs
· Linking Literature to the Study’s Contribution
· Real-World Application and Gaps in Literature
· Conclusion
· Theoretical Framework
· Introduction:
· Enterprise Risk Management (ERM)
· Socio-technical Integration Approach
· Application of Frameworks
· The Strengths of This Framework in the Study
· Elaborating Theoretical Assumptions
· Justification of Hypotheses and Research Methods
· Identifying Key Variables
· Summary of the Cyber security Risk Management Theory
· Hypotheses to Be Tested
· Conclusion
· Research Design
· Identification and Operationalization of Variables
· Design Overview
· Alignment and Research Questions
· Sampling Plan
· Data Collection Procedures
· Operationalization of Variables
· Data Analysis
· Trustworthiness
· Limitations
· Findings, Results, and Discussion
· Results
· Cybersecurity Practices
· Organizational Culture
· Cybersecurity Breaches
· Employee Engagement
· Discussion
· Significance of Results
· Relation to Research Questions
· Correlation with Theoretical Framework
· Recommendations to Future Research
· Conclusion
· References
Introduction
Small and medium-sized enterprises (SMEs) are a vital element of economies around the globe, creating jobs and innovation in different sectors. However, because of their limited resources, their inability to recruit cyber security specialists, and their reliance on homemade security systems, SMEs are being targeted ever more often by cyber-attacks (Chidukwani et al., 2022). Unlike large organizations, which are likely to spend a lot of money on cyber security systems, SMEs often hold misconceptions about cyber security and do not view it as an element of overall risk management (Franco et al., 2022).
This failure puts SMEs at risk of operational downtime, financial loss, and reputational damage. The threat is serious: the majority of studies have shown that approximately sixty percent of SMEs that had suffered a major cyber-attack went out of business in less than half a year (Benjamin et al., 2024). This fact underlines the need to analyze how cyber security practices might be effectively incorporated into enterprise risk management (ERM) to make SMEs more resilient. This study is also important because it offers leaders of SMEs, policymakers, and cyber security users practical approaches to increase the resilience and security of SMEs against the increasing cyber threat.
The inability of SMEs to add cyber security to their risk management strategies contributes to their vulnerability to cyber threats (Abdulrahim, 2019). The hypothesis of the research is that SMEs that successfully introduce cyber security as part of their risk management approach will be more resilient, experience less impact from operational failures, and be less susceptible to cyber-attacks, which will result in business sustainability over the long term.
The unsuccessful incorporation of cyber security as a risk management tool in SMEs, which exposes organizations to cyber threats, has been identified as a significant problem in the study by Alahmari and Duncan (2020). Cybercriminals now target SMEs far more often, because SMEs usually lack the resources, expertise, and governance to be sufficiently prepared against such attacks (Al-Dosari & Fetais, 2023). Since SMEs, unlike large corporations, cannot afford large investments in advanced technologies and security, they often follow the strategy of outsourcing their security and rely on the most common methods and tools, such as antivirus programs or firewalls. Although these steps offer some respite, they are not usually incorporated into enterprise risk management (ERM) models (Enaifoghe, 2023).
The consequences of this frequent neglect are severe. Nearly 60 percent of SMEs that have suffered a massive cyber-attack go out of business within a six-month time frame, which shows how devastating an absence of security integration can be (Benjamin et al., 2024). Nevertheless, a significant number of SMEs still fail to treat cyber security as a business priority and view it as a purely technical challenge (Franco et al., 2022). Existing studies have also done little to bridge this gap. Most of the research concentrates on bigger companies or on technology-related security solutions without examining how SMEs use cyber security in planning governance, risk, and resilience.
The purpose of this qualitative multiple-case study is to investigate how SMEs integrate cyber security into their overall risk management strategies and to examine the impact of this integration on organizational resilience. The sample comprises SMEs in different industries, including healthcare, retail and manufacturing, in order to identify the enablers, barriers, and industry-specific impacts that characterize integration (Enaifoghe, 2023). Lastly, the paper is expected to provide both theoretical and practical information to SME executives, policymakers, and cyber security experts (Franco et al., 2022).
The proposed qualitative multiple-case study intends to investigate how SMEs make cyber security a part of their overall risk management strategies and how the integration affects organizational resilience. The research aims to identify the enablers, barriers, and industry-specific impacts that drive integration by focusing on SMEs operating in different industries, that is, healthcare, retail, and manufacturing (Enaifoghe, 2023). Finally, the research aims to deliver scholarly and practical insights that may benefit SME leaders, policymakers, and cyber security practitioners (Franco et al., 2022).
The overall research question that directs this study is:
RQ1: What are the modes used by small and medium-sized enterprises (SMEs) to incorporate cyber security in their comprehensive risk management, and what are the effects of such incorporations with regard to the resilience of the organization? (Kezron, 2024)
Based on this general question, one may come up with a number of sub-questions:
· RQ1a: What governance mechanisms do SMEs use to align cyber security with organizational risk management?
· RQ1b: What processes and capabilities enable or hinder integration in SMEs?
· RQ1c: How do sector-specific factors (e.g., healthcare, retail, and manufacturing) influence cyber security integration?
Literature Review
Cybersecurity is increasingly a crucial element that small and medium-sized enterprises (SMEs) need to consider as part of their general risk management procedure, because cyber threats are on the rise (Ashley & Preiksaitis, 2022). Despite its importance, SMEs tend to encounter key issues when integrating cyber security into their organizational systems. Although the available literature emphasizes the significance of cyber security, a number of SMEs continue to treat it as a technical challenge and do not integrate it into a strategic risk management policy (Hoong et al., 2024). The following literature review analyses the issues that SMEs encounter when adopting cyber security practices, the importance of risk management models, and the gaps in the existing literature that this work seeks to fill.
Cyber security Integration Challenges in SMEs
The vulnerability of small and medium-sized enterprises (SMEs) to cyber threats is not a new notion in the literature. As Chidukwani et al. (2022) explain, SMEs tend to implement cyber security tools in an uncoordinated way, for example by installing firewalls or antivirus software, without integrating them into a broader policy and risk management strategy.
This fragmented model exposes SMEs to advanced cyber-attacks because the individual controls do not combine into a unified defense. Similarly, Ashley & Preiksaitis (2022) argue that SMEs must change their attitude towards cyber security from a technical issue to a strategic initiative applied across the risk management approach of the entire organization.
The Importance of Risk Management Framework
Some researchers emphasize the importance of frameworks in informing the development of cyber security as part of risk management. Among the tools that SMEs should use, Benjamin et al. (2024) mention internationally accepted standards, including ISO 31000 on risk management, ISO/IEC 27001 on information security, and the NIST Cyber security Framework. Such frameworks are considered flexible guidelines that organizations can use to organize their response to cyber security threats. Krishnan (2024) notes, however, that although small businesses may find these frameworks difficult to adopt because of limited resources, the frameworks can be customized to prioritize top assets, which enables SMEs to scale their cyber security practices effectively and in proportion to their resources.
Besides that, integrating such frameworks into the organizational structure of an SME not only improves its ability to react to cyber threats but also fosters a culture of continuous improvement and risk minimization. According to Herath et al. (2023), once such frameworks are established correctly, it is possible to achieve improved governance and a sense of open risk ownership, and to align security practices with business goals.
Such standardized strategies can ensure that SMEs are resilient to future threats and positioned to satisfy regulatory demands. Introducing such systems also brings problems, however; as the findings of Benjamin et al. (2024) indicate, resource allocation and training are two of the most prominent. Therefore, although SMEs may have early difficulties installing comprehensive cyber security systems, those systems will ultimately help reduce vulnerability and offer more risk containment options in the long term.
Critical Evaluation of Frameworks and Application
SMEs are commonly advised to use frameworks such as ISO 31000, ISO/IEC 27001, and NIST, which can be hard to apply in a resource-constrained setting because of their complexity and resource demands (Olagbemide, 2024). These frameworks tend to suit larger organizations with dedicated IT departments and large budgets, and are therefore difficult to apply to SMEs without serious modification. According to Yokowo (2024), these frameworks may be too demanding for smaller companies but can be customized to prioritize key assets, so that SMEs can expand their cyber security actions relative to their resources.
Besides resource limitations, SMEs are frequently unable to implement these frameworks because of a lack of technical skills (Odio et al., 2021). Although the frameworks offer a rational set of rules for cyber security operations, they presuppose a level of competence that the majority of SMEs lack. This mismatch between the structure of the frameworks and the capabilities of SMEs is one of the barriers to adoption.
The Role of Organizational Culture in Cyber security Adoption
Organizational culture is another ingredient of successful implementation of cyber security practices in SMEs. A variety of studies find that the perception and implementation of cyber security measures in a firm depend on its organizational culture. A culture of security first, continuous improvement, and interdepartmental collaboration can contribute substantially to the efficiency of cyber security strategies. Fagbule (2023) also claims that SMEs must have a security culture so that they recognize the necessity of embedding cyber security in their business processes rather than viewing it as a one-off technical activity.
Barriers to Cyber security Integration in SMEs
Although other literature also focuses on the need to adopt cyber security models and practices, SMEs continue to face numerous challenges that restrict effective implementation. Such obstacles may stem from financial limitations, an insufficient number of skilled cyber security specialists, or a lack of interest from leadership and employees, who may not realize the full significance of cyber security. According to Ejaz and Matthew (2024), in most cases SMEs are not concerned about cyber security because they see it as an unnecessary cost instead of a necessary investment. The most significant obstacles to cyber security integration among SMEs include scarce resources, organizational resistance, expertise constraints and regulatory issues (Omowole et al., 2024). Analyzing these barriers more closely makes it possible to place SMEs' difficulties in adopting effective cyber security systems in context and to indicate how those difficulties can be addressed.
Linking Literature to the Study’s Contribution
The existing literature offers useful data on the significance of cyber security structures in SMEs and on the problems of integrating them into existing business processes. Nonetheless, it contains minimal information on how SMEs can apply these frameworks in practice, particularly given their limited resources and skills. The literature states that SMEs must implement some elements of cyber security control, as recommended by Pawar and Palivela (2022), but it does not explain how these elements might be integrated into the Enterprise Risk Management (ERM) system of an SME.
The study will close this gap by looking at the practical issues that SMEs encounter when implementing cyber security frameworks. It will offer practical suggestions on how SMEs can manage these challenges by prioritizing those they face in a real-world context, e.g. lack of resources, lack of technical expertise, and competing business priorities. The research will also determine how SMEs can treat cyber security as part of the risk management frameworks they already have and expand their activities according to the resources allocated.
Real-World Application and Gaps in Literature
Although much of the literature presents valuable frameworks and guidelines, large research gaps remain in how SMEs implement these frameworks in practice. The literature, according to Johnstone (2021), merely lists the controls that an SME needs to implement and is silent on how those controls can actually be implemented through its Enterprise Risk Management (ERM) system. This gap implies that further research is needed on the feasibility of applying cyber security practices in SMEs and on the role these interventions play in organizational resilience and risk reduction.
According to the literature, some significant frameworks can allow SMEs to treat cyber security as a branch of their risk management strategies (El-Hajj & Mirza, 2024). However, the possible mismatch between these frameworks and the realities on the ground is a serious concern because of the resource limitations of SMEs. The proposed research will address this gap by examining the practicality of cyber security as part of the ERM systems of SMEs and its impact on organizational resilience.
This literature review has discussed the difficulties that SMEs have in making cyber security part of their organizational risk management strategies, the significance of implementing structured risk management systems, and the gaps in the existing literature. Although the current literature is informative about the advantages of frameworks such as ISO 31000, ISO/IEC 27001, and NIST, it tends to ignore the practical challenges that SMEs face when trying to use them.
Theoretical Framework
The increasing frequency and sophistication of cyber-attacks have made cybersecurity a critical concern for organizations of all sizes, including small and medium-sized enterprises (SMEs) (Rawindaran, 2023). Nonetheless, even with increasing awareness of the risks of cybersecurity, most SMEs have major problems with the successful integration of cyber security within their general business strategy.
The present research addresses this gap by examining the application of the Cyber security Risk Management Theory to help SMEs implement cyber security systems despite the constraints of available resources (Moturi et al., 2021). The theory is helpful because it combines organizational and technological aspects into a holistic approach that SMEs can apply in practice. The paper discusses this issue on the basis of the theory; it provides an explanation of why SMEs are better at managing cyber security threats, particularly in limited resource settings.
Enterprise Risk Management (ERM)
ERM is a formal procedure of risk discovery, analysis, treatment and monitoring that helps companies respond to risks correctly, and cyber security threats are no exception (Jarjoui & Murimi, 2021). The ISO 31000 standard is also highly applicable to ERM; it is a widespread standard that provides for risk management to be implemented at any level within the organization. When cyber security is incorporated into the overall ERM framework, companies treat it not as a distinct issue but as an aspect of a broader risk control policy.
Socio-technical Integration Approach
The socio-technical approach focuses on people, process, technology and context in order to achieve appropriate cyber security. Chidukwani et al. (2022) also state that cybersecurity is a human problem, with the most significant impacts on training, procedures, and organizational culture. Based on this approach, cybersecurity integration is not limited to human factors, but also covers technological factors within the organization.
Besides the human and technological factors, the socio-technical integration approach stresses the significance of organizational processes and context in determining cybersecurity outcomes. Franco et al. (2022) believe that successful implementation of cybersecurity measures depends on aligning organizational processes, including risk management processes, with technological solutions (Thummala & Bindewari, 2024).
Bringing enterprise risk management (ERM) into the present analysis enables the researcher to learn more about how cyber security is framed by small and medium-sized enterprises (SMEs). It can also be described through the socio-technical philosophy, which implies that effective cyber security develops through the collective effort of organizational culture, process design, and the human aspect (Ahmad & Teo, 2024). Such models have continued to provide significant empirical data on the strong impact of cyber security uptake in the SME sector.
By combining ISO 31000 and the NIST Cyber security Framework, SMEs will be able to develop a consistent method of identifying, evaluating, and addressing possible threats (Sabidi & Zolkipli, 2024). Such a procedural format turns cyber security into a continuous system rather than a one-off fix, and aligns it with business purpose and legal requirements. Such frameworks also facilitate the continuous monitoring and improvement procedures that the ever-evolving cyber threat environment demands. Kianpour and Raza (2024) also suggest that formalized practices will probably make SMEs less likely to encounter a high-impact security incident and better able to implement cyber security business practices that support organizational goals.
The Strengths of This Framework in the Study
Elaborating Theoretical Assumptions
The model outlines how cybersecurity concepts might be incorporated into a risk management system within small and medium-sized enterprises (SMEs) and the significance of the human factor in that effort. The synthesis of these frameworks also bridges the gap between technical solutions and organizational culture, since using the tools successfully in SMEs depends not only on implementing them but also on their fit with organizational values and practices (Georgiadou et al., 2022).
This method enables a more nuanced analysis of how SMEs can prevent cybersecurity threats from emerging, since it dwells on both the socio-cultural and technical dimensions of the issue. As Sikder (2023) describes, the self-synchronizing integration of technology, human conduct and organizational functioning is what drives cybersecurity as an ongoing process rather than a reaction. This broad approach strengthens the study by providing a theoretical lens that goes beyond the dictates of technology alone and highlights organizational commitment and culture as the most effective route to cyber security outcomes.
Justification of Hypotheses and Research Methods
The benefit of the selected theoretical frameworks is that they explain the relevance of bringing cyber security decision-making into the overall enterprise risk management (ERM) plan and give grounds for the hypothesis that cyber security-related solutions will increase the resilience and risk management capabilities of small and medium-sized enterprises (SMEs).
According to the ERM (Enterprise Risk Management) model, the key variables are risk treatment and risk monitoring, with strong emphasis on the systematic identification, assessment and management of risks in an organization. The socio-technical model, on the other hand, rests on the human and organizational nature of cyber security integration and treats organizational culture and employee engagement as vital. These aspects are paramount to the effectiveness of cyber security processes because they create a working environment in which all stakeholders in the organization take part in protecting systems and data. Combined, the two models enable the study to provide a holistic view of how both technical and social factors contribute to implementing effective cyber security (Jean-Jules & Vicente, 2021).
Summary of the Cyber security Risk Management Theory
Cyber security Risk Management Theory provides a framework for understanding how organizations assess, mitigate, and manage cyber security risks (Melaku, 2023). The theory combines the major principles of risk assessment, organizational culture and cyber security controls. According to this theory, effective cyber security management is a balance between technical factors (e.g. firewalls, antivirus software) and organizational factors (e.g. culture, employee training, strategic alignment).
The assumptions of the theory are as follows:
· Risk Assessment: Risk management succeeds only if potential cyber security threats are recognized and evaluated (Bokan and Santos, 2021). This involves evaluating external risks (e.g., cyber-attacks) and internal risks (e.g., employee negligence).
· Cyber security Policies and Controls: Once risks have been evaluated, organizations establish policies and technical controls to reduce them (Parsola, 2023). To be successful, these measures should be part of the overall business strategy of the organization.
· Organizational Culture: Organizational culture is very important in the practice of cyber security. A security-conscious organizational culture is the key to ensuring that cyber security becomes a collective responsibility of the organization and not of the IT department only.
The interactions of these components in the framework are shown in the diagram below:
The model indicates that the cyber security strategy of an organization should not be considered separately but as a component of its overall risk management (Victor-Mgbachi, 2024).
Based on the Cyber security Risk Management Theory, the study tests the following hypotheses about the links between cyber security strategies and organizational culture:
1. Hypothesis 1: According to the Cyber security Risk Management Theory, a cyber security breach is less likely in SMEs that have a formal cyber security risk management strategy than in SMEs that have none.
2. Hypothesis 2: Challenges related to formal systems of cyber security risk management (e.g., ISO/IEC 27001, NIST) are expected to be encountered more frequently by resource-poor SMEs than by resource-rich SMEs (Vance, 2025).
3. Hypothesis 3: A security-attentive organizational culture positively influences the adoption and implementation of cyber security frameworks among SMEs.
The study will test these hypotheses by gathering and interpreting data on SMEs in the various industries, their approach to cyber security, their organizational culture, and the interdependence of the three.
This theoretical framework offers a stable basis for understanding how SMEs manage cyber security threats. Drawing on Cyber security Risk Management Theory, the study explores the problems SMEs face in adopting formal cyber security frameworks and the impact of organizational culture on that adoption.
Research Design
The current study uses a qualitative multiple-case research design. This design is particularly appropriate because it allows a thorough investigation of how cyber security can be used as a risk management tool in SMEs that operate in different sectors of the economy, including healthcare, retail and manufacturing. The case study method gives an approximate picture of the processes, issues, solutions and actions that these SMEs take in response to cyber security threats (Benjamin et al., 2024; Arroyabe et al., 2024).
Identification and Operationalization of Variables
Cyber security practices, organizational culture, cyber security breaches, and employee engagement are the variables of greatest importance to this study. These variables will be operationalized as described below.
This study uses a qualitative multiple-case study approach to investigate how small and medium-sized enterprises (SMEs) integrate cybersecurity into their enterprise risk management (ERM) systems. A case study design is appropriate because it allows for the exploration of complex, real-world organizational issues within their natural contexts (Rawindaran et al., 2023). The design is organized as a systematic roadmap following Creswell (2009), which clarifies how the research questions inform sampling, data collection and analysis so that the study can be replicated by other researchers.
Alignment and Research Questions
The general research question (RQ1) asks how SMEs incorporate cybersecurity in risk management and what impact this has on organizational resilience. The sub-questions address governance mechanisms (RQ1a), the enablers of and barriers to integration (RQ1b), and sector-specific factors (RQ1c). Every aspect of the design, from sampling to analysis, is aligned to produce data that address these questions directly (Franco et al., 2022).
Six to eight SMEs in healthcare, retail, and manufacturing will be selected by purposive sampling. The selection criteria will be active risk management processes, current cybersecurity practices, and willingness to participate. This guarantees heterogeneity among the cases and facilitates literal and theoretical replication (Govender et al., 2025; Abubakari, 2024). The participants will consist of organizational leaders, IT/security managers, and frontline workers, because all of them have direct experience of cybersecurity practices (Chidukwani et al., 2022).
Data gathering will be done in three stages. First, organizational documents such as security policies, incident reports, and audits will be collected. Second, managers, IT/security staff, and other employees will take part in semi-structured interviews of 45 to 60 minutes to document their perceptions of practices, culture, and breaches (Thummala & Bindewari, 2024). Third, the researcher will write reflexive notes after every interview to control bias. Secondary data sources will be triangulated, which increases credibility (Benjamin et al., 2024).
Operationalization of Variables
The important variables are defined and operationalized to guide the analysis. Cybersecurity practices will be assessed through documents and through the tools, policies, and processes that participants report and observe. Organizational culture will be evaluated on the basis of leadership attitude, employee awareness, and the incorporation of security into day-to-day activities. Cybersecurity breaches will be evaluated by frequency, severity, and impact on the business (Thamrongthanakit, 2023). Employee engagement will be measured using training attendance, reporting behaviors, and compliance with security measures.
The data will be analyzed according to the systematic framework for qualitative research proposed by Creswell (2009). Both transcripts and documents will be coded inductively to identify major themes. The themes will then undergo thematic analysis and pattern matching and be compared across the sectors through cross-case analysis, in order to compare findings and test rival explanations. The research questions will be addressed directly by using explanation building to link governance, practices, and culture to organizational resilience (Franco et al., 2022).
Validity and reliability will be strengthened using several methods. Triangulation of interviews, documents and reports will provide credibility. Member checking will enable the participants to review summaries of the facts. A case study protocol and a coding audit trail will be used to enhance dependability. Reflexive journaling will be used to uphold confirmability, and each case will be described thickly to facilitate transferability (Enaifoghe, 2023).
The design has limitations. The sample size is small, which makes it hard to generalize to all SMEs, and results can be affected because the data are self-reported. The sectoral focus on healthcare, retail and manufacturing might not capture insights from other sectors. There is also the risk of researcher bias, which will be mitigated by using triangulation, reflexive notes and systematic coding. In spite of these limitations, the explicit step-by-step design ensures transparency and defensibility (Creswell, 2009).
Findings, Results, and Discussion
The findings in this section are based on six SMEs in the healthcare, retail and manufacturing industries. The findings are grouped thematically under cybersecurity practices, organizational culture, cybersecurity incidents, and employee engagement. They are then analyzed against the research questions, the theoretical framework (Enterprise Risk Management and socio-technical integration) and the available literature.
All six SMEs reported that they had some technical defenses, the most advanced being antivirus software, firewalls, and frequent system updates. Nevertheless, their use was very fragmented, and no organization had fully implemented a single framework such as ISO 27001 or NIST (Chidukwani et al., 2022). Three of the SMEs depended heavily on outsourced IT vendors, which created disproportionate accountability for cyber risks. A structured ERM approach was only partly evident, in one healthcare SME whose risk register reflected cyber threats.
Across the cases, cybersecurity was also perceived as a technical task rather than a strategic priority. The interviews with leaders showed a lack of commitment and of budget prioritization compared with operational risks. Cybersecurity training received little to no reinforcement, as employees were trained very rarely or only once. This result concurs with literature reporting that SMEs often do not have a security-conscious culture (Fagbule, 2023).
Four of the six responding SMEs had encountered at least one major breach in the last 3 years. Financial losses, downtime and reputational damage were reported. Retail SMEs were especially prone to point-of-sale attacks and phishing, whereas manufacturing SMEs noted ransomware attacks. In both instances the breaches revealed gaps in governance and slowed recovery, as expected based on the results of Benjamin et al. (2024).
The interview data revealed that employees were not very engaged in cybersecurity practices. Many frontline staff did not know the reporting channels or did not feel comfortable recognizing phishing. Training was mainly intermittent rather than continuous. This confirms previous assertions that SMEs can be deficient in the human resource systems that would allow them to develop security resilience (Ejaz & Matthew, 2024).
The results indicate a marked gap between the technical interventions adopted by SMEs and the integration of cybersecurity with broader risk management tools. SMEs know about essential threats, but they approach them informally and reactively, which makes them extremely vulnerable. The reported breaches support the assumption that operational and financial risk is more common in the absence of integration.
Relation to Research Questions
RQ1a (Governance): Governance mechanisms were insufficient, as only one SME considered cyber risks in ERM. This implies that SMEs do not have formal structures for aligning security strategies with their overall strategy (Franco et al., 2022).
RQ1b (Enablers/Barriers): The barriers identified were financial limitations, dependence on third parties, and lack of technical skills. One enabler was leadership readiness to try low-cost training solutions, but these were not regular.
RQ1c (Sectoral Differences): Healthcare SMEs had more awareness of regulations, retail SMEs had more frequent customer-data risks, and manufacturing SMEs had more ransomware threats. These variations indicate how integration is affected by industry-specific forces (Arroyabe et al., 2024).
Correlation with Theoretical Framework
The findings are highly consistent with the socio-technical approach, according to which effective cybersecurity integration means having people, processes, and technology aligned (Chidukwani et al., 2022). Although the SMEs were using technical controls, resilience was constrained by poor organizational culture and governance. Similarly, the ERM framework's emphasis on integrating cyber risks within business units was seldom realized, which is indicative of the difficulty identified by Ahmad and Teo (2024).
Recommendations for Future Research
The study highlights that more effort should be made to understand sector-specific frameworks that can be scaled down to suit SMEs with scarce resources. Future studies could test simplified ERM-cybersecurity hybrids that are specific to SMEs and place particular emphasis on cost-effective governance models. Comparative research across a wider range of industries, or between SMEs and large businesses, would also help clarify the role of size and resources in integration. Lastly, longitudinal studies would be able to determine whether incremental adoption of standards such as ISO 27001 enhances resilience in the long run.
The results confirm that although SMEs recognize the existence of cybersecurity threats, they have not fully and uniformly integrated them into enterprise risk management. This increases susceptibility to breaches and decreases organizational resilience. Connecting these findings to the theoretical frameworks allows the study to show that sustainable cybersecurity integration is not possible through technical mechanisms alone but requires governance, culture, and sector-specific adaptation.
References
Al-Dosari, N., & Fetais, N. (2023). Cybersecurity challenges and governance in SMEs: A comparative analysis. Journal of Information Security, 12(2), 55–72.
Arroyabe, M. F., Arranz, N., & de Arroyabe, J. C. F. (2024). Cybersecurity and SMEs: Sector-specific influences on resilience strategies. International Journal of Business Research, 19(1), 88–104.
Abubakari, P. (2024). Human factors matter: the intersection of cybersecurity governance, and culture in risk management of critical infrastructure (Doctoral dissertation, Pepperdine University). https://digitalcommons.pepperdine.edu/cgi/viewcontent.cgi?article=2573&context=etd
Alahmari, A., & Duncan, B. (2020, June). Cybersecurity risk management in small and medium-sized enterprises: A systematic review of recent evidence. In 2020 international conference on cyber situational awareness, data analytics and assessment (CyberSA) (pp. 1-5). IEEE. https://www.researchgate.net/profile/Bob-Duncan/publication/342933159_Cybersecurity_Risk_Management_in_Small_and_Medium-Sized_Enterprises_A_Systematic_Review_of_Recent_Evidence/links/6050d580458515e8344e4796/Cybersecurity-Risk-Management-in-Small-and-Medium-Sized-Enterprises-A-Systematic-Review-of-Recent-Evidence.pdf
Abdulrahim, N. (2019). Managing Cybersecurity as a Business Risk in Information Technology-based SMEs (Doctoral dissertation, University of Nairobi). https://erepository.uonbi.ac.ke/bitstream/handle/11295/107172/Abdulrahim_Managing%20Cybersecurity%20as%20a%20Business%20Risk%20in%20Information%20Technology-based%20Smes.pdf?sequence=1
Ashley, C., & Preiksaitis, M. (2022). Strategic Cybersecurity Risk Management Practices for Information in Small and Medium Enterprises. Business Management Research and Applications: A Cross-Disciplinary Journal, 1(2), 109-157. https://bmrajournal.columbiasouthern.edu/index.php/bmra/article/download/3421/2886
Ahmad, S. A., & Teo, P. C. (2024). The Implementation of Enterprise Risk Management (ERM) Frameworks in Small and Medium Enterprises (SMES): A Literature Review. International Journal of Academic Research in Business and Social Sciences, 14(9), 290-307. https://kwpublications.com/papers_submitted/11397/the-implementation-of-enterprise-risk-management-erm-frameworks-in-small-and-medium-enterprises-smes-a-literature-review.pdf
Benjamin, R., Okoro, A., & Li, H. (2024). The impact of cyber incidents on SME survival: An empirical study. Small Business Economics, 62(3), 445–462.
Bokan, B., & Santos, J. (2021, April). Managing cybersecurity risk using threat based methodology for evaluation of cybersecurity architectures. In 2021 Systems and Information Engineering Design Symposium (SIEDS) (pp. 1-6). IEEE. https://par.nsf.gov/servlets/purl/10311477
Chidukwani, M., Ahmed, S., & Khan, T. (2022). Integrating cybersecurity into SME risk management frameworks. Journal of Risk and Governance, 8(4), 301–320.
Enaifoghe, A. (2023). Governance and cybersecurity risk management in emerging markets SMEs. Journal of Contemporary Management, 41(2), 112–129.
El-Hajj, M., & Mirza, Z. A. (2024). Protecting Small and Medium Enterprises: A specialized cybersecurity risk assessment framework and tool. Electronics (Switzerland), 13(19), 3910. https://research.utwente.nl/files/484148382/electronics-13-03910-v2.pdf
Ejaz, U., & Matthew, B. (2024). Cost-Effective Cybersecurity Solutions for SMEs: Balancing Security Needs and Budget Constraints. https://www.researchgate.net/profile/Umair-Ejaz-3/publication/392282793_Cost-Effective_Cybersecurity_Solutions_for_SMEs_Balancing_Security_Needs_and_Budget_Constraints/links/683c3b4d6b5a287c304891e7/Cost-Effective-Cybersecurity-Solutions-for-SMEs-Balancing-Security-Needs-and-Budget-Constraints.pdf
Fagbule, O. (2023). Cyber security training in small to medium-sized enterprises (SMEs): Exploring organisation culture and employee training needs (Doctoral dissertation, Bournemouth University). http://eprints.bournemouth.ac.uk/39148/1/FAGBULE%2C%20Omolola_Ph.D._2022.pdf
Franco, D., Martinez, P., & Roberts, L. (2022). Enterprise risk management and cybersecurity integration in SMEs. Risk Management Review, 15(3), 210–228.
Govender, K. K., Naude, M., & Munodawafa, T. (2025). An exploratory qualitative study of competitive strategies used by small and medium-sized enterprises in Botswana. Journal of Management: Small and Medium Enterprises (SMEs), 18(1), 11-37. https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2021&q=Govender%2C+K.+K.%2C+Naude%2C+M.%2C+%26+Munodawafa%2C+T.+%282025%29.+AN+EXPLORATORY+QUALITATIVE+STUDY+OF+COMPETITIVE+STRATEGIES+USED+BY+SMALL+AND+MEDIUM-SIZED+ENTERPRISES+IN+BOTSWANA.+Journal+of+Management%3A+Small+and+Medium+Enterprises+%28SMEs%29%2C+18%281%29%2C+11-37.&btnG=
Georgiadou, A., Mouzakitis, S., Bounas, K., & Askounis, D. (2022). A cyber-security culture framework for assessing organization readiness. Journal of Computer Information Systems, 62(3), 452-462. https://d1wqtxts1xzle7.cloudfront.net/113950803/08874417.2020.184558320240429-1-7zuy1m-libre.pdf
Herath, T. C., Herath, H. S., & Cullum, D. (2023). An information security performance measurement tool for senior managers: Balanced scorecard integration for security governance and control frameworks. Information Systems Frontiers, 25(2), 681-721. https://www.researchgate.net/profile/Hemantha-Herath/publication/358909388_An_Information_Security_Performance_Measurement_Tool_for_Senior_Managers_Balanced_Scorecard_Integration_for_Security_Governance_and_Control_Frameworks/links/6390a7aa484e65005bee951c/An-Information-Security-Performance-Measurement-Tool-for-Senior-Managers-Balanced-Scorecard-Integration-for-Security-Governance-and-Control-Frameworks.pdf
Hoong, Y., Rezania, D., & Baker, R. (2024). When traditional SME managers encounter cybersecurity: Discourse analysis of opportunities and dilemmas in meeting the demands. Technology in Society, 78, 102650. https://www.sciencedirect.com/science/article/pii/S0160791X24001982
Jean-Jules, J., & Vicente, R. (2021). Rethinking the implementation of enterprise risk management (ERM) as a socio-technical challenge. Journal of Risk Research, 24(2), 247-266. https://d1wqtxts1xzle7.cloudfront.net/84523919/Fardapaper-Rethinking-the-implementation-of-enterprise-risk-management-ERM-as-a-socio-technical-challenge-libre.pdf
Jarjoui, S., & Murimi, R. (2021). A framework for enterprise cybersecurity risk management. In Advances in cybersecurity management (pp. 139-161). Cham: Springer International Publishing. https://www.researchgate.net/profile/Renita-Murimi/publication/352435737_A_Framework_for_Enterprise_Cybersecurity_Risk_Management/links/629f40696886635d5cc6fdd0/A-Framework-for-Enterprise-Cybersecurity-Risk-Management.pdf
Johnstone, L. (2021). Facilitating sustainability control in SMEs through the implementation of an environmental management system. Journal of Management Control, 32(4), 559-605. https://link.springer.com/content/pdf/10.1007/s00187-021-00329-0.pdf
Kezron, I. E. (2024). A cybersecurity resilience framework for underserved rural SMEs in critical infrastructure supply chains: Strengthening operational continuity and threat response in digitally vulnerable sectors. World Journal of Advanced Research and Reviews, 24(3), 3464-3477. https://www.researchgate.net/profile/Edward-Isabirye/publication/392900639_A_cybersecurity_resilience_framework_for_underserved_rural_SMEs_in_critical_infrastructure_supply_chains_Strengthening_operational_continuity_and_threat_response_in_digitally_vulnerable_regions/links/6856f5ea99d2ce32c1ca0d86/A-cybersecurity-resilience-framework-for-underserved-rural-SMEs-in-critical-infrastructure-supply-chains-Strengthening-operational-continuity-and-threat-response-in-digitally-vulnerable-regions.pdf
Kianpour, M., & Raza, S. (2024). More than malware: unmasking the hidden risk of cybersecurity regulations. International Cybersecurity Law Review, 5(1), 169-212. https://link.springer.com/content/pdf/10.1365/s43439-024-00111-7.pdf
Krishnan, R. (2024). Challenges and benefits for small and medium enterprises in the transformation to smart manufacturing: a systematic literature review and framework. Journal of Manufacturing Technology Management, 35(4), 918-938. https://www.emerald.com/jmtm/article-abstract/35/4/918/1219381/Challenges-and-benefits-for-small-and-medium?redirectedFrom=fulltext
Kwarteng, M. A., Ntsiful, A., Diego, L. F. P., & Novák, P. (2024). Extending UTAUT with competitive pressure for SMEs digitalization adoption in two European nations: a multi-group analysis. Aslib Journal of Information Management, 76(5), 842-868. https://www.sciencedirect.com/science/article/pii/S2667096823000381
Mdaki, J. (2025). A hybrid cybersecurity framework for small businesses: integrating NIST CSF, ISO 27001, and CEO engagement. https://www.theseus.fi/bitstream/handle/10024/891475/Mdaki_Jacob.pdf?sequence=2
Melaku, H. M. (2023). Context-based and adaptive cybersecurity risk management framework. Risks, 11(6), 101. https://www.mdpi.com/2227-9091/11/6/101
Moturi, C. A., Abdulrahim, N. R., & Orwa, D. O. (2021). Towards adequate cybersecurity risk management in SMEs. International Journal of Business Continuity and Risk Management, 11(4), 343-366. https://www.inderscienceonline.com/doi/abs/10.1504/IJBCRM.2021.119943
Olagbemide, V. A. (2024). Developing an Effective Framework for Information Security Compliance Management in Small and Medium-sized Enterprises (SMEs). University of Derby. https://www.researchgate.net/profile/Vincent-Olagbemide/publication/384256107_Developing_an_Effective_Framework_for_Information_Security_Compliance_Management_in_Small_and_Medium-sized_Enterprises_SMEs_Developing_an_Effective_Framework_for_Information_Security_Compliance_Manage/links/66f160d9c0570c21feb6c206/Developing-an-Effective-Framework-for-Information-Security-Compliance-Management-in-Small-and-Medium-sized-Enterprises-SMEs-Developing-an-Effective-Framework-for-Information-Security-Compliance-Manage.pdf
Omowole, B. M., Olufemi-Philips, A. Q., Ofadile, O. C., Eyo-Udo, N. L., & Ewim, S. E. (2024). Barriers and drivers of digital transformation in SMEs: A conceptual analysis. International Journal of Frontline Research in Multidisciplinary Studies, 5(2), 019-036. https://www.researchgate.net/profile/Bamidele-Omowole/publication/386276990_Barriers_and_drivers_of_digital_transformation_in_SMEs_A_conceptual_analysis/links/6757bb5334301c1fe9461329/Barriers-and-drivers-of-digital-transformation-in-SMEs-A-conceptual-analysis.pdf
Odio, P. E., Kokogho, E., Olorunfemi, T. A., Nwaozomudoh, M. O., Adeniji, I. E., & Sobowale, A. (2021). Innovative financial solutions: A conceptual framework for expanding SME portfolios in Nigeria's banking sector. International Journal of Multidisciplinary Research and Growth Evaluation, 2(1), 495-507. https://www.researchgate.net/profile/Princess-Odio/publication/388662619_Innovative_Financial_Solutions_A_Conceptual_Framework_for_Expanding_SME_Portfolios_in_Nigeria's_Banking_Sector/links/67ec722703b8d7280e1a12bf/Innovative-Financial-Solutions-A-Conceptual-Framework-for-Expanding-SME-Portfolios-in-Nigerias-Banking-Sector.pdf
Pathirana, A. I. W., & Wilenius, M. (2025). ISO 27001 and Global Privacy Compliance. https://www.utupub.fi/bitstream/handle/10024/182519/Pathirana_Asanka_Thesis.pdf?sequence=1
Pawar, S., & Palivela, H. (2022). LCCI: A framework for least cybersecurity controls to be implemented for small and medium enterprises (SMEs). International Journal of Information Management Data Insights, 2(1), 100080. https://www.sciencedirect.com/science/article/pii/S2667096822000234
Parsola, J. (2023). Cybersecurity risk assessment and management for organizational security. NeuroQuantology, 20(5), 123-140. https://pdfs.semanticscholar.org/5af8/15da2b581b0338fc3a8bf4ba3f8821334d75.pdf
Rawindaran, N. (2023). Impact of cyber security awareness in small, medium enterprises (SMEs) in Wales (Doctoral dissertation, Cardiff Metropolitan University). https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2021&q=Rawindaran%2C+N.+%282023%29.+Impact+of+cyber+security+awareness+in+small%2C+medium+enterprises+%28SMEs%29+in+Wales+%28Doctoral+dissertation%2C+Cardiff+Metropolitan+University%29.&btnG=
Sabidi, M. L., & Zolkipli, M. F. (2024). The Role of Risk Management in Cybersecurity Protocols. Borneo International Journal eISSN 2636-9826, 7(2), 77-81. https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2021&q=Sabidi%2C+M.+L.%2C+%26+Zolkipli%2C+M.+F.+%282024%29.+The+Role+of+Risk+Management+in+Cybersecurity+Protocols.+Borneo+International+Journal+eISSN+2636-9826%2C+7%282%29%2C+77-81.&btnG=
Sikder, A. S. (2023). Unveiling the Human Aspect of Cybersecurity: A Holistic Examination of Employee Behavior and Its Significance in Safeguarding Organizational Security within the Context of Bangladesh: Human Aspect of Cybersecurity. International Journal of Imminent Science & Technology., 1(1), 199-215. https://www.researchgate.net/publication/385775980_Unveiling_the_Human_Aspect_of_Cybersecurity_A_Holistic_Examination_of_Employee_Behavior_and_Its_Significance_in_Safeguarding_Organizational_Security_within_the_Context_of_Bangladesh_Human_Aspect_of_Cy
Thamrongthanakit, T. (2023). Impacts of cybersecurity practices on cyberattack damage and protection among small and medium enterprises in Thailand. https://www.diva-portal.org/smash/get/diva2:1784412/FULLTEXT01.pdf
Thummala, V. R., & Bindewari, S. (2024). Optimizing Cybersecurity Practices through Compliance and Risk Assessment. International Journal of Research Radicals in Multidisciplinary Fields, ISSN, 910-930. https://www.researchgate.net/profile/Venkata-Thummala/publication/390446033_Optimizing_Cybersecurity_Practices_through_Compliance_and_Risk_Assessment/links/67ee2c2403b8d7280e1e445b/Optimizing-Cybersecurity-Practices-through-Compliance-and-Risk-Assessment.pdf
Victor-Mgbachi, T. O. Y. I. N. (2024). Navigating cybersecurity beyond compliance: Understanding your threat landscape and vulnerabilities. Iconic Research and Engineering Journals, 7. https://www.researchgate.net/profile/Toyin-Victor-M/publication/389658966_Navigating_Cybersecurity_Beyond_Compliance_Understanding_Your_Threat_Landscape_and_Vulnerabilities/links/67cb9e9ccc055043ce6f3e5b/Navigating-Cybersecurity-Beyond-Compliance-Understanding-Your-Threat-Landscape-and-Vulnerabilities.pdf
Vance, A. S. (2025). Cybersecurity and Quantum Computing: A Quantitative Analysis Proposing a Framework for Assessing Quantum Cybersecurity Maturity. https://www.proquest.com/openview/e0989d58104ca4567a61c9747d23008e/1.pdf?pq-origsite=gscholar&cbl=18750&diss=y
Yokowo, R. Y. (2024). Building a Cybersecurity Maturity Guide For Small and Medium-sized Enterprises (SME) With Open Source Solutions. https://pcs.usp.br/pcspf/wp-content/uploads/sites/8/2024/12/Monografia_PCS3860_COOP_2024_Grupo_C23.pdf