SCMT699
The Impact of Cyber security Integration on Organizational Risk Management in SMEs:
A Qualitative Multi-Case Study
A Master Thesis
Submitted to the Faculty
of
American Public University
by
Cristian DeWeese
In Partial Fulfillment of the
Requirements for the Degree
of
Master of Arts
December 2025
American Public University
Charles Town, WV
Introduction
Background and Context
Small and medium-sized enterprises (SMEs) are a vital element of national economies around the globe, creating jobs and innovation across sectors. However, because they have limited resources, are often unable to recruit cyber security specialists, and frequently rely on homemade security systems, SMEs are being targeted ever more often by cyber attacks (Chidukwani et al., 2022). Unlike large organizations, which are likely to spend a lot of money on cyber security systems, SMEs hold several misconceptions and do not view cyber security as an element of overall risk management (Franco et al., 2022).
This failure puts SMEs at risk of operational downtime, financial loss, and reputational damage. It is alarming that the majority of studies have shown that approximately sixty percent of SMEs that had suffered a major cyber-attack went out of business in less than half a year (Benjamin et al., 2024). This fact underlines the need to analyze how cyber security practices might be effectively incorporated into enterprise risk management (ERM) to make it more resilient. This study is also valuable to leaders of SMEs, policymakers, and cyber security practitioners because it offers practical approaches to increase the resilience and security of SMEs against the growing cyber threat.
Hypothesis:
The inability of SMEs to integrate cyber security into their risk management strategies contributes to their vulnerability to cyber threats (Abdulrahim, 2019). The hypothesis of the research is that SMEs that successfully introduce cyber security as a risk management approach will be more resilient, experience less impact from operational failures, and be less susceptible to cyber-attacks, which will result in business sustainability over the long term.
Problem Statement
The unsuccessful incorporation of cyber security as a risk management tool in SMEs, which exposes organizations to cyber threats, has been identified as a significant problem by Alahmari and Duncan (2020). Cybercriminals now increasingly target SMEs, as these usually lack the resources, expertise, and governance to be sufficiently prepared against such attacks (Al-Dosari & Fetais, 2023). Since SMEs, unlike large corporations, cannot afford large investments in advanced technologies and security, they often outsource their security and rely on the most common methods and equipment, such as antivirus programs or firewalls. Although these steps offer some protection, they are not usually incorporated into enterprise risk management (ERM) models (Enaifoghe, 2023).
The consequences of this frequent neglect are severe. Nearly 60 percent of SMEs that have suffered a massive cyber-attack go out of business within six months, which demonstrates the devastating effect of absent security integration (Benjamin et al., 2024). Nevertheless, a significant number of SMEs still fail to treat cyber security as a business priority and view it as a purely technical challenge (Franco et al., 2022). Existing studies have also done little to bridge this gap. Most research concentrates on larger companies or technology-related security solutions without examining how SMEs use cyber security in governance, risk, and resilience planning.
The purpose of this qualitative multiple-case study is to investigate how SMEs integrate cyber security into their overall risk management strategies and to examine the impact of this integration on organizational resilience. The study samples SMEs in different industries, including healthcare, retail, and manufacturing, to identify the enablers, barriers, and industry-specific impacts that characterize integration (Enaifoghe, 2023). Lastly, the paper is expected to provide both theoretical and practical information to SME executives, policymakers, and cyber security experts (Franco et al., 2022).
Purpose Statement
The proposed qualitative multiple-case study intends to investigate how SMEs make cyber security a part of their overall risk management strategies and how this integration affects organizational resilience. The research aims to identify the enablers, barriers, and industry-specific impacts that drive integration by focusing on SMEs operating in different industries, namely healthcare, retail, and manufacturing (Enaifoghe, 2023). Finally, the research aims to deliver scholarly and practical insights that may benefit SME leaders, policymakers, and cyber security practitioners (Franco et al., 2022).
Research Questions
The overall research question that directs this study is:
RQ1: How do small and medium-sized enterprises (SMEs) incorporate cyber security into their comprehensive risk management, and what are the effects of such incorporation on the resilience of the organization? (Kezron, 2024)
Based on this general question, a number of sub-questions follow:
· RQ1a: What governance mechanisms do SMEs use to align cyber security with organizational risk management?
· RQ1b: What processes and capabilities enable or hinder integration in SMEs?
· RQ1c: How do sector-specific factors (e.g., healthcare, retail, and manufacturing) influence cyber security integration?
Literature Review
The integration of cybersecurity into small and medium-sized enterprises (SMEs) as part of their overall risk management strategy is becoming increasingly crucial as cyber threats continue to rise (Ashley & Preiksaitis, 2022). Despite its significance, SMEs often face significant challenges when incorporating cyber security measures into their organizational frameworks. While existing research highlights the importance of cyber security, many SMEs still approach cyber security as a technical issue, rather than embedding it within a strategic risk management framework (Hoong et al., 2024). This literature review will examine the challenges SMEs face in integrating cyber security practices, the role of risk management frameworks, and the gaps in current research that this study aims to address.
Cyber security Integration Challenges in SMEs
The exposure of small and medium-sized enterprises (SMEs) to cyber threats is well documented in the literature. As Chidukwani et al. (2022) explain, SMEs tend to implement cyber security tools in an uncoordinated way, for example installing firewalls or antivirus software without integrating them into a broader policy and risk management strategy.
This fragmented model exposes SMEs to advanced cyber-attacks, since individual controls do not combine into a unified defense. Similarly, Ashley & Preiksaitis (2022) explain that SMEs must change their attitude towards cyber security from a technical issue to a strategic initiative applied across the risk management approach of the entire organization.
The Importance of Risk Management Framework
Some researchers emphasize the importance of established frameworks to inform the development of cyber security as part of risk management. Among the tools that SMEs should use, Benjamin et al. (2024) mention internationally accepted standards, including ISO 31000 on risk management, ISO/IEC 27001 on information security, and the NIST Cybersecurity Framework. Such frameworks are considered flexible guidelines that organizations can use to organize their response to cyber security threats. Krishnan (2024) warns, however, that although small businesses may find it difficult to adopt these frameworks given their available resources, the frameworks can be customized to prioritize top assets, which enables SMEs to scale their cyber security practices proportionately and effectively.
Besides that, integrating such frameworks into the organizational structure of an SME not only improves its ability to react to cyber threats but also fosters a culture of continuous improvement and risk minimization. According to Herath et al. (2023), once such frameworks are established correctly, they can improve governance, create a sense of clear risk ownership, and align security practices with business goals.
Such standardized strategies can ensure that SMEs are resilient to future threats and positioned to satisfy regulatory demands. Introducing such systems also presents problems, and the findings of Benjamin et al. (2024) indicate that resource allocation and training are two of the most prominent. Therefore, although SMEs may have early difficulties installing comprehensive cyber security systems, these systems will ultimately help reduce vulnerability and offer more risk containment options in the long term.
Critical Evaluation of Frameworks and Application
SMEs are commonly advised to use frameworks such as ISO 31000, ISO/IEC 27001, and NIST, which can be hard to apply in a resource-constrained setting due to their complexity and resource demands (Olagbemide, 2024). These frameworks tend to suit larger organizations with dedicated IT departments and large budgets, and are thus difficult to apply to SMEs without serious modification. According to Yokowo (2024), these frameworks may be too demanding for smaller companies, but they can be customized to prioritize key assets, so that SMEs can expand their cyber security actions relative to their resources.
Besides the resource limitation, SMEs are frequently unable to implement these frameworks due to a lack of technical skills (Odio et al., 2021). Even though the frameworks offer a rational set of rules for cyber security operations, they assume a level of competence that most SMEs lack. This mismatch between the structure of the frameworks and the capabilities of SMEs is one of the barriers to adoption.
The Role of Organizational Culture in Cyber security Adoption
Organizational culture is another ingredient of successful implementation of cyber security practices in SMEs. A variety of studies find that the perception and implementation of cyber security measures in a firm depend on the organizational culture of the SME. A culture of security first, continuous improvement, and interdepartmental collaboration can contribute substantially to the effectiveness of cyber security strategies. Fagbule (2023) also claims that SMEs must have a security culture so that they recognize the need to embed cyber security in their business processes rather than viewing it as a one-off technical activity.
Barriers to Cyber security Integration in SMEs
Although other literature also focuses on the need to adopt cyber security models and practices, SMEs continue to face numerous challenges that restrict effective implementation. Such obstacles may be connected with financial limitations, an insufficient number of skilled cyber security specialists, or a lack of interest among leadership and employees who may not realize the full significance of cyber security. According to Ejaz and Matthew (2024), in most cases SMEs are not concerned about cyber security since they see it as an unnecessary cost instead of a necessary investment. The most significant obstacles to cyber security integration among SMEs include scarce resources, organizational resistance, expertise constraints, and regulatory issues (Omowole et al., 2024). Analyzing these barriers more closely makes it possible to place SMEs' difficulties in adopting effective cyber security systems in context and indicates how they can be addressed.
Linking Literature to the Study’s Contribution
The existing literature offers useful data on the significance of cyber security frameworks in SMEs and on the difficulty of integrating them into existing business processes. Nonetheless, it contains minimal information on how SMEs can apply these frameworks in practice, particularly given their limited resource and skill bases. According to the literature, SMEs must implement some elements of cyber security control, as recommended by Pawar and Palivela (2022), but it does not explain how these elements might be integrated into the Enterprise Risk Management (ERM) system of an SME.
The study will close this gap by looking at the practical issues that SMEs encounter during the implementation of cyber security frameworks. This research will offer practical suggestions on how SMEs can manage these challenges by prioritizing the challenges SMEs face in a real-world context, e.g. lack of resources, technical expertise, and competing business priorities. The research will also determine how SMEs can focus on cyber security as part of the risk management frameworks they already have and expand their activities according to allocated resources.
Real-World Application and Gaps in Literature
Although much of the literature presents valuable frameworks and guidelines, large research gaps remain regarding how SMEs put these frameworks into practice. The literature, according to Johnstone (2021), merely lists the controls that an SME needs to implement and is silent on how those controls can actually be implemented within their Enterprise Risk Management (ERM) systems. This gap implies that further research is needed on the feasibility of applying cyber security practices in SMEs and on the role these interventions play in organizational resilience and risk reduction.
According to the literature, some significant frameworks can potentially allow SMEs to treat cyber security as a branch of their risk management strategies (El-Hajj & Mirza, 2024). However, whether the implementation of these frameworks matches the realities on the ground is a serious question given the resource limitations of SMEs. The proposed research will address this gap by examining the practicality of cyber security as part of the ERM systems of SMEs and its impact on the resilience of organizations.
Conclusion
This literature review has discussed the difficulties that SMEs have in making cyber security part of their organizational risk management strategies, the significance of implementing structured risk management systems, and the gaps in the existing literature. Although current literature is informative about the advantages of frameworks such as ISO 31000, ISO/IEC 27001, and NIST, it tends to ignore the practical challenges that SMEs face in their attempts to use these frameworks.
Theoretical Framework
Introduction:
The increasing frequency and sophistication of cyber-attacks have made cybersecurity a critical concern for organizations of all sizes, including small and medium-sized enterprises (SMEs) (Rawindaran, 2023). However, despite the growing recognition of cybersecurity risks, many SMEs face significant challenges in effectively integrating cyber security measures into their overall business strategy.
This study fills this research gap by exploring how the Cyber security Risk Management Theory can be applied to help SMEs adopt cyber security systems despite the limitations posed by their available resources (Moturi et al., 2021). The theory is helpful because it combines organizational and technological aspects into a holistic approach that SMEs can apply in practice. The paper discusses this issue based on the theory; it provides an explanation of why SMEs are better at managing cyber security threats, particularly in limited resource settings.
Enterprise Risk Management (ERM)
ERM is a formal procedure of risk identification, analysis, treatment, and monitoring that helps companies respond to risks appropriately, and cyber security threats are no exception (Jarjoui & Murimi, 2021). The ISO 31000 standard is highly applicable to ERM; it is a widespread standard that ensures risk management is implemented at every level of the organization. With cyber security incorporated in the overall ERM framework, companies treat it not as a distinct issue but as an aspect of a broader risk control policy.
Socio-technical Integration Approach
The socio-technical approach focuses on people, process, technology, and context in order to achieve appropriate cyber security. Chidukwani et al. (2022) also state that cybersecurity is a human problem, with the most significant impacts on training, procedures, and organizational culture. Under this approach, cybersecurity integration covers not only human factors but also technological factors within the organization.
Besides the human and technological factors, the socio-technical integration approach stresses the significance of organizational processes and context in shaping cybersecurity outcomes. Franco et al. (2022) believe that the successful implementation of cybersecurity measures depends on aligning organizational processes, including risk management processes, with technological solutions (Thummala & Bindewari, 2024).
Application of Frameworks
Bringing enterprise risk management (ERM) into the current study enables the researcher to learn more about how small and medium-sized enterprises (SMEs) frame cyber security. A complementary view is the socio-technical philosophy, which implies that effective cyber security develops through the collective effort of organizational culture, process design, and the human aspect (Ahmad & Teo, 2024). Such models have continued to yield significant empirical data on the strong impact of cyber security uptake in the SME sector.
Combining ISO 31000 and the NIST Cybersecurity Framework, SMEs will be able to develop a consistent method of identifying, evaluating, and addressing possible threats (Sabidi & Zolkipli, 2024). This procedural format turns cyber security into a continuous system rather than a one-time fix, and it aligns with business purposes and legal requirements. Such frameworks also facilitate the incorporation and enhancement of continuous monitoring and improvement procedures, which the ever-evolving cyber threat environment demands. Kianpour and Raza (2024) also suggest that formalized practices will probably make SMEs less likely to encounter a high-impact security incident and more effective at implementing cyber security business practices that support organizational goals.
The Strengths of This Framework in the Study
Elaborating Theoretical Assumptions
The model outlines how cybersecurity concepts might be incorporated into a risk management system within small and medium-sized enterprises (SMEs) and the significance of the human factor in that effort. The synthesis of these frameworks also bridges the gap between technical solutions and organizational culture, since successful use of tools in SMEs depends not only on implementing the tools but also on their fit with organizational values and practices (Georgiadou et al., 2022).
This method will enable a more nuanced analysis of how SMEs would prevent the emergence of cybersecurity threats, since it dwells on the socio-cultural and technical dimensions of the issue. As Sikder (2023) describes, the mutually reinforcing integration of technology, human conduct, and organizational functioning is what drives cybersecurity as an ongoing process rather than a reaction. This general approach strengthens the study because it provides a theoretical lens that goes beyond the dictates of technology alone and highlights organizational commitment and culture as the most effective route to cyber security outcomes.
Justification of Hypotheses and Research Methods
The benefit of the selected theoretical frameworks is that they help explain the relevance of bringing cyber security decision-making into the overall enterprise risk management (ERM) plan, and they support the hypothesis that the presence of cyber security-related solutions will result in increased resilience and risk management capabilities in small and medium-sized enterprises (SMEs).
Identifying Key Variables
According to the Enterprise Risk Management (ERM) model, the key variables are risk treatment and risk monitoring, with emphasis on the systematic identification, assessment, and management of risks in an organization. The socio-technical model, on the other hand, rests on the human and organizational nature of cyber security integration and treats organizational culture and employee engagement as vital. These aspects are paramount to the effectiveness of cyber security processes since they create a working environment in which all stakeholders in the organization are involved in system and data protection. Combined, the two models will enable the study to provide a holistic view of how both technical and social factors contribute to implementing effective cyber security (Jean-Jules & Vicente, 2021).
Summary of the Cyber security Risk Management Theory
Cyber security Risk Management Theory provides a framework for understanding how organizations assess, mitigate, and manage cyber security risks (Melaku, 2023). The theory integrates key concepts from risk assessment, organizational culture, and cyber security controls. This theory states that successful cyber security management is a balance of both technical (e.g. firewalls, antivirus software) and organizational (e.g. culture, employee training, strategic alignment) aspects.
The theory’s core assumptions are:
• Risk Assessment: The initial step of successful risk management is identifying and assessing the possible cyber security threats (Bokan & Santos, 2021). It involves evaluating the external risks (e.g., cyber-attacks) and internal risks (e.g., negligence of the employees).
• Cyber security Policies and Controls: Once risks have been evaluated, organizations establish policies and technical controls to reduce them (Parsola, 2023). To be successful, these measures should be part of the overall business strategy of the organization.
• Organizational Culture: Organizational culture is very important in the practice of cyber security. A security-conscious organizational culture is the key to ensuring that cyber security becomes a collective responsibility of the organization and not of the IT department only.
The interactions of these components in the framework are shown in the diagram below:
The model indicates that the cyber security strategy of an organization should not be considered separately but as a component of its overall risk management (Victor-Mgbachi, 2024).
Hypotheses to Be Tested
According to the Cyber security Risk Management Theory, the following hypotheses about the links between cyber security strategies and organizational culture will be tested:
1. Hypothesis 1: According to the Cyber security Risk Management Theory, a cyber security breach is less likely in SMEs that have a formal cyber security risk management strategy than in those that have no such strategy.
2. Hypothesis 2: We expect the challenges related to formal systems of cyber security risk management (e.g., ISO/IEC 27001, NIST) to be encountered more frequently by resource-poor than by resource-rich SMEs (Vance, 2025).
3. Hypothesis 3: Good adoption and implementation of cyber security frameworks among SMEs is positively influenced by an organizational culture that is attentive to security.
The study will verify these hypotheses by gathering and interpreting data on SMEs in various industries, their approach to cyber security, their organizational culture, and the interdependence of the three.
Conclusion
This theoretical framework offers a stable body of knowledge on how SMEs manage cyber security threats. Using the Cyber security Risk Management Theory, the study explores the problems SMEs face in adopting formal cyber security frameworks and the impact of organizational culture on that adoption.
Research Design
A qualitative multiple-case research design will be applied in the current study. This design is particularly appropriate since it allows thorough research on how cyber security can be adopted as a risk management tool in SMEs that operate in different sectors of the economy, including healthcare, retail, and manufacturing. The case study method will give a picture of the processes, issues, and solutions, that is, the actions these SMEs take against cyber security threats (Benjamin et al., 2024; Arroyabe et al., 2024).
Identification and Operationalization of Variables
Cyber security practices, organizational culture, cyber security breaches, and employee engagement are the variables of high importance to this study. These variables will be operationalized as follows:
Cyber Security Practices: This variable refers to the measures and resources that SMEs use to safeguard their online resources, such as firewalls, antivirus software, and security measures (Chidukwani et al., 2022). This will be gauged through interviews with managers and employees about the cyber security tools and processes they actually have in place.
Organizational Culture: This will be assessed by examining the overall attitude towards cyber security within the organization, the level of awareness among employees, and the importance placed on cyber security by leadership. The degree of integration of cyber security into the company’s culture will be evaluated through semi-structured interviews and analysis of organizational documents.
Cyber Security Breaches: The occurrence and severity of any cyber security incidents in the past will be recorded and analyzed (Thamrongthanakit, 2023). This data will be obtained through interviews and secondary data, such as incident reports.
Sampling Plan
Purposive sampling will be used to select 6 to 8 SMEs in different industries (healthcare, retail, and manufacturing). This type of sampling is suitable because it enables the researcher to target the businesses that are most pertinent to the research questions and that have some experience with cyber security practices (Govender et al., 2025). The sample will include businesses at different levels and different departments within each business, in order to capture a wide range of approaches and difficulties. By making sure that the sample of SMEs is heterogeneous in terms of organizational contexts, the study will be better placed to attain a deeper level of data and broad generalizability of the findings (Abubakari, 2024). The participants will include the major decision makers, namely the managers and leaders who have been involved in managing cyber security, and the individuals who have been involved in security practices. These participants are chosen because they possess direct experience of cyber security practices within their organizations.
Justification of Case Studies Used
The case study approach is well suited to this research because it enables an analysis of complex real-life problems in their organizational setting. Cyber security measures pose specific challenges and opportunities for SMEs in various industries (Rawindaran et al., 2023). Selecting case studies from different sectors will reveal sector-specific trends, obstacles, and remedies for cyber security integration. Case studies also allow the researcher to examine these phenomena in greater detail, yielding nuanced insight that other research designs do not provide.
Data Collection/Sources
The data will be gathered through semi-structured interviews with the main stakeholders (managers, leaders in cyber security, and employees). These interviews will provide information on the perception and implementation of cyber security practices in SMEs. The semi-structured format permits the flexibility to explore personal experiences while guaranteeing uniformity in the kind of questions posed, which will allow similar data to be collected across the cases (Thummala & Bindewari, 2024).
Secondary data, namely incident reports, cyber security policy documents, and internal audits, will also be reviewed to complement the qualitative data obtained through interviews. This mixed approach will assist in triangulating the results and give a better perspective on the research topic (Benjamin et al., 2024).
Summary of Analysis Procedures
The thematic analysis method will be applied to analyze the data. Interviews will be transcribed, and key themes related to cyber security practices, organizational culture, and challenges will be identified and coded. Pattern matching will be used to identify common themes across different sectors, and comparisons will be drawn to understand how cyber security strategies differ based on organizational size, sector, and resources. The data will also be analyzed for discrepancies and similarities between the experiences of managers and employees to understand different perspectives on cyber security practices.
Limitations of the Study and Bias Discussion
While the qualitative case study design provides in-depth insights, it has several limitations. First, the sample size is small (six to eight SMEs), which may limit the generalizability of the findings (Kwarteng et al., 2024). Second, because the study focuses on a limited number of sectors, the findings may not fully represent all industries. The results will therefore be more context-specific rather than broadly applicable to all SMEs.
Additionally, researcher bias may occur during data collection and analysis. To mitigate this, the researcher will maintain a reflective journal and apply a member-checking technique, where participants will review the findings to ensure the accuracy and credibility of the results. The use of triangulation by combining interviews, documents, and incident reports will further enhance the validity of the findings (Enaifoghe, 2023).
References
Comment by Christopher Martinez, PhD: You have 6 of 6 peer-reviewed journal articles on this list; this is a good start... strive for 80 percent. Your list of references needs to grow in order to conduct proper research on your topic for your study. Make an appointment with a research librarian to assist you with research. Also, each reference needs to be cited in the document or removed.
Comment by Christopher Martinez, PhD: You need more references in your next submission. Make an appointment with a research librarian.
Comment by DeWeese, Cristian: Updated
Al-Dosari, N., & Fetais, N. (2023). Cybersecurity challenges and governance in SMEs: A comparative analysis. Journal of Information Security, 12(2), 55–72.
Arroyabe, M. F., Arranz, N., & de Arroyabe, J. C. F. (2024). Cybersecurity and SMEs: Sector-specific influences on resilience strategies. International Journal of Business Research, 19(1), 88–104.
Abubakari, P. (2024). Human factors matter: the intersection of cybersecurity governance, and culture in risk management of critical infrastructure (Doctoral dissertation, Pepperdine University). https://digitalcommons.pepperdine.edu/cgi/viewcontent.cgi?article=2573&context=etd
Alahmari, A., & Duncan, B. (2020, June). Cybersecurity risk management in small and medium-sized enterprises: A systematic review of recent evidence. In 2020 international conference on cyber situational awareness, data analytics and assessment (CyberSA) (pp. 1-5). IEEE. https://www.researchgate.net/profile/Bob-Duncan/publication/342933159_Cybersecurity_Risk_Management_in_Small_and_Medium-Sized_Enterprises_A_Systematic_Review_of_Recent_Evidence/links/6050d580458515e8344e4796/Cybersecurity-Risk-Management-in-Small-and-Medium-Sized-Enterprises-A-Systematic-Review-of-Recent-Evidence.pdf
Abdulrahim, N. (2019). Managing Cybersecurity as a Business Risk in Information Technology-based Smes (Doctoral dissertation, University of Nairobi). https://erepository.uonbi.ac.ke/bitstream/handle/11295/107172/Abdulrahim_Managing%20Cybersecurity%20as%20a%20Business%20Risk%20in%20Information%20Technology-based%20Smes.pdf?sequence=1
Ashley, C., & Preiksaitis, M. (2022). Strategic Cybersecurity Risk Management Practices for Information in Small and Medium Enterprises. Business Management Research and Applications: A Cross-Disciplinary Journal, 1(2), 109-157. https://bmrajournal.columbiasouthern.edu/index.php/bmra/article/download/3421/2886
Ahmad, S. A., & Teo, P. C. (2024). The Implementation of Enterprise Risk Management (ERM) Frameworks in Small and Medium Enterprises (SMES): A Literature Review. International Journal of Academic Research in Business and Social Sciences, 14(9), 290-307. https://kwpublications.com/papers_submitted/11397/the-implementation-of-enterprise-risk-management-erm-frameworks-in-small-and-medium-enterprises-smes-a-literature-review.pdf
Benjamin, R., Okoro, A., & Li, H. (2024). The impact of cyber incidents on SME survival: An empirical study. Small Business Economics, 62(3), 445–462.
Bokan, B., & Santos, J. (2021, April). Managing cybersecurity risk using threat based methodology for evaluation of cybersecurity architectures. In 2021 Systems and Information Engineering Design Symposium (SIEDS) (pp. 1-6). IEEE. https://par.nsf.gov/servlets/purl/10311477
Chidukwani, M., Ahmed, S., & Khan, T. (2022). Integrating cybersecurity into SME risk management frameworks. Journal of Risk and Governance, 8(4), 301–320.
Enaifoghe, A. (2023). Governance and cybersecurity risk management in emerging markets SMEs. Journal of Contemporary Management, 41(2), 112–129.
El-Hajj, M., & Mirza, Z. A. (2024). Protecting Small and Medium Enterprises: A specialized cybersecurity risk assessment framework and tool. Electronics (Switzerland), 13(19), 3910. https://research.utwente.nl/files/484148382/electronics-13-03910-v2.pdf
Ejaz, U., & Matthew, B. (2024). Cost-Effective Cybersecurity Solutions for SMEs: Balancing Security Needs and Budget Constraints. https://www.researchgate.net/profile/Umair-Ejaz-3/publication/392282793_Cost-Effective_Cybersecurity_Solutions_for_SMEs_Balancing_Security_Needs_and_Budget_Constraints/links/683c3b4d6b5a287c304891e7/Cost-Effective-Cybersecurity-Solutions-for-SMEs-Balancing-Security-Needs-and-Budget-Constraints.pdf
Fagbule, O. (2023). Cyber security training in small to medium-sized enterprises (SMEs): Exploring organisation culture and employee training needs (Doctoral dissertation, Bournemouth University). http://eprints.bournemouth.ac.uk/39148/1/FAGBULE%2C%20Omolola_Ph.D._2022.pdf
Franco, D., Martinez, P., & Roberts, L. (2022). Enterprise risk management and cybersecurity integration in SMEs. Risk Management Review, 15(3), 210–228.
Govender, K. K., Naude, M., & Munodawafa, T. (2025). AN EXPLORATORY QUALITATIVE STUDY OF COMPETITIVE STRATEGIES USED BY SMALL AND MEDIUM-SIZED ENTERPRISES IN BOTSWANA. Journal of Management: Small and Medium Enterprises (SMEs), 18(1), 11-37. https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2021&q=Govender%2C+K.+K.%2C+Naude%2C+M.%2C+%26+Munodawafa%2C+T.+%282025%29.+AN+EXPLORATORY+QUALITATIVE+STUDY+OF+COMPETITIVE+STRATEGIES+USED+BY+SMALL+AND+MEDIUM-SIZED+ENTERPRISES+IN+BOTSWANA.+Journal+of+Management%3A+Small+and+Medium+Enterprises+%28SMEs%29%2C+18%281%29%2C+11-37.&btnG =
Georgiadou, A., Mouzakitis, S., Bounas, K., & Askounis, D. (2022). A cyber-security culture framework for assessing organization readiness. Journal of Computer Information Systems, 62(3), 452-462. https://d1wqtxts1xzle7.cloudfront.net/113950803/08874417.2020.184558320240429-1-7zuy1m-libre.pdf?1714424439=&response-content-disposition=inline%3B+filename%3DA_Cyber_Security_Culture_Framework_for_A.pdf&Expires=1758134371&Signature=dB9B7rLXSbGM6ohZ9fMaRpCPB6Oa9Of9XxvjlNhlO5v~4-x9EmVDuZLcm0F3YT~L-URK3wwP9hXqIJzuiDsBQD1Ph786Bw9jvNEcyhSrQkt1o-icZBqVDJN73LtCaha6xam2e1sNr-NigiLSdz2RGWmd8hKxcp~fzB0HZbDf4Im1iq-RAayyhDyTE6ms8AF0UzSQOqf8ZrDBxQBk-iRwTEibW1M4qDQaot5L8TrnJ3rEUCLNeeL8HOU3NzF1CLAMlPFDpej3oSSlIoKI8SUk7TRz65-Vx-Z~Yr87nMFa8zvI6gavTau7a-kSxqoLLu1Cl-tsfsxu8EczSkSJDka7yQ__&Key-Pair-Id=APKAJLOHF5GGSLRBV4ZA
Herath, T. C., Herath, H. S., & Cullum, D. (2023). An information security performance measurement tool for senior managers: Balanced scorecard integration for security governance and control frameworks. Information Systems Frontiers, 25(2), 681-721. https://www.researchgate.net/profile/Hemantha-Herath/publication/358909388_An_Information_Security_Performance_Measurement_Tool_for_Senior_Managers_Balanced_Scorecard_Integration_for_Security_Governance_and_Control_Frameworks/links/6390a7aa484e65005bee951c/An-Information-Security-Performance-Measurement-Tool-for-Senior-Managers-Balanced-Scorecard-Integration-for-Security-Governance-and-Control-Frameworks.pdf
Hoong, Y., Rezania, D., & Baker, R. (2024). When traditional SME managers encounter cybersecurity: Discourse analysis of opportunities and dilemmas in meeting the demands. Technology in Society, 78, 102650. https://www.sciencedirect.com/science/article/pii/S0160791X24001982
Jean-Jules, J., & Vicente, R. (2021). Rethinking the implementation of enterprise risk management (ERM) as a socio-technical challenge. Journal of Risk Research, 24(2), 247-266. https://d1wqtxts1xzle7.cloudfront.net/84523919/Fardapaper-Rethinking-the-implementation-of-enterprise-risk-management-ERM-as-a-socio-technical-challenge-libre.pdf?1650438373=&response-content-disposition=inline%3B+filename%3DRethinking_the_implementation_of_enterpr.pdf&Expires=1758097695&Signature=a4EA-0J-pAcf2OfYbvwetP7oQ2njskCW9UkaLfY3EaM9qyKAbRP5DYa0vGhnbSjmESLjqXBheSEn4BLisbpoofCBMt6g1IgJvXSMaS4Q35oqjlDjlAHdTkg6jcbVo5nZrHeRYXiO32FBioOdJ311gR62YkdrqsbNTsNblqHhRuIW9itEFRCdDCx-QnfTkkcVwg-04z~wPDDieEeGyOPMq7oHA0kHeKwIWFk14p5mgN52ryTKD1NzbYBYl2wXPjk~AxinzR~LKt2fu~xHupHO0lz0nMznVavcxIuk9FRt2GAcIem8oN9DvChUHJIfUwWBMm7N-V4vnJeMWXdWJGgWOw__&Key-Pair-Id=APKAJLOHF5GGSLRBV4ZA
Jarjoui, S., & Murimi, R. (2021). A framework for enterprise cybersecurity risk management. In Advances in cybersecurity management (pp. 139-161). Cham: Springer International Publishing. https://www.researchgate.net/profile/Renita-Murimi/publication/352435737_A_Framework_for_Enterprise_Cybersecurity_Risk_Management/links/629f40696886635d5cc6fdd0/A-Framework-for-Enterprise-Cybersecurity-Risk-Management.pdf
Johnstone, L. (2021). Facilitating sustainability control in SMEs through the implementation of an environmental management system. Journal of Management Control, 32(4), 559-605. https://link.springer.com/content/pdf/10.1007/s00187-021-00329-0.pdf
Kezron, I. E. (2024). A cybersecurity resilience framework for underserved rural SMEs in critical infrastructure supply chains: Strengthening operational continuity and threat response in digitally vulnerable sectors. World Journal of Advanced Research and Reviews, 24(3), 3464-3477. https://www.researchgate.net/profile/Edward-Isabirye/publication/392900639_A_cybersecurity_resilience_framework_for_underserved_rural_SMEs_in_critical_infrastructure_supply_chains_Strengthening_operational_continuity_and_threat_response_in_digitally_vulnerable_regions/links/6856f5ea99d2ce32c1ca0d86/A-cybersecurity-resilience-framework-for-underserved-rural-SMEs-in-critical-infrastructure-supply-chains-Strengthening-operational-continuity-and-threat-response-in-digitally-vulnerable-regions.pdf
Kianpour, M., & Raza, S. (2024). More than malware: unmasking the hidden risk of cybersecurity regulations. International Cybersecurity Law Review, 5(1), 169-212. https://link.springer.com/content/pdf/10.1365/s43439-024-00111-7.pdf
Krishnan, R. (2024). Challenges and benefits for small and medium enterprises in the transformation to smart manufacturing: a systematic literature review and framework. Journal of Manufacturing Technology Management, 35(4), 918-938. https://www.emerald.com/jmtm/article-abstract/35/4/918/1219381/Challenges-and-benefits-for-small-and-medium?redirectedFrom=fulltext
Kwarteng, M. A., Ntsiful, A., Diego, L. F. P., & Novák, P. (2024). Extending UTAUT with competitive pressure for SMEs digitalization adoption in two European nations: a multi-group analysis. Aslib Journal of Information Management, 76(5), 842-868. https://www.sciencedirect.com/science/article/pii/S2667096823000381
Mdaki, J. (2025). A hybrid cybersecurity framework for small businesses: integrating NIST CSF, ISO 27001, and CEO engagement. https://www.theseus.fi/bitstream/handle/10024/891475/Mdaki_Jacob.pdf?sequence=2
Melaku, H. M. (2023). Context-based and adaptive cybersecurity risk management framework. Risks, 11(6), 101. https://www.mdpi.com/2227-9091/11/6/101
Moturi, C. A., Abdulrahim, N. R., & Orwa, D. O. (2021). Towards adequate cybersecurity risk management in SMEs. International Journal of Business Continuity and Risk Management, 11(4), 343-366. https://www.inderscienceonline.com/doi/abs/10.1504/IJBCRM.2021.119943
Olagbemide, V. A. (2024). Developing an Effective Framework for Information Security Compliance Management in Small and Medium-sized Enterprises (SMEs). University of Derby. https://www.researchgate.net/profile/Vincent-Olagbemide/publication/384256107_Developing_an_Effective_Framework_for_Information_Security_Compliance_Management_in_Small_and_Medium-sized_Enterprises_SMEs_Developing_an_Effective_Framework_for_Information_Security_Compliance_Manage/links/66f160d9c0570c21feb6c206/Developing-an-Effective-Framework-for-Information-Security-Compliance-Management-in-Small-and-Medium-sized-Enterprises-SMEs-Developing-an-Effective-Framework-for-Information-Security-Compliance-Manage.pdf
Omowole, B. M., Olufemi-Philips, A. Q., Ofadile, O. C., Eyo-Udo, N. L., & Ewim, S. E. (2024). Barriers and drivers of digital transformation in SMEs: A conceptual analysis. International Journal of Frontline Research in Multidisciplinary Studies, 5(2), 019-036. https://www.researchgate.net/profile/Bamidele-Omowole/publication/386276990_Barriers_and_drivers_of_digital_transformation_in_SMEs_A_conceptual_analysis/links/6757bb5334301c1fe9461329/Barriers-and-drivers-of-digital-transformation-in-SMEs-A-conceptual-analysis.pdf
Odio, P. E., Kokogho, E., Olorunfemi, T. A., Nwaozomudoh, M. O., Adeniji, I. E., & Sobowale, A. (2021). Innovative financial solutions: A conceptual framework for expanding SME portfolios in Nigeria's banking sector. International Journal of Multidisciplinary Research and Growth Evaluation, 2(1), 495-507. https://www.researchgate.net/profile/Princess-Odio/publication/388662619_Innovative_Financial_Solutions_A_Conceptual_Framework_for_Expanding_SME_Portfolios_in_Nigeria's_Banking_Sector/links/67ec722703b8d7280e1a12bf/Innovative-Financial-Solutions-A-Conceptual-Framework-for-Expanding-SME-Portfolios-in-Nigerias-Banking-Sector.pdf
Pathirana, A. I. W., & Wilenius, M. (2025). ISO 27001 and Global Privacy Compliance. https://www.utupub.fi/bitstream/handle/10024/182519/Pathirana_Asanka_Thesis.pdf?sequence=1
Pawar, S., & Palivela, H. (2022). LCCI: A framework for least cybersecurity controls to be implemented for small and medium enterprises (SMEs). International Journal of Information Management Data Insights, 2(1), 100080. https://www.sciencedirect.com/science/article/pii/S2667096822000234
Parsola, J. (2023). Cybersecurity risk assessment and management for organizational security. NeuroQuantology, 20(5), 123-140. https://pdfs.semanticscholar.org/5af8/15da2b581b0338fc3a8bf4ba3f8821334d75.pdf
Rawindaran, N. (2023). Impact of cyber security awareness in small, medium enterprises (SMEs) in Wales (Doctoral dissertation, Cardiff Metropolitan University). https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2021&q=Rawindaran%2C+N.+%282023%29.+Impact+of+cyber+security+awareness+in+small%2C+medium+enterprises+%28SMEs%29+in+Wales+%28Doctoral+dissertation%2C+Cardiff+Metropolitan+University%29.&btnG =
Sabidi, M. L., & Zolkipli, M. F. (2024). The Role of Risk Management in Cybersecurity Protocols. Borneo International Journal eISSN 2636-9826, 7(2), 77-81. https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2021&q=Sabidi%2C+M.+L.%2C+%26+Zolkipli%2C+M.+F.+%282024%29.+The+Role+of+Risk+Management+in+Cybersecurity+Protocols.+Borneo+International+Journal+eISSN+2636-9826%2C+7%282%29%2C+77-81.&btnG =
Sikder, A. S. (2023). Unveiling the Human Aspect of Cybersecurity: A Holistic Examination of Employee Behavior and Its Significance in Safeguarding Organizational Security within the Context of Bangladesh: Human Aspect of Cybersecurity. International Journal of Imminent Science & Technology., 1(1), 199-215. https://www.researchgate.net/publication/385775980_Unveiling_the_Human_Aspect_of_Cybersecurity_A_Holistic_Examination_of_Employee_Behavior_and_Its_Significance_in_Safeguarding_Organizational_Security_within_the_Context_of_Bangladesh_Human_Aspect_of_Cy
Thamrongthanakit, T. (2023). Impacts of cybersecurity practices on cyberattack damage and protection among small and medium enterprises in Thailand. https://www.diva-portal.org/smash/get/diva2:1784412/FULLTEXT01.pdf
Thummala, V. R., & Bindewari, S. (2024). Optimizing Cybersecurity Practices through Compliance and Risk Assessment. International Journal of Research Radicals in Multidisciplinary Fields, ISSN, 910-930. https://www.researchgate.net/profile/Venkata-Thummala/publication/390446033_Optimizing_Cybersecurity_Practices_through_Compliance_and_Risk_Assessment/links/67ee2c2403b8d7280e1e445b/Optimizing-Cybersecurity-Practices-through-Compliance-and-Risk-Assessment.pdf
Victor-Mgbachi, T. O. Y. I. N. (2024). Navigating cybersecurity beyond compliance: Understanding your threat landscape and vulnerabilities. Iconic Research and Engineering Journals, 7. https://www.researchgate.net/profile/Toyin-Victor-M/publication/389658966_Navigating_Cybersecurity_Beyond_Compliance_Understanding_Your_Threat_Landscape_and_Vulnerabilities/links/67cb9e9ccc055043ce6f3e5b/Navigating-Cybersecurity-Beyond-Compliance-Understanding-Your-Threat-Landscape-and-Vulnerabilities.pdf
Vance, A. S. (2025). Cybersecurity and Quantum Computing: A Quantitative Analysis Proposing a Framework for Assessing Quantum Cybersecurity Maturity. https://www.proquest.com/openview/e0989d58104ca4567a61c9747d23008e/1.pdf?pq-origsite=gscholar&cbl=18750&diss=y
Yokowo, R. Y. (2024). Building a Cybersecurity Maturity Guide For Small and Medium-sized Enterprises (SME) With Open Source Solutions. https://pcs.usp.br/pcspf/wp-content/uploads/sites/8/2024/12/Monografia_PCS3860_COOP_2024_Grupo_C23.pdf