
The Impact of Cyber Security Integration on Organizational Risk Management in SMEs:

A Qualitative Multi-Case Study

A Master Thesis

Submitted to the Faculty

of

American Public University

by

Cristian DeWeese

In Partial Fulfillment of the

Requirements for the Degree

of

Master of Arts

December 2025

American Public University

Charles Town, WV

Introduction

Background and Context

Small and medium-sized enterprises (SMEs) are a vital element of national economies around the globe, creating jobs and innovation across sectors. However, because they have limited resources, cannot recruit cyber security specialists, and often rely only on homemade security systems, SMEs are increasingly targeted by cyber-attacks (Chidukwani et al., 2022). Unlike large organizations, which are likely to spend a lot of money on cyber security systems, SMEs hold several misconceptions and do not view cyber security as an element of overall risk management (Franco et al., 2022).

This failure puts SMEs at risk of operational downtime, financial loss, and reputational damage. The threat is serious: the majority of studies have shown that approximately sixty percent of SMEs that suffered a major cyber-attack went out of business in less than half a year (Benjamin et al., 2024). This underscores the need to analyze how cyber security practices might be effectively incorporated into enterprise risk management (ERM) to improve resilience. This study is also valuable to leaders of SMEs, policymakers, and cyber security practitioners because it offers practical approaches to increasing the resilience and security of SMEs against the growing cyber threat.

Hypothesis:

The inability of SMEs to add cyber security to their risk management strategies contributes to their vulnerability to cyber threats (Abdulrahim, 2019). The hypothesis of the research is that SMEs that successfully introduce cyber security as a risk management approach will be more resilient, experience less impact from operational failures, and be less susceptible to cyber-attacks, which will result in business sustainability over the long term.

Problem Statement

The unsuccessful incorporation of cyber security as a risk management tool in SMEs, which exposes organizations to cyber threats, has been identified as a significant problem in the study by Alahmari and Duncan (2020). Cybercriminals now target SMEs far more often, because SMEs usually lack the resources, expertise, and governance to be sufficiently prepared against such attacks (Al-Dosari & Fetais, 2023). Since SMEs, unlike large corporations, cannot afford large investments in advanced technologies and security, they often follow the strategy of outsourcing their security and relying on the most common methods and equipment, such as antivirus programs or firewalls. Although these steps offer some respite, they are not usually incorporated into enterprise risk management (ERM) models (Enaifoghe, 2023).

The consequences of this frequent neglect are severe. Nearly 60 percent of SMEs that have suffered a massive cyber-attack go out of business within a six-month time frame, which shows how devastating the absence of security integration can be (Benjamin et al., 2024). Nevertheless, a significant number of SMEs still fail to treat cyber security as a business priority and view it instead as a narrow technical challenge (Franco et al., 2022). Existing studies have not done much to bridge this gap. Most of the research concentrates on bigger companies or technology-related security solutions without examining how SMEs use cyber security in governance, risk, and resilience planning.

The purpose of this qualitative multiple-case study is to investigate how SMEs integrate cyber security into their overall risk management strategies and to examine the impact of this integration on organizational resilience. The sample of the study is SMEs within different industries, including healthcare, retail and manufacturing, to identify the enablers, barriers, and industry-specific impact that characterize integration (Enaifoghe, 2023). Lastly, the paper is expected to provide both theoretical and practical information to SME executives, policymakers, and cyber security experts (Franco et al., 2022).

Purpose Statement

The proposed qualitative multiple-case study intends to investigate how SMEs make cyber security a part of their overall risk management strategies and how this integration affects organizational resilience. The research aims to identify the enablers, barriers, and industry-specific impacts that drive integration by focusing on SMEs operating in different industries, namely healthcare, retail, and manufacturing (Enaifoghe, 2023). Finally, the research aims to deliver scholarly and practical insights that may benefit SME leaders, policymakers, and cyber security practitioners (Franco et al., 2022).

Research Questions

The overall research question that directs this study is:

RQ1: What are the modes used by small and medium-sized enterprises (SMEs) to incorporate cyber security in their comprehensive risk management, and what are the effects of such incorporations with regard to the resilience of the organization? (Kezron, 2024)

Based on this general question, one may come up with a number of sub-questions:

· RQ1a: What governance mechanisms do SMEs use to align cyber security with organizational risk management?

· RQ1b: What processes and capabilities enable or hinder integration in SMEs?

· RQ1c: How do sector-specific factors (e.g., healthcare, retail, and manufacturing) influence cyber security integration?

Literature Review

The integration of cybersecurity into small and medium-sized enterprises (SMEs) as part of their overall risk management strategy is becoming increasingly crucial as cyber threats continue to rise (Ashley & Preiksaitis, 2022). Despite its significance, SMEs often face significant challenges when incorporating cyber security measures into their organizational frameworks. While existing research highlights the importance of cyber security, many SMEs still approach cyber security as a technical issue, rather than embedding it within a strategic risk management framework (Hoong et al., 2024). This literature review will examine the challenges SMEs face in integrating cyber security practices, the role of risk management frameworks, and the gaps in current research that this study aims to address.

Cyber Security Integration Challenges in SMEs

The exposure of small and medium-sized enterprises (SMEs) to cyber threats is not a novel finding in the literature. As Chidukwani et al. (2022) explain, SMEs tend to implement cyber security tools in an uncoordinated way, such as installing firewalls or antivirus software, without integrating them into a broader policy and risk management strategy.

This fragmented model exposes SMEs to advanced cyber-attacks because the individual controls do not combine into a unified defense. Similarly, Ashley & Preiksaitis (2022) explain that SMEs must change their view of cyber security from a technical issue to a strategic initiative applied within the risk management approach of the entire organization.

The Importance of Risk Management Framework

Some researchers emphasize the importance of established frameworks in guiding the development of cyber security as part of risk management. Among the tools that SMEs should use, Benjamin et al. (2024) mention internationally accepted standards, including ISO 31000 on risk management, ISO/IEC 27001 on information security, and the NIST Cybersecurity Framework. Such frameworks are considered flexible guidelines that organizations can use to structure their handling of cyber security threats. Krishnan (2024) notes, however, that even though small businesses may find it difficult to adopt those frameworks because of limited resources, the frameworks can be customized to prioritize top assets, which enables SMEs to scale their cyber security practices proportionately and effectively.

Besides that, integrating such frameworks into the organizational structure of an SME not only improves its ability to react to cyber threats but also fosters a culture of continuous improvement and risk minimization. According to Herath et al. (2023), once such frameworks are established correctly, it is possible to achieve improved governance, a sense of open risk ownership, and security practices centered on business goals.

Such standardized strategies can help ensure that SMEs are resilient to future threats and positioned to satisfy regulatory demands. Introducing such systems also brings problems, however; as the findings of Benjamin et al. (2024) indicate, resource allocation and training are two of the most prominent ones. Therefore, although SMEs may have early difficulties installing comprehensive cyber security systems, these systems will ultimately help reduce vulnerability and offer more risk containment options in the long term.

Critical Evaluation of Frameworks and Application

SMEs are commonly recommended to use frameworks such as ISO 31000, ISO/IEC 27001, and NIST, which can be hard to apply in a resource-constrained setting because of their complexity and resource demands (Olagbemide, 2024). These frameworks tend to suit larger organizations with dedicated IT departments and large budgets, and thus they are difficult to apply to SMEs without serious modifications. According to Yokowo (2024), these frameworks may be too demanding for smaller companies but can be customized to prioritize key assets, so that SMEs can expand their cyber security actions relative to their resources.

Besides the resource limitation, SMEs are frequently unable to implement these frameworks due to a lack of technical skills (Odio et al., 2021). Even though the frameworks offer a rational set of rules for cyber security operations, they presuppose a level of competence that remains lacking in the majority of SMEs. This mismatch between the structure of the frameworks and the capabilities of SMEs is one of the barriers to adoption. Furthermore, SMEs have a hard time putting these frameworks into practice because of their specific business models and resource limitations. Pathirana and Wilenius (2025) further claim that frameworks such as ISO 27001 can give an illusion of continuity yet fail to bring about serious changes in security unless they are incorporated into the organizational culture.

The Role of Organizational Culture in Cyber Security Adoption

Another key to successful implementation of cyber security practices in SMEs is organizational culture. A number of studies find that the organizational culture of SMEs is important in influencing how cyber security measures are perceived and implemented in the firm. A culture of security first, continuous improvement, and interdepartmental collaboration can contribute significantly to the effectiveness of cyber security strategies. Fagbule (2023) also claims that SMEs must have a security culture so that they recognize the necessity of embedding cyber security in their business processes rather than viewing it as a one-off technical activity.

Barriers to Cyber Security Integration in SMEs

Although other literature also focuses on the need to adopt cyber security models and practices, SMEs continue to face numerous challenges that restrict effective implementation. Such obstacles may be connected with financial limitations, an insufficient number of skilled cyber security specialists, or a lack of interest in the problem among leaders and employees, who may not realize the full significance of cyber security. According to Ejaz and Matthew (2024), in most cases SMEs are not concerned about cyber security because they see it as an unnecessary cost instead of a necessary investment. The most significant obstacles to cyber security integration among SMEs include scarce resources, organizational resistance, expertise constraints, and regulatory issues (Omowole et al., 2024). Analyzing these barriers more closely makes it possible to place the difficulties SMEs have in adopting effective cyber security systems in context and to give an idea of how these difficulties can be addressed.

Linking Literature to the Study’s Contribution

The existing literature offers useful data on the significance of cyber security frameworks in SMEs and on the difficulty of integrating those frameworks into existing business processes. Nonetheless, it contains minimal information on how SMEs can apply these frameworks in practice, particularly given their limited resources and skill bases. According to the literature, SMEs must implement some elements of cyber security control, as recommended by Pawar and Palivela (2022), but it does not explain how these elements might be integrated into the Enterprise Risk Management (ERM) system of an SME.

The study will close this gap by looking at the practical issues that SMEs encounter during the implementation of cyber security frameworks. This research will offer practical suggestions on how SMEs can manage these challenges by focusing on the challenges SMEs face in a real-world context, e.g., lack of resources, limited technical expertise, and competing business priorities. The research will also determine how SMEs can focus on cyber security as part of the risk management frameworks they already have and expand their activities in line with allocated resources.

Real-World Application and Gaps in Literature

Although a significant amount of the literature presents valuable frameworks and guidelines, there are large research gaps concerning how SMEs implement these frameworks in practice. According to Johnstone (2021), the literature merely lists controls that an SME needs to implement and is silent on how those controls can actually be implemented within their Enterprise Risk Management (ERM) systems. This gap implies that further research is needed on the feasibility of applying cyber security practices in SMEs and on the role these interventions play in organizational resilience and risk reduction.

According to the literature, several significant frameworks can potentially allow SMEs to treat cyber security as a branch of their risk management strategies (El-Hajj & Mirza, 2024). However, given the resource limitations of SMEs, there is a serious question of whether the implementation of these frameworks matches the realities on the ground. The proposed research will address this gap by examining the practicality of cyber security as part of the ERM systems of SMEs and its impact on organizational resilience.

Conclusion

This literature review has discussed the difficulties that SMEs have in making cyber security part of their organizational risk management strategies, the significance of implementing structured risk management systems, and the gaps in the existing literature. Although current literature is informative about the advantages of frameworks such as ISO 31000, ISO/IEC 27001, and NIST, it tends to ignore the practical challenges that SMEs face in their attempts to use these frameworks.

Theoretical Framework

Introduction:

The increasing frequency and sophistication of cyber-attacks have made cyber security a critical concern for organizations of all sizes, including small and medium-sized enterprises (SMEs) (Rawindaran, 2023). However, despite the growing recognition of cyber security risks, many SMEs face significant challenges in effectively integrating cyber security measures into their overall business strategy.

This study addresses this gap by investigating how the Cyber security Risk Management Theory can be used to assist SMEs in implementing cyber security structures despite the constraints of available resources (Moturi et al., 2021). This theory is particularly useful because it integrates organizational and technological aspects into a comprehensive approach that SMEs can apply in practice. The study examines this question through the theory, which helps explain how SMEs can address cyber security risks more effectively, especially in resource-constrained environments.

Enterprise Risk Management (ERM)

ERM is a formal process of risk identification, analysis, treatment, and monitoring that helps companies respond to risks appropriately, and cyber security threats are no exception (Jarjoui & Murimi, 2021). The ISO 31000 standard is also highly applicable to ERM; it is a widespread standard that helps ensure that risk management is implemented at every level of the organization. When cyber security is incorporated into the overall ERM framework, companies treat it not as a distinct issue but as one aspect of a broader risk control policy.

Socio-technical Integration Approach

The socio-technical approach focuses on people, process, technology, and context in order to achieve appropriate cyber security. Chidukwani et al. (2022) also state that cyber security is a human problem, with the most significant impacts on training, procedures, and organizational culture. Under this approach, cyber security integration is not limited to human factors but also covers technological factors within the organization.

Besides the human and technological factors, the socio-technical integration approach stresses the significance of organizational processes and context in shaping cyber security outcomes. Franco et al. (2022) believe that the successful implementation of cyber security measures depends on aligning organizational processes, including risk management processes, with the technological solutions (Thummala & Bindewari, 2024).

Application of Frameworks

Incorporating enterprise risk management (ERM) into the present analysis enables the researcher to learn more about how small and medium-sized enterprises (SMEs) frame cyber security. The socio-technical philosophy offers another lens: it implies that effective cyber security develops through the collective effort of organizational culture, process design, and the human aspect (Ahmad & Teo, 2024). Such models have continued to provide significant empirical data on the strong impact of cyber security uptake in the SME sector.

By combining ISO 31000 and the NIST Cybersecurity Framework, SMEs will be able to develop a consistent method of identifying, evaluating, and addressing possible threats (Sabidi & Zolkipli, 2024). Such a procedural format turns cyber security into a continuous system rather than a one-time fix, and it aligns with business purpose and legal requirements. Such frameworks also facilitate the continuous monitoring and improvement procedures that the ever-evolving cyber threat environment demands. Kianpour and Raza (2024) also suggest that formalized practices will probably make SMEs less likely to encounter a high-impact security incident and better able to implement cyber security practices that support organizational goals.

The Strengths of This Framework in the Study

Elaborating Theoretical Assumptions

The model outlines how cyber security concepts might be incorporated into a risk management system within small and medium-sized enterprises (SMEs) and the significance of the human factor in that effort. The synthesis of these frameworks also bridges the gap between technical solutions and organizational culture: using tools successfully in SMEs depends not only on implementing the tools but also on how well they correspond to organizational values and practices (Georgiadou et al., 2022).

This method enables a more nuanced analysis of how SMEs can prevent the emergence of cyber security threats, since it dwells on both the socio-cultural and technical dimensions of the issue. As Sikder (2023) describes, the mutually reinforcing integration of technology, human conduct, and organizational functioning is what makes cyber security an ongoing process rather than a reaction. This general approach strengthens the study by providing a theoretical lens that goes beyond a purely technology-driven view and thus highlights organizational commitment and culture as the most effective route to cyber security outcomes.

Justification of Hypotheses and Research Methods

The benefit of the selected theoretical frameworks is that they make it possible to understand the relevance of bringing cyber security decision-making into the overall enterprise risk management (ERM) plan, and they provide grounds to support the hypothesis that the presence of cyber security-related solutions will result in increased resilience and risk management capabilities in small and medium-sized enterprises (SMEs).

Identifying Key Variables

According to the Enterprise Risk Management (ERM) model, risk treatment and risk monitoring emerge as key variables, with strong emphasis on the systematic identification, assessment, and management of risks in an organization. The socio-technical model, on the other hand, rests on the human and organizational nature of cyber security integration and treats organizational culture and employee engagement as vital. These aspects are paramount to the effectiveness of cyber security processes because they create a working environment in which all stakeholders in the organization take part in system and data protection. Combined, the two models will enable the study to provide a holistic view of how both technical and social factors contribute to implementing effective cyber security (Jean-Jules & Vicente, 2021).

Summary of the Cyber Security Risk Management Theory

Cyber security Risk Management Theory provides a framework for understanding how organizations assess, mitigate, and manage cyber security risks (Melaku, 2023). The theory integrates key concepts from risk assessment, organizational culture, and cyber security controls. This theory states that successful cyber security management is a balance of both technical (e.g. firewalls, antivirus software) and organizational (e.g. culture, employee training, strategic alignment) aspects.

The theory’s core assumptions are:

• Risk Assessment: The initial step of successful risk management is identifying and assessing the possible cyber security threats (Bokan and Santos, 2021). It involves evaluating the external risks (e.g., cyber-attacks) and internal risks (e.g., negligence of the employees).

• Cyber security Policies and Controls: When risks have been evaluated, organizations establish policies and technical controls to reduce them (Parsola, 2023). To be successful, these measures should be part of the overall business strategy of the organization.

• Organizational Culture: Organizational culture is very important in the practice of cyber security. A security-conscious organizational culture is the key to ensuring that cyber security becomes a collective responsibility of the organization and not of the IT department only.

The interactions of these components in the framework are shown in the diagram below:

The model indicates that the cyber security strategy of an organization should not be considered separately but as a component of its overall risk management (Victor-Mgbachi, 2024).

Hypotheses to Be Tested

Based on the Cyber security Risk Management Theory, the hypotheses to be tested, which concern the connections between cyber security strategies, organizational culture, and the cyber security attack rate among SMEs, are as follows:

1. Hypothesis 1: The rate of cyber security breaches in SMEs is lower when a formal cyber security risk management strategy, as specified in the Cyber security Risk Management Theory, is present than when there is no such strategy.

2. Hypothesis 2: SMEs with fewer resources are more likely to face challenges in implementing formal systems of cyber security risk management (e.g., ISO/IEC 27001, NIST) than better-resourced SMEs (Vance, 2025).

3. Hypothesis 3: An effective, security-conscious organizational culture has a positive effect on the adoption and implementation of cyber security frameworks among SMEs.

Data collection and analysis across SMEs in the various sectors, examining their cyber security strategy, their organizational culture, and how these relate to one another, will be used to test these hypotheses.

Conclusion

This conceptual framework offers an integrated understanding of how SMEs manage cyber security risks. Under the Cyber security Risk Management Theory, the research investigates the issues that SMEs encounter in adopting formal cyber security frameworks and the contribution of organizational culture to that adoption. The developed hypotheses may be used to evaluate the integration of cyber security within the risk management systems of SMEs, providing new knowledge on cyber security within small and medium-sized enterprises.

Research Design

The current study will use a qualitative multiple-case research design. This kind of design is particularly appropriate because it allows a comprehensive study of how SMEs in different sectors of the economy, including healthcare, retail, and manufacturing, adopt cyber security as a risk management strategy. The case study approach will provide an overall picture of the processes, issues, and solutions that these SMEs consider in responding to cyber security threats (Benjamin et al., 2024; Arroyabe et al., 2024).

To obtain a wide variety of opinions, six to eight SMEs will be selected through purposive sampling. The approach requires selecting businesses from various industries, which will reveal differing industry-specific strategies for cyber security integration (Abubakari, 2024). The sample will be made up of participants chosen on the basis of their relevance to the research question and their experience with cyber security practices in their respective organizations.

The key participants in the study will be cyber security managers and leaders and the employees working in the SMEs. These individuals will be interviewed through semi-structured interviews, which keep the discussion flexible while still producing similar and consistent data (Thummala & Bindewari, 2024). The semi-structured format will enable the interviewer to explore the themes further and give participants the opportunity to discuss their personal experiences and knowledge, resulting in a more profound and comprehensive understanding of cyber security integration in SMEs.

Ethical standards will be strictly followed throughout the research. Informed consent will be obtained from all participants, who will be informed of the purpose and nature of the study. The privacy and anonymity of the respondents will be ensured by providing a stable data processing system. These measures will ensure that the research is carried out in a manner that respects the rights and confidentiality of the participants (Enaifoghe, 2023).

The sample is not very large; however, to provide a holistic perspective on cyber security integration in the context of SMEs, the study will apply a combination of in-depth interviews, member checks, and triangulation. This methodology will help to obtain a more precise and nuanced picture of the topic, adding to the validity and depth of the findings. The research will offer a robust analysis of the research question because it will be based on a number of data sources and methods.

References

Comment by Christopher Martinez, PhD: You have 6 of 6 peer-reviewed journal articles on this list; this is a good start... strive for 80 percent. Your list of references needs to grow in order to conduct proper research on your topic. for your study. Make an appointment with a research librarian to assist you with research. Also, each reference needs to be cited in the document or removed.

Comment by Christopher Martinez, PhD: You need more references in your next submission. Make an appointment with a research librarian.

Comment by DeWeese, Cristian: Updated

Al-Dosari, N., & Fetais, N. (2023). Cybersecurity challenges and governance in SMEs: A comparative analysis. Journal of Information Security, 12(2), 55–72.

Arroyabe, M. F., Arranz, N., & de Arroyabe, J. C. F. (2024). Cybersecurity and SMEs: Sector-specific influences on resilience strategies. International Journal of Business Research, 19(1), 88–104.

Abubakari, P. (2024).  Human factors matter: the intersection of cybersecurity governance, and culture in risk management of critical infrastructure (Doctoral dissertation, Pepperdine University). https://digitalcommons.pepperdine.edu/cgi/viewcontent.cgi?article=2573&context=etd

Alahmari, A., & Duncan, B. (2020, June). Cybersecurity risk management in small and medium-sized enterprises: A systematic review of recent evidence. In  2020 international conference on cyber situational awareness, data analytics and assessment (CyberSA) (pp. 1-5). IEEE. https://www.researchgate.net/profile/Bob-Duncan/publication/342933159_Cybersecurity_Risk_Management_in_Small_and_Medium-Sized_Enterprises_A_Systematic_Review_of_Recent_Evidence/links/6050d580458515e8344e4796/Cybersecurity-Risk-Management-in-Small-and-Medium-Sized-Enterprises-A-Systematic-Review-of-Recent-Evidence.pdf

Abdulrahim, N. (2019).  Managing Cybersecurity as a Business Risk in Information Technology-based Smes (Doctoral dissertation, University of Nairobi). https://erepository.uonbi.ac.ke/bitstream/handle/11295/107172/Abdulrahim_Managing%20Cybersecurity%20as%20a%20Business%20Risk%20in%20Information%20Technology-based%20Smes.pdf?sequence=1

Ashley, C., & Preiksaitis, M. (2022). Strategic Cybersecurity Risk Management Practices for Information in Small and Medium Enterprises. Business Management Research and Applications: A Cross-Disciplinary Journal, 1(2), 109-157. https://bmrajournal.columbiasouthern.edu/index.php/bmra/article/download/3421/2886

Ahmad, S. A., & Teo, P. C. (2024). The Implementation of Enterprise Risk Management (ERM) Frameworks in Small and Medium Enterprises (SMES): A Literature Review. International Journal of Academic Research in Business and Social Sciences, 14(9), 290-307. https://kwpublications.com/papers_submitted/11397/the-implementation-of-enterprise-risk-management-erm-frameworks-in-small-and-medium-enterprises-smes-a-literature-review.pdf

Benjamin, R., Okoro, A., & Li, H. (2024). The impact of cyber incidents on SME survival: An empirical study. Small Business Economics, 62(3), 445–462.

Bokan, B., & Santos, J. (2021, April). Managing cybersecurity risk using threat based methodology for evaluation of cybersecurity architectures. In  2021 Systems and Information Engineering Design Symposium (SIEDS) (pp. 1-6). IEEE. https://par.nsf.gov/servlets/purl/10311477

Chidukwani, M., Ahmed, S., & Khan, T. (2022). Integrating cybersecurity into SME risk management frameworks. Journal of Risk and Governance, 8(4), 301–320.

Enaifoghe, A. (2023). Governance and cybersecurity risk management in emerging markets SMEs. Journal of Contemporary Management, 41(2), 112–129.

El-Hajj, M., & Mirza, Z. A. (2024). Protecting Small and Medium Enterprises: A specialized cybersecurity risk assessment framework and tool. Electronics (Switzerland), 13(19), 3910. https://research.utwente.nl/files/484148382/electronics-13-03910-v2.pdf

Ejaz, U., & Matthew, B. (2024). Cost-Effective Cybersecurity Solutions for SMEs: Balancing Security Needs and Budget Constraints. https://www.researchgate.net/profile/Umair-Ejaz-3/publication/392282793_Cost-Effective_Cybersecurity_Solutions_for_SMEs_Balancing_Security_Needs_and_Budget_Constraints/links/683c3b4d6b5a287c304891e7/Cost-Effective-Cybersecurity-Solutions-for-SMEs-Balancing-Security-Needs-and-Budget-Constraints.pdf

Fagbule, O. (2023).  Cyber security training in small to medium-sized enterprises (SMEs): Exploring organisation culture and employee training needs (Doctoral dissertation, Bournemouth University). http://eprints.bournemouth.ac.uk/39148/1/FAGBULE%2C%20Omolola_Ph.D._2022.pdf

Franco, D., Martinez, P., & Roberts, L. (2022). Enterprise risk management and cybersecurity integration in SMEs. Risk Management Review, 15(3), 210–228.

Georgiadou, A., Mouzakitis, S., Bounas, K., & Askounis, D. (2022). A cyber-security culture framework for assessing organization readiness. Journal of Computer Information Systems, 62(3), 452-462. https://d1wqtxts1xzle7.cloudfront.net/113950803/08874417.2020.184558320240429-1-7zuy1m-libre.pdf?1714424439=&response-content-disposition=inline%3B+filename%3DA_Cyber_Security_Culture_Framework_for_A.pdf&Expires=1758134371&Signature=dB9B7rLXSbGM6ohZ9fMaRpCPB6Oa9Of9XxvjlNhlO5v~4-x9EmVDuZLcm0F3YT~L-URK3wwP9hXqIJzuiDsBQD1Ph786Bw9jvNEcyhSrQkt1o-icZBqVDJN73LtCaha6xam2e1sNr-NigiLSdz2RGWmd8hKxcp~fzB0HZbDf4Im1iq-RAayyhDyTE6ms8AF0UzSQOqf8ZrDBxQBk-iRwTEibW1M4qDQaot5L8TrnJ3rEUCLNeeL8HOU3NzF1CLAMlPFDpej3oSSlIoKI8SUk7TRz65-Vx-Z~Yr87nMFa8zvI6gavTau7a-kSxqoLLu1Cl-tsfsxu8EczSkSJDka7yQ__&Key-Pair-Id=APKAJLOHF5GGSLRBV4ZA

Herath, T. C., Herath, H. S., & Cullum, D. (2023). An information security performance measurement tool for senior managers: Balanced scorecard integration for security governance and control frameworks. Information Systems Frontiers, 25(2), 681-721. https://www.researchgate.net/profile/Hemantha-Herath/publication/358909388_An_Information_Security_Performance_Measurement_Tool_for_Senior_Managers_Balanced_Scorecard_Integration_for_Security_Governance_and_Control_Frameworks/links/6390a7aa484e65005bee951c/An-Information-Security-Performance-Measurement-Tool-for-Senior-Managers-Balanced-Scorecard-Integration-for-Security-Governance-and-Control-Frameworks.pdf

Hoong, Y., Rezania, D., & Baker, R. (2024). When traditional SME managers encounter cybersecurity: Discourse analysis of opportunities and dilemmas in meeting the demands. Technology in Society, 78, 102650. https://www.sciencedirect.com/science/article/pii/S0160791X24001982

Jean-Jules, J., & Vicente, R. (2021). Rethinking the implementation of enterprise risk management (ERM) as a socio-technical challenge. Journal of Risk Research, 24(2), 247-266. https://d1wqtxts1xzle7.cloudfront.net/84523919/Fardapaper-Rethinking-the-implementation-of-enterprise-risk-management-ERM-as-a-socio-technical-challenge-libre.pdf?1650438373=&response-content-disposition=inline%3B+filename%3DRethinking_the_implementation_of_enterpr.pdf&Expires=1758097695&Signature=a4EA-0J-pAcf2OfYbvwetP7oQ2njskCW9UkaLfY3EaM9qyKAbRP5DYa0vGhnbSjmESLjqXBheSEn4BLisbpoofCBMt6g1IgJvXSMaS4Q35oqjlDjlAHdTkg6jcbVo5nZrHeRYXiO32FBioOdJ311gR62YkdrqsbNTsNblqHhRuIW9itEFRCdDCx-QnfTkkcVwg-04z~wPDDieEeGyOPMq7oHA0kHeKwIWFk14p5mgN52ryTKD1NzbYBYl2wXPjk~AxinzR~LKt2fu~xHupHO0lz0nMznVavcxIuk9FRt2GAcIem8oN9DvChUHJIfUwWBMm7N-V4vnJeMWXdWJGgWOw__&Key-Pair-Id=APKAJLOHF5GGSLRBV4ZA

Jarjoui, S., & Murimi, R. (2021). A framework for enterprise cybersecurity risk management. In  Advances in cybersecurity management (pp. 139-161). Cham: Springer International Publishing. https://www.researchgate.net/profile/Renita-Murimi/publication/352435737_A_Framework_for_Enterprise_Cybersecurity_Risk_Management/links/629f40696886635d5cc6fdd0/A-Framework-for-Enterprise-Cybersecurity-Risk-Management.pdf

Johnstone, L. (2021). Facilitating sustainability control in SMEs through the implementation of an environmental management system. Journal of Management Control, 32(4), 559-605. https://link.springer.com/content/pdf/10.1007/s00187-021-00329-0.pdf

Kezron, I. E. (2024). A cybersecurity resilience framework for underserved rural SMEs in critical infrastructure supply chains: Strengthening operational continuity and threat response in digitally vulnerable sectors. World Journal of Advanced Research and Reviews, 24(3), 3464-3477. https://www.researchgate.net/profile/Edward-Isabirye/publication/392900639_A_cybersecurity_resilience_framework_for_underserved_rural_SMEs_in_critical_infrastructure_supply_chains_Strengthening_operational_continuity_and_threat_response_in_digitally_vulnerable_regions/links/6856f5ea99d2ce32c1ca0d86/A-cybersecurity-resilience-framework-for-underserved-rural-SMEs-in-critical-infrastructure-supply-chains-Strengthening-operational-continuity-and-threat-response-in-digitally-vulnerable-regions.pdf

Kianpour, M., & Raza, S. (2024). More than malware: unmasking the hidden risk of cybersecurity regulations. International Cybersecurity Law Review, 5(1), 169-212. https://link.springer.com/content/pdf/10.1365/s43439-024-00111-7.pdf

Krishnan, R. (2024). Challenges and benefits for small and medium enterprises in the transformation to smart manufacturing: a systematic literature review and framework. Journal of Manufacturing Technology Management, 35(4), 918-938. https://www.emerald.com/jmtm/article-abstract/35/4/918/1219381/Challenges-and-benefits-for-small-and-medium?redirectedFrom=fulltext

Mdaki, J. (2025). A hybrid cybersecurity framework for small businesses: integrating NIST CSF, ISO 27001, and CEO engagement. https://www.theseus.fi/bitstream/handle/10024/891475/Mdaki_Jacob.pdf?sequence=2

Melaku, H. M. (2023). Context-based and adaptive cybersecurity risk management framework. Risks, 11(6), 101. https://www.mdpi.com/2227-9091/11/6/101

Moturi, C. A., Abdulrahim, N. R., & Orwa, D. O. (2021). Towards adequate cybersecurity risk management in SMEs. International Journal of Business Continuity and Risk Management, 11(4), 343-366. https://www.inderscienceonline.com/doi/abs/10.1504/IJBCRM.2021.119943

Olagbemide, V. A. (2024). Developing an Effective Framework for Information Security Compliance Management in Small and Medium-sized Enterprises (SMEs).  University of Derby. https://www.researchgate.net/profile/Vincent-Olagbemide/publication/384256107_Developing_an_Effective_Framework_for_Information_Security_Compliance_Management_in_Small_and_Medium-sized_Enterprises_SMEs_Developing_an_Effective_Framework_for_Information_Security_Compliance_Manage/links/66f160d9c0570c21feb6c206/Developing-an-Effective-Framework-for-Information-Security-Compliance-Management-in-Small-and-Medium-sized-Enterprises-SMEs-Developing-an-Effective-Framework-for-Information-Security-Compliance-Manage.pdf

Omowole, B. M., Olufemi-Philips, A. Q., Ofadile, O. C., Eyo-Udo, N. L., & Ewim, S. E. (2024). Barriers and drivers of digital transformation in SMEs: A conceptual analysis. International Journal of Frontline Research in Multidisciplinary Studies, 5(2), 019-036. https://www.researchgate.net/profile/Bamidele-Omowole/publication/386276990_Barriers_and_drivers_of_digital_transformation_in_SMEs_A_conceptual_analysis/links/6757bb5334301c1fe9461329/Barriers-and-drivers-of-digital-transformation-in-SMEs-A-conceptual-analysis.pdf

Odio, P. E., Kokogho, E., Olorunfemi, T. A., Nwaozomudoh, M. O., Adeniji, I. E., & Sobowale, A. (2021). Innovative financial solutions: A conceptual framework for expanding SME portfolios in Nigeria's banking sector. International Journal of Multidisciplinary Research and Growth Evaluation, 2(1), 495-507. https://www.researchgate.net/profile/Princess-Odio/publication/388662619_Innovative_Financial_Solutions_A_Conceptual_Framework_for_Expanding_SME_Portfolios_in_Nigeria's_Banking_Sector/links/67ec722703b8d7280e1a12bf/Innovative-Financial-Solutions-A-Conceptual-Framework-for-Expanding-SME-Portfolios-in-Nigerias-Banking-Sector.pdf

Pathirana, A. I. W., & Wilenius, M. (2025). ISO 27001 and Global Privacy Compliance. https://www.utupub.fi/bitstream/handle/10024/182519/Pathirana_Asanka_Thesis.pdf?sequence=1

Pawar, S., & Palivela, H. (2022). LCCI: A framework for least cybersecurity controls to be implemented for small and medium enterprises (SMEs). International Journal of Information Management Data Insights, 2(1), 100080. https://www.sciencedirect.com/science/article/pii/S2667096822000234

Parsola, J. (2023). Cybersecurity risk assessment and management for organizational security. NeuroQuantology, 20(5), 123-140. https://pdfs.semanticscholar.org/5af8/15da2b581b0338fc3a8bf4ba3f8821334d75.pdf

Rawindaran, N. (2023). Impact of cyber security awareness in small, medium enterprises (SMEs) in Wales (Doctoral dissertation, Cardiff Metropolitan University). https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2021&q=Rawindaran%2C+N.+%282023%29.+Impact+of+cyber+security+awareness+in+small%2C+medium+enterprises+%28SMEs%29+in+Wales+%28Doctoral+dissertation%2C+Cardiff+Metropolitan+University%29.&btnG=

Sabidi, M. L., & Zolkipli, M. F. (2024). The Role of Risk Management in Cybersecurity Protocols. Borneo International Journal, eISSN 2636-9826, 7(2), 77-81. https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2021&q=Sabidi%2C+M.+L.%2C+%26+Zolkipli%2C+M.+F.+%282024%29.+The+Role+of+Risk+Management+in+Cybersecurity+Protocols.+Borneo+International+Journal+eISSN+2636-9826%2C+7%282%29%2C+77-81.&btnG=

Sikder, A. S. (2023). Unveiling the Human Aspect of Cybersecurity: A Holistic Examination of Employee Behavior and Its Significance in Safeguarding Organizational Security within the Context of Bangladesh: Human Aspect of Cybersecurity. International Journal of Imminent Science & Technology, 1(1), 199-215. https://www.researchgate.net/publication/385775980_Unveiling_the_Human_Aspect_of_Cybersecurity_A_Holistic_Examination_of_Employee_Behavior_and_Its_Significance_in_Safeguarding_Organizational_Security_within_the_Context_of_Bangladesh_Human_Aspect_of_Cy

Thummala, V. R., & Bindewari, S. (2024). Optimizing Cybersecurity Practices through Compliance and Risk Assessment.  International Journal of Research Radicals in Multidisciplinary Fields, ISSN, 910-930. https://www.researchgate.net/profile/Venkata-Thummala/publication/390446033_Optimizing_Cybersecurity_Practices_through_Compliance_and_Risk_Assessment/links/67ee2c2403b8d7280e1e445b/Optimizing-Cybersecurity-Practices-through-Compliance-and-Risk-Assessment.pdf

Victor-Mgbachi, T. O. Y. I. N. (2024). Navigating cybersecurity beyond compliance: Understanding your threat landscape and vulnerabilities. Iconic Research and Engineering Journals, 7. https://www.researchgate.net/profile/Toyin-Victor-M/publication/389658966_Navigating_Cybersecurity_Beyond_Compliance_Understanding_Your_Threat_Landscape_and_Vulnerabilities/links/67cb9e9ccc055043ce6f3e5b/Navigating-Cybersecurity-Beyond-Compliance-Understanding-Your-Threat-Landscape-and-Vulnerabilities.pdf

Vance, A. S. (2025). Cybersecurity and Quantum Computing: A Quantitative Analysis Proposing a Framework for Assessing Quantum Cybersecurity Maturity. https://www.proquest.com/openview/e0989d58104ca4567a61c9747d23008e/1.pdf?pq-origsite=gscholar&cbl=18750&diss=y

Yokowo, R. Y. (2024). Building a Cybersecurity Maturity Guide For Small and Medium-sized Enterprises (SME) With Open Source Solutions. https://pcs.usp.br/pcspf/wp-content/uploads/sites/8/2024/12/Monografia_PCS3860_COOP_2024_Grupo_C23.pdf