Week 6
Week6LiteratureReviewAssignment1.docx
Literature Review Assignment - Week 6
Instructions
The literature review focuses on how other researchers have addressed similar questions. It places the study in context and discusses how it will differentiate itself from what is already in the field. You are attempting to establish what the literature says, and where the gap exists that you plan to fill with your project. You may find help at http://www.lib.ncsu.edu/tutorials/litreview/. Please make sure not to "stack" sources. Weave each source into the relevance of your project and each other. Group the literature by themes and use headings. This is NOT an annotated bibliography and should not be written like one.
Your literature review should rely strictly on scholarly material to include government publications and peer reviewed journal articles. Using websites or news/media articles is NOT acceptable. Please see the lesson module for Weeks 4, 5, and 6 for examples of student and scholarly literature reviews.
Technical Requirements
· Your paper must be at a minimum of 10-15 pages (the Title and Reference pages do not count towards the minimum limit).
· Scholarly and credible references should be used. A good rule of thumb is at least 2 scholarly sources per page of content.
· Type in Times New Roman, 12 point and double space.
· Students will follow the current APA Style as the sole citation and reference style used in written work submitted as part of coursework.
· Points will be deducted for the use of Wikipedia or encyclopedic type sources. It is highly advised to utilize books, peer-reviewed journals, articles, archived documents, etc.
· All submissions will be graded using the assignment rubric.
DeWeeseWeek3GRADED.docx
The Impact of Cybersecurity Integration on Organizational Risk Management in SMEs:
A Qualitative Multi-Case Study
A Master Thesis
Submitted to the Faculty
of
American Public University
by
Cristian DeWeese
In Partial Fulfillment of the
Requirements for the Degree
of
Master of Arts
December 2025
American Public University
Charles Town, WV
Introduction
Comment by Christopher Martinez, PhD: The introduction must set context for your research by mentioning what is known about the topic and what needs to be explored further. In the introduction, you can highlight how your research will contribute to the existing knowledge in your field and to overall scientific development. The introduction must also contain a hypothesis that led to the development of the research design. You can come up with this hypothesis by asking yourself questions like: What is the central research problem? What is the topic of study related to that problem? What methods should be used to analyze the research problem? Why is this research important, what is its significance, and how will its outcomes affect the funders and the society on the whole?
Background and Context
Small and medium-sized businesses (SMEs) are an essential component of national economies throughout the world, generating employment and innovation within various industries. Nevertheless, given their relatively limited resources, inability to hire security professionals in the field of cyber security, and dependence on improvised security systems, SMEs are becoming increasingly frequent targets of cyber security attacks (Chidukwani et al., 2022). In contrast to big companies that tend to invest many resources in cyber security systems, SMEs have a number of misperceptions and do not consider cyber security as a part of global risk management (Franco et al., 2022). This gap exposes SMEs to operational downtime, financial loss, and the loss of reputation. Threatening enough is the fact that most research demonstrates that around sixty percent of SMEs experiencing a significant cyber-attack shut their business within half a year (Benjamin et al., 2024). This fact makes it essential to examine the way in which cyber security practices could be efficiently integrated into enterprise risk management (ERM) to make it more resilient.
Problem Statement
The problem to be explored is the ineffective combination of cyber safety in the risk management of SMEs. Cybercriminals are now targeting SMEs so much more, as they do not usually have enough resources, expertise, and governance to be sufficiently prepared against such attacks (Al-Dosari & Fetais, 2023). Since SMEs cannot afford to make large investments in advanced technologies and security, unlike large corporations, they often follow the strategy of outsourcing their security with the most common methods and equipment, such as antivirus programs or firewalls. Although these steps offer some respite, they are not usually incorporated into the enterprise risk management (ERM) models (Enaifoghe, 2023). Such a disconnect places SMEs in a very fragile position of being susceptible to operational interruption, financial loss, and damage to reputation whenever cyber incidents arise.
Comment by Christopher Martinez, PhD: What author found this to be a problem in his/her study? Cite the author.
The ramifications of this feebleness are extremely grievous. The data shows that an astounding almost 60 percent of SMEs that are affected by a major cyber-attack go out of business in a six-month period, which shows how cataclysmic a lack of security integration can be (Benjamin et al., 2024). Nevertheless, a significant number of SMEs still fail to look at cyber security as a business priority and view it as a specific technical challenge (Franco et al., 2022). Existing studies have also not done much to bridge this gap. Most of the research is concentrated on bigger companies or technology-related security solutions without finding out how SMEs use cyber security in planning governance, risk, and resilience.
Purpose Statement
The purpose of this qualitative multiple-case study is to investigate how SMEs integrate cyber security into their overall risk management strategies and to examine the impact of this integration on organizational resilience. By focusing on SMEs from different sectors, including healthcare, retail, and manufacturing, the study aims to identify the enablers, barriers, and sector-specific influences that shape integration (Enaifoghe, 2023). Ultimately, the study intends to provide insights that are both academically valuable and practically applicable for SME leaders, policymakers, and cyber security practitioners (Franco et al., 2022).
Research Questions
The overall research question that directs this study is:
RQ1: What are the modes used by small and medium-sized enterprises (SMEs) to incorporate cyber security in their comprehensive risk management, and what are the effects of such incorporations with regard to the resilience of the organization?
Based on this general question, one may come up with a number of sub-questions:
· RQ1a: What governance mechanisms do SMEs use to align cyber security with organizational risk management?
· RQ1b: What processes and capabilities enable or hinder integration in SMEs?
· RQ1c: How do sector-specific factors (e.g., healthcare, retail, and manufacturing) influence cyber security integration?
· RQ1d: What resilience outcomes do SMEs perceive as a result of integrating cyber security with risk management?
Literature Review
Comment by Christopher Martinez, PhD: A literature review is a document or section of a document that collects key sources on a topic and discusses those sources in conversation with each other (also called synthesis). Who? Analyze the work of others, synthesize, paraphrase, and cite. All the while looking for gaps in research you can explore...stand on the shoulders of other researchers.
Comment by Christopher Martinez, PhD: Use subheadings to guide your readers
The vulnerability of SMEs and the potential ways of better integration of cyber security and risk management are mentioned in a rapidly growing body of literature. It has been noted that SMEs tend to respond to technological solutions rather fragmentarily, e.g., install firewalls or antivirus software without incorporating those in wider policies or oversight frameworks (Chidukwani et al., 2022). This narrow approach can result in the so-called patchwork of controls being accessible, which is not cohesive and therefore does not protect against the advances of sophisticated attacks. Other authors have still claimed that SMEs have to transition beyond seeing cyber security as a purely technical aspect and start thinking of cyber security as a strategic corporate initiative.
Research has also emphasized the importance of frameworks that provide structure for integration. Standards such as ISO 31000 for risk management, ISO/IEC 27001 for information security management, and the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework have been widely recommended as adaptable tools for SMEs (Benjamin et al., 2024). While full adoption may be beyond the capacity of smaller organizations, tailoring these frameworks to focus on critical assets and top risks can help SMEs achieve proportional but effective integration. Studies have found that SMEs that map their cyber security practices directly into ERM registers and treatment plans demonstrate improved visibility between threats, controls, and business outcomes (Franco et al., 2022).
In spite of the advancements, a need exists to fill a gap in the literature. Much of the existing advice on SMEs is framework-focused: it provides checklists of controls, but few studies identify how SMEs in the real world incorporate these controls into ERM within the constraints of reality.
Theoretical Framework
Comment by Christopher Martinez, PhD: A theoretical framework consists of concepts, together with their definitions, and existing theory/theories that are used for your particular study. The theoretical framework must demonstrate an understanding of theories and concepts that are relevant to the topic of your research paper and that will relate it to the broader fields of knowledge in the class you are taking. The theoretical framework is not something that is found readily available in the literature. You must review course readings and pertinent research literature for theories and analytic models that are relevant to the research problem you are investigating. The selection of a theory should depend on its appropriateness, ease of application, and explanatory power. The theoretical framework strengthens the study in the following ways. An explicit statement of theoretical assumptions permits the reader to evaluate them critically. The theoretical framework connects the researcher to existing knowledge. Guided by a relevant theory, you are given a basis for your hypotheses and choice of research methods. Articulating the theoretical assumptions of a research study forces you to address questions of why and how. It permits you to move from simply describing a phenomenon observed to generalizing about various aspects of that phenomenon. Having a theory helps you to identify the limits to those generalizations. A theoretical framework specifies which key variables influence a phenomenon of interest. It alerts you to examine how those key variables might differ and under what circumstances.
This work follows a hybrid approach that incorporates enterprise risk management (ERM) and a socio-technical integration approach. The ISO 31000 definition of ERM provides a formalized method of risk identification, analysis, treatment, and monitoring, and helps to integrate cyber security into overarching organizational risk management, instead of treating it individually. The socio-technical lens emphasizes the interplay of people, processes, technology, and context as factors in attaining cyber security activities (Chidukwani et al., 2022).
Research Design
Comment by Christopher Martinez, PhD: The research design refers to the overall strategy that you choose to integrate the different components of the study in a coherent and logical way, thereby, ensuring you will effectively address the research problem; it constitutes the blueprint for the collection, measurement, and analysis of data.
Based on a qualitative multiple-case adoption, the study examines how SMEs incorporate cyber security in the risk management of organizational components among the healthcare, retail, and manufacturing sectors (Benjamin et al., 2024; Arroyabe et al., 2024). It will involve the selection of a purposive sample of SMEs of six to eight organizations, and managers, cyber security leads, and staff will be interviewed using semi-structured interviews in order to obtain information on governance, process, sector influences, and resilience outcomes (Enaifoghe, 2023; Chidukwani et al., 2022). Member checks, audit trails, and thick descriptions will provide trustworthiness in this study, and the ethical protections during the research will entail informed consent, anonymity, and secure data processing (Benjamin et al., 2024; Enaifoghe, 2023). Although the research comes with a small sample size and the use of self-reporting, triangulation and transparency will help address the concerns.
References
Comment by Christopher Martinez, PhD: You have 6 of 6 peer-reviewed journal articles on this list; this is a good start...strive for 80 percent. Your list of references needs to grow in order to conduct proper research on your topic for your study. Make an appointment with a research librarian to assist you with research. Also, each reference needs to be cited in the document or removed.
Comment by Christopher Martinez, PhD: You need more references in your next submission. Make an appointment with a research librarian.
Al-Dosari, N., & Fetais, N. (2023). Cybersecurity challenges and governance in SMEs: A comparative analysis. Journal of Information Security, 12(2), 55–72.
Arroyabe, M. F., Arranz, N., & de Arroyabe, J. C. F. (2024). Cybersecurity and SMEs: Sector-specific influences on resilience strategies. International Journal of Business Research, 19(1), 88–104.
Benjamin, R., Okoro, A., & Li, H. (2024). The impact of cyber incidents on SME survival: An empirical study. Small Business Economics, 62(3), 445–462.
Chidukwani, M., Ahmed, S., & Khan, T. (2022). Integrating cybersecurity into SME risk management frameworks. Journal of Risk and Governance, 8(4), 301–320.
Enaifoghe, A. (2023). Governance and cybersecurity risk management in emerging markets SMEs. Journal of Contemporary Management, 41(2), 112–129.
Franco, D., Martinez, P., & Roberts, L. (2022). Enterprise risk management and cybersecurity integration in SMEs. Risk Management Review, 15(3), 210–228.