Alireza Shojaifar

DOI: https://doi.org/10.48550/arXiv.2007.08201

2020-07-16

Computers and Society

Abstract:Small and medium-sized enterprises (SME) are considered more vulnerable to cyber-attacks. However, and based on SMEs characteristics, they do not adopt good cybersecurity practices. To address the SMEs security adoption problem, we are designing a do-it-yourself (DIY) security assessment and capability improvement method, CYSEC. In the first validation of CYSEC, we conducted a multi-case study in four SMEs. We observed that confidentiality concerns could influence users decisions to provide CYSEC with relevant and accurate security information. The lack of precise information may impact our DIY assessment method to provide accurate recommendations. In this paper, we explore the importance of dynamic consent and its effect on SMEs trust perception and sharing information. We discuss the lack of trust perception may be addressed by applying dynamic consent. Finally, we describe the results of three interviews with SMEs and present how the new way of communication in CYSEC can help us to understand better SMEs attitudes towards sharing information.

Mohammed El-Hajj,Zuhayr Aamir Mirza

DOI: https://doi.org/10.3390/electronics13193910

IF: 2.9

2024-10-03

Electronics

Abstract:As the number of Small and Medium Enterprises (SMEs) rises in the world, the amount of sensitive data used also increases, making them targets for cyberattacks. SMEs face a host of issues such as a lack of resources and poor cybersecurity talent, resulting in multiple vulnerabilities that increase overall risk. Cybersecurity risk assessment frameworks have been developed by multiple organizations such as the National Institute of Science and Technology (NIST) and the International Organization for Standardization (ISO), but they are complicated to understand and challenging to implement. This research aimed to create an effective cybersecurity risk assessment framework specifically for SMEs while considering their limitations. This was achieved by first identifying common threats and vulnerabilities and categorizing them according to their importance and risk. Secondly, popular frameworks like the NIST CSF and ISO 27001/2 were analyzed for their proficiencies and deficiencies while identifying relevant areas for SMEs. Finally, novel techniques catered to SMEs were explored and incorporated to create an effective framework for SMEs. This framework was also developed in the form of a tool, providing an interactive and dynamic environment. The tool was effective, and the framework is a promising start but requires more quantitative analysis.

engineering, electrical & electronic,computer science, information systems,physics, applied

Maria Bada,Jason R.C. Nurse

DOI: https://doi.org/10.1108/ICS-07-2018-0080

2019-06-23

Abstract:Purpose: An essential component of an organisation's cybersecurity strategy is building awareness and education of online threats, and how to protect corporate data and services. This research article focuses on this topic and proposes a high-level programme for cybersecurity education and awareness to be used when targeting Small-to-Medium-sized Enterprises/Businesses (SMEs/SMBs) at a city-level. We ground this programme in existing research as well as unique insight into an ongoing city-based project with similar aims. Findings: We find that whilst literature can be informative at guiding education and awareness programmes, it may not always reach real-world programmes. On the other hand, existing programmes, such as the one we explored, have great potential but there can also be room for improvement. Knowledge from each of these areas can, and should, be combined to the benefit of the academic and practitioner communities. Originality/value: The study contributes to current research through the outline of a high-level programme for cybersecurity education and awareness targeting SMEs/SMBs. Through this research, we engage in a reflection of literature in this space, and present insights into the advances and challenges faced by an on-going programme. These analyses allow us to craft a proposal for a core programme that can assist in improving the security education, awareness and training that targets SMEs/SMBs.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Alireza Shojaifar,Samuel A. Fricker

DOI: https://doi.org/10.48550/arXiv.2007.06308

2020-07-13

Computers and Society

Abstract:Small and medium-sized enterprises are considered an essential part of the EU economy, however, highly vulnerable to cyberattacks. SMEs have specific characteristics which separate them from large companies and influence their adoption of good cybersecurity practices. To mitigate the SMEs' cybersecurity adoption issues and raise their awareness of cyber threats, we have designed a self-paced security assessment and capability improvement method, CYSEC. CYSEC is a security awareness and training method that utilises self-reporting questionnaires to collect companies' information about cybersecurity awareness, practices, and vulnerabilities to generate automated recommendations for counselling. However, confidentiality concerns about cybersecurity information have an impact on companies' willingness to share their information. Security information sharing decreases the risk of incidents and increases users' self-efficacy in security awareness programs. This paper presents the results of semi-structured interviews with seven chief information security officers of SMEs to evaluate the impact of online consent communication on motivation for information sharing. The results were analysed in respect of the Self Determination Theory. The findings demonstrate that online consent with multiple options for indicating a suitable level of agreement improved motivation for information sharing. This allows many SMEs to participate in security information sharing activities and supports security experts to have a better overview of common vulnerabilities. The final publication is available at Springer via https://doi.org/10.1007/978-3-030-57404-8_22

Alireza Shojaifar,Samuel A. Fricker,Martin Gwerder

DOI: https://doi.org/10.48550/arXiv.2007.08177

2020-07-16

Computers and Society

Abstract:Small and medium-sized enterprises (SME) have become the weak spot of our economy for cyber attacks. These companies are large in number and often do not have the controls in place to prevent successful attacks, respectively are not prepared to systematically manage their cybersecurity capabilities. One of the reasons for why many SME do not adopt cybersecurity is that developers of cybersecurity solutions understand little the SME context and the requirements for successful use of these solutions. We elicit requirements by studying how cybersecurity experts provide advice to SME. The experts recommendations offer insights into what important capabilities of the solution are and how these capabilities ought to be used for mitigating cybersecurity threats. The adoption of a recommendation hints at a correct match of the solution, hence successful consideration of requirements. Abandoned recommendations point to a misalignment that can be used as a source to inquire missed requirements. Re-occurrence of adoption or abandonment decisions corroborate the presence of requirements. This poster describes the challenges of SME regarding cybersecurity and introduces our proposed approach to elicit requirements for cybersecurity solutions. The poster describes CYSEC, our tool used to capture cybersecurity advice and help to scale cybersecurity requirements elicitation to a large number of participating SME. We conclude by outlining the planned research to develop and validate CYSEC.

Carlos Rombaldo Junior,Ingolf Becker,Shane Johnson

DOI: https://doi.org/10.48550/arXiv.2309.17186

2023-09-29

Abstract:Small and Medium Enterprises (SMEs) are pivotal in the global economy, accounting for over 90% of businesses and 60% of employment worldwide. Despite their significance, SMEs have been disregarded from cybersecurity initiatives, rendering them ill-equipped to deal with the growing frequency, sophistication, and destructiveness of cyber-attacks. We systematically reviewed the cybersecurity literature on SMEs published between 2017 and 2023. We focus on research discussing cyber threats, adopted controls, challenges, and constraints SMEs face in pursuing cybersecurity resilience. Our search yielded 916 studies that we narrowed to 77 relevant papers. We identified 44 unique themes and categorised them as novel findings or established knowledge. This distinction revealed that research on SMEs is shallow and has made little progress in understanding SMEs' roles, threats, and needs. Studies often repeated early discoveries without replicating or offering new insights. The existing research indicates that the main challenges to attaining cybersecurity resilience of SMEs are a lack of awareness of the cybersecurity risks, limited cybersecurity literacy and constrained financial resources. However, resource availability varied between developed and developing countries. Our analysis indicated a relationship among these themes, suggesting that limited literacy is the root cause of awareness and resource constraint issues.

Cryptography and Security

Alladean Chidukwani,Sebastian Zander,Polychronis Koutsakis

DOI: https://doi.org/10.1109/access.2022.3197899

IF: 3.9

2022-09-04

IEEE Access

Abstract:Small-to-medium sized businesses (SMBs) constitute a large fraction of many countries' economies but according to the literature SMBs are not adequately implementing cyber security which leaves them susceptible to cyber-attacks. Furthermore, research in cyber security is rarely focused on SMBs, despite them representing a large proportion of businesses. In this paper we review recent research on the cyber security of SMBs, with a focus on the alignment of this research to the popular NIST Cyber Security Framework (CSF). From the literature we also summarise the key challenges SMBs face in implementing good cyber security and conclude with key recommendations on how to implement good cyber security. We find that research in SMB cyber security is mainly qualitative analysis and narrowly focused on the Identify and Protect functions of the NIST CSF with very little work on the other existing functions. SMBs should have the ability to detect, respond and recover from cyber-attacks, and if research lacks in those areas, then SMBs may have little guidance on how to act. Future research in SMB cyber security should be more balanced and researchers should adopt well-established powerful quantitative research approaches to refine and test research whilst governments and academia are urged to invest in incentivising researchers to expand their research focus.

Alireza Shojaifar,Samuel A. Fricker,Martin Gwerder

DOI: https://doi.org/10.48550/arXiv.2007.07602

2020-07-15

Computers and Society

Abstract:Cybersecurity is essential for the protection of companies against cyber threats. Traditionally, cybersecurity experts assess and improve a company's capabilities. However, many small and medium-sized businesses (SMBs) consider such services not to be affordable. We explore an alternative do-it-yourself (DIY) approach to bringing cybersecurity to SMBs. Our method and tool, CYSEC, implements the Self-Determination Theory (SDT) to guide and motivate SMBs to adopt good cybersecurity practices. CYSEC uses assessment questions and recommendations to communicate cybersecurity knowledge to the end-user SMBs and encourage self-motivated change. In this paper, the operationalisation of SDT in CYSEC is presented and the results of a multi-case study shown that offer insight into how SMBs adopted cybersecurity practices with CYSEC. Effective automated cybersecurity communication depended on the SMB's hands-on skills, tools adaptedness, and the users' willingness to documenting confidential information. The SMBs wanted to learn in simple, incremental steps, allowing them to understand what they do. An SMB's motivation to improve security depended on the fitness of assessment questions and recommendations with the SMB's business model and IT infrastructure. The results of this study indicate that automated counselling can help many SMBs in security adoption. The final publication is available at Springer via https://link.springer.com/chapter/10.1007%2F978-3-030-59291-2_8

Bilge Yigit Ozkan,Marco Spruit

DOI: https://doi.org/10.48550/arXiv.2007.01751

2020-07-03

Cryptography and Security

Abstract:SMEs constitute a very large part of the economy in every country and they play an important role in economic growth and social development. SMEs are frequent targets of cybersecurity attacks similar to large enterprises. However, unlike large enterprises, SMEs mostly have limited capabilities regarding cybersecurity practices. Given the increasing cybersecurity risks and the large impact that the risks may bring to the SMEs, assessing and improving the cybersecurity capabilities is crucial for SMEs for sustainability. This research aims to provide an approach for SMEs for assessing and improving their cybersecurity capabilities by integrating key elements from existing industry standards.

Lubna Ambreen,Manjula Jain,Rakesh Kumar Yadav,Shweta Loonkar

DOI: https://doi.org/10.31893/multirev.2023ss080

2024-05-12

Multidisciplinary Reviews

Abstract:Small-to-medium-sized enterprises (SMEs) make up a significant portion of the economies of many nations. However, research shows that many companies fall short when establishing cyber security, making them vulnerable to assaults. In addition, while accounting for a sizable share of firms, studies on cyber security focus on SMEs. This study reviews the latest evaluation on the cyber security of SMEs, emphasizing how well this experiment aligns with the well-known National Institute of Standards and Technology (NIST) and Cyber Security Framework (CSF). The report begins by underlining the crucial necessity of cybersecurity in the digital era and the particular issues that SMEs confront. It emphasizes the financial and reputational dangers associated with cyber events, emphasizing the importance of solid cybersecurity procedures. The review investigates several cybersecurity risk management approaches, strategies and frameworks, providing insights into their relevance and efficacy in the context of SMEs. We discovered that study in SME cyber security is sophisticated and specialized attention on the NIST and CSF recognize as well as defend tasks, with minimal effort spent on the other current activities. SMEs should be equipped to detect, react to, and recover from cybercrime. SMEs might not have appropriate information on responding to such occurrences if research in these areas is pathetic. In future studies in SMEs, there needs to be an excellent equilibrium in cyber security. Scholars ought to use firm, proven mathematical methods to improve and test their work, yet governments and academia are urged to invest in providing researchers with incentives to broaden their research horizons.

Etkin Getir

2024-11-10

Abstract:While there is a plethora of cybersecurity and risk management frameworks for different target audiences and use cases, micro-businesses (MBs) are often overlooked. As the smallest business entities, MBs represent a special case with regard to cybersecurity for two reasons: (1) Having fewer than 10 employees, they tend to lack cybersecurity expertise. (2) Because of their low turnover, they usually have a limited budget for cybersecurity. As a result, MBs are often the victims of security breaches and cyber-attacks every year, as demonstrated by various studies. This calls for a non-technical, simple solution tailored specifically for MBs. To address this pressing need, the SEANCE Cybersecurity Framework was developed through a 7-step methodology: (1) A literature review was conducted to explore the current state of research and available frameworks and methodologies, (2) followed by a qualitative survey to identify the cybersecurity challenges faced by MBs. (3) After analyzing the results of the literature review and the survey, (4) the relevant aspects of existing frameworks and tools for MBs were identified and (5) a non-technical framework was developed. (6) A web-based tool was developed to facilitate the implementation of the framework and (7) another qualitative survey was conducted to gather feedback. The SEANCE Framework suggests considering possible vulnerabilities and cyber threats in six hierarchical layers: (1) Self, (2) Employees, (3) Assets, (4) Network, (5) Customers and (6) Environment, with the underlying idea of a vulnerability in an inner layer propagates to the outer layers and therefore needs to be prioritized.

Cryptography and Security

Arun Sukumar,Hannan Amoozad Mahdiraji,Vahid Jafari‐Sadeghi

DOI: https://doi.org/10.1111/risa.14092

2023-01-12

Risk Analysis

Abstract:The role played by information and communication technologies in today's businesses cannot be underestimated. While such technological advancements provide numerous advantages and opportunities, they are known to thread organizations with new challenges such as cyberattacks. This is particularly important for small and medium‐sized enterprises (SMEs) that are deemed to be the least mature and highly vulnerable to cybersecurity risks. Thus, this research is set to assess the cyber risks in online retailing SMEs (e‐tailing SMEs). Therefore, this article employs a sample of 124 small e‐tailers in the United Kingdom and takes advantage of a multi‐criteria decision analysis (MCDA) method. Indeed, we identified a total number of 28 identified cyber‐oriented risks in five exhaustive themes of "security," "dependency," "employee," "strategic," and "legal" risks. Subsequently, an integrated approach using step‐wise weight assessment ratio analysis (SWARA) and best–worst method (BWM) has been employed to develop a pathway of risk assessment. As such, the current study outlines a novel approach toward cybersecurity risk management for e‐tailing SMEs and discusses its effectiveness and contributions to the cyber risk management literature.

public, environmental & occupational health,mathematics, interdisciplinary applications,social sciences, mathematical methods

Bilgin Metin,Fatma Gül Özhan,Martin Wynn

DOI: https://doi.org/10.3390/electronics13214226

IF: 2.9

2024-10-29

Electronics

Abstract:As businesses increasingly adopt digital processes and solutions to enhance efficiency and productivity, they face heightened cybersecurity threats. Through a systematic literature review and concept development, this article examines the intersection of digitalisation and cybersecurity. It identifies the methodologies and tools used for cybersecurity assessments, factors influencing the adoption of cybersecurity measures, and the critical success factors for implementing these measures. The article also puts forward the concept of cybersecurity governance process categories, which are used to classify the factors uncovered in the research. Findings suggest that current information security standards tend to be too broad and not adequately tailored to the specific needs of small and medium-sized enterprises (SMEs) when implementing emerging technologies, like Internet of Things (IoT), blockchain, and artificial intelligence (AI). Additionally, these standards often employ a top-down approach, which makes it challenging for SMEs to effectively implement them, as they require more scalable solutions tailored to their specific risks and limited resources. The study thus proposes a new framework based on the Plan-Do-Check model, built around the cybersecurity governance process categories and the three core pillars of governance, culture and standards. This is essentially a bottom-up approach that complements current top-down methods, and will be of value to both information technology (IT) professionals as an operational guide, and to researchers as a basis for future research in this field.

engineering, electrical & electronic,computer science, information systems,physics, applied

Geeta Sandeep Nadella,Hari Gonaygunta,Deepak Kumar,Priyanka Pramod Pawar

DOI: https://doi.org/10.30574/wjarr.2024.22.1.1185

2024-04-30

World Journal of Advanced Research and Reviews

Abstract:This study delves into the intricate dynamics of cybersecurity adoption within small and medium enterprises (SMEs), with a specific focus on the transformative potential of AI-driven solutions from a machine learning perspective. Leveraging a rich and diverse dataset of real-world cybersecurity incidents tailored to the SME context, the research meticulously investigates the efficacy of three prominent machine learning models: logistic regression, random forest, and gradient boost classifiers. Through a comprehensive evaluation using a suite of performance metrics, including accuracy, precision, recall, and F1 scores, the study scrutinizes the predictive capabilities of these models in forecasting and categorizing cyber threats encountered by SMEs. The findings unveil nuanced insights into the multifaceted challenges and opportunities inherent in the cybersecurity landscape of SMEs, shedding light on the complex interplay between AI-driven solutions and evolving cyber threats. While the analysis reveals commendable performance across the models, it also uncovers inherent limitations in accurately discerning and categorizing specific types of attacks. These findings underscore the critical need for ongoing refinement and optimization of AI-driven cybersecurity solutions, necessitating a continuous, iterative process informed by real-world data and adaptive learning mechanisms. By harnessing the strengths of machine learning and embracing a proactive stance towards cybersecurity, SMEs can fortify their defense mechanisms and safeguard their digital assets in the increasingly volatile and interconnected digital ecosystem.

George Kassar

DOI: https://doi.org/10.3897/aca.6.e107358

2023-06-20

ARPHA Conference Abstracts

Abstract:The COVID-19 pandemic has caused a rapid shift to remote working, creating new challenges to cyber security, especially for SMEs, which are exposed to various cyber security risks such as phishing attacks, malware, and ransomware. To enhance SMEs' resilience to cyber-attacks, cyber security awareness is essential. Resilience refers to the capacity to adapt and recover from significant disruptions or adversities, both for individuals and organizations (Masten 2018, Norris et al. 2007). It enables organizations to cope effectively with unexpected events, bounce back from crises, and foster future success (Duchek 2020, Lengnick-Hall et al. 2011). Resilience includes an adaptation aspect that allows firms to come out of a crisis stronger than before, which distinguishes it from robustness (Madni and Jackson 2009). Looking back at the peaks of the health crisis, it can be argued that the pandemic can be perceived as a "stress test" of unprecedented dimensions, challenging the resilience of business models, interconnected systems, societal institutions, and even entire economies (Tressel and Ding 2021). In the context of SMEs during the latter, resilience was perceived as their ability to face these challenges, such as supply chain disruptions, changes in consumer behavior, and government-imposed restrictions, etc. (Klein and Todesco 2021). Cybersecurity is a broadly used term, whose definitions are variable, often subjective and uninformative. One of the most comprehensive definitions refers to cybersecurity as “the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights” (Craigen et al. 2014). Cybersecurity Awareness refers to the understanding and knowledge of these risks and the measures to mitigate them, which is considered as a crucial factor in protecting against cyber-attacks. Studies confirm that cyber awareness training can improve knowledge and skills of employees, thereby reducing the risk of cyber-attacks and leading to more informed decisions (Hijji and Alam 2022) Several models have explored the relationship between resilience and cybersecurity awareness, providing insight and useful lenses into the ways in which resilience may influence cybersecurity awareness and behaviors; two of these models are the Protection Motivation Theory (PMT) and the Dynamic Capabilities Theory (DCT). The PMT was initially developed by Rogers (1975), to describe how individuals are motivated to react in a self-protective way towards a perceived health threat. Adapted to cybersecurity, this theory proposes that individuals with higher levels of resilience are more likely to engage in protective behaviors in response to perceived cyber threats, due to increased threat appraisal and coping skills. (Li et al. 2022). On the other hand, the definition of dynamic capabilities as originally defined by Teece et al. (1997) is the ability of the firm to combine, develop and reconfigure external and internal expertise to respond to speedily changing environment. The DCT can be applied to the field of cybersecurity risk management to enhance organizational capabilities and improve response to emerging threats. (Barreto 2010, Naseer et al. 2018) It is within this context that the present working paper scope aims at exploring the resilience of SMEs and the impact of their cybersecurity awareness amid the abrupt shift towards mass remote work during the pandemic and the subsequent increased cybersecurity risks and exposures. Accordingly, the outcomes of the observations and deductions from the literatures suggest the following proposition / belief statement: P1: In time of crisis and abrupt challenges; the most practical model would be a combination of both Protection Motivation Theory (PMT) and Dynamic Capabilities Theory (DCT); as such, the relationship between cybersecurity awareness and resilience is critical, as promoting awareness can enhance the resilience of SMEs. the most practical model would be a combination of both Protection Motivation Theory (PMT) and Dynamic Capabilities Theory (DCT); as such, the relationship between cybersecurity awareness and resilience is critical, as promoting awareness can enhance the resilience of SMEs. A pilot study was conducted to test the feasibility and effectiveness of the research design and data collection methods. The pilot was based on a qualitative research design drawing on data collection through an in-depth interview with conversational style approach as described by Schober and Conrad (1997), and data analysis based on the Braun and Clarke (2006) thematic qualitative analysis. A purposive sampling was used to interview three SMEs managing owners from Beirut - Lebanon, between Dec’ 22 and Jan’ 23. The preliminary results of the pilot study provide initial insights of a practical model for SMEs based on a combination of the PMT and DCT which can help them develop a proactive approach to cybersecurity that incorporates both motivation and capability-building. Hence, four main themes emerged for developing the said approach. The 1st theme is conducting a thorough “risk assessment” of cybersecurity posture by identifying and assessing the level of potential threats and vulnerabilities using the PMT model. The 2nd theme is using DCT model to develop the “dynamic capabilities” necessary to respond to those risks, which includes investing in new technologies, training employees, and establishing a culture of awareness. The 3rd theme is “building motivation” among employees to take cybersecurity seriously, which can be achieved through the PMT model by highlighting potential impacts and rewarding good practices. Finally, the 4th theme is “continuous improvement”, which involves ongoing monitoring, risk assessment, capability-building, and motivation-building using a combination of PMT and DCT models. This work is a preliminary stage that requires further elaborations and generalizations. Yet, the findings from the pilot showed the potentials from integrating PMT and DCT models to enhance SMEs' cybersecurity posture and suggest that such approach could enable more proactive stance towards cybersecurity by fostering a culture of awareness, preparedness, and continuous improvement. These insights could be valuable for SMEs seeking to mitigate the risks associated with the increasing prevalence of cyber threats and attacks.

Lucian Florin Ilca,Ogruţan Petre Lucian,Titus Constantin Balan

DOI: https://doi.org/10.3390/s23156757

IF: 3.9

2023-07-29

Sensors

Abstract:In this study, the methodology of cyber-resilience in small and medium-sized organizations (SMEs) is investigated, and a comprehensive solution utilizing prescriptive malware analysis, detection and response using open-source solutions is proposed for detecting new emerging threats. By leveraging open-source solutions and software, a system specifically designed for SMEs with up to 250 employees is developed, focusing on the detection of new threats. Through extensive testing and validation, as well as efficient algorithms and techniques for anomaly detection, safety, and security, the effectiveness of the approach in enhancing SMEs' cyber-defense capabilities and bolstering their overall cyber-resilience is demonstrated. The findings highlight the practicality and scalability of utilizing open-source resources to address the unique cybersecurity challenges faced by SMEs. The proposed system combines advanced malware analysis techniques with real-time threat intelligence feeds to identify and analyze malicious activities within SME networks. By employing machine-learning algorithms and behavior-based analysis, the system can effectively detect and classify sophisticated malware strains, including those previously unseen. To evaluate the system's effectiveness, extensive testing and validation were conducted using real-world datasets and scenarios. The results demonstrate significant improvements in malware detection rates, with the system successfully identifying emerging threats that traditional security measures often miss. The proposed system represents a practical and scalable solution using containerized applications that can be readily deployed by SMEs seeking to enhance their cyber-defense capabilities.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Lucky Bamidele Benjamin,Ayodeji Enoch Adegbola,Prisca Amajuoyi,Mayokun Daniel Adegbola,Kudirat Bukola Adeusi

DOI: https://doi.org/10.30574/gjeta.2024.19.2.0084

2024-05-30

Global Journal of Engineering and Technology Advances

Abstract:This study delves into the cybersecurity landscape for small and medium-sized enterprises (SMEs), focusing on identifying prevalent cybersecurity risks, evaluating existing mitigation strategies, and exploring the role of innovation and technology in bolstering cyber resilience. Employing a systematic literature review and content analysis, the research scrutinizes academic journals, industry reports, and government publications from 2015 to 2024, to gather insights into the cybersecurity challenges and strategies pertinent to SMEs. Key findings reveal that SMEs are particularly vulnerable to a range of cyber threats, including phishing, malware, data breaches, and ransomware, primarily due to resource constraints, lack of awareness, and inadequate cybersecurity measures. Effective mitigation strategies highlighted include the adoption of comprehensive cybersecurity policies, regular employee training, and the implementation of advanced technological solutions. The study predicts an increasing reliance on artificial intelligence and machine learning for threat detection, alongside a growing trend of collaboration between SMEs and cybersecurity firms. The research underscores the necessity for supportive policies and frameworks that encourage SMEs to strengthen their cybersecurity posture, recommending financial incentives and the development of SME-specific cybersecurity standards. Building a cyber-secure culture within SMEs, characterized by organizational commitment and regular awareness programs, is identified as crucial for enhancing cyber resilience. Finally, the study emphasizes the importance of cybersecurity for SMEs, offering strategic recommendations for navigating digital threats and suggesting avenues for future research, including the exploration of behavioral aspects of cybersecurity and the impact of emerging technologies.

Ruwan Nagahawatta,Sachithra Lokuge,Matthew Warren,Scott Salzman

DOI: https://doi.org/10.48550/arXiv.2111.05993

2021-11-10

Cryptography and Security

Abstract:The advancement and the proliferation of information systems among enterprises have given rise to understanding cybersecurity. Cybersecurity practices provide a set of techniques and procedures to protect the systems, networks, programs and data from attack, damage, or unauthorised access. Such cybersecurity practices vary and are applied differently to different types of enterprises. The purpose of this research is to compare the critical cybersecurity threats and practices in the cloud context among micro, small, and medium enterprises. By conducting a survey among 289 micro, small and medium-sized enterprises in Australia, this study highlights the significant differences in their cloud security practices. It also concludes that future studies that focus on cybersecurity issues and practices in the context of cloud computing should pay attention to these differences.

Khalifa AL-Dosari,Noora Fetais

DOI: https://doi.org/10.3390/electronics12173629

IF: 2.9

2023-08-29

Electronics

Abstract:Information-technology (IT) security standards are regularly updated in a rapidly changing technological world to maintain pace with advanced technologies. This study was motivated by the realization that established IT risk-management frameworks might provide an adequate defence for small- and medium-sized enterprises (SMEs), especially those actively adopting new technologies. We reviewed that a dynamic IT risk-management framework, updated to reflect emerging technological changes, would offer improved security and privacy for SMEs. To evaluate this, we conducted a systematic literature review spanning 2016 to 2021, focusing on IT risk-management research in various application areas. This study revealed that, while established frameworks like NIST have their benefits, they need to be better suited to the unique needs of SMEs due to their high degree of abstractness, vague guidelines, and lack of adaptability to technological advancements. The findings suggest a pressing need to evolve IT risk-management frameworks, particularly by incorporating advanced methods such as system dynamics, machine learning, and technoeconomic and sociotechnological models. These innovative approaches provide a more dynamic, responsive, and holistic approach to risk management, thereby significantly improving the IT security of SMEs. The study's implications underscore the urgency of developing flexible, dynamic, and technology-informed IT risk-management strategies, offering novel insights into a more practical approach to IT risk management.

engineering, electrical & electronic,computer science, information systems,physics, applied

Hezam Akram Abdulghani,Anastasija Collen,Niels Alexander Nijdam

DOI: https://doi.org/10.3390/s23084174

2023-04-21

Abstract:Internet of Things (IoT) faces security concerns different from existing challenges in conventional information systems connected through the Internet because of their limited resources and heterogeneous network setups. This work proposes a novel framework for securing IoT objects, the key objective of which is to assign different Security Level Certificates (SLC) for IoT objects according to their hardware capabilities and protection measures implemented. Objects with SLCs, therefore, will be able to communicate with each other or with the Internet in a secure manner. The proposed framework is composed of five phases, namely: classification, mitigation guidelines, SLC assignment, communication plan, and legacy integration. The groundwork relies on the identification of a set of security attributes, termed security goals. By performing an analysis on common IoT attacks, we identify which of these security goals are violated for specific types of IoT. The feasibility and application of the proposed framework is illustrated at each phase using the smart home as a case study. We also provide qualitative arguments to demonstrate how the deployment of our framework solves IoT specific security challenges.