Classifying SMEs for Approaching Cybersecurity Competence and Awareness
This study addresses the need for tailored cybersecurity approaches for diverse SMEs, but its contribution is incremental: it builds on existing awareness programs by adding a classification system.
The study tackled the problem of one-size-fits-all cybersecurity solutions for SMEs by proposing a classification framework that identifies five SME types based on their characteristics and security needs, and it explains the framework's usage in sampled SMEs to tailor solutions for each class.
Cybersecurity is increasingly a concern for small and medium-sized enterprises (SMEs), and there exist many awareness training programs and tools for them. The literature mainly studies SMEs as a unitary type of company and provides one-size-fits-all recommendations and solutions. However, SMEs are not homogeneous. They are diverse with different vulnerabilities, cybersecurity needs, and competencies. Few studies considered such differences in standards and certificates for security tools adoption and cybersecurity tailoring for these SMEs. This study proposes a classification framework with an outline of cybersecurity improvement needs for each class. The framework suggests five SME types based on their characteristics and specific security needs: cybersecurity abandoned SME, unskilled SME, expert-connected SME, capable SME, and cybersecurity provider SME. In addition to describing the five classes, the study explains the framework's usage in sampled SMEs. The framework proposes solutions for each class to approach cybersecurity awareness and competence more consistent with SME needs. The final publication is available at ACM Digital Library via https://doi.org/10.1145/3465481.3469200