Classifying SMEs for Approaching Cybersecurity Competence and Awareness
Alireza Shojaifar, Heini Jarvinen

TL;DR
This paper introduces a classification framework for SMEs based on their cybersecurity needs, enabling tailored awareness and competence strategies to address their diverse vulnerabilities.
Contribution
It proposes a novel five-class SME framework that differentiates cybersecurity needs, guiding more effective and customized security solutions for diverse SME types.
Findings
Framework identifies five distinct SME cybersecurity classes.
Tailored solutions improve cybersecurity awareness for each SME class.
Framework usage demonstrated on sampled SMEs.
Abstract
Cybersecurity is increasingly a concern for small and medium-sized enterprises (SMEs), and there exist many awareness training programs and tools for them. The literature mainly studies SMEs as a unitary type of company and provides one-size-fits-all recommendations and solutions. However, SMEs are not homogeneous. They are diverse with different vulnerabilities, cybersecurity needs, and competencies. Few studies considered such differences in standards and certificates for security tools adoption and cybersecurity tailoring for these SMEs. This study proposes a classification framework with an outline of cybersecurity improvement needs for each class. The framework suggests five SME types based on their characteristics and specific security needs: cybersecurity abandoned SME, unskilled SME, expert-connected SME, capable SME, and cybersecurity provider SME. In addition to describing the…
