Resilience by Design: An Integrative Framework for Cybersecurity Readiness, Risk Management, and Threat Mitigation in Small and Medium-Sized Enterprises

Authors

  • Selvion G. Harstrom, Faculty of Management, Technology & Economics, ETH Zurich, Switzerland

Keywords:

SMB Cybersecurity, Risk Management, Managed Detection and Response, ISO 27002, HOGO Framework

Abstract

Background: Small and Medium-sized Enterprises (SMEs) constitute the backbone of the global economy yet remain disproportionately vulnerable to cyber threats due to resource constraints and a lack of specialized expertise. Traditional enterprise-grade security frameworks are often too complex or costly for these entities to implement effectively.

Methods: This study employs a systematic review methodology, adhering to PRISMA-P protocols, to analyze current literature on SMB cybersecurity behaviors, risk management strategies, and technological adoption. The review synthesizes data regarding the efficacy of Managed Detection and Response (MDR) services, the "HOGO" reference framework, and the mediating role of organizational awareness.

Results: The analysis reveals that although threat awareness is increasing, it does not by itself translate into an improved security posture unless structured management capabilities are in place. The integration of outsourced MDR services significantly narrows the technical skills gap. Furthermore, adapting ISO 27002-based frameworks (such as HOGO) provides a necessary scaffold for compliance and resilience.

Conclusion: Achieving cybersecurity resilience in the SMB sector requires a hybrid approach that combines simplified governance frameworks with cost-effective, outsourced technical solutions. Future policy must focus on incentivizing the adoption of these integrated models to protect the digital ecosystem.

References

Rajgopal, P. R. (2025). MDR service design: Building profitable 24/7 threat coverage for SMBs. International Journal of Applied Mathematics, 38(2s), 1114-1137.

Cruzado, C. F., Rodriguez-Baca, L. S., Huanca-Lopez, L. G., & Acuna-Salinas, E. I. (2022). Reference framework “HOGO” for cybersecurity in SMEs based on ISO 27002 and 27032.

Gill, C. (2011). Missing links: how descriptive validity impacts the policy relevance of randomized controlled trials in criminology. Journal of Experimental Criminology, 7(3), 201–224.

Oroni, C. Z., & Fu, X. (2023). Structural evaluation of management capability and the mediation role of cybersecurity awareness towards enterprise performance.

Berry, C. T., & Berry, R. (2018). An initial assessment of small business risk management approaches for cyber security threats. International Journal of Business Continuity and Risk Management, 8(1).

Cleveland, J., & Scheg, A. (2018). Small-Medium Business Information Security Intention Related to Cyberthreat Awareness: A Quantitative Experiment. PhD thesis, Northcentral University, Ann Arbor.

Cloud Security Alliance. (2025). CCM Lite | CSA. https://cloudsecurityalliance.org/research/ccm-lite.

European Commission. (2020). The EU Cybersecurity Act: Shaping Europe’s digital future. https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-act.

Tranfield, D., Denyer, D., & Smart, P. (2003). Towards a Methodology for Developing Evidence-Informed Management Knowledge by Means of Systematic Review.

Weisburd, D., Farrington, D., & Gill, C. (2017). What Works in Crime Prevention and Rehabilitation: An Assessment of Systematic Reviews. Criminology and Public Policy, 16(2), 415–449.

González, D. P., Trigueros-Preciado, S., & González, P. S. (2019). Organizational practices as antecedents of the information security management performance.

Moher, D., Shamseer, L., Clarke, M., Ghersi, D., Liberati, A., Petticrew, M., Shekelle, P., & Stewart, L. A. (2016). Preferred reporting items for systematic review and meta-analysis protocols (PRISMA-P) 2015 statement. Revista Espanola de Nutricion Humana y Dietetica, 20(2), 148–160.

Almubayedh, D. A., Al khalis, M., Alazman, G., Alabdali, M., Al-Refai, R., & Nagy, N. (2018). Security Related Issues In Saudi Arabia Small Organizations: A Saudi Case Study. 21st Saudi Computer Society National Computer Conference, NCC 2018, 21, 1–6.

Dickson, M. (2019). Small firms suffer close to 10,000 cyber-attacks daily. FSB, The Federation of Small Businesses.

Osborn, E., & Simpson, A. (2018). Risk and the Small-Scale Cyber Security Decision Making Dialogue - a UK Case Study.

Eilts, D. (2020). An Empirical Assessment of Cybersecurity Readiness and Resilience in Small Businesses. ProQuest Dissertations and Theses, 11(15), 309.

Eaves, S. (2023). Security for Small and Medium-Sized Businesses | IoT Security Podcast | PSA Certified.

Luukkonen, O. A., & Sönmez, Y. Ü. (2022). Cybersecurity for Small and Medium-Sized Businesses. Journal of Sustainable Economics and Management Studies, 3(1), 21-38.

Elezaj, O., Yayilgan, S. Y., Abomhara, M., Yeng, P., & Ahmed, J. (2019). Data-Driven Intrusion Detection System for Small and Medium Enterprises. IEEE 24th Int. Workshop on Computer Aided Modeling and Design of Communication Links and Networks, 1–7.

Eş, A., & Serdar, N. (2021). Siber Saldırılara Karşı KOBİ'lerin Farkındalık Düzeylerinin İncelenmesi: Ankara İli Örneği [Examining the Awareness Levels of SMEs Against Cyber Attacks: The Case of Ankara Province]. Journal of Duzce University Institute of Social Sciences, 11(1), 133–151.

Gafni, R., & Pavel, T. (2019). The invisible hole of information on SMB’s cybersecurity. Online Journal of Applied Knowledge Management (OJAKM), 7(1), 14–26.

Heikkila, M., Rattya, A., Pieska, A. S., & Jansa, J. (2016). Security Challenges in Small- and Medium-Sized Manufacturing Enterprises. Int. Symp. On Small-scale Intelligent Manufacturing Systems, 25–30.

Published

2025-09-23

How to Cite

Selvion G. Harstrom. (2025). Resilience by Design: An Integrative Framework for Cybersecurity Readiness, Risk Management, and Threat Mitigation in Small and Medium-Sized Enterprises. European Index Library of Journal of Management and Economics, 5(9), 16–22. Retrieved from https://eipublications.com/index.php/eiljme/article/view/14