Adaptable Security Maturity Assessment and Standardization for Digital SMEs

Figures & data

Table 1. SME categories according to their roles in the digital ecosystem.^27.

SME Category	Description
Digital enablers	SMEs that are active in developing and providing cybersecurity solutions.
Digitally based	SMEs that are highly dependent on digital solutions for their business.
Digitally dependent	SMEs that depend on digital solutions as end-users.
Start-ups	SMEs that neglect or are not well aware of cybersecurity and require specific measures and incentives to adopt cybersecurity solutions.

Figure 1. The research process.⁴²

Figure 2. The meta-model of the Adaptable Security Maturity Assessment and Standardization (ASMAS) Framework.

Figure 3. Control categories, implementation groups, and their associations with the SME categories.

Table 2. Mapping of the high-level requirements (HLRs) and the framework aspects.(O: Organizational, S: Standardization, RM: Risk Management, A&M: Assessment and Measurement, I: Improvement).

#	Requirement	O	S	RM	A&M	I
HLR1	Easy to use, self-assessment, do-it-yourself	✓			✓
HLR2	Situational awareness	✓		✓		✓
HLR3	Support for standardization and standards-transparency		✓			✓
HLR4	Provide cybersecurity awareness			✓		✓
HLR5	Maintainability and adaptability by design		✓	✓

Figure 4. The conceptual model of the ASMAS framework prototype.

Table 3. The summary of control-related content of the knowledge base.

Standard/ Framework	# of Controls
Cyber Essentials	5
The Center for Cyber Security Belgium SME Guide	13
Center for Internet Security Controls	20
NIST Small Business Information Security	33
ISO/IEC 27002	123
Total # of Controls	194
Total # of Control Categories	18

Table 4. The summary of capability, risk, and threat-related content of the knowledge base.

Data	Total #
Capabilities	251
Risk Classes	4
Risk Sub-Classes	13
Risks	57
Threat Categories	8

Table 5. The functions in the ASMAS framework prototype.

Function	Description
Definitions	This function is used to populate the knowledge base. Using this function, it is possible to add new entities and items (e.g., new controls, new control categories, new risks) to the knowledge base (mutability-in-use).
Company	This function is used to define the company names for demonstration purposes. Using the “Company-Capability” sub-function, it is possible to view the controls assigned to each company.
Views	This function has three sub-functions. The “SME Category-Control” is used to query the controls associated with an SME category. The “Threat view on Controls” enables the user to query all the associated controls with a threat category. Using the “Risk view on Controls,” the user can query the related controls by choosing a risk class and a risk sub-class.
Search	This function is used for querying the controls. The user can select a control category and a control source and query the associated controls. If no control category or control source is chosen, then all the controls in the knowledge base are listed.
Assessment	This function is for performing capability assessments and viewing the results. The user can enter the implementation status for the capabilities. The capability order and capability level are displayed while performing the assessment.

Table 6. Set of questions used to evaluate the utility of the ASMAS framework.

Evaluation Construct	#	Statement
Perceived usefulness	1	I think this framework contributes to supporting SMEs to assess and improve their information security and cybersecurity.
	2	I think this framework contributes to helping SMEs increase awareness of information security and cybersecurity security.
	3	I think this framework contributes to helping SMEs increase awareness of information security and cybersecurity security standardization.
Perceived ease of use	4	I think this framework is easy to use to assess and improve my company’s information security and cybersecurity.
	5	I think this framework is easy to use to improve my company’s awareness of information security and cybersecurity security.
	6	I think this framework is easy to use to improve my company’s awareness of information security and cybersecurity security standardization.
Intention to Use	7	I would use this framework to assess and improve my company’s information security and cybersecurity.
	8	I would use this framework to improve my company’s awareness of information security and cybersecurity security.
	9	I would use this framework to improve my company’s awareness of information security and cybersecurity security standardization.

Table 7. Evaluation study participants’ characteristics

SME #	Country	Category^Citation27	# of Employees	Interviewee’s # of Years Security Experience	Interviewee’s Role**	SME Size^Citation73
1	United Kingdom	Digital Enabler	<10	23	CEO	Micro
2	Egypt	Digitally Based	<10	2	CEO	Micro
3*	Netherlands	Digital Enabler	<250	4	Security Specialist	Medium
3*	Netherlands	Digital Enabler	<250	6	Business Security Consultant	Medium
4	Switzerland	Digitally Based	<10	1	CEO	Micro
5	Switzerland	Digitally Dependent	<10	20	CISO	Micro
6	Italy	Digitally Based	<50	5	CTO	Small

* two separate evaluation sessions have been conducted with SME #3. ** CEO: Chief Executive Officer, CISO: Chief Information Security Officer, CTO: Chief Technology Officer

Table 8. Responses to the evaluation form statements.

Evaluation Construct	Statement	Strongly disagree (1)	Disagree (2)	Neutral (3)	Agree (4)	Strongly agree (5)	Average Score
Perceived usefulness	1	0%	0%	14,3%	28,6%	57,1%	4.43
	2	0%	0%	28,6%	42,9%	28,6%	4.00
	3	0%	0%	14,3%	28,6%	57,1%	4.43
	Average score per construct						4.29
Perceived ease of use	4	0%	0%	14,3%	28,6%	57,1%	4.14
	5	0%	0%	28,6%	42,9%	28,6%	4.00
	6	0%	0%	28,6%	14,3%	57,1%	4.29
	Average score per construct						4.14
Intention to Use	7	0%	14,3%	14,3%	42,9%	28,6%	3.57
	8	0%	14,3%	28,6%	28,6%	28,6%	3.43
	9	0%	14,3%	14,3%	14,3%	57,1%	3.86
	Average score per construct						3.62

The European Digital SME Alliance. The EU cybersecurity act and the role of standards for SMEs [Internet]. Brussels; 2020 [accessed 2020 Jan 28]. https://www.digitalsme.eu/digital/uploads/The-EU-Cybersecurity-Act-and-the-Role-of-Standards-for-SMEs.pdf.

 Google Scholar

Peffers K, Tuunanen T, Rothenberger M, Chatterjee S. A design science research methodology for information systems research. J Manage Inf Syst [Internet]. 2007;24(3):45–77. doi:10.2753/MIS0742-1222240302.

 Web of Science ®Google Scholar

European Commission. SME definition. Internal market, industry, entrepreneurship and SMEs - European commission [Internet]. 2016 [accessed 2021 Aug 10]. https://ec.europa.eu/growth/smes/sme-definition_en.

 Google Scholar