Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Unaware, Unfunded and Uneducated: A Systematic Review of SME Cybersecurity

Carlos Rombaldo Junior, Ingolf Becker, Shane Johnson

TL;DR

This systematic review analyzes SME cybersecurity literature from 2017 to 2024, screening 1,090 studies and including 132 that yield 44 emergent themes. It finds that fundamental understandings of SME threats and effective, SME-specific controls are underdeveloped, with core barriers centered on awareness, literacy, and financial/resources constraints, often compounded by leadership gaps. The review shows some evidence that cloud adoption and regulation can aid cybersecurity, but also highlights the lack of SME-tailored frameworks and a SME-focused threat taxonomy. A key contribution is a structured critique of reporting standards and geographic coverage, followed by a forward-looking agenda to advance SME-focused cybersecurity research, practice, and policy.

Abstract

Small and Medium Enterprises (SMEs) are pivotal in the global economy, accounting for over 90% of businesses and 60% of employment worldwide. Despite their significance, SMEs are often disregarded in cybersecurity initiatives, rendering them ill-equipped to deal with the growing frequency, sophistication, and destructiveness of cyberattacks. We systematically reviewed the cybersecurity literature on SMEs published between 2017 and 2024. We focus on research discussing cyber threats, adopted controls, challenges, and constraints SMEs face in pursuing cybersecurity resilience. Our search yielded 1090 studies that we narrowed to 132 relevant papers. We identified 44 unique themes and categorised them as novel findings or established knowledge. This distinction revealed that research on SMEs is shallow and has made little progress in understanding SMEs' roles, threats, and needs. Studies often repeated early discoveries without replicating or offering new insights. Existing research indicates that the main challenges to attaining cybersecurity resilience of SMEs are a lack of awareness of cybersecurity risks, limited cybersecurity literacy, and constrained financial resources. Resource availability varied between developed and developing countries. Our analysis indicated a relationship among these themes, suggesting that limited literacy is the root cause of awareness and resource constraint issues.

Unaware, Unfunded and Uneducated: A Systematic Review of SME Cybersecurity

TL;DR

This systematic review analyzes SME cybersecurity literature from 2017 to 2024, screening 1,090 studies and including 132 that yield 44 emergent themes. It finds that fundamental understandings of SME threats and effective, SME-specific controls are underdeveloped, with core barriers centered on awareness, literacy, and financial/resources constraints, often compounded by leadership gaps. The review shows some evidence that cloud adoption and regulation can aid cybersecurity, but also highlights the lack of SME-tailored frameworks and a SME-focused threat taxonomy. A key contribution is a structured critique of reporting standards and geographic coverage, followed by a forward-looking agenda to advance SME-focused cybersecurity research, practice, and policy.

Abstract

Small and Medium Enterprises (SMEs) are pivotal in the global economy, accounting for over 90% of businesses and 60% of employment worldwide. Despite their significance, SMEs are often disregarded in cybersecurity initiatives, rendering them ill-equipped to deal with the growing frequency, sophistication, and destructiveness of cyberattacks. We systematically reviewed the cybersecurity literature on SMEs published between 2017 and 2024. We focus on research discussing cyber threats, adopted controls, challenges, and constraints SMEs face in pursuing cybersecurity resilience. Our search yielded 1090 studies that we narrowed to 132 relevant papers. We identified 44 unique themes and categorised them as novel findings or established knowledge. This distinction revealed that research on SMEs is shallow and has made little progress in understanding SMEs' roles, threats, and needs. Studies often repeated early discoveries without replicating or offering new insights. Existing research indicates that the main challenges to attaining cybersecurity resilience of SMEs are a lack of awareness of cybersecurity risks, limited cybersecurity literacy, and constrained financial resources. Resource availability varied between developed and developing countries. Our analysis indicated a relationship among these themes, suggesting that limited literacy is the root cause of awareness and resource constraint issues.
Paper Structure (27 sections, 3 figures, 2 tables)

This paper contains 27 sections, 3 figures, 2 tables.

Table of Contents

  1. Demographics
  2. Results
  3. Lack of awareness of cybersecurity risks
  4. Under-funded and resource-constrained cybersecurity programs
  5. Limited cybersecurity literacy
  6. Lack of tailored solutions and frameworks
  7. Literature overlooked SMEs' specific needs
  8. Low perception of cybersecurity risks
  9. Overwhelmed, sparse or non-existent cybersecurity leadership
  10. Poor security operations
  11. Cloud adoption minimises cybersecurity challenges
  12. Legislation and informative content improve cybersecurity
  13. Remaining themes
  14. Discussion
  15. Cybersecurity threats experienced by SMEs
  16. ...and 12 more sections

Figures (3)

  • Figure 3: PRISMA chart to show the number of articles included/excluded at each stage of the review
  • Figure 4: Potential dependencies between the themes that emerged
  • Figure 5: A heat map gauging the geographic region covered by reviewed literature. This data is available at (https://osf.io/ps7xy/).