Cybersecurity Governance - Framework for Small and Micro Enterprises

Digitalization continues to advance. Coping with the resulting opportunities and risks is a challenge for companies. One of the risk areas to which small and micro enterprises (S&ME) often are not paying enough attention are cybersecurity risks. Statistics show that more and more S&ME are falling victim to cyber-attacks. Therefore, an interesting area of investigation is the approach of how S&ME deal with cybersecurity governance in an appropriate way. The fact that S&ME are underdeveloped in managing cybersecurity risks and hence increasingly affected by cyber-attacks underlines that the governance perspective with regards to cybersecurity is insufficiently embedded at the owner or management level so as to steer cybersecurity activities in an efficient, effective and acceptable way. As part of this research, a cybersecurity governance framework for S&ME (CGF4S&ME) is developed and evaluated, according to the research method 'design science'. In the process of developing the CGF4S&ME, the design science research framework of Vaishnavi and Kuechler is followed. Thereby, existing frameworks are analyzed, key cybersecurity threats and relevant assets of S&ME are considered. Based on existing frameworks covering the governance perspective, appropriate cybersecurity governance principles and specific activities for S&ME are derived. The newly created CGF4S&ME is evaluated by means of expert interviews. Based on the findings from the interviews, the CGF4S&ME was adjusted, accordingly....