Cybersecurity is increasingly a concern for small and medium-sized enterprises (SMEs), and there exist many awareness training programs and tools for them. The literature mainly studies SMEs as a unitary type of company and provides one-size-fits-all recommendations and solutions. However, SMEs are not homogeneous. They are diverse, with different vulnerabilities, cybersecurity needs, and competencies. Few studies considered such differences in standards and certificates for security tools adoption and cybersecurity tailoring for these SMEs. This study proposes a classification framework with an outline of cybersecurity improvement needs for each class. The framework suggests five SME types based on their characteristics and specific security needs: cybersecurity abandoned SME, unskilled SME, expert-connected SME, capable SME, and cybersecurity provider SME. In addition to describing the five classes, the study explains the framework's usage in sampled SMEs. The framework proposes solutions for each class to approach cybersecurity awareness and competence more consistent with SME needs. The final publication is available at ACM Digital Library via https://doi.org/10.1145/3465481.3469200