Review and Design of Business Domain-Specific Cybersecurity Controls Framework for Micro, Small, and Medium Enterprises (MSMEs)

Abstract

Micro, small, and medium enterprises (MSMEs) play a crucial role in the global economy, contributing significantly to employment opportunities, national income, and GDP. With Industry 4.0, there has been an increase in digitization in MSMEs, which has caused an increased cyberattack surface. Even though there are popular cybersecurity standards and frameworks, adoption of those at a significant level is lagging in MSMEs, causing one out of two such companies to be facing cyber threats. MSMEs have limited resources, less cybersecurity knowledge, and differing priorities for their business. Existing cybersecurity standards and frameworks are generic in nature, not specific to their business domain’s security needs. This paper assesses the current cybersecurity posture of MSMEs and the problems they face in implementing cybersecurity and shares insights on the proposed new framework, which is providing business domain-specific least cybersecurity control implementation based on the Confidentiality, Integrity, and Availability (CIA) Triad and Defense in Depth concept.

Received: 26 September 2024 | Revised: 15 January 2025 | Accepted: 11 February 2025

Conflicts of Interest

The authors declare that they have no conflicts of interest to this work.

Data Availability Statement

Data available from the corresponding author upon reasonable request.

Author Contribution Statement

Shekhar Pawar: Conceptualization, Methodology, Software, Validation, Formal Analysis, Investigation, Resources, Data Curation, Writing - Original Draft, Writing - Review & Editing, Visualization, Project Administration. Hemant Palivela: Supervision.