Cybersecurity Governance – An Adapted Practical Framework for Small Enterprises

Abstract

Digitalization is advancing and the associated risks are a strategic task for enterprises of all sizes. One risk area to which small businesses often do not pay enough attention are cyber risks. Often, the governance of cyber risks is not embedded at the owner or management level. However, it is important to evaluate, direct and monitor cyber risk mitigation activities by a company's leaders or its owner. A ´cybersecurity governance framework´ for small enterprises was developed and validated by applying Design Science Research. The framework focuses on criteria that are essential for small businesses, such as simplicity of understanding and ease of use (both for non-experts). Six principles identified relevant build the common thread of the framework, which guides the main activities to be implemented: 'responsibility', 'strategy', 'cybersecurity threats and risks', 'development and change', 'conformance' and 'people, skills and competencies'.