Article Preview
TopIntroduction
A survey in the Global Risks Report (World Economic Forum, 2018) has revealed that cyberattacks are in the top ten risks both in terms of likelihood and impact. Cyberattacks are now seen as the third most likely global risk for the world over the next ten years. According to this study, cybersecurity risks are growing, both in their prevalence and in their disruptive potential. Cyberattacks have both short term and long term economic impacts on different economic agents in terms of losses and expenses (Gañán, Ciere, & van Eeten, 2017).
Small and medium-sized enterprises (SMEs), which are the predominant form of enterprise and make up 99.8% of European enterprises in the Organisation for Economic Co-operation and Development (OECD) area (Digital SME Alliance, 2017), are ill-prepared for cyberattacks.
Although there is a multitude of standards available to measure, identify and improve the cybersecurity practices at organisations, many of these are not well suited for SMEs (Manso, Rekleitis, Papazafeiropoulos, & Maritsas, 2015).
In the standardisation processes, in many cases, SMEs are dependent stakeholders, and they lack resources to properly participate in the process. SMEs typically require financial support, access to technical expertise and other types of assistance to be involved in the standardisation process (de Vries, Verheul, & Willemse, 2003). In addition, SMEs may face other barriers to benefit from standards and involvement in standardisation. Awareness of standards and the process of standardisation are two important barriers (de Vries, Blind, Mangelsdorf, & Verheul, 2009).
The goal of this research is to identify the gaps (e.g. knowledge or facilitation gaps) regarding cybersecurity standardisation for SMEs by performing a literature study, analysing the trends in the literature, describing the initiatives that address SMEs, conducting an empirical study through a workshop with applicable stakeholders, and identifying opportunities for future research. Therefore, the following main research question is put forward: “What are the gaps in cybersecurity standardisation for SMEs?”
To answer this main research question in a structured way, three sub research questions were formulated. The first sub research question examines the trends in the literature and state of the art in European level initiatives addressing cybersecurity standardisation for SMEs. The second sub research question addresses the experiences and views of the stakeholders. The third sub research question addresses the future research directions to be considered to fill the gaps.
A visual depiction of these research questions is shown in Figure 1.
Figure 1.
Main research question and sub research questions
SRQ1 is addressed by performing multivocal literature searches to show the trends in the literature on cybersecurity standardisation for SMEs and the state of the art in the European landscape. The findings are presented in the Literature Study section.
SRQ2 is addressed by identifying the stakeholders in cybersecurity standardisation for SMEs and organising a workshop to gather stakeholders’ views and perspectives. In that sense, given the importance of cybersecurity, SMEs’ challenging situation, lack of research addressing SMEs and the diverse stakeholders, the SMESEC and StandICT.eu EU Horizon 2020 projects co-organized the “Cybersecurity Standards: What impacts and gaps for SMEs” workshop to investigate experiences, needs and gaps in cybersecurity standardisation for SMEs by bringing the key parties together. Thus, the workshop addresses the second sub research question: “What are the experiences and views of the stakeholders on the gaps?” The workshop was held on May 24, 2019, in Brussels, Belgium.
SRQ3 is addressed by synthesising all findings from SRQ1 and SRQ2 into a focused agenda for future research.