Open Access

Cybersecurity Governance and Resilience in Small and Medium-Sized Enterprises: A Socio-Technical, Resource-Based, and Regulatory Framework for Sustainable Digital Competitiveness

4 Department of Information Systems, University of Ljubljana, Slovenia
4 Faculty of Organizational Sciences, University of Belgrade, Serbia

Abstract

Background: Small and medium-sized enterprises (SMEs) occupy a central role in employment generation, innovation, and economic dynamism, yet they remain disproportionately exposed to cyber risk because of constrained resources, limited formal governance, fragmented technical infrastructures, and rapidly evolving regulatory demands (World Bank, 2015; Gherghina et al., 2020; Heidt et al., 2019). The digitalization of SME operations, supply chain connectivity, cloud dependence, and growing exposure to disclosure and compliance pressures have transformed cybersecurity from a purely technical issue into a strategic, organizational, and relational concern (Proudfoot et al., 2024; Wallis & Dorey, 2024).

Objective: This article develops an integrated conceptual framework explaining how SMEs can build cybersecurity resilience through the interaction of internal capabilities, socio-technical alignment, relational governance, institutional legitimacy, and adaptive compliance under emerging regulatory regimes.

Methodology: A qualitative theory-building design was employed using integrative literature synthesis and conceptual analysis grounded in design-oriented reasoning. The study draws on the resource-based view, dynamic capabilities, socio-technical systems theory, relational governance, signaling theory, and institutional theory to interpret the cybersecurity challenges and strategic options facing SMEs (Barney, 1991; Teece et al., 1997; Bostrom & Heinen, 1977; Poppo & Zenger, 2002; Connelly et al., 2011; DiMaggio & Powell, 1983). The research logic follows a problem-centered, framework-development approach informed by action-oriented and design science perspectives (Castro et al., 2025).

Results: The analysis shows that SME cybersecurity resilience depends not merely on technology adoption but on the orchestration of managerial cognition, governance formalization, trust-based collaboration, risk disclosure, regulatory interpretation, secure data management, and continuous learning. The study identifies six interdependent pillars of resilience: strategic capability formation, socio-technical integration, adaptive governance, ecosystem trust, regulatory readiness, and intelligent security augmentation. It further demonstrates that compliance-driven security is insufficient unless translated into operational routines, organizational culture, and partner-level coordination.

Conclusion: Cybersecurity in SMEs should be understood as a dynamic organizational capability and a source of competitive legitimacy rather than as a narrow cost center. The article contributes a multi-theoretical framework and offers implications for SME leaders, policymakers, technology providers, and researchers concerned with digital resilience, responsible innovation, and long-term competitiveness.

Keywords

References

Ahmed, S. D., Al-Ismail, F. S. M., Shafiullah, M., AL-Sulaiman, F. A., & El-Amin, I. M. (2020). Grid integration challenges of wind energy: A review. IEEE Access, 8, 10857–10878. https://doi.org/10.1109/ACCESS.2020.2964896
Alanzi, H. M., & Alkhatib, M. (2025). Blockchain-based identity management system prototype for enhanced privacy and security. Electronics, 14, 2605. https://doi.org/10.3390/electronics142605
Annoni, P. G. J., & Seiler, P. (2016). Wind farm flow modeling using an input-output reduced-order model. In Proceedings of the American Control Conference (pp. 506–512).
Awan, M., Alam, A., & Kamran, M. (2025). Cybersecurity challenges in SMEs. Journal of Cybersecurity Risk Analysis, 3, 89–102.
Baeza, V. M., & Salor, L. C. (2024). New horizons in tactical communications: An overview of emerging technologies possibilities. IEEE Potentials, 43, 12–19.
Bai, C., Sheng, S., & Li, J. (2020). Third-party relational governance and collaborative innovation performance. International Journal of Innovation Studies, 4, 123–135.
Bansal, G., & Axelton, Z. (2024). Impact of cybersecurity disclosures on stakeholder intentions. Journal of Computer Information Systems, 64, 78–91.
Barney, J. (1991). Firm resources and sustained competitive advantage. Journal of Management, 17, 99–120.
Bharadwaj, A. (2000). A resource-based perspective on IT capability and firm performance. MIS Quarterly, 24, 169–196.
Bostrom, R. P., & Heinen, J. S. (1977). MIS problems and failures: A socio-technical perspective. MIS Quarterly, 1, 17–32.
Castro, V., Peña, M. L., Marcos, E., & Salgado, M. (2025). Combining action research with design science. International Journal of Qualitative Methods, 24, 1–15.
Clark, A., & Mujeye, S. (2025). A critical analysis of SME cybersecurity policies and practices. In Proceedings of the ACM International Conference on Information Security and Privacy (pp. 178–183).
Claro, D. P., Hagelaar, G., & Omta, O. (2003). The determinants of relational governance and performance. Industrial Marketing Management, 32, 703–716.
Connelly, B. L., Certo, S. T., Ireland, R. D., & Reutzel, C. R. (2011). Signaling theory: A review and assessment. Journal of Management, 37, 39–67.
DiMaggio, P. J., & Powell, W. W. (1983). The iron cage revisited. American Sociological Review, 48, 147–160.
El-Hajj, M., & Mirza, Z. A. (2024). Protecting SMEs: A cybersecurity risk assessment framework. Electronics, 13, 3910.
Elsayed, A., Ismail, M., & Ahmed, S. (2024). The impact of cybersecurity disclosure on banks’ performance. Future Business Journal, 10, 115.
Fernandez de Arroyabe, J. C., Arranz, N., & Li, J. (2024). Cybersecurity resilience in SMEs: A machine learning approach. Journal of Computer Information Systems, 64, 1–17.
Garcia Cid, M. I., González, J. Á., Martín, L. O., & Gómez, D. D. R. (2022). Disruptive quantum safe technologies. In Proceedings of the ARES Conference (pp. 1–8).
Gherghina, Ș. C., Botezatu, M. A., Hosszu, A., & Simionescu, L. N. (2020). SMEs as engines of economic growth. Sustainability, 12, 347.
He, C., Wang, Y., Zhang, T., Hao, F., & Ma, Y. (2025). Blockchain-based secure data risk management method. Electronics, 14, 3058.
Heidt, M., Gerlach, J., & Buxmann, P. (2019). Security divide between SMEs and large companies. Information Systems Frontiers, 21, 1285–1305.
Hepworth, E., Salisbury, U., Li, M., Rodgers, E., & Force, N. Z. D. (2025). Software-defined networking architecture for coalition tactical networks.
Hoong, Y., Davis, P. A. E., & Windekilde, I. M. (2024). SME managers and cybersecurity challenges. Technology in Society, 78, 102650.
ISO/IEC. (2022). ISO/IEC 27001: Information security management systems. Geneva: ISO.
Joswig, T., & Kurz, W. (2025). NIS2 adoption in EU SMEs. Journal of Next-Generation Research, 5, 99.
Khan, N., Furnell, S., Bada, M., Nurse, J., & Rand, M. (2025). Barriers to cybersecurity adoption in SMEs. Information & Computer Security.
Kianpour, M., & Raza, S. (2024). Cybersecurity regulation risks. International Cybersecurity Law Review, 5, 169–212.
Kianpour, M., Davis, P. A. E., & Windekilde, I. M. (2025). Digital sovereignty and NIS2 directive. International Journal of Information Security, 24, 245–267.
Kumar, A. (2022). Buyer–supplier relationships and sustainability. Annals of Operations Research, 322, 157–181.
Le, T. D., Le Dinh, T., & Uwizeyemungu, S. (2025). Cybersecurity framework for SMEs. Enterprise Information Systems, 19, 10.
Luiz, J., Magada, T., & Mukumbuzi, R. (2021). Strategic responses to institutional voids. Management International Review, 61, 681–711.
Melville, N., Kraemer, K., & Gurbaxani, V. (2004). IT and organizational performance. MIS Quarterly, 28, 283–322.
Monzon Baeza, V., Parada, R., Concha Salor, L., & Monzo, C. (2025). AI integration in tactical communication systems. Systems, 13, 752.
Nugraha, Y., & Martin, A. (2022). Cybersecurity service level agreements. Journal of Cybersecurity, 8, 1.
Ozkan, B. Y., & Spruit, M. (2022). Adaptable security maturity assessment. Information Systems Management, 39, 325–342.
Papathanasiou, A., Liontos, G., Katsouras, A., Liagkou, V., & Glavas, E. (2025). Cybersecurity guide for SMEs. Journal of Information Security, 16, 1–43.
Pavlou, P. A., & El Sawy, O. A. (2011). Dynamic capabilities. Decision Sciences, 42, 239–273.
Poppo, L., & Zenger, T. (2002). Contracts and relational governance. Strategic Management Journal, 23, 707–725.
Proudfoot, J., Cram, W., & Madnick, S. (2024). Cybersecurity regulations and organizations. European Journal of Information Systems, 34, 1–24.
Shaffique, M. R. (2024). Cyber Resilience Act. Computer Law & Security Review, 54, 106009.
Spence, M. (1973). Job market signaling. Quarterly Journal of Economics, 87, 355–374.
Suchman, M. (1995). Managing legitimacy. Academy of Management Review, 20, 571–610.
Teece, D. J., Pisano, G., & Shuen, A. (1997). Dynamic capabilities. Strategic Management Journal, 18, 509–533.
Trist, E. (1981). The evolution of socio-technical systems. Toronto: Ontario Quality of Working Life Centre.
Wade, M., & Hulland, J. (2004). Resource-based view and IS research. MIS Quarterly, 28, 107–142.
Wallis, T., & Dorey, P. (2024). Cybersecurity in supply chains. Applied Sciences, 14, 5805.
Wilson, M. (2025). Cybersecurity perspectives of UK SMEs. Information Security Journal, 34, 1–35.
World Bank. (2015). SMEs, age, and jobs: A review of the literature. Washington, DC: World Bank.
Yeoh, W., & Popovič, A. (2022). Cybersecurity critical success factors. Computers & Security, 118, 102724.
Zaheer, A., McEvily, B., & Perrone, V. (1998). Does trust matter? Organization Science, 9, 141–159.
Zaheer, A., & Venkatraman, N. (1995). Relational governance strategy. Strategic Management Journal, 16, 373–392.
Zacharias, J., von Zahn, M., Chen, J., & Hinz, O. (2022). Explainable AI feature selection. Electronic Markets, 32, 2159–2184.
