electronics

Article
Protecting Small and Medium Enterprises: A Specialized
Cybersecurity Risk Assessment Framework and Tool
Mohammed El-Hajj *,† and Zuhayr Aamir Mirza †

Department of Semantics, Cybersecurity & Services, University of Twente, 7522 Enschede, The Netherlands
* Correspondence: [email protected]
† These authors contributed equally to this work.

Abstract: As the number of Small and Medium Enterprises (SMEs) rises in the world, the amount of
sensitive data used also increases, making them targets for cyberattacks. SMEs face a host of issues
such as a lack of resources and poor cybersecurity talent, resulting in multiple vulnerabilities that
increase overall risk. Cybersecurity risk assessment frameworks have been developed by multiple
organizations such as the National Institute of Science and Technology (NIST) and the International
Organization for Standardization (ISO), but they are complicated to understand and challenging to
implement. This research aimed to create an effective cybersecurity risk assessment framework specif-
ically for SMEs while considering their limitations. This was achieved by first identifying common
threats and vulnerabilities and categorizing them according to their importance and risk. Secondly,
popular frameworks like the NIST CSF and ISO 27001/2 were analyzed for their proficiencies and
deficiencies while identifying relevant areas for SMEs. Finally, novel techniques catered to SMEs
were explored and incorporated to create an effective framework for SMEs. This framework was also
developed in the form of a tool, providing an interactive and dynamic environment. The tool was
effective, and the framework is a promising start but requires more quantitative analysis.

Keywords: SMEs; risk assessment; cybersecurity framework; NIST; ISO; risk mitigation

Citation: El-Hajj, M.; Mirza, Z.A. Protecting Small and Medium Enterprises: A Specialized Cybersecurity Risk Assessment Framework and Tool. Electronics 2024, 13, 3910. https://doi.org/10.3390/electronics13193910

Academic Editors: Orhan Ermiş and Carlos Serrão
Received: 22 August 2024
Revised: 30 September 2024
Accepted: 1 October 2024
Published: 2 October 2024

Copyright: © 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Electronics 2024, 13, 3910. https://doi.org/10.3390/electronics13193910 https://www.mdpi.com/journal/electronics

1. Introduction
Over the past few years, the number of cyberattacks has skyrocketed, with around 62% of Australian Small and Medium Enterprises (SMEs) being victims of cybercrimes [1]. The impact of these cyberattacks on SMEs can be severe and multifaceted. Financially, SMEs often face significant costs associated with data breaches, including immediate response costs, regulatory fines, and long-term remediation expenses. According to recent studies, the average cost of a data breach for SMEs can exceed USD 200,000, a substantial sum that many small businesses cannot afford [1].
Operationally, cyberattacks can disrupt normal business activities, leading to downtime and loss of productivity. For instance, ransomware attacks can lock critical data, halting business operations until a ransom is paid, which can lead to extended periods of downtime and loss of revenue. Additionally, recovering from such attacks often requires extensive IT resources and time, further exacerbating operational challenges [2].
Reputationally, the consequences of cyberattacks can be devastating. SMEs may suffer from a loss of customer trust and damage to their brand reputation, which can have long-term effects on customer loyalty and market position. A survey found that 60% of SMEs that experience a significant data breach go out of business within six months due to the combined financial and reputational damage [3].
SMEs are incredibly vulnerable due to several constraints. Many SMEs do not possess the financial capability to invest in cybersecurity, with their main focus being revenue. This limitation is complemented by the lack of cybersecurity talent available [4]. The financial strain caused by cyberattacks often exacerbates existing vulnerabilities, making it even more challenging for SMEs to recover and strengthen their cybersecurity posture. Consequently, SMEs may struggle to implement effective cybersecurity measures, further increasing their susceptibility to future attacks.
Due to this complexity, a large number of SMEs tend to ignore parts of the framework
and employ a ‘fail-safe’ approach, where they attempt to cover most bases to avoid critical
errors [5]. Moreover, there are numerous threats to SMEs which can be categorized as
physical, psychological, and technical [6]. It has been reported that one in three startups that
are affected by a cyberattack end up shutting down due to financial loss and the inability to
recover [6]. This grim statistic reflects the need for a framework that can better protect SMEs
while being easy to implement. It is important to note that these threats are not unique to
SMEs; large organizations also face similar types of threats. However, the scale and impact
of these threats can differ significantly. For example, while large organizations may also be
vulnerable to physical attacks, psychological manipulation, and technical breaches, they
often have more resources and established protocols to manage and mitigate these risks. In
contrast, SMEs may experience more acute consequences due to limited resources and less
robust security measures. Consequently, the same types of threats can affect both SMEs
and large organizations, but the extent and nature of the impact can vary [7].
Several cybersecurity frameworks aim to provide a structure for firms to protect them-
selves from cyber threats. Examples of such frameworks include the NIST Cybersecurity
Framework, ISO 27001/2 [8], Essential Eight, and PCI-DSS. Each of these frameworks has
advantages and disadvantages but does not completely cater to SMEs, since they can be
notoriously difficult to implement and understand [9]. They are complex for SMEs since
they utilize a lot of technical language, which is unfamiliar to non-security professionals.
Furthermore, creating new processes and systems requires resources and a properly built
infrastructure, which may not always be the case for SMEs.
Despite their comprehensive nature, existing frameworks are generally designed with
large organizations in mind. They require significant expertise, financial resources, and
dedicated personnel for successful implementation. SMEs, on the other hand, often lack
these resources and struggle with scalability issues that prevent them from fully leveraging
these frameworks [5]. As a result, many SMEs adopt a ‘fail-safe’ approach, covering only
critical areas and leaving significant gaps in their overall cybersecurity posture.
This research bridges this gap by developing a tailored cybersecurity risk assessment
framework specifically for SMEs. Our framework takes into consideration the resource
constraints and unique operating environments of SMEs while simplifying the implementa-
tion process without sacrificing effectiveness. By analyzing popular frameworks like NIST
CSF and ISO 27001/2, we identified areas where these frameworks excel but also have
limitations when applied to SMEs. The contributions of this paper include the following:
• A comparative analysis of existing frameworks (NIST CSF, ISO 27001/2) to highlight
their proficiency in addressing general cybersecurity threats and their shortcomings
in adapting to SME-specific requirements.
• The identification and categorization of common threats to SMEs, prioritizing risks
based on impact and likelihood, specifically focusing on malware, phishing, and
web-based attacks.
• The development of novel, resource-efficient cybersecurity techniques tailored to
SMEs, incorporating elements from existing frameworks but optimizing them for
simplicity and ease of use.
• The creation of an interactive tool that dynamically guides SMEs through the cyber-
security assessment process, providing clear, actionable steps based on their specific
risk profile.

2. Problem Statement
This section provides a short description of the problems that SMEs are facing, along
with an introduction to the research questions.

2.1. Problem Introduction


SMEs are incredibly important since they can represent 90% of companies in some
regions, creating economic opportunities for many individuals [10]. A survey conducted by
the authors of [11] discovered that only 40% of companies have an employee directly respon-
sible for security issues, meaning that the majority of businesses are largely underequipped,
increasing vulnerability. Mainstream cybersecurity frameworks have international recogni-
tion and are used by various large enterprises, but they lack scalability for SMEs. Despite
their large attack surfaces, large enterprises have the resources to better equip themselves
with the necessary defenses [1]. Therefore, it is clear that the frameworks mostly cater to
these larger enterprises.
The disparity in resources between small and large firms leads to a poorer com-
prehension of these frameworks, resulting in a lower motivation to properly implement
good cybersecurity posture [12]. Cybersecurity posture can be defined as the strength
of cybersecurity protocols for preventing, predicting, and handling attacks while they
are happening and their aftermath [13]. The frameworks largely provide ideas of good
practices and structures that could be set in place to counter certain threats. Based on these
threats, it is prudent to combine elements of established frameworks with promising ideas
for adaptability.

2.2. Research Questions


Based on the problem statement defined in Section 2.1, the main goal of this research
paper is to answer the following consolidated research questions:
1. RQ1: What are the key cybersecurity threats and challenges faced by SMEs, and how
do existing frameworks address these challenges?
2. RQ2: What techniques or approaches can be implemented to develop a tailored
cybersecurity risk assessment methodology for SMEs?
3. RQ3: How can the effectiveness of the developed framework and tool be evaluated
and validated in real-world SME environments?

3. Background
This section aims to provide an overview of the literature review exploring RQ1
and RQ2. This will provide knowledge to develop the framework by considering spe-
cific vulnerabilities faced by SMEs and examining the advantages and disadvantages of
popular frameworks.

3.1. Common Threats and Vulnerabilities Faced by SMEs


The European Union Agency for Cybersecurity (ENISA) releases reports for threat
landscapes in cybersecurity. Their most recent report in 2020 detailed the top 15 cybersecu-
rity threats to businesses around the European Union and the globe. The top three threats
discussed were malware, web-based attacks, and phishing [14]. These threats can be further
placed into categories. Malware and web-based attacks represent a technical threat, through
the use of software. Malware can represent any hardware or software that is intentionally
placed into a system for a harmful purpose, such as stealing sensitive data [15]. Web-based
attacks revolve around finding weaknesses and vulnerabilities in the web applications that
SMEs use like servers [16]. Phishing can be categorized as a psychological threat, where an
attacker uses social engineering techniques to steal personal data through different means,
commonly e-mail or SMS, while posing as a legitimate entity [17]. In addition to these
traditional threats, the increasing use of cloud services by SMEs has introduced new cyber-
security challenges. Cloud services, while offering numerous benefits such as scalability
and cost efficiency, also come with their own set of vulnerabilities. For example, data stored
in the cloud can be exposed to unauthorized access if proper security measures are not in
place. Misconfigurations of cloud storage and inadequate encryption practices can lead
to data breaches and leakage [18]. Furthermore, reliance on third-party cloud providers
introduces risks related to the security practices of these providers, including potential
breaches in their infrastructure or policies [19]. As SMEs continue to adopt cloud solutions,
addressing these cloud-specific security issues becomes crucial. Ensuring robust cloud
security involves implementing strong access controls, regularly reviewing configurations,
and employing encryption for data in transit and at rest. This aspect of cybersecurity is
vital for SMEs to mitigate the risks associated with their growing use of cloud technologies.
These three threats can have serious consequences for SMEs since ENISA has also
reported that the frequency of such attacks will rise over time [14]. Each of the threats
also corresponds to common vulnerabilities that SMEs face, such as a lack of expertise
in cybersecurity and poor cybersecurity posture. The technical threats are a direct result
of having poor security throughout their system by failing to implement a framework.
Phishing directly targets employees lacking proper training, and it can cause data breaches
through links, presenting a serious challenge [17]. Section 3.1.1 highlights one of the most
important vulnerabilities for SMEs.

3.1.1. Employee Attitudes


Robust security is essential for businesses but is compromised in the event of human
error or apathy. Therefore, another threat to SMEs is the attitude of their employees
and their work environment. Employee attitudes are important in understanding how
cyber-secure a business is. A study conducted by the authors of [20] (2021) found that a
majority of employees felt helpless when protecting themselves. They also felt that their
company and assets were not important enough to be targeted. This approach automatically
increases their vulnerability, since this mindset can lead to lax security measures. This idea
indicates that individuals would rather leave security with security specialists, not realizing
that they also have a large role in protecting the attack surface of the company through
their actions [20]. The feeling of helplessness is also a major concern, since it decreases
motivation towards training and reduces engagement with security policies [20].
Recommendations from this study include raising awareness, empowering employees,
and helping them understand how to recover lost information or reset systems [20]. These
recommendations are crucial for the framework, since a firm can have a high degree of
security, but can be susceptible due to human error, which is preventable. By improving
the work environment and the attitudes of employees, they can collectively become better
at maintaining a functional security level. Table 1 provides a general overview of the three
threats and the corresponding vulnerabilities at SMEs. It is important to note that there are
more threats than those mentioned in Table 1 and that many vulnerabilities overlap.

Table 1. Overview of threats and vulnerabilities.

Malware
Common types: Ransomware, adware, spyware [21].
SME vulnerabilities:
• Lack of awareness increases vulnerability to ransomware attacks [11].
• Lack of security professionals prevents timely detection and mitigation of malware [22].
• Cyberslacking allows malware entry through unauthorized access [22].

Phishing
Common types: Deceptive phishing [23]; malware-based phishing [23].
SME vulnerabilities:
• Lack of employee training leads to susceptibility to deceptive phishing attempts.
• Absence of warning systems for flagging phishing attempts and lack of reporting mechanisms [20].
• No process for verification exposes SMEs to malware-based phishing attacks [23].

Web-based
Common types: Cross-site scripting (XSS) [24]; SQL injection [25]; Distributed Denial of Service (DDoS) [25].
SME vulnerabilities:
• No input sanitization makes SMEs vulnerable to SQL injections [22].
• Lack of firewalls exposes companies to DDoS attacks [11].
• Poor coding practices lead to exploitation of XSS vulnerabilities.

3.1.2. Main SME Vulnerabilities


As mentioned in Table 1, SMEs have distinct vulnerabilities that render them suscepti-
ble to different types of attacks. Therefore, it is important to specifically discuss some of
these vulnerabilities for targeted solutions.
An overarching trend with most SMEs is the lack of preparation they have, which
directly correlates to whether they have an employee with security experience. Many
companies do not consider security in their day-to-day businesses, which is backed up by
the lack of specialized security professionals [11].
A survey conducted by [11] discovered that 40% of companies have an employee
directly responsible for security issues and that only 25% of companies have involved
security in their auditing process. This indicates a serious lack of consideration for security
in SMEs, leaving them vulnerable to malware, web-based, and phishing attacks. Without
security professionals, firms cannot create a proper security policy or training simulations
to serve as preparation for their employees.
Without training or awareness, firms are especially vulnerable to many forms of
phishing, as this technique is used as a stepping stone for an attacker to utilize malware or
web-based attacks. For example, malware can be embedded within a phishing link and can
be activated once the link is clicked upon. Attackers have recently created more elaborate
phishing techniques through spear phishing, which is a more targeted technique. Generally,
malicious actors create a template for a phishing email and send it in mass to as many
addresses as possible, hoping that someone will click on the link in the email. This approach
relies on statistics; by sending a large amount of emails, the probability that an individual
will click on the link is much higher. Spear phishing is a type of phishing attack that targets
specific individuals in an organization through customized emails [26]. These attacks have
a higher success rate since they are designed to target specific individuals, and it can be
very difficult to differentiate between an authentic email and a fake one. Information about
individuals can be received from the Internet or social media like LinkedIn. It was also
observed that spear phishing attacks have a success rate of 19% compared to 5% for a
standard phishing approach [26]. Even individuals with previous training can fall for this
advanced phishing technique, highlighting a need for it to be part of employee training.

3.2. Review of Popular Frameworks


Many cybersecurity frameworks have been credited with developing strong defenses
for firms. However, the authors of [27] (2023) conducted a study that researched multiple
articles and concluded that no framework assessed the cybersecurity maturity level for
startups. This is damaging for startups since they cannot verify their cybersecurity posture,
opening themselves up to vulnerabilities [27]. However, it is still important to discuss
frameworks and understand their limitations for SMEs.
The NIST CSF is a voluntary framework built upon industry standards and govern-
ment information, providing five main functions, namely, Identify, Protect, Detect, Respond,
and Recover [28]. Each of these functions corresponds to processes that businesses take to
protect themselves, such as risk assessment and response planning [1].
Another commonly used framework is the ISO 27001/2, which provides specifications
for firms to create an Information Security Management System (ISMS) to protect their
information [29]. ISO 27002 extends the previous framework by adding more details for
security controls [1]. This makes it a technical and detailed framework, but one that can
help establish appropriate defenses.
CIS Controls is another framework that provides a recommended set of best practices
and techniques to combat common cybersecurity threats [30]. A series of steps are provided
to set up a secure system, provided there is a team to implement them. The challenge with
this framework is that it requires the business to have a cybersecurity team that has a good
level of experience.
COBIT is another framework that focuses on the realm of auditing and IT gover-
nance. It focuses on aligning the IT practices of a business with its goals [31]. However,
the challenges associated with this framework are similar to previous ones. It is quite
comprehensive and can be difficult to implement for small businesses since a lot of key
indicators like stakeholders, scope, and goals need to be established.
ISO/IEC 27701 is an extension of ISO 27001/2 in the domain of GDPR compliance
and data privacy. The extension upgrades the ISMS to a Privacy Information Management
System (PIMS), which demonstrates GDPR compliance since the company is handling its
own private data and the data of others in a compliant manner [32]. However, since this is
an extension of ISO 27001/2, implementing ISO 27001/2 is a prerequisite. Implementing
ISO 27001/2 is already a difficult task for SMEs, which makes this framework a rather
unrealistic option.
Table 2 shows an overview of the frameworks with their advantages, their disadvan-
tages, their focus, and their key components.

Table 2. Overview of frameworks.

NIST CSF
Advantages: Flexible. Common terminology. Reduces confusion [1].
Disadvantages: Fifty-five-page manual. New terminology for SMEs. Self-assessment (no clear standards) [33].
Focus: Improving cybersecurity risk management and resilience.
Key components: Five core functions: Identify, Protect, Detect, Respond, Recover.

ISO 27001/2
Advantages: Robust. Creation of ISMS. Effective security measures [1].
Disadvantages: Highly technical. Complex adoption process. Knowledge gap in implementation [34].
Focus: Establishing and maintaining an information security management system (ISMS).
Key components: Risk management and continual improvement.

CIS Controls
Advantages: Simple and actionable. Mapped to real-world threats. Prioritized recommendations [30].
Disadvantages: Not as comprehensive as other frameworks. Requires regular updates.
Focus: Practical security for mitigating common cyber threats.
Key components: A total of 18 controls, including asset management, access control, and vulnerability management [30].

COBIT
Advantages: Aligns IT with business goals. Detailed governance framework [31].
Disadvantages: Complex implementation for small organizations. Expensive and time-consuming.
Focus: IT governance and management.
Key components: Five governance domains, including Evaluate, Direct, and Monitor (EDM) [31].

ISO/IEC 27701
Advantages: Expands ISO 27001 for privacy information management. Structured approach to GDPR compliance [32].
Disadvantages: Complicated integration with existing systems. High implementation costs.
Focus: Managing privacy risks and implementing a Privacy Information Management System (PIMS) [32].
Key components: Data privacy, risk assessment, and controller/processor responsibilities.

3.3. Key Findings


The literature review has provided a foundation by answering the first two research
questions. The vulnerabilities that SMEs possess for specific attacks have been explored and
identified in Section 3.1.2. A lack of structure, training, and focus leads to vulnerabilities.
Phishing is commonly used as a precursor for these attacks. In terms of frameworks, the
strengths and weaknesses of numerous frameworks have also been explored, mention-
ing that despite their detailed structure, their complexity can pose challenges for SMEs.
Through this literature review, we have identified the common vulnerabilities that SMEs
possess and how they are used by attackers for their malicious intentions. We have also
looked at multiple popular frameworks to identify their strengths, weaknesses, focus,
and key components. Through this, it was observed that a large number of them are too
complex and resource-intensive for SMEs to implement, even though they provide a high
level of security. This emphasizes the fact that novel techniques specifically constructed for
SMEs are needed on the market.

4. Related Work
This section specifically covers academic research that concerns the design of a new
cybersecurity risk assessment framework for SMEs. These solutions take into account
the resource constraints faced by SMEs. It is crucial to explore solutions that have been
developed, to combine their advantages and build upon their limitations. This section
contains solutions that build upon previous information discussed in the literature review.
These solutions target SME vulnerabilities to improve their defenses while building upon
the weaknesses of previously discussed popular frameworks as well. This results in novel
solutions, specifically made for SMEs.

4.1. Promising Solutions for SMEs


Firstly, a solution that extends the NIST CSF was proposed in [33], where a Cybersecu-
rity Evaluation Tool (CET) was created which draws upon 35 standards in the NIST CSF.
The CET uses current academic literature and industry experience from experts to provide
a platform for organizations to rate themselves, after which they receive a recommendation
for a certain standard with costs and benefits [33].
Another solution proposed in [12] uses employee motivation through Self-Determination
Theory (SDT) to create a threat-based risk assessment framework delivered as an app. A
threat-based risk assessment framework identifies potential threats to systems while making
a plan to counter them. It focuses on identifying areas with the highest risk in terms
of potential impact and consequently developing a solution. SDT is used to motivate
individuals through an interface displaying potential threats and to implement defensive
strategies [12]. With this approach, employees can be more proactive with security, trying
to be more secure. A data model was used to correctly evaluate threats and provide
recommendations with the GEIGER app that was developed by a European Union-funded
Horizon group [12]. However, the application is a prototype and requires further testing to
be used by SMEs.
Ref. [35] explores the use of Least Cybersecurity Controls Implementation (LCCI),
a framework using the Confidentiality, Authentication, and Integrity (CIA) triad to help
businesses identify their Mission-Critical Assets (MCAs) while simultaneously providing
recommendations. The framework creates different security levels based on which princi-
ples of the CIA triad have been implemented. For example, Level 1 has been reached if only
confidentiality has been integrated, and reaching Level 3 means that all three principles of
the CIA triad have been implemented. By condensing the idea of security into three easily
definable terms, security can be simplified for SMEs. A useful part of the framework is
that it is specifically built for SMEs; therefore, there are different levels of basic security
that SMEs can implement, according to their resource constraints [35]. However, it is a
relatively new framework and needs quantitative feedback to determine whether it can be
used by SMEs.
Ref. [5] proposes using a more holistic approach to securing SMEs, through the lens of a
cyber-resilience framework. Cyber-resilience moves away from the traditional cybersecurity
aspect of ‘fail-safe’ methodologies where all errors are avoided to protect the system and
instead moves towards ‘safe-fail’ methodologies to maintain business systems, regardless
of attacks [5]. Most SMEs use the ‘fail-safe’ methodology since cyber-resilience requires
more investment, therefore making them more reactive, which can lead to issues when
facing an unknown attack. However, this is a relatively new concept, and the framework
has only been evaluated qualitatively, thus suggesting a need for quantitative analysis.
In [36], the authors conducted a study of 124 e-tailing SMEs to rank different risk
scenarios for SMEs to explore how they prioritize risk. They discovered that SMEs do not
focus on the risks of security but rather risks in terms of the legal, strategic, and employee
domains, indicating a lack of focus on cybersecurity in general. For example, identity
theft and DDoS attacks were not considered to be on the same level as strategy-related
challenges. This means that SMEs are focused more on other areas and do not provide the
same level of concern towards securing themselves from common cybersecurity challenges.
However, in [36], the authors explored SME challenges through the domain of research
to find techniques to protect them. They discovered that most of the research conducted
in the domain of SMEs is qualitative and that there is a real lack of empirical studies for
SMEs. Only around 3% of data collection techniques were experimental, highlighting a
real lack of quantitative relationships between research and its effect on protecting SMEs.

In [37], the authors proposed an analysis of the cybersecurity challenges faced by Small-
to-Medium-sized enterprises (SMEs), highlighting the importance of robust cybersecurity
practices in the digital era. While SMEs form a critical part of global economies, many are
ill-equipped to handle cyber threats, making them vulnerable to attacks. The study reviews
current research on SME cybersecurity and examines how well it aligns with established
frameworks, such as the National Institute of Standards and Technology (NIST)
Cybersecurity Framework (CSF). The authors note that most studies focus heavily on the
‘Identify’ and ‘Protect’ functions of the NIST CSF, with insufficient attention paid to the
other crucial activities—‘Detect’, ‘Respond’, and ‘Recover’. This lack of balance leaves
SMEs unprepared to effectively respond to or recover from cyber incidents. The paper calls
for future research to strike a more balanced approach and encourages the use of rigorous
mathematical models to test cybersecurity strategies. Additionally, it urges governments
and academic institutions to provide incentives for researchers to expand the scope of
cybersecurity studies, particularly in areas relevant to SMEs.

4.2. Techniques for the Framework


Building upon these promising solutions can aid the development of a cybersecurity
risk methodology that is tailored to SME resource constraints. For example, the solution
proposed in [12] (2021) directly considers these constraints, suggesting that using threat-
based risk assessment in conjunction with self-determination will motivate employees
to research threats on their own and work harder to protect their systems. The LCCI
framework developed in [35] (2022) creates a system of three levels of security that SMEs
can implement based on their resources. The levels also have descriptors to verify whether
the security requirement for a certain level has been met.
Therefore, after considering these solutions for RQ3, the framework described in this
research utilizes a combination of SDT, threat-based risk assessment, and LCCI. This results
in a detailed and specific framework for SMEs, which can be used to target specific threats
and create a reasonable cybersecurity posture. This can mitigate certain threats, preventing
unnecessary consequences.

5. Framework
This section of the research covers all aspects of the framework that was constructed
based on the literature review about SME vulnerabilities, established frameworks, and
promising solutions. It provides a brief overview of the framework, later diving into
each section and explaining its rationale. Figure 1 shows the start of the framework. The
framework not only provides SMEs with guidance on addressing cybersecurity threats
but also integrates practical tools that SMEs can use to implement these solutions. One of
the key aspects of this framework is its focus on actionable measures through the use of
digital tools, such as the URL classifier. The developed tool brings the framework to life
by allowing SMEs to combat specific threats, such as phishing, which is highlighted in the
framework’s tier-based solutions for web-based attacks. The URL classifier exemplifies how
the framework’s advice on security posture, including threat-based risk assessment and
LCCI, can be translated into a practical, user-friendly tool that directly aids in mitigating
potential threats. By integrating this tool with the framework, SMEs can efficiently opera-
tionalize the guidance offered, ensuring that their employees are better equipped to detect
and avoid phishing attacks. This approach makes the framework not just a theoretical
construct but a comprehensive solution that provides both guidance and practical tools for
daily use.
Figure 1. Start of developed framework.

5.1. Overview
This custom framework for SMEs combines aspects from promising solutions such
as threat-based risk assessment, LCCI, and SDT to create a framework for SMEs. The
framework is organized in such a way as to first provide general advice to establish a
decent cybersecurity posture, based on advice from established frameworks and current
research. These are basic security principles that all firms should generally follow.
The framework aims to aid SMEs in understanding their business on multiple levels,
such as identifying their assets, potential vulnerabilities, and administrative processes, and
examining the employee work environment. Moreover, the framework offers tier-based
solutions for phishing, malware, and web-based attacks. The legal section offers advice to
firms about the General Data Protection Regulation (GDPR) and cyber insurance. Finally,
the support section discusses the opportunity for firms to collaborate for common solutions.
The general overview/structure for these sections can be seen in Figure 2. For the three
threats, levels of security will be established, which can be applied by SMEs, depending on
their resource limitations. This is a combination of both threat-based risk assessment and
LCCI, incorporating two promising solutions.
Threat-based risk assessment allows companies to create specific plans for the potential
threats in their business. By first identifying the relevant threats/risks, they can take steps to
mitigate and prevent them from occurring. LCCI is also important because it has different
levels of security that can be implemented by SMEs. Firms first identify their MCAs, after
which a solution that properly fits within their parameters and implementation is chosen.
These levels also make it possible for SMEs to scale up their security structure as they grow.
Figure 2 showcases interactions between the components of the framework.
[Figure 2 (diagram): the Framework node is linked to Fundamentals of Information Security; Threat-Based Risk Assessment; the Business, Administrative, and Employee Levels; Tier-Based Solutions; Legal Considerations (General Data Protection Regulation (GDPR), Cyber Insurance); Support and Community; and the Practical Tool (URL Classifier, Solutions to Common Problems).]

Figure 2. Key components of framework.

5.2. Fundamentals of Information Security


This section of the framework offers the most basic tips for companies to adhere to.
SMEs should implement these tips first, ensuring a basic structure, before implementing
advanced layers. These should also be provided to employees for a secure lifestyle. Exam-
ples of these tips include maintaining strong passwords, regularly backing up data, and
using Virtual Private Networks (VPNs).
With these tips, SMEs can protect their assets and reduce preventable incidents. It was
found that 43% of individuals are using the same or slightly modified password across
different accounts, representing a security lapse [38]. A random password generator that
creates robust passwords can mitigate this lapse [39]. For example, when combining strong
passwords with Multi-Factor Authentication (MFA), 99% of attacks regarding compromised
accounts can be prevented [40]. This highlights how a simple security technique can greatly
elevate the cybersecurity safety level of employees at a firm.
The inclusion of the CIA triad in the framework is important so that SMEs can under-
stand its fundamental principles. Since the CIA triad is an important pillar of information
security, it has been embedded within the Fundamentals of Information Security section
of the framework. Confidentiality will ensure that information is only accessible to those
who are authorized to access [41]. Integrity will ensure that information and data remain
consistent over their lifetime, meaning that unauthorized changes will not be made [41].
Finally, availability will ensure that information must remain accessible to users with
proper authorization [41]. If this triad of principles is incorporated into a cybersecurity
policy, it will improve the security of the systems in the business. By deeply understanding
these three principles, companies can evaluate their systems by verifying whether each one
is upheld.

5.3. Cybersecurity Levels


The framework has been divided into different levels, which are described below.
5.3.1. Business Level


This level focuses on key business activities and MCAs. It provides steps for identi-
fying the business as a whole while recognizing which systems are being used. Mapping
out the entire business and identifying key goals is a key part of understanding which
systems may be more vulnerable to certain threats. Other examples of activities on this
level include creating an inventory of systems, especially the software and hardware that
are used on the business and customer sides. A process to conduct periodic reviews should
be created and adhered to, ensuring that necessary systems are updated. A key activity
is to create a hierarchy of individuals with IT/security experience to create a clear chan-
nel for communication. If there are no individuals with security experience within the
company, it is highly encouraged to fund courses or training for current IT employees. By
conducting the activities on this level, businesses will ensure that they can have a focused
cybersecurity posture.

5.3.2. Administrative Level


This level focuses on understanding the administrative process. It also has a range of
activities and procedures that should be put in place at companies for a good cybersecurity
posture. This involves creating an incident response plan in the event of a cyber incident.
This plan is extremely important to avoid panic and attempt to recover data that were
lost. Another key activity is to create a smooth management process for each system and
determine the administrators for them. This also involves implementing Role-Based Access
Control (RBAC), which refers to assigning permissions to employees based on their
roles in the company [42]. This approach verifies that employees cannot access data or
make changes that are not permitted within their roles. Finally, AAA principles such as
authentication, authorization, and accounting should be used while maintaining logs for
auditing [43]. Logs are important to keep track of changes being made and what systems are
being used. In the event of an incident, the logs can be checked to maintain accountability.

5.3.3. Employee Level


This level focuses on evaluating and improving both the work environment and
cybersecurity training for employees. It also seeks to provide information about employee
best practices and how to support them through SDT and intrinsic motivation. To fully
realize the effects of this level, the business should have a cybersecurity professional
who can provide the necessary workshops and training for these employees. Without
this plan, it will become difficult to motivate employees. Therefore, training should be
up to date and relevant for the business. Once this is established, employees must be
encouraged to act like a team and be intrinsically motivated to uphold proper security
protocols and continually practice them. For example, if employees consider themselves to
be an important part of the business, better security is better for the business, providing a
source of intrinsic motivation.
The work environment also has a great effect on employee attitudes. If there is a
lax attitude towards security in the majority of the business, this will trickle down to the
employees, who will in turn maintain a lax attitude. Therefore, there should be positive
encouragement in the work environment to ask questions and report potential security
risks. Employees unfamiliar with cybersecurity should be encouraged to ask as many
questions as possible, to protect themselves and the business. Even if a company has
great cybersecurity mechanisms, they are entirely useless in the event of human error. By
continually preparing employees, the probability of human error leading to an attack can
be reduced.

5.4. Threat-Based Risk Assessment


This level first provides information about phishing, malware, and web-based attacks.
Symptoms of these attacks and their consequences for firms are also discussed so that
firms do not underestimate their impact. For each attack, the common systems they target
and the common ways that they enter these systems are also discussed. Finally, tier-based
solutions are offered based on different resource requirements, with each solution building
upon the previous one.

5.5. Legal Considerations


This section of the framework discusses the necessary legal considerations that SMEs
should take. This involves steps to ensure that they are securely handling data and insur-
ance in the event of an incident.

5.5.1. GDPR
The General Data Protection Regulation is a document that sets out a formal process
and guidance for firms to handle the data of EU citizens in an organized and secure manner.
This involves allowing data subjects to provide and rescind consent for their data usage at
any time. Therefore, companies that are based in the EU or manage EU citizens’ data need
to be familiar with the GDPR and ensure that its principles are being upheld; otherwise,
they will face punishment in the form of fines.

5.5.2. Cyber Insurance


Cyber insurance exists so that companies can transfer their risk onto another company,
in this case, an insurance company. This means that in the event of an incident, their costs
will be borne by the insurance company, and they will be reimbursed. This can be valuable
for SMEs since a single incident can potentially derail their business, making it difficult for
a fiscal recovery. However, they can be quite costly, meaning the SMEs have to consider
the pros and cons depending on their likelihood of being targeted for an attack. It is also
important to verify whether or not SMEs are over-insured to avoid extra costs. Cyber
insurance companies have their requirements for businesses that they can insure; therefore,
it is always important for companies to verify this to avoid unnecessary consequences.

5.6. Support and Community


This section of the framework discusses the creation of a community forum where
SMEs can communicate to collaborate on creating protective measures and offering advice
about new threats.

6. Tool
This section provides an overview of the tool that was developed with the framework,
while also diving into design choices, limitations, and future extensions. This tool creates
a practical version of the framework, in this case, combating phishing through the use
of a URL classifier. The URL classifier tool serves as a practical implementation of the
framework’s core principles. By developing a tool that enables SMEs to classify and identify
potentially malicious URLs, the framework moves beyond theoretical guidance and equips
businesses with a hands-on solution to one of the most prevalent cybersecurity threats.
The tool supports the framework’s aim of improving SMEs’ cybersecurity posture by
automating aspects of threat detection and allowing employees to take immediate action
based on real-time classification results. This reinforces the framework’s focus on scalable,
actionable solutions that SMEs can adopt within their resource constraints.

6.1. Overview
The tool represents the framework digitally in the form of a web-based application, to
improve interactivity and accessibility for users. The tool contains a machine learning (ML)
model that can be used to classify URLs. Users can input links, and the application will
classify them using the model. Implementing a threat detection model is important since
phishing has become increasingly complicated to detect for employees. Protection is vital
since phishing can be a precursor to malware and web-based attacks. Employees can use a
practical tool to check any links that they have received, thus providing another layer of
security.

6.2. Methodology to Develop Model


Developing an effective model for URL threat detection requires a systematic approach
that involves multiple steps. The process begins with the clear identification of the problem
and the specific objectives that the model aims to achieve. Understanding the nature
of the threats and the characteristics of the URLs is crucial in guiding the subsequent
steps. Once the goals are established, the selection of an appropriate machine learning
model is critical to ensuring that the predictions are both accurate and reliable. The chosen
model must be capable of handling the complexity and variability of the data while also
being efficient enough to process large datasets commonly encountered in cybersecurity.
This methodology outlines the key stages in developing a robust classification model for
detecting malicious URLs, starting with goal identification and model selection, followed
by the implementation and testing phases.

6.2.1. Identifying the Goal


Before choosing a model and extraction features, the first step is to set a goal. The
threat detection of URLs is based on their classification into different labels. For this model,
the four classifications are benign, malware, phishing, and defacement. Benign URLs are
neutral and the most common. Malware URLs usually contain malicious code that will
be executed upon interaction. Phishing URLs are deceptive and will redirect users to fake
websites. Finally, defacement URLs are links to websites that have been altered, with the
content posing as a legitimate entity.

6.2.2. Choosing a Model


The task is to classify URLs, thus requiring a model that can support this. Several
different models were considered and tested such as Neural Networks, Support Vector
Machines, and XGBoost, but the best fit was the Random Forest Classifier. It is a type of
supervised learning algorithm that builds various decision trees, later combining them to
create a more accurate prediction [44]. The advantages of this model are that adding more
trees does not make it overfit and that it is versatile. However, the large number of trees
increases computation time, and the ensemble does not describe relationships within the data well [44].

6.3. Data Selection, Sampling, and Distribution


The dataset for URLs was chosen from Kaggle [45]. It contained URLs labeled benign,
malware, phishing, and defacement. Each of these labels was assigned a number so that
the model could learn from them together with the extracted features. Since the dataset was quite
large, data were sampled randomly using Python 3. For this model, the data were sampled
equally with a total of 120,000 entries, 30,000 for each classification. The limitations of this
approach are also discussed and justified in Section 6.5. Figure 3 shows the distribution of
labels in the original dataset.

6.4. Extracted Features


The ML model extracts features from the dataset to create patterns and relationships
between them. The model learns from the features to classify the URLs into their categories.
Below, the features and their relevance to the model are described. Some features were
created by and used by the researchers themselves, while others were adapted from a
standard list describing aspects of URLs [46]. A mix of features was used to cover a wide
range of aspects of these URLs.
1. URL length: extremely long and short URLs can be a sign of phishing or concealing
information.
2. Number of digits: a URL with a large number of digits can be a sign of redirection or
malicious intent.
3. Number of special characters: a large number of special characters can be an indication
of malicious intent.
4. Has IP address: the presence of an IP address usually means redirection to an unse-
cured location.
5. Has HTTPS: if a URL uses HTTPS, the connection to the website is encrypted.
6. Number of periods: URLs with many dots mean there are multiple subdomains, a
common trick to look legitimate.
7. Domain length: very long or short domain lengths can potentially be an indicator of a
malicious website.
8. Port number: it is unusual for a URL to contain a port number.
9. Number of subdomains: a large number of subdomains can be an indicator of a
malicious website.
10. Has redirection: redirection to another website can be an attempt to conceal
malicious intent.
11. Path length: varying path lengths can be an indicator of phishing or malware.
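As an added illustration (not the paper's own code), the following Python computes the eleven features of Section 6.4 with urllib.parse and performs the balanced per-class sampling of Section 6.3; the special-character set, the subdomain approximation, the helper names, and the sample URLs are our own constructed assumptions.

```python
"""URL feature extraction and balanced sampling for a URL classifier.

Added illustration of Sections 6.3 and 6.4; not the authors' implementation.
"""
import ipaddress
import random
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: "special characters" are punctuation other than the structural
# characters . / : - _ that appear in almost every URL.
SPECIAL_CHARS = set("@?=&%#~!$*+,;'\"<>|\\^`{}[]()")

FEATURE_NAMES = [
    "url_length", "num_digits", "num_special", "has_ip", "has_https",
    "num_periods", "domain_length", "has_port", "num_subdomains",
    "has_redirection", "path_length",
]


def _split(url):
    # urlsplit only finds the netloc when a scheme is present; assume http otherwise
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def _hostname_is_ip(hostname):
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def extract_features(url):
    """Return the 11 numeric features of Section 6.4, in FEATURE_NAMES order."""
    parts = _split(url)
    host = parts.hostname or ""
    has_ip = _hostname_is_ip(host)
    labels = host.split(".") if host and not has_ip else []
    # Assumption: the registrable domain is the last two labels; anything before it
    # counts as a subdomain (a public-suffix list would be more precise).
    num_subdomains = max(len(labels) - 2, 0)
    # HTTPS only means the transport is encrypted, not that the site is trustworthy;
    # this feature is one signal among eleven, never a verdict on its own.
    has_https = parts.scheme == "https"
    # A second "//" after the scheme separator is the redirection pattern of feature 10.
    has_redirection = "//" in url.split("://", 1)[-1]
    return [
        len(url),                                   # 1. URL length
        sum(ch.isdigit() for ch in url),            # 2. number of digits
        sum(ch in SPECIAL_CHARS for ch in url),     # 3. number of special characters
        int(has_ip),                                # 4. has IP address
        int(has_https),                             # 5. has HTTPS
        url.count("."),                             # 6. number of periods
        len(host),                                  # 7. domain length
        int(parts.port is not None),                # 8. port number present
        num_subdomains,                             # 9. number of subdomains
        int(has_redirection),                       # 10. has redirection
        len(parts.path),                            # 11. path length
    ]


# Constructed sample rows using the four labels of Section 6.2.1 (not the Kaggle data).
SAMPLE_ROWS = [
    ("https://www.example.com/about", "benign"),
    ("https://shop.example.org/items?id=42", "benign"),
    ("http://192.168.0.10/update.exe", "malware"),
    ("http://203.0.113.7:8080/setup/install.exe", "malware"),
    ("http://secure-login.example-bank.com.evil.example/verify?acct=00123456", "phishing"),
    ("http://login.example.net//http://evil.example/confirm", "phishing"),
    ("http://www.example.edu/index.php?option=com_users&view=hacked", "defacement"),
    ("http://example-forum.net/2021/hacked-by-xyz.html", "defacement"),
]


def balanced_sample(rows, per_class, seed=0):
    """Draw the same number of (url, label) rows per class (Section 6.3 used 30,000 each)."""
    rng = random.Random(seed)
    by_label = defaultdict(list)
    for url, label in rows:
        by_label[label].append((url, label))
    sample = []
    for label in sorted(by_label):
        group = by_label[label]
        if len(group) < per_class:
            raise ValueError(f"class {label!r} has only {len(group)} rows")
        sample.extend(rng.sample(group, per_class))
    return sample


def build_matrix(rows, per_class, seed=0):
    """Balanced sample -> (X, y), ready for e.g. sklearn's RandomForestClassifier.fit."""
    sampled = balanced_sample(rows, per_class, seed)
    X = [extract_features(url) for url, _ in sampled]
    y = [label for _, label in sampled]
    return X, y
```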

Figure 3. Distribution of original dataset.

6.5. Limitations with Dataset


As seen in Figure 3, the original dataset retrieved from Kaggle has a large imbalance,
leaning towards mainly benign URLs [45]. This reflects the real world, where benign URLs
are much more common. However, for an ML model, this means that performance for
detecting malicious URLs will be poor, since they are a minority class, potentially leading
to misclassification. This is a result of the model being biased towards the majority dataset,
in this case, benign URLs.
A solution to this problem is to balance the dataset by sampling equal amounts of
data from the original dataset. The advantage of this approach is that the model will
become better at generally classifying all classes equally, instead of being biased towards
the majority class. However, the disadvantage of this approach is the lack of realism. The
model could classify benign URLs as malicious, which is not realistic. Nevertheless, it is
better to be on the safe side. It is more favorable for SMEs to misclassify a benign URL as a
malicious one, rather than the other way around. One approach simply has more tangible
consequences for the business.
7. Results
This section of the article covers both qualitative and quantitative results for the frame-
work and the tool. It is important to note that most research conducted for frameworks is
usually qualitative, meaning that their actual effectiveness is unknown. To properly assess
a framework, quantitative assessments need to be conducted to verify its impact on firms.
Therefore, a structured pilot assessment proposal is explored at the end of the section.

7.1. URL Classifier


The URL classifier was developed using the ML model and trained on the features
mentioned above. The classification matrix in Figure 4 shows the precision, recall, and
F1-score for each of the labels in the dataset. Precision measures how many of the positive
predictions are correct [47]. Recall measures how many of the actual positives are correctly
predicted [47]. The F1-score is the harmonic mean of precision and recall [47]. Based
on the extracted features, the accuracy of the model was 98%, meaning that it was very
accurate in classifying URLs. Figure 5 shows how this classifier can be used by employees
at the firm to check links. Once the employee places the link and clicks on classify, the
pre-trained model makes a prediction and returns information about the link.
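As an added illustration (not the paper's code), the per-class precision, recall, and F1 values of a classification report such as Figure 4 can be computed from true and predicted labels as follows; the constructed labels, the deliberate prediction errors, and the helper names are our own assumptions.

```python
"""Per-class precision, recall and F1 for the four URL classes of Section 6.2.1.

Added illustration of the metrics reported in Figure 4; not the authors' code.
"""
from collections import Counter

LABELS = ["benign", "defacement", "malware", "phishing"]


def classification_report(y_true, y_pred, labels=LABELS):
    """Return ({label: (precision, recall, f1)}, accuracy).

    precision = TP / (TP + FP): of the URLs predicted as this label, how many truly are
    recall    = TP / (TP + FN): of the URLs that truly have this label, how many were caught
    f1        = harmonic mean of precision and recall (0 when both are 0)
    """
    if len(y_true) != len(y_pred):
        raise ValueError("y_true and y_pred must have the same length")
    pairs = Counter(zip(y_true, y_pred))  # (true, predicted) -> count
    report = {}
    for label in labels:
        tp = pairs[(label, label)]
        fp = sum(c for (t, p), c in pairs.items() if p == label and t != label)
        fn = sum(c for (t, p), c in pairs.items() if t == label and p != label)
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
        report[label] = (precision, recall, f1)
    accuracy = sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)
    return report, accuracy


def missed_threats(y_true, y_pred):
    """Count malicious URLs predicted benign: the error Section 6.5 treats as the costly one."""
    return sum(1 for t, p in zip(y_true, y_pred) if t != "benign" and p == "benign")


# Constructed evaluation set: 10 URLs per class, with three deliberate prediction errors.
Y_TRUE = ["benign"] * 10 + ["defacement"] * 10 + ["malware"] * 10 + ["phishing"] * 10
Y_PRED = list(Y_TRUE)
Y_PRED[0] = "phishing"   # benign flagged as phishing: the cheaper mistake
Y_PRED[20] = "benign"    # malware passed as benign: the costly mistake
Y_PRED[21] = "phishing"  # malware confused with phishing: still flagged as a threat
```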

Figure 4. Classification report.

Figure 5. Developed URL classifier.

In the literature, various URL-based classification algorithms have been proposed,
such as those utilizing different feature sets, machine learning models, and hybrid approaches [48–50]. Compared to these existing approaches, our classifier offers several
specific contributions:
• The use of a novel feature set tailored to the specific needs of our dataset significantly
enhances the model’s ability to differentiate between malicious and benign URLs.
• An improved accuracy of 98%, which surpasses the performance of some traditional
classifiers, demonstrating its effectiveness in practical applications.
• A user-friendly interface that integrates seamlessly with existing workflows, allowing
employees to classify URLs efficiently and make informed decisions about link safety.
Our classifier’s performance and practical integration distinguish it from other models
and highlight its specific contributions to the field of URL classification.

7.2. SWOT Analysis


It is always important to critically analyze frameworks, to properly understand their
strengths, weaknesses, and opportunities for improvement. This can be performed in the
form of a SWOT analysis. A SWOT (strengths, weaknesses, opportunities, and threats)
analysis is an assessment framework that can be used to evaluate the key parts of an
initiative or project [51]. It is useful to conduct such an analysis for the framework to find
areas where it excels and those where it suffers. Table 3 showcases a SWOT analysis of the
framework that was conducted by the researchers.

Table 3. SWOT analysis.

Strengths:
• Modular structure.
• Tier-based security solutions based on resources.
• Focus on practical employee training.
• Focus on common threats.
• Encourages creation of support network for SMEs.
• Offers legal information.

Weaknesses:
• Untested with SMEs about utility.
• Focused on three common threats.
• Dependence on compliant and consistent employees.
• Still technical for readers without background knowledge.
• Higher-tier solutions can be resource-intensive.

Opportunities:
• Large market of SMEs for potential use.
• Can be scalable for businesses.
• Tool offers a practical use of the framework.
• Integration with other tools opens more pathways.

Threats:
• Continuous evolution of threat landscape.
• Need for periodic review and updates to prevent obsolescence.
• Competition with established frameworks.
• SMEs may not be comfortable shifting frameworks/policies.

7.3. Expert Feedback


Upon consultation with an individual with experience in the cybersecurity field, the
following evaluation of the framework was made. The methodology to find a professor was
to contact experts in the university’s Semantics, Cybersecurity, and Services group. This
group is composed of experts in a multitude of fields, including cybersecurity. Multiple
experts were contacted, and eventually, a discussion was held with one. During this meet-
ing, different components of the framework were presented, and feedback was requested
during the consultation. This interaction was cleared by the ethics committee of the home
institution. The rationale behind the framework was discussed, emphasizing the need for
specific techniques for SMEs.

7.3.1. Advantages
The detailed inclusion of the fundamentals of information security and focus on
employee training were positives. The tier-based system for threats was also highlighted
as a positive. The structure of the framework with interconnected sections and the use
of a practical tool were also positives since they could be used by employees throughout
a business.
7.3.2. Disadvantages
However, as with any novel framework, clear disadvantages were also noted. Limiting
the framework to three threats provides a narrow focus since businesses can face threats
outside this domain, leading them to be potentially unprepared. The need for quantitative
analysis further emphasizes the need for a pilot assessment with SMEs. Finally, the depen-
dence on employee compliance and training can be a pitfall without the proper procedures
to facilitate SDT and intrinsic motivation.

7.3.3. Recommendations
Properly motivating employees to be cyber-secure can be achieved through incentivization
using quizzes or gamifying cybersecurity training. By motivating employees
with a reward, they may attain more knowledge and make an extra effort to learn principles
from the framework.

7.4. Usability Testing


To gain a better understanding of the framework, usability testing was performed.
Participants were asked to read the framework shown in Figure 5 and then review its
different traits to measure effectiveness. They also tested the software by using different
links. A total of 10 participants (chosen at random) were asked to perform this experiment,
and ethical clearance was granted by the home institution. The framework was reviewed
for four different traits, which were clarity, scope, utility, and practicality. Each of these
was defined in the scope of SMEs. Clarity is a measure of how easy it is to go through the
framework and understand the technical language. The scope is a measure of how the
framework covers essential aspects of cybersecurity. Utility is a measure of how useful
the framework is in terms of tips and solutions. Finally, practicality is a measure of how
achievable the processes and solutions are in the framework; do they consider resource
constraints? Figure 6 shows the distribution of responses. The closer a number is to 5,
the better the score for each aspect. The closer a number is to 0, the worse the score for
the aspect.

[Figure 6: bar chart of the mean score (y-axis: Mean Score) for each of the traits Clarity, Scope, Utility, and Practicality (x-axis: Trait).]
Figure 6. Mean scores for framework traits.

7.5. Pilot Assessment


7.5.1. Setup
During this phase, SMEs selected for the assessment would be provided with the
framework and documentation to familiarize themselves with it. In this way, they have a
foundation upon which they can implement the framework, while simultaneously creating
a plan of action for execution. Their initial setup will also be documented.
7.5.2. Implementation and Monitoring


During this phase, the SMEs will implement the framework according to the plan that
they made, while monitoring their process and collecting data. During this phase, incidents
related to cybersecurity will also be observed and correlated to parts of the framework.
Data will also be gathered using a combination of qualitative and quantitative techniques
such as surveys, interviews, and reports to gather information about the effectiveness of
the framework.

7.5.3. Evaluation
During this phase, the data gathered will be evaluated on different metrics such
as security incidents faced by the SMEs, employee awareness of cybersecurity, and the
SMEs’ feedback on the framework itself. At the end of this phase, the framework’s ef-
fectiveness in a real-world situation can be evaluated and can be improved based on the
feedback received.

8. Discussion
The discussion section aims to critically evaluate the findings from the development
and implementation of the cybersecurity framework and tool designed for SMEs. This sec-
tion will explore the strengths and limitations of the proposed solutions, providing insights
into their practical applicability and effectiveness in real-world settings. By analyzing the
qualitative and quantitative data gathered from various assessments, we can determine
the overall impact and potential areas for improvement. The discussion will also address
the broader implications of the framework and tool, considering the evolving nature of
cybersecurity threats and the unique challenges faced by SMEs. Through this analysis, we
seek to offer a comprehensive understanding of the contributions made by this research
and identify opportunities for future work to further enhance the security posture of SMEs.

8.1. Framework
The framework was developed by combining promising solutions from academic
literature with basic structures employed by established frameworks. Nevertheless, it was
important to verify its effectiveness objectively to see if it possesses valuable information
for SMEs. The SWOT analysis shows that the structure of the framework provides multiple
advantages since it focuses on the fundamentals of cybersecurity, emphasizing employee
training as a big part. However, it does have weaknesses, such as a dependence on em-
ployee training, a narrow threat focus, and technical language associated with cybersecurity.
There is a need for periodic review, as the threat landscape is ever-evolving, so that the
framework is not rendered obsolete. The usability report also indicated that although the
framework has practical and useful information, participants found the technical language
and lack of depth challenging. The lack of depth was due to the focus on three threats and
the need for more descriptions. However, these results are qualitative, and quantitative
analysis could provide a more tangible interpretation of the effectiveness of the framework.
Therefore, the proposed pilot assessment can be a good method to quantitatively measure
its effectiveness.

8.2. Tool
The tool was developed using Flask [52], which is a micro web framework known
for its simplicity and flexibility in building web applications. Flask was chosen because
of its lightweight nature and ease of integration with the pre-trained model on the back
end. When a user submits a URL for classification, a request is made to the back end, which
runs the pre-trained model and returns the predicted category to the front end. The model had an accuracy of 98%
in properly classifying URLs into different categories. This high accuracy demonstrates
the model’s reliable performance across various categories, making it a valuable tool for
SMEs. Figure 4 shows that the model has a reliable performance across different categories,
meaning that it can be used by SMEs. This classification report demonstrates that the model
exhibits reliable performance across different categories (benign, phishing, defacement, and
malware), making it suitable for Small and Medium-sized Enterprises (SMEs) to utilize.
• High precision across categories: The precision for all categories (benign, phishing,
defacement, malware) is very high, with values ranging from 0.96 to 1. This indicates
that the model is highly accurate in identifying relevant categories with few false
positives. For SMEs, this accuracy is essential in avoiding unnecessary alerts or
incorrect classifications, which could lead to wasted resources or overlooked threats.
• High recall for threat categories: Recall measures how well the model correctly iden-
tifies actual threats. The recall values are 1 for benign, defacement, and phishing
categories and 0.97 for malware. This shows the model’s low rate of missing actual
threats, crucial for SMEs where undetected attacks can have severe consequences.
• Balanced F1-score: The F1-score, which balances precision and recall, is similarly
high across categories, ranging from 0.97 to 0.99. This balance ensures that the model
performs well in distinguishing between benign and harmful categories. For SMEs,
a reliable F1-score means they can trust the model to handle a variety of threats
effectively.
• Consistent performance across categories: The model does not show significant drops
in performance between categories. This consistency indicates that the model is not
biased towards any specific category, ensuring that SMEs can rely on it to handle
multiple types of cyber threats (e.g., phishing, malware, defacement) with equal
effectiveness.
• Scalability for SMEs: Given that SMEs often face resource limitations, they need re-
liable tools that perform well with minimal intervention. The high precision, recall,
and F1-scores across different categories suggest that SMEs can effectively imple-
ment this model without excessive fine-tuning, making it a scalable solution for their
cybersecurity needs.
In summary, the model’s robust performance metrics (precision, recall, and F1-scores
all near 1) across various threat categories ensure that SMEs can confidently rely on it to
enhance their cybersecurity posture.
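As an added example (not code from the paper or its tool), the following Python computes the per-class precision, recall and F1 that make up the classification report discussed above, and adds a missed-threat rate that isolates the error an SME should care about most: a malicious URL passed as benign, which per-class recall alone does not separate from confusion between two threat classes. The label vectors are constructed sample data, not the authors' dataset or model output.

```python
"""Per-class metrics for a four-way URL classifier (benign, phishing,
defacement, malware), as in the classification report of Section 8.2.

Added example, not code from the paper; SAMPLE_TRUE and SAMPLE_PRED are
constructed sample labels, not the authors' dataset or model output.
"""
from collections import Counter

CATEGORIES = ("benign", "phishing", "defacement", "malware")
THREATS = ("phishing", "defacement", "malware")


def confusion_matrix(y_true, y_pred):
    """Return counts[(true_label, predicted_label)] for every label pair."""
    if len(y_true) != len(y_pred):
        raise ValueError("label vectors must have equal length")
    return Counter(zip(y_true, y_pred))


def classification_report(y_true, y_pred, ndigits=2):
    """Precision, recall and F1 per category, plus overall accuracy.

    precision = TP / (TP + FP): of the URLs labelled X, how many really are X
    recall    = TP / (TP + FN): of the URLs that are X, how many were caught
    F1 is the harmonic mean of precision and recall.
    """
    cm = confusion_matrix(y_true, y_pred)
    report = {}
    for cat in CATEGORIES:
        tp = cm[(cat, cat)]
        fp = sum(n for (t, p), n in cm.items() if p == cat and t != cat)
        fn = sum(n for (t, p), n in cm.items() if t == cat and p != cat)
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        f1 = (2 * precision * recall / (precision + recall)
              if precision + recall else 0.0)
        report[cat] = {"precision": round(precision, ndigits),
                       "recall": round(recall, ndigits),
                       "f1": round(f1, ndigits),
                       "support": tp + fn}
    correct = sum(n for (t, p), n in cm.items() if t == p)
    report["accuracy"] = round(correct / len(y_true), ndigits)
    return report


def missed_threat_rate(y_true, y_pred):
    """Share of malicious URLs the tool would let through as benign.

    Per-class recall counts a malware URL labelled 'phishing' as a miss,
    but for an SME that URL is still flagged. The security-relevant error
    is a threat labelled benign, which this function measures on its own.
    """
    cm = confusion_matrix(y_true, y_pred)
    threats = sum(n for (t, _), n in cm.items() if t in THREATS)
    passed = sum(n for (t, p), n in cm.items()
                 if t in THREATS and p == "benign")
    return passed / threats if threats else 0.0


# Constructed sample: 100 labelled URLs and the predictions a classifier
# might return for them (illustrative numbers only, not the paper's data).
SAMPLE_TRUE = (["benign"] * 50 + ["phishing"] * 20
               + ["defacement"] * 15 + ["malware"] * 15)
SAMPLE_PRED = (["benign"] * 49 + ["phishing"]        # one benign -> phishing
               + ["phishing"] * 20
               + ["defacement"] * 15
               + ["malware"] * 13 + ["phishing", "benign"])  # two malware errors

if __name__ == "__main__":
    for cat, row in classification_report(SAMPLE_TRUE, SAMPLE_PRED).items():
        print(cat, row)
    print("missed threat rate:", missed_threat_rate(SAMPLE_TRUE, SAMPLE_PRED))
```

On the constructed sample the overall accuracy is 0.97 while malware recall is only 0.87, which shows why the per-class rows, and not the single accuracy figure, are the numbers an SME should read.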
However, SMEs will have to adjust the model and its dataset depending on the URLs
they encounter. For example, this model will have difficulty in recognizing the top-level
domains of some countries because of the sampled dataset. This means that the model will
need to be adapted based on the specific data used by the SME. The tool has also focused
on combating phishing, which is not the only threat that is faced by SMEs. The reason
for focusing on phishing is that it often serves as a precursor to other attacks, making it
a critical point of intervention. By reducing the probability of human error leading to a
phishing attack, we can significantly improve overall security.

8.3. Addressing Research Questions
This subsection reviews how each research question has been addressed throughout
the manuscript.

8.3.1. RQ1: What Are the Key Cybersecurity Threats and Challenges Faced by SMEs, and
How Do Existing Frameworks Address These Challenges?
In Section 3.2, we explored common cybersecurity threats such as malware, web-based
attacks, and phishing, which are significant challenges for SMEs. The limitations of existing
frameworks like NIST CSF and ISO 27001/2 in addressing these specific challenges were
also discussed. We identified that these frameworks, while robust, do not fully account for
the unique vulnerabilities of SMEs. This exploration helps in understanding the specific
threats and limitations that SMEs face.
8.3.2. RQ2: What Techniques or Approaches Can Be Implemented to Develop a Tailored
Cybersecurity Risk Assessment Methodology for SMEs?
Section 7 provides insights into the development of the URL classifier tool and its
application for SMEs. This tool represents a practical technique to address one aspect of
cybersecurity—phishing. The tool’s features and effectiveness, as discussed, offer a tailored
approach to improving cybersecurity for SMEs. Further, the proposed pilot assessment
and SWOT analysis provide a comprehensive methodology for evaluating and refining the
framework to suit SME needs.

8.3.3. RQ3: How Can the Effectiveness of the Developed Framework and Tool Be
Evaluated and Validated in Real-World SME Environments?
In addressing this research question, we plan to handle the evaluation of the frame-
work and tool through a structured pilot assessment in future work. This pilot assessment
will be conducted over 6–8 months, involving SMEs from various industries to ensure
a diverse dataset. The pilot will include phases for setup, implementation, monitoring,
and evaluation, allowing us to gather both quantitative and qualitative feedback on the
framework’s effectiveness. This approach will ensure a comprehensive validation of the
framework and tool’s impact in real-world SME environments, although the detailed
execution of this pilot is beyond the current scope of the research.

9. Limitations and Future Work
The research presented in this paper provides valuable insights into developing a
cybersecurity framework and tool tailored specifically for SMEs. However, like any study,
there are inherent limitations that must be acknowledged. Understanding these limitations
is crucial for accurately interpreting the results and identifying areas that could benefit from
further exploration. Additionally, this section will outline potential future work that could
build upon the findings of this study, addressing the limitations identified and expanding
the scope of the research to enhance its applicability and effectiveness in securing SMEs
against evolving cyber threats. By recognizing both the constraints and opportunities, we
aim to contribute to the continuous improvement of cybersecurity practices for SMEs.

9.1. Limitations
Firstly, the framework focuses on SMEs and is not fully applicable to larger
enterprises, which have a larger attack surface. Scaling the solution may therefore be an issue,
but the information it contains should not be disregarded: larger companies can still use it
to verify their existing cybersecurity structure.
Secondly, this framework focuses on the top three threats listed by ENISA, which were
malware, web-based attacks, and phishing [14]. However, this list contained 15 threats,
meaning that the framework can be expanded to include these threats. Sections for each
new threat can be added to the framework, along with their corresponding information
and tutorials, as needed. However, this can lead to the problem of high complexity. An
issue with the NIST CSF and ISO 27001/2 is their high technical complexity, leading to a
lack of understanding and motivation. Therefore, it is necessary to ensure the framework
maintains the same level of simplicity.
This research also focused on two frameworks, the NIST CSF and ISO 27001/2. However,
with the large number of frameworks available that may possess better techniques for
certain threats, there is an emphasis on the need for periodic review.

9.2. Future Work
This research is highly valuable for SMEs since it can aid them in creating appro-
priate defenses against cyberattacks. However, the limitations mentioned above can be
expanded upon.
Future work can be conducted to develop more quantitative feedback for the frame-
work and the tool. The main issue with developing solutions for SMEs is that they are
mainly qualitative without a metric of effectiveness. These solutions have been tested
qualitatively through user testing and expert testimonials. Quantitative feedback is yet to
be implemented but is needed to identify whether there is a positive or negative effect. In
addition, obtaining more qualitative feedback from SME owners and leaders could provide
valuable insights into the practical challenges and user experiences associated with the
tool. This qualitative feedback could help in understanding context-specific issues that may
not be fully captured by quantitative measures alone. Conducting detailed interviews or
surveys with SME stakeholders could yield deeper insights into the usability and impact of
the framework, as well as identify additional areas for improvement.
A proposed pilot assessment of the framework could be conducted over 6–8 months,
involving several SMEs from various industries. Selecting SMEs with diverse characteristics,
such as size, focus, and number of employees, would ensure a comprehensive evaluation.
This assessment would provide both qualitative and quantitative data on the framework’s
effectiveness and usability in real-world settings.
The tool could also offer more checklists to improve its customization, and more practical
features, such as a password strength checker and IP assistance.

10. Conclusions
This research addressed the increasing cybersecurity challenges faced by Small and
Medium Enterprises (SMEs) due to their growing reliance on sensitive data, making
them prime targets for cyberattacks. SMEs often struggle with limited resources and
inadequate cybersecurity expertise, leading to significant vulnerabilities that elevate their
overall risk profile. While existing cybersecurity risk assessment frameworks, such as
those developed by the National Institute of Standards and Technology (NIST) and the
International Organization for Standardization (ISO), offer robust guidelines, they are often
too complex for SMEs to effectively implement.
The primary goal of this research was to develop a tailored cybersecurity risk as-
sessment framework specifically designed to meet the needs and limitations of SMEs. To
achieve this, the study began by identifying and categorizing common threats and vulner-
abilities, focusing on those most relevant to SMEs. The research then analyzed existing
frameworks like the NIST Cybersecurity Framework (CSF) and ISO 27001/2, evaluating
their strengths and weaknesses in the context of SMEs.
Based on these insights, the research introduced a novel cybersecurity risk assessment
framework that incorporates effective techniques such as Security Development Tools
(SDTs) and Lightweight Cybersecurity Controls for SMEs (LCCI), with a particular empha-
sis on employee training as a critical component. This framework was further enhanced
by the development of a practical tool, designed to provide an interactive and dynamic
environment for SMEs to assess and manage their cybersecurity risks.
The framework and tool offer a promising start in addressing the cybersecurity needs
of SMEs, but further analysis is required to quantify their effectiveness. The proposed pilot
assessment is a key step in this direction, providing a method for quantitative evaluation.
As the threat landscape continues to evolve, it will be essential to periodically review and
update the framework to ensure its ongoing relevance and effectiveness. This research
lays the foundation for a more accessible and effective approach to cybersecurity for
SMEs, bridging the gap between existing frameworks and the unique challenges faced by
smaller enterprises.

Author Contributions: Conceptualization, M.E.-H. and Z.A.M.; methodology, M.E.-H.; software,
Z.A.M.; validation, M.E.-H. and Z.A.M.; formal analysis, M.E.-H. and Z.A.M.; investigation, M.E.-H.
and Z.A.M.; resources, Z.A.M.; data curation, Z.A.M.; writing—original draft preparation, M.E.-H.
and Z.A.M.; writing—review and editing, M.E.-H. and Z.A.M.; visualization, Z.A.M.; supervision,
M.E.-H.; project administration, M.E.-H.; funding acquisition, M.E.-H. All authors have read and
agreed to the published version of the manuscript.
Funding: This research received no external funding.
Data Availability Statement: Data are contained within the article.
Conflicts of Interest: The authors declare no conflicts of interest.

Abbreviations
The following abbreviations are used in this manuscript:

CIA Confidentiality, Authentication, and Integrity
CET Cybersecurity Evaluation Tool
ENISA European Union Agency for Cybersecurity
GDPR General Data Protection Regulation
ISMS Information Security Management System
ISO International Organization for Standardization
LCCI Least Cybersecurity Controls Implementation
MCAs Mission-Critical Assets
MFA Multi-Factor Authentication
NIST National Institute of Science and Technology
SDT Self-Determination Theory
SMEs Small and Medium Enterprises
VPN Virtual Private Networks

References
1. Chidukwani, A.; Zander, S.; Koutsakis, P. A Survey on the Cyber Security of Small-to-Medium Businesses: Challenges, Research
Focus and Recommendations. IEEE Access 2022, 10, 85701–85719. [CrossRef]
2. Corallo, A.; Lazoi, M.; Lezzi, M. Cybersecurity in the context of industry 4.0: A structured classification of critical assets and
business impacts. Comput. Ind. 2020, 114, 103165. [CrossRef]
3. Fernandez De Arroyabe, I.; Fernandez de Arroyabe, J.C. The severity and effects of Cyber-breaches in SMEs: A machine learning
approach. Enterp. Inf. Syst. 2023, 17, 1942997. [CrossRef]
4. Jahankhani, H.; Meda, L.N.K.; Samadi, M. Cybersecurity Challenges in Small and Medium Enterprise (SMEs). In Blockchain and
Other Emerging Technologies for Digital Business Strategies; Jahankhani, H., Kilpin, D.V., Kendzierskyj, S., Eds.; Springer International
Publishing: Cham, Switzerland, 2022; pp. 1–19. [CrossRef]
5. Carías, J.F.; Borges, M.R.S.; Labaka, L.; Arrizabalaga, S.; Hernantes, J. Systematic Approach to Cyber Resilience Operationalization
in SMEs. IEEE Access 2020, 8, 174200–174221. [CrossRef]
6. Saha, B.; Anwar, Z. A Review of Cybersecurity Challenges in Small Business: The Imperative for a Future Governance Framework.
J. Inf. Secur. 2024, 15, 24–39. [CrossRef]
7. Saxena, N.; Hayes, E.; Bertino, E.; Ojo, P.; Choo, K.K.R.; Burnap, P. Impact and key challenges of insider threats on organizations
and critical businesses. Electronics 2020, 9, 1460. [CrossRef]
8. International Organization for Standardization. ISO/IEC 27001:2022 Information Security Management Systems. Available
online: https://www.iso.org/standard/27001 (accessed on 1 May 2024).
9. AL-Dosari, K.; Fetais, N. Risk-Management Framework and Information-Security Systems for Small and Medium Enterprises
(SMEs): A Meta-Analysis Approach. Electronics 2023, 12, 3629. [CrossRef]
10. Islam, M.A.; Khan, M.A.; Obaidullah, A.Z.M.; Alam, M. Effect of Entrepreneur and Firm Characteristics on the Business Success
of Small and Medium Enterprises (SMEs) in Bangladesh. Int. J. Bus. Manag. 2011, 6, 289–299. [CrossRef]
11. Heikkilä, M.; Rättyä, A.; Pieskä, S.; Jämsä, J. Security challenges in small- and medium-sized manufacturing enterprises. In
Proceedings of the 2016 International Symposium on Small-scale Intelligent Manufacturing Systems (SIMS), Narvik, Norway,
21–24 June 2016; pp. 25–30. [CrossRef]
12. van Haastrecht, M.; Sarhan, I.; Shojaifar, A.; Baumgartner, L.; Mallouli, W.; Spruit, M. A Threat-Based Cybersecurity Risk
Assessment Approach Addressing SME Needs. In Proceedings of the 16th International Conference on Availability, Reliability
and Security (ARES '21), New York, NY, USA, 17–20 August 2021. [CrossRef]
13. Chindipha, S.; Irwin, B. Evaluation of the Effectiveness of Small Aperture Network Telescopes as IBR Data Sources. Ph.D. Thesis,
Rhodes University, Faculty of Science, Computer Science, Makhanda, South Africa, 2023. [CrossRef]
14. Lourenco, M.; Marinos, L. Web Application Attacks. 2020; pp. 1–20. Available online: https://www.enisa.europa.eu (accessed
on 1 May 2024).
15. Committee on National Security Systems. CNSSI No. 4009: Committee on National Security Systems (CNSS) Glossary 2015.
Available online: https://rmf.org/wp-content/uploads/2017/10/CNSSI-4009.pdf (accessed on 1 May 2024).
16. Singh, A.; Sharma, A.; Sharma, N.; Kaushik, I.; Bhushan, B. Taxonomy of Attacks on Web Based Applications. In Proceedings of
the 2019 2nd International Conference on Intelligent Computing, Instrumentation and Control Technologies (ICICICT), Kerala,
India, 5–6 July 2019; Volume 1, pp. 1231–1235. [CrossRef]
17. Nieles, M.; Dempsey, K.; Yan Pillitteri, V. An Introduction to Information Security. Nist Spec. Publ. 2017, 800, 101. [CrossRef]
18. Khan, N.; Al-Yasiri, A. Identifying cloud security threats to strengthen cloud computing adoption framework. Procedia Comput.
Sci. 2016, 94, 485–490. [CrossRef]
19. Rupra, S.S.; Omamo, A. A cloud computing security assessment framework for small and medium enterprises. J. Inf. Secur. 2020,
11, 201–224. [CrossRef]
20. Pugnetti, C.; Casián, C. Cyber risks and Swiss SMEs: An investigation of employee attitudes and behavioral vulnerabilities.
ZHAW Digit. Collect. 2021, 1, 1–31.
21. Mansfield-Devine, S. Ransomware: Taking businesses hostage. Netw. Secur. 2016, 2016, 8–17. [CrossRef]
22. Luna, A.; Levy, Y.; Simco, G.; Li, W. Proposed Empirical Assessment of Remote Workers’ Cyberslacking and Computer Security
Posture to Assess Organizational Cybersecurity Risks. In Proceedings of the 2022 IEEE High Performance Extreme Computing
Conference (HPEC), Virtual, 19–23 September 2022; pp. 1–2. [CrossRef]
23. Chawla, M.; Chouhan, S.S. A survey of phishing attack techniques. Int. J. Comput. Appl. 2014, 93. [CrossRef]
24. Sangani, N.K.; Vijayakumar, B. Cyber security scenarios and control for small and medium enterprises. Inform. Econ. 2012, 16, 58.
25. López, M.Á.; Enríquez, J.M.L.; López, M.; Jiménez, C.M.A.; Velasco, S.; Braojos, M.A.; García, M.F. Intelligent detection and
recovery from cyberattacks for small and medium-sized enterprises. IJIMAI 2020, 6, 55–62. [CrossRef]
26. Parmar, B. Protecting against spear-phishing. Comput. Fraud. Secur. 2012, 2012, 8–11. [CrossRef]
27. Marican, M.N.Y.; Razak, S.A.; Selamat, A.; Othman, S.H. Cyber Security Maturity Assessment Framework for Technology
Startups: A Systematic Literature Review. IEEE Access 2023, 11, 5442–5452. [CrossRef]
28. Barrett, M. Framework for Improving Critical Infrastructure Cybersecurity, version 1.1; National Institute of Standards and Technology:
Gaithersburg, MD, USA, 2018. [CrossRef]
29. ISO/IEC 27001:2022; Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—
Requirements. ISO: New York, NY, USA, 2022.
30. Groš, S. A Critical View on CIS Controls. arXiv 2020, arXiv:1910.01721. [CrossRef]
31. ISACA. COBIT 2019 Framework: Governance and Management Objectives; ISACA: Schaumburg, IL, USA, 2018.
32. ISO/IEC 27701:2019; Security Techniques—Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management—
Requirements and Guidelines. ISO: New York, NY, USA, 2019.
33. Benz, M.; Chatterjee, D. Calculated risk? A cybersecurity evaluation tool for SMEs. Bus. Horizons 2020, 63, 531–540. [CrossRef]
34. Ganji, D.; Kalloniatis, C.; Mouratidis, H.; Gheytassi, S.M. Approaches to Develop and Implement ISO/IEC 27001 Standard -
Information Security Management Systems: A Systematic Literature Review. Int. J. Adv. Softw. 2019, 12, 228–238.
35. Pawar, S.; Palivela, D.H. LCCI: A framework for least cybersecurity controls to be implemented for small and medium enterprises
(SMEs). Int. J. Inf. Manag. Data Insights 2022, 2, 100080. [CrossRef]
36. Sukumar, A.; Mahdiraji, H.A.; Jafari-Sadeghi, V. Cyber risk assessment in small and medium-sized enterprises: A multilevel
decision-making approach for small e-tailors. Risk Anal. 2023, 43, 2082–2098. [CrossRef] [PubMed]
37. Ambreen, L.; Jain, M.; Yadav, R.K.; Loonkar, S. Effective cybersecurity risk management practices for small and medium-sized
enterprises: A comprehensive review. Multidiscip. Rev. 2023, 6, e2023ss080. [CrossRef]
38. Tsokkis, P.; Stavrou, E. A password generator tool to increase users’ awareness on bad password construction strategies. In
Proceedings of the 2018 International Symposium on Networks, Computers and Communications (ISNCC), Rome, Italy, 19–21
June 2018; pp. 1–5. [CrossRef]
39. Kubariev, O.; Piatykop, O.; Pronina, O.; Levytska, T. The Research on Methods for Generating Random Passwords. In Proceedings
of the 2023 IEEE International Conference on Information and Telecommunication Technologies and Radio Electronics (UkrMiCo),
Kyiv, Ukraine, 13–18 November 2023; pp. 63–66. [CrossRef]
40. Team, E. Why Are Strong Passwords Still Crucial Even with MFA Enabled?—Enpass—Enpass.io. 2023. Available online:
https://www.enpass.io/blog/security/strong-passwords-still-crucial-with-mfa-enabled/ (accessed on 20 April 2024).
41. Möller, D.P.F.; Vakilzadian, H. Cybersecurity Awareness Training: A Use Case Model. In Proceedings of the 2023 IEEE
International Conference on Electro Information Technology (eIT), Romeoville, IL, USA, 18–20 May 2023; pp. 242–247. [CrossRef]
42. Sandhu, R.S. Role-Based Access Control; Elsevier: Amsterdam, The Netherlands, 1998; Volume 46, pp. 237–286. [CrossRef]
43. Moses, S.; Rowe, D. Physical Security and Cybersecurity: Reducing Risk by Enhancing Physical Security Posture through
Multi-Factor Authentication and other Techniques. Int. J. Inf. Secur. Res. 2016, 6, 667–676. [CrossRef]
44. Donges, N. Random Forest: A Complete Guide for Machine Learning. 2024. Available online: https://builtin.com/data-science/
random-forest-algorithm (accessed on 10 April 2024).
45. Siddhartha, M. Malicious URLs Dataset—Kaggle.com. 2021. Available online: https://www.kaggle.com/datasets/sid321axn/
malicious-urls-dataset (accessed on 20 April 2024).
46. Abad, S.; Gholamy, H.; Aslani, M. Classification of Malicious URLs Using Machine Learning. Sensors 2023, 23, 7760. [CrossRef]
47. Kanstrén, T. A Look at Precision, Recall, and F1-Score—Towardsdatascience.com. 2020. Available online: https:
//towardsdatascience.com/a-look-at-precision-recall-and-f1-score-36b5fd0dd3ec (accessed on 20 April 2024).
48. Ilias, L.; Roussaki, I. Detecting malicious activity in Twitter using deep learning techniques. Appl. Soft Comput. 2021, 107, 107360.
[CrossRef]
49. Ahammad, S.H.; Kale, S.D.; Upadhye, G.D.; Pande, S.D.; Babu, E.V.; Dhumane, A.V.; Bahadur, M.D.K.J. Phishing URL detection
using machine learning methods. Adv. Eng. Softw. 2022, 173, 103288. [CrossRef]
50. Bouijij, H.; Berqia, A. Machine learning algorithms evaluation for phishing URLs classification. In Proceedings of the 2021
4th International Symposium on Advanced Electrical and Communication Technologies (ISAECT), Alkhobar, Saudi Arabia, 6–8
December 2021; pp. 1–5.
51. Kenton, W. How To Perform a SWOT Analysis—Investopedia.com. 2024. Available online: https://www.investopedia.com/
terms/s/swot.asp (accessed on 20 April 2024).
52. Copperwaite, M.; Leifer, C. Learning Flask Framework; Packt Publishing Ltd.: Birmingham, UK, 2015.

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual
author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to
people or property resulting from any ideas, methods, instructions or products referred to in the content.