Cyber Resilience Key Metrics in Small and Medium-Sized Enterprises
Abstract
Introduction. Cyber security is a dynamic, human-made environment where information, processes, and technologies converge, making cyber resilience essential for sustainable economic development. Cyber security incidents impede national security, economic stability, and digital transformation, underscoring the need to strengthen cyber capacity globally, especially among small and medium enterprises (SMEs), where the responsibility of each participant in the cyber security landscape is essential. Because cyber security is transdisciplinary, it necessitates effective management of the risks, compliance obligations, and socioeconomic impact of cyber security incidents.
Aim and tasks. This study introduces a cyber resilience metrics framework that consolidates security controls by functional areas, aligns them with incident lifecycle stages, and clarifies the purpose and tasks of each stage.
Results. This study offers an approach for implementing and validating a comprehensive set of cyber security measures, emphasising continuous testing and proactive updates. The cyber resilience metrics framework makes compliance in the evolving cyber security landscape mandatory, using a reliability assessment based on Cronbach’s alpha, which measures the internal consistency reliability and credibility of the item set. The framework confirms a significant correlation in the process of resolving cyber incidents: the more accurate the information acquisition (based on metrics data), the less time is required to resolve the overall incident. Expert validation confirmed that these metrics promote compliance, competitiveness, and effective risk mitigation within a cost-effective framework. The cyber security exercise was conducted in five stages. Cyber simulation exercises and the analytic hierarchy process (AHP) are interconnected, as both apply a hands-on approach to the hierarchical analysis of cyber security requirements as critical elements.
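The reliability check referred to above, worked through as an added example that is not code or data from the paper: Cronbach’s alpha over a constructed set of expert ratings of hypothetical metric items, with item-total analysis to find the item that lowers consistency and recoding of a reverse-keyed item (the item names, ratings and the 0.7 rule of thumb are assumptions, not values from the study).

```python
"""Cronbach's alpha for checking a cyber resilience metric item set.

Added illustration, not code or data from the paper: the six expert
ratings and the five metric item names below are constructed.
"""
from statistics import variance

# Constructed data: six experts rate five candidate metric items (1-5)
# on how well each indicates an SME's cyber resilience. The last item is
# a hypothetical reverse-keyed one (more hours to restore = worse).
METRIC_ITEMS = [
    "mean_time_to_detect", "mean_time_to_contain",
    "backup_restore_tested", "staff_awareness_trained",
    "hours_to_restore_service",
]
EXPERT_RATINGS = [
    [5, 4, 5, 4, 2],
    [4, 4, 4, 3, 3],
    [3, 3, 3, 3, 3],
    [5, 5, 4, 5, 2],
    [2, 2, 3, 2, 4],
    [4, 3, 4, 4, 3],
]
ACCEPTABLE_ALPHA = 0.7  # common rule-of-thumb minimum for internal consistency

def cronbach_alpha(ratings):
    """alpha = k/(k-1) * (1 - sum of item variances / variance of totals)."""
    k = len(ratings[0])
    item_vars = [variance([row[i] for row in ratings]) for i in range(k)]
    total_var = variance([sum(row) for row in ratings])
    if total_var == 0:
        raise ValueError("all respondents have the same total; alpha undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)

def alpha_if_deleted(ratings, names):
    """Item-total analysis: alpha with each item dropped in turn. An item
    whose removal raises alpha is either off-construct or reverse-keyed."""
    return {name: cronbach_alpha([row[:i] + row[i + 1:] for row in ratings])
            for i, name in enumerate(names)}

def reverse_key(ratings, index, scale_max=5):
    """Recode item `index` so that a higher score means better resilience."""
    return [row[:index] + [scale_max + 1 - row[index]] + row[index + 1:]
            for row in ratings]

if __name__ == "__main__":
    full = cronbach_alpha(EXPERT_RATINGS)
    print(f"alpha (all items): {full:.3f}  acceptable={full >= ACCEPTABLE_ALPHA}")
    for name, a in alpha_if_deleted(EXPERT_RATINGS, METRIC_ITEMS).items():
        print(f"  alpha without {name}: {a:.3f}")
    fixed = cronbach_alpha(reverse_key(EXPERT_RATINGS, 4))
    print(f"alpha after recoding hours_to_restore_service: {fixed:.3f}")
```

On this constructed data the full set scores about 0.60 and item-total analysis points at the reverse-keyed item; recoding it rather than dropping it lifts alpha to about 0.95, which is the check to run before trusting a metric set's expert validation.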
Conclusions. This study identified key areas of cyber resilience based on the protection of critical infrastructure and the financial sector, using both regular testing of business continuity plans and assessments of cyber capabilities. The experimental studies combine quantitative and qualitative data to create reliable metrics and frameworks for enhancing SMEs' cyber resilience. Thus, using the optimal cyber resilience metrics framework together with the experiment, cyber resilience metrics can help identify organisational weaknesses in decision-making and resolve cyber incidents.
Keywords:
resilience, metrics, cyber security, experiment, risk management.