Not All SMEs Are the Same: Categorizing Security Needs of SMEs
Source: Journal of Information Systems Security, Volume 21, Number 3 (2025), Pages 201–225. ISSN 1551-0123 (Print), ISSN 1551-0808 (Online).
Authors: Murray E. Jennex, Jeffry Babb, Amjad Abdullat, Abraham Abby Sen, Kareem Dana (all West Texas A&M University, USA)
Publisher: Information Institute Publishing, Washington DC, USA
Abstract
This paper presents a novel categorization and maturity model for Small and Micro Enterprises (SMEs), designed to address their unique cybersecurity challenges. Based on a detailed analysis of 40 cybersecurity audits, the proposed model categorizes SMEs into five levels of IS/IT usage: Basic, Minimal, Competitive, Integrated, and Strategic. Each level identifies specific risks, threats, knowledge requirements, and cybersecurity controls, providing a clear roadmap for SMEs to enhance their cybersecurity maturity. The model not only simplifies cybersecurity evaluation for non-technical SME owners but also equips auditors with a standardized framework for assessing preparedness. This study makes significant theoretical contributions by extending maturity model literature to the SME context, emphasizing the sociotechnical interplay of technology adoption and organizational readiness. Practically, it provides actionable guidance for resource allocation, promotes proactive cybersecurity cultures, and fosters ecosystem collaboration through partnerships with universities and Managed Service Providers (MSPs). These collaborations offer SMEs cost-effective access to expertise, training, and advanced tools, enabling them to mitigate vulnerabilities and ensure compliance with regulatory standards. The findings emphasize the growing importance of addressing SME-specific cybersecurity needs, particularly in critical sectors such as healthcare and childcare. Future research will focus on incorporating emerging technologies, such as AI and IoT, and expanding the model's applicability to diverse geographic and industrial contexts.
Keywords
Cybersecurity, SME, Maturity Models, University Partnerships, IS/IT Usage, Regulatory Compliance, Security Knowledge.
