Files and links (1)
CC BY V4.0, Open Access
Journal article
Beyond Self-Reporting: Uncovering the Operational Realities of SME Cybersecurity Through Expert Assessment
Computers & security, Vol.164, 104839
2026
Abstract
This study builds upon the foundational research of Chidukwani et al. (2022, 2024) to critically examine and validate cybersecurity assertions made by small and medium-sized enterprises (SMEs). Through a mixed-method multiple case study design, the research employed a comprehensive methodology to gain firsthand insights into SME cybersecurity postures. Central to this study is the introduction of the Validated Cybersecurity Posture Assessment Framework (VCPAF), a novel multi-layered methodology tailored to the SME context. VCPAF integrates self-reported assessments, expert-led interviews, technical vulnerability scanning, artifact and documentation review, and a triangulated scoring and gap analysis. This holistic and iterative approach enables a more accurate and context-sensitive validation of cybersecurity practices, bridging the gap between perceived and actual security postures.
Fieldwork included site visits, inspections, direct observations, and in-depth interviews with key personnel to validate initial survey responses from Chidukwani et al. (2024). Benchmarking against the NIST Cybersecurity Framework (CSF), the study revealed significant disparities between SMEs’ self-reported cybersecurity practices and evidence from expert assessments. SMEs consistently overstated their cybersecurity maturity, often conflating IT support with cybersecurity services. Overestimations were particularly notable across the NIST CSF’s five core functions: Identify, Protect, Detect, Respond, and Recover with critical weaknesses identified in asset management, patch management, network security, access control, monitoring, and incident response. Additionally, misunderstandings regarding IT provider responsibilities and regulatory obligations were found to exacerbate vulnerabilities.
We conclude that self-reporting alone is insufficient for accurately assessing SME cybersecurity posture. To close the gap between perceived and actual security practices, independent validation and tailored frameworks are critical. We advocate for sector-specific adaptations of established standards, transparent service provider agreements, and mandatory employee training. Additionally, introducing an industry standardised terminology and taxonomy similar to those used in healthcare insurance would simplify service offerings, and improve SME understanding of cybersecurity responsibilities.
Details
- Title
- Beyond Self-Reporting: Uncovering the Operational Realities of SME Cybersecurity Through Expert Assessment
- Authors/Creators
- ALLADEAN Chidukwani - School of Information Technology, College of Science, Technology, Engineering and Mathematics, Murdoch University 90 South St, Murdoch, Western Australia, 6150SEBASTIAN Zander - Murdoch University, School of Information TechnologyPOLYCHRONIS Koutsakis - Murdoch University, School of Information Technology
- Publication Details
- Computers & security, Vol.164, 104839
- Publisher
- Elsevier Ltd.
- Number of pages
- 23
- Identifiers
- 991005861092207891
- Copyright
- © 2026 The Author(s).
- Murdoch Affiliation
- School of Information Technology
- Language
- English
- Resource Type
- Journal article
Metrics
1 Record Views