Article

Development of an Application-Based Framework for Information Security Management in SMEs

Faculty of Civil Engineering, Transilvania University of Brasov, 500036 Brasov, Romania
* Author to whom correspondence should be addressed.
Sustainability 2025, 17(18), 8314; https://doi.org/10.3390/su17188314
Submission received: 23 July 2025 / Revised: 12 September 2025 / Accepted: 12 September 2025 / Published: 16 September 2025

Abstract

In an increasingly interconnected and sustainability-driven digital landscape, effective risk management and robust information security practices are essential not only for protecting organizational assets but also for ensuring long-term operational resilience and regulatory compliance, especially for small and medium-sized enterprises (SMEs), which aim to grow but have limited resources. This paper presents the development of a practical framework and a supporting application—GestionAVR—for implementing an Information Security Management System (ISMS) that integrates structured risk management processes. The research presents some theoretical insights and practitioners’ input, with a focus on the needs of SMEs. The framework includes a predefined set of categorized risks across four key areas: organizational, personnel, physical, and technological. Designed for usability and adaptability, the GestionAVR application facilitates risk identification, prioritization, monitoring, and continuous improvement. Validated through a case study in the engineering sector, the solution proved to be effective in enhancing decision-making, reducing time spent on planning, and minimizing overlooked vulnerabilities. Future developments include integration of sustainability indicators aligning with recent updates to ISO 27001 standards, AI-based data analysis and automated reporting. This research offers a customizable and cost-effective tool that supports information security and sustainable organizational development.

1. Introduction

Digital technologies play a vital role in advancing sustainable manufacturing by enhancing the efficiency of production systems and enabling cleaner, more environmentally responsible processes. Increasingly, innovative approaches to sustainability depend on the strategic use of digital tools and solutions [1].
In an increasingly information technology and digitization-driven society, this transformation brings both competitive advantages and significant risks. On the one hand, digitalization offers opportunities for improving sustainability [2] (reducing paper use, integrating people from different locations, etc.) and enhancing organizational efficiency. On the other hand, there are also risks, such as vulnerabilities to cyberattacks, data loss, or breaches of confidentiality, which require the careful management of information security [3,4].
In today’s interconnected world, information has become one of the most valuable assets for businesses of all sizes [5,6,7]. The rapid digital transformation, fueled by advancements in technology, offers vast opportunities for small enterprises to expand globally. However, with these opportunities comes the ever-present challenge of ensuring robust information security. The need for comprehensive information security practices has never been more urgent, as cyber threats continue to evolve and pose significant risks to business operations, reputation, and growth potential. As organizations increasingly rely on electronically stored and processed information, there is a growing and urgent need to safeguard this data through the implementation of various information security management tools and practices [8].
Information security (IS) represents one of the most significant challenges in the contemporary business landscape. The security of information systems, and by extension, the management of information as a critical resource, is a significant concern that affects organizations across all industries [9].
For small enterprises seeking to internationalize, the lack of information security can present a major barrier [10]. Without secure systems to protect sensitive data, companies may face compliance challenges, increased vulnerability to cyberattacks, and the erosion of trust among international customers and partners [11,12].
In recent years, the implementation of Information Security Management Systems (ISMS) has become a critical factor for organizations seeking to safeguard their assets and ensure compliance with regulatory requirements. However, small and medium-sized enterprises (SMEs) face distinct challenges, including limited resources, lack of specialized expertise, and the complexity of existing standards, which often hinder the adoption and effective management of an ISMS. This study addresses these issues by investigating the needs and constraints of SMEs and developing a practical framework and tool to support them in this process.
Based on this context, theoretical research is guided by the following questions:
RQ1: What are the specific needs and requirements of SMEs for adopting and maintaining an effective Information Security Management System (ISMS)?
RQ2: What are the principal challenges that SMEs encounter in the implementation of an ISMS?
Therefore, the objective of the empirical study is to design a customized ISMS framework and develop a supporting software tool that addresses the unique challenges of SMEs, enabling the efficient implementation and management of information security processes.
To answer these questions, the paper is structured as follows: the first section (Section 1) presents a theoretical foundation by reviewing the key concepts of Information Security Management Systems (ISMS). Section 2 outlines the research methodology and introduces the proposed framework for approaching information risk management in a small and medium-sized enterprise (SME), together with the application developed for use in practice. Subsequently, a case study demonstrates the practical use of the developed application within the factory of an SME from the mechanical engineering sector. The paper concludes with a discussion of the main findings after the implementation of the application and the potential benefits its use can bring to an organization.

2. Theoretical Background

2.1. Information Security

Although various definitions of information security exist, one widely accepted definition is provided by Whitman and Mattord (2011): “Information security is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information” [13]. Information security focuses on safeguarding information by ensuring its confidentiality, integrity, and availability [14]. IS is essential due to the risks inherently introduced by the technologies used to process, store, and transmit information [15].
The primary objective of information security is to protect organizational operations from potential threats while supporting the successful execution of daily activities. This is achieved by ensuring confidentiality, integrity, availability, and non-repudiation [16], while the ISO standard identifies the CIA triad as the core principles, to which authenticity, accountability, and reliability may also be added [17].
Already in their 2002 work, Blakley, McDermott & Geer [15] emphasized that the importance of information security is directly linked to the degree to which an organization depends on information technology. Consequently, when organizational information is subject to risk, the implementation of information security measures becomes both necessary and justified [15].
Effective information security requires management to define strategy and objectives, assess risks’ business impact, establish supporting organizational conditions, and provide adequate resources for IT and security operations [18]. Information security is an ongoing process to identify and mitigate risks, implemented through a strategically designed ISMS tailored to an enterprise’s objectives, requirements, and structure [19].

2.2. Risk Management and Information Security

Burggräf et al. (2021), who conducted a review of the risk management approaches in factory planning, concluded that there is a lack of comprehensive risk management approaches and methods that address the unique needs of a factory [20]. In business terms, risk refers to the potential occurrence of an event that could negatively impact the value of the organization; such an event is called an adverse event [15]. Information security failures are unequivocally adverse events that can lead to significant business losses. As such, information security should be understood as a risk management discipline, aimed at controlling and minimizing the cost of information-related risks to the organization [15].
Risk management should not be centered on avoiding risks at all costs, but instead on promoting transparency and awareness of risks, and on seeking to exploit opportunities. This perspective is commonly adopted in North America, but not in other countries of the world (for example Germany) [20]. A key priority should be to determine the barriers to implementing risk procedures in SMEs and to increase awareness of the benefits offered by risk management and control practices [21].
Based on the finding that traditional approaches to information security often address individual aspects in isolation, thereby overlooking the complex interdependencies among internal and external threats, system vulnerabilities, and defense mechanisms, a recent study proposes a multi-method framework that integrates System Dynamics (SD) and Agent-Based Modeling (ABM), which allows a comprehensive analysis of the complex interactions within information security systems, considering both insider and outsider threats [20]. Based on a study on information security and risk assessment practices among professionals, highlighting key challenges, practices and roles, tools like Business Impact Analysis, Penetration Tests, Security Scanners, and Bowtie Diagrams emerged as the most frequently used and cost-effective methods across organizational levels [16].
On the other hand, many researchers emphasize the importance of training people and developing a risk-oriented culture. According to Qiu et al. (2024), enterprises must not only implement an effective Information Security Management System but also prioritize the development of employee awareness and skills [22]. Strengthening information security awareness training is essential to enhancing staff competencies and fostering a security-conscious organizational culture [13,22]; it is equally important to motivate staff to take security issues seriously and to consider information security an important aspect of their duties [18]. Katsikas focused on identifying the training needs of personnel employed in health care establishments regarding the information security system [23].
This research started from the premise that all employees need training regardless of their seniority, because the challenges in information security management change periodically and the new and updated responses and actions need to be known by all. Furthermore, existing knowledge should be refreshed. Besides that, new risks can occur in a factory, especially as it develops, so the people working there should be prepared to face them.
Other studies highlight that the engagement and awareness of top management are critical to recognizing the importance of the Information Security Management System and to its effective implementation [8,24,25]. Moreover, for an efficient implementation of an ISMS, management should provide adequate resources to support the necessary processes, enabling the organization to achieve appropriate levels of information security [26].
A variety of heterogeneous factors, including human and organizational characteristics, technology, processes, and the business environment, contribute to the development of a resilient and robust security strategy [27]. Therefore, one objective of the present research was to propose a way to manage the variations introduced by these factors by developing a standardized framework for effective risk mitigation.
The question of how to effectively approach risk management in information security remains a subject of continued discussions, as there is no homogenous approach across diverse strands of the literature.

2.3. Information Security Management Systems (ISMS)

The development and implementation of an Information Security Management System (ISMS) has become the preferred approach for systematically managing information security risks. An ISMS offers a structured framework comprising actionable requirements, policies, guidelines, and process definitions that assist organizations in aligning with their specific information security objectives. A fundamental component of any ISMS is Information Security Risk Management (ISRM), which ensures that information security risks are consistently identified, evaluated, and addressed in accordance with the organization’s defined risk appetite and governance principles [14].
According to several researchers, implementing and using a structured process for information security in an organization has benefits on multiple levels: organizational performance, financial results, branding, and reputation [9,22], but there is a need for future research to investigate various organizational contexts and industries in order to gain a more nuanced understanding of ISMS practices and their influence on organizational agility [9].
As cyber threats and internal security breaches become more frequent, implementing a risk-based ISMS has become essential, not only to reduce information security risks but also to strengthen competitiveness on the global market [28]. Having an Information Security Management system or approach is nowadays a prerequisite for an organization aiming to grow [29]. An ISMS deals with threats from internal and external sources, which can be caused by both human and non-human actions. Usually, these systems are used as a tool for assessing the risks associated with perceived and actual threats [27].
Small and medium-sized enterprises (SMEs) face unique needs and constraints when adopting and managing an Information Security Management System (ISMS). Addressing RQ1, this study identifies several key considerations. SMEs require solutions that are cost-effective, easy to manage, and aligned with their limited financial and human resources. Research highlights the need for simplified, rapid, and maintainable security management models, supported by short-term implementation plans to facilitate adoption [30]. SMEs often struggle with the complexity of existing standards, which are not always approachable or practical for smaller organizations. To address this, methodological guidance is essential, providing clear instructions on how to define, introduce, and operate an ISMS [31,32]. This includes offering practical starting points, such as predefined risk lists, as well as supporting tools and templates that reduce implementation effort and costs while remaining aligned with ISO/IEC 27001 [17] to ensure a smooth certification process. Ultimately, SMEs need a systemic and progressive approach to risk management that supports business growth, sustainability, and long-term competitiveness [33].
Addressing RQ2, several key factors emerge from the literature and practice. SMEs operate in a complex environment with limited resources, often facing systems with multiple levels of exigency and lacking centralized tools to manage information security efficiently [34]. Managers not only require evidence that risk mitigation measures are implemented but also that they are effective and cost-saving [35]. The average knowledge of employees involved in ISMS implementation is generally lower in SMEs than in large organizations, where skilled staff can be hired specifically for management systems. In SMEs, internal employees typically incorporate ISMS responsibilities into their regular duties [32]. Management support can also be a critical challenge: if leadership perceives an ISMS as lengthy, costly, or unnecessary, they may refuse to fund its implementation. Solutions proposed in the study of Valdevit et al. (2009) include obtaining a written management commitment to ensure understanding and acceptance of ISMS requirements, implications, and responsibilities [32].
Further challenges arise from complex compliance requirements and limited access to guidance or support. SMEs may face a collateral risk, where the enterprise must operate without a security management system due to resource constraints [36]. Barlette and Fomin (2010) highlight additional difficulties associated with ISO 27000 standards, including their generality and static nature, the complexity of interpreting abstract requirements, an overemphasis on checklists while neglecting human and social factors, and limited scalability, making it difficult for smaller organizations to implement the standards effectively [37]. Supporting this, empirical research reported that it took nearly two years to fully implement and certify an SME for ISO compliance, underscoring the practical challenges involved [32].
Upon reviewing the literature, it becomes evident that the needs and challenges of SMEs are closely interconnected. Many of the specific requirements identified—such as simplified, cost-effective approaches, methodological guidance, and practical tools—directly correspond to solutions for the challenges SMEs encounter during ISMS implementation, highlighting the reciprocal relationship between what SMEs require and the obstacles they must overcome.
Only a limited number of ISMS approaches specifically tailored for SMEs have been investigated and proposed. Sanchez et al. (2008) proposed an ISMS tool and validated it on two companies from the manufacturing sector [38]. The developed ISMS tool is specifically designed to support SMEs by reducing system implementation costs and increasing the success rate of deployments [30,38]. Unlike traditional approaches, it grants smaller businesses access to security maturity models that were previously exclusive to large companies. Valdevit et al. (2009) developed a guide for implementing an ISO 27001 [17]-compliant ISMS in SMEs, drawing on practical experience from certifying a small enterprise using iterative improvement cycles [32]. In addition to the guide, the authors created templates, documentation tools, and a risk assessment tool, the latter serving as a practical instrument to identify, evaluate, and manage information security risks within SMEs. In contrast to prior approaches, Brunner et al. (2018) [31] proposed a tool, ADAMANT, which emphasizes a continuous and evolutionary ISMS. It actively integrates stakeholders from multiple domains to ensure timely responses to changes in the threat landscape or organizational environment [31]. The framework is supported by a multi-user web application that facilitates stakeholder collaboration, enforces intra-organizational workflows, and automates key ISMS tasks. However, the tool has not been validated in a real-world setting, only in a simulated SME environment [31,39].
Based on the studies reviewed, the authors of the present study aimed to complement the existing literature through a practical approach that is particularly valuable for SMEs in the growth phase, especially for those with limited financial resources and at the early stages of implementing an Information Security Management System (ISMS).
In developing this model, the study of the literature revealed that fundamental knowledge and understanding of risk management practices and methods is often lacking among employees, or there are too few individuals with sufficient expertise to apply these methods effectively. This is particularly evident in SMEs, where it is often not feasible to have multiple specialized departments or staff. As a result, one employee may have to take on multiple roles. Based on this observation—and supported by personal experience—the authors aimed to design an application that is as simple and user-friendly as possible, yet still comprehensive in terms of the risks it covers and effective in achieving its objectives.

3. Research

3.1. Research Methodology

The research methodology consisted of multiple complementary steps (see Figure 1). First, a literature review was conducted to identify existing challenges and gaps in information security risk management, particularly within small and medium-sized enterprises. This was followed by interviews and informal discussions with practitioners and SMEs’ employees, alongside insights drawn from the authors’ own professional experience, to better understand the specific needs and limitations related to the adoption of an ISMS. Based on these findings, a practical framework with a structured set of implementation steps and the application GestionAVR (version 1) were developed, accompanied by a concise, one-page instructional guide intended to facilitate employee training and ease of use. Finally, a case study was conducted to validate the application’s functionality and relevance in a real-world SME context.

3.2. Framework Description

As Aleksandrov & Aleksandrova (2021) stated, the implementation of an ISMS based on the ISO 27000 standards and the PDCA model represents the most effective systematic approach to managing information security [8,26]; therefore, the authors proposed an Information Security Management System (ISMS) designed to also meet the training requirements of a mechanical engineering company, in accordance with current ISO standards (ISO/IEC 27001:2022 [17] “Information security, cybersecurity and privacy protection—Information security management systems—Requirements”). Inspired also by the approach proposed by Pipkin (2000), with an information security process model consisting of five aspects: inspection, protection, detection, reaction and reflection [40], the designed application details the steps of developing an ISMS-based training regime that complies with the Plan Do Check Act (PDCA) process (Figure 2).
The first step of the PDCA process is the system verification, which must be performed continuously to determine the needs of the organization. Users must be informed about
  • The ongoing importance of security for the organization;
  • The fact that they are responsible for their actions;
  • The possible consequences that may arise from a violation of existing and applicable policies, standards or procedures at the organization level.
The application developed enables its users to pursue continuous improvement. It actually forces them to periodically monitor and check the ISMS, to update the existing information, to evaluate the potential risks and, based on this, to adjust or to plan the ISMS within the organization.
So, one important part of the model is the training aspect—the organization’s employees must be trained at the beginning in general aspects of risk management and then in using the application.
The application developed and used for risk management was called GestionAVR (Gestionarea Amenințărilor, Vulnerabilităților și Riscurilor—engl. Threat, Vulnerability and Risk Management). Risk management is approached as a systematic and iterative process [41,42] for optimizing resources in accordance with the organizational risk management policy. Risk management is integrated into daily activities through defined roles and responsibilities in all areas of activity and helps to include risk treatment aspects in management practices and decision-making throughout the entire life cycle of the organization’s activities. The tool GestionAVR could support across all phases of the risk management lifecycle: from risk identification, risk assessment, mitigation planning, implementation and monitoring, stakeholder communication to continuous improvement.
This application was designed and generated in Visual Studio (Figure 3). It has some constraints: the database resides on a MySQL server and the report files are generated in PDF format.
To effectively address the challenges of information security risk management within organizations—particularly SMEs—a structured implementation approach was developed and applied. This approach aims to tailor information security measures to the specific context of an organization by combining theoretical insights with practical, context-specific data. The implementation process involves several key steps, from understanding the organizational environment to applying and continuously improving security measures based on identified risks and operational realities.
Step 1: Organizational Understanding and Context Analysis
This initial step focuses on gaining a comprehensive understanding of the organization. It includes
  • Theoretical research conducted to define relevant security concepts and models.
  • Discussions with internal stakeholders such as managers, operators, and employees to collect key information regarding
    - The current security system and organizational structure;
    - IT systems in use;
    - Previously encountered risks, threats, and incidents.
Step 2: IT Infrastructure Mapping
To assess vulnerabilities accurately, a detailed overview of the existing IT infrastructure is essential. This step involves
  • Describing the architecture of the IT environment.
  • Documenting system components, data flows, and technical dependencies.
  • Laying the groundwork for identifying potential threats and mitigation strategies.
Step 3: Risk Identification Across Organizational Levels
Risks are identified across four key dimensions: organizational, personnel-related, physical, and technological. This step includes
  • Employing qualitative methods such as brainstorming sessions, focus groups with staff, employee surveys, and structured interviews [43];
  • Systematically categorizing and analyzing the collected data with the involvement of the research team and working groups.
Step 4: Operational Analysis and Contextual Risk Assessment
This step involves the identification of specific risks arising from day-to-day operations involving information systems. It focuses on
  • Understanding how systems are used in practice;
  • Assessing how operational practices influence security risks and potential impacts on the organization.
Step 5: Application of the Proposed Security Model
Based on the findings from the previous steps, the proposed security measures and model components are applied to the organizational context. This includes
  • Providing the tool GestionAVR and training to employees for its use.
Step 6: Evaluation, Feedback, and Continuous Improvement
The final phase involves reflecting on the implementation through
  • Gathering feedback from users;
  • Evaluating the effectiveness of the applied measures;
  • Identifying lessons learned and refining the approach for continuous improvement.

3.3. Case Study

For testing the validity of the proposed framework and of the developed application, the authors conducted a practical study on a mechanical engineering company that builds, installs, maintains and designs bearings, located in Brasov, Romania. It is an enterprise that has grown over time from a few workstations in a peer-to-peer network, to a multi-level Active Directory domain, with virtual private network (VPN) tunnels and remote sites.
However, this rapid evolution has also created certain security gaps and threats to the enterprise, against which decision-makers must take measures. The organization does not have any ISMS in place or a structured risk management protocol. This problem can affect the company’s goal of developing as a global partner in the field of mechanical engineering and beyond. This case study explores the methods necessary to verify and secure all services, especially the IT services, of a mechanical engineering company, but these are also applicable to other business and security areas.
Securing an organization begins with knowledge of the specific industry, knowledge of the technology used in the organization, and knowledge of the security system. A careful examination of the organization can create a point of view on possible security breaches and preventive measures to implement immediately. For that, the authors have conducted several meetings and discussions with the managers and some key operators of the organization.

3.3.1. Organizational Structure

The organizational structure of the entity is made up of the following departments (functional organizational structures), which are typical for most organizations of this type and size:
  • The Superior Management body: the board of directors or a supervisory board;
  • Executive Management: made up of a management committee, executive directors, general manager or other form that ensures the management of the entity’s current activities and carries out the decisions of the superior management body;
  • Customer Relationship department (front office, sales, investors, policyholders, participants, members, etc.): carries out activities related to the relationship with external persons of the entity in order to fulfill the main object of activity (the provision of authorized, regulated and supervised services);
  • Operations—Technological and Production department: carries out all current activities related to the entity’s core activity. This organizational structure covers all operational functions of the entity;
  • Financial-Accounting department: carries out activities related to financial-accounting and reporting operations related to accounting records;
  • Key Functions of the entity departments: several distinct organizational structures that ensure the following key functions, as appropriate: internal audit, internal control, compliance, risk management, actuarial function, etc.;
  • Information Technology department: carries out specific activities for the administration and development of information systems (software, hardware and communications), including the organization’s websites;
  • Support departments: carry out marketing, legal, human resources, research and development, analysis and other similar activities.
Before defining the risks related to the information security, the team has identified the IT infrastructure architecture, which is shown in Figure 4:

3.3.2. IT Infrastructure Architecture

In order to describe the organization’s activity regarding information systems, the IT architecture (two providers, IDP/IPS, antivirus, firewall, servers, etc.) and the existence of a BCP (Business Continuity Plan) were identified and taken into account. The BCP enables the business functions to continue at an alternative site until the primary site is able to resume work [44], and it includes
  • The identification of critical applications whose replication is necessary within the recovery center;
  • The description of the IT infrastructure within the organization;
  • The description of the disaster recovery system implemented;
  • The description of the personnel available within the organization;
  • The analysis of risks and their impact;
  • The definition of guidelines for concluding Service Level Agreements (SLA), in order to ensure QoS (Quality of Service) both with equipment suppliers and with communication system suppliers;
  • The description of the method of monitoring the disaster recovery system in current operation;
  • The definition of critical disaster-type events;
  • Defining the activities, steps and procedures that make up the BCP;
  • The existence of an alternative data processing location;
  • Performing back-ups according to existing procedures;
  • The existence of an information security policy with the following objectives:
    - Information security management: Information security management measures will be implemented and enforced in accordance with the information security objectives, statements, policies, standards and procedures established by the organization’s management.
    - Classification of information, systems and resources: Information, systems and resources will be classified according to the level and type of protection required.
    - Identification and authentication: The institution enforces identification and authentication of employees, other users, third parties and systems on all its information and systems.
    - Confidentiality: The confidentiality of all data, information, systems, documents and software is enforced.
    - Integrity: The integrity of data, information, systems, documents and software is enforced, depending on how critical the resource is to the organization’s activity.
    - Accountability: Accountability and responsibility for user actions must be clearly defined and permanently implemented.
    - Availability: All information and systems must be available to authorized users when needed, and must be timely, complete and accurate, with recovery of any data, information, software or systems lost due to unwanted and unexpected events (e.g., system interruption in the event of a disaster).
    - Nonrepudiation: Ensures that a party to a transaction cannot later deny having taken part in it or dispute its validity. Systems must ensure that an information transaction cannot be subsequently rejected by the party that performed it.
    - Physical and logical access control: All information and systems will be appropriately and rigorously secured with physical and logical access controls.
    - Risk assessment: The assessment of threats, impacts and vulnerabilities of information processing facilities and the probability of their occurrence.
    - Risk management: The process of identifying, reviewing and reducing or eliminating, at an acceptable cost, security risks that may affect information systems.
    - Information security training and awareness: All employees will undergo information security training and awareness programs.
    - Roles and responsibilities: The roles, responsibilities and decision-making rights of all parties who have access to information resources are clearly defined and communicated.
    - Compliance: Staff as well as other users must be familiar with and comply with the information security procedures and policies.
    - Information security monitoring and reporting: Monitoring and reporting of information security measures will be established to detect and report actual and suspected breaches and ensure remedial actions are taken.

3.3.3. Risk Identification

Risk management is easier to apply within an organization that has established a culture oriented towards risk management.
In this applicative study, the standard model was used, based on an operational risk register structured into four categories (Figure 5):
  • External/Organization;
  • People/HR Personnel;
  • Physical/Processes;
  • Systems/Technology.
Each organization can choose to begin with the modules most relevant to their immediate needs and priorities, gradually expanding the implementation over time as resources and capabilities allow. This flexible structure ensures that SMEs can adopt the system progressively, based on their specific context and growth stage.
Further, risks were identified across the following categories: the organization’s external environment, personnel, physical infrastructure and processes, as well as systems and technology. The risk categories presented in Table 1 were specifically selected to align with the context of SMEs and have already been applied and validated within the case study. The intention was to keep the table concise and practical to facilitate usability for smaller organizations like the one involved in the study, which often have limited resources and expertise in risk management. However, the risks identified in Table 1 could be a starting point for further exploration and refinement based on the organization’s area of activity. For organizations seeking a broader and more comprehensive risk catalog, the ISO/IEC 27005:2022 [43] standard provides detailed methodological guidance [45,46]. In particular, its appendix includes an extensive set of example threats, vulnerabilities, and scenarios that can support more advanced and integrated risk assessments beyond the scope of this study.

3.3.4. Application GestionAVR

The application GestionAVR provides the ability to restrict user access during initial configuration, allowing permissions to be assigned according to four predefined categories, which can be further extended if necessary.
The application GestionAVR has various management interfaces (Figure 6): for identifying, editing and evaluating critical resources; for identifying, editing and evaluating threats, security incidents or unwanted events; for identifying, assessing and editing vulnerabilities; and for handling risks and identifying measures.
The interface for identifying, editing and evaluating critical resources is designed to guide the user through a structured workflow. Users first select or define assets using fields such as: assets nomenclature, domain allocation, asset name, minimum impact, maximum impact, purchase price, replacement or restoration cost, risk mitigation cost.
To determine the value of resources and operations, only IT resources and operations that have interaction with these resources were taken into account. The value of resources/operations was defined using the following scale of values depending on their impact on the organization: less important, necessary, vital.
To determine the values, the following aspects are analyzed: the importance, the degree of dependence on the resource/operation and the danger it represents for the organization’s processes, for the organization in general and for its customers, when the information or resource loses its integrity, confidentiality and availability.
Similarly, the interface for identifying, editing and evaluating threats, security incidents or unwanted events guides users to input the threat nomenclature, threat name, threatened assets and processes and the level of threat manifestation (minimum, maximum).
To assess the risks and associated levels for each undesirable event that may have an impact on the activities carried out by the organization, information systems or information, a risk level matrix is created. The risk level is a function of the probability of an undesirable event occurring and the level of vulnerability to the activities, information or information systems of the organization:
Risk level = f(undesirable event probability (%), vulnerability level)
The interface for identifying, assessing and editing vulnerabilities allows users to input information in the following fields: vulnerability nomenclature, vulnerability name, vulnerable assets, activities and processes, and level of vulnerability. The interface is designed to ensure that users systematically link each vulnerability to the relevant organizational elements, supporting consistent evaluation.
The interface for handling risks and identifying measures includes the following fields: domain, vulnerable assets, activities and processes, asset/person/process/activity and risk name.
To identify risk factors, a list of all applicable threats was conceived, and for each threat, the existing vulnerabilities were identified.
To calculate the risk, the Probability of Risk (the probability that the vulnerability is exploited) was defined. The probability of occurrence under the given conditions was evaluated as follows (Table 2):
A 3 × 3 matrix was created corresponding to the following risk levels: Low Risk; Medium Risk; High Risk (Table 3). The 3 × 3 risk matrix was chosen to meet the needs of SMEs, offering a simple, practical, and standardized approach suitable for organizations with limited resources and no dedicated risk management staff. While larger organizations may require more granular frameworks, such as a 5 × 5 matrix, the primary objective in this context is to identify and address the most significant information security risks rather than quantify every possible variation. Moreover, a simpler structure avoids creating a misleading sense of precision and ensures standardization across different SMEs using the tool. A holistic, integrated approach to corporate risk management would require consistent scales across different risk domains. In this sense, the current matrix can serve as a practical starting point, which could be expanded or adapted in future based on organization’s capabilities, allowing alignment of information security risks with other organizational risks.
This interface (Figure 7) allows the user to select and view an assessment carried out in the past for an organization. Thus, it is possible to view the table with the four main categories (resources, threats, vulnerabilities and risks) and the characteristics of the information security risks. Also, for the selected history entry, a report with its data can be generated.
The application allows the transition to a new assessment, with the transfer of untreated risks, of the information about the factors that generated these risks, and also of resources not highlighted in the previous analysis, such as critical resources that were not exposed to the threat agents. Thus, the remaining critical resources are reanalyzed, and new ones are introduced. At least annually or whenever necessary, the heads of organizational structures ensure the analysis of the implementation status of control measures and their effectiveness, as well as the reassessment of risks in their area of responsibility. As part of the review process, it is analyzed whether:
  • The risks persisted;
  • New risks have emerged;
  • The impact and probability of risks have undergone changes, in which case the risk levels are revised;
  • New risk control measures and deadlines for their implementation are necessary;
  • Risks need to be reprioritized.
Also, the application allows the export of various reports: for risks and for measures. The report for risk management and review includes two distinct sections: risks with a high and very high exposure level, which could affect the achievement of the specific objectives of the organizational structures, and the stage of the plan’s implementation at the reporting date.
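As an added illustration (not GestionAVR’s own code), the following Python sketch implements the risk level function and the 3 × 3 probability/vulnerability matrix described above, together with the carry-over of untreated risks into a new assessment and the revision of a risk level during review. The cell assignments of the matrix and the three-step scales are assumptions, since Tables 2 and 3 are not reproduced on this page, and the sample register is constructed.

```python
"""Minimal risk register modelled on the paper's description (added example;
assumed matrix cells and scales, constructed sample data)."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    """Three-step scale used for both probability and vulnerability."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class AssetValue(IntEnum):
    """Asset value scale from the paper: less important, necessary, vital."""
    LESS_IMPORTANT = 1
    NECESSARY = 2
    VITAL = 3


# Assumed 3 x 3 matrix: rows = probability of the undesirable event,
# columns = level of vulnerability, cell = resulting risk level.
RISK_MATRIX = {
    Level.LOW:    {Level.LOW: "Low",    Level.MEDIUM: "Low",    Level.HIGH: "Medium"},
    Level.MEDIUM: {Level.LOW: "Low",    Level.MEDIUM: "Medium", Level.HIGH: "High"},
    Level.HIGH:   {Level.LOW: "Medium", Level.MEDIUM: "High",   Level.HIGH: "High"},
}
RISK_ORDER = {"Low": 1, "Medium": 2, "High": 3}


def risk_level(probability: Level, vulnerability: Level) -> str:
    """Risk level = f(undesirable event probability, vulnerability)."""
    return RISK_MATRIX[probability][vulnerability]


@dataclass
class Risk:
    name: str
    asset: str
    asset_value: AssetValue
    probability: Level
    vulnerability: Level
    treated: bool = False  # set once the control measures are implemented

    @property
    def level(self) -> str:
        return risk_level(self.probability, self.vulnerability)


@dataclass
class Assessment:
    """One assessment cycle; the application keeps a history of these."""
    year: int
    risks: List[Risk] = field(default_factory=list)

    def prioritized(self) -> List[Risk]:
        # Highest risk level first; ties broken by asset value (vital first).
        return sorted(self.risks,
                      key=lambda r: (RISK_ORDER[r.level], r.asset_value),
                      reverse=True)

    def high_exposure(self) -> List[Risk]:
        """Report section: risks with a high exposure level."""
        return [r for r in self.risks if r.level == "High"]


def start_new_assessment(previous: Assessment, year: int) -> Assessment:
    """Carry untreated risks (with the factors that generated them) forward;
    treated risks are closed and do not reappear in the new cycle."""
    carried = [Risk(r.name, r.asset, r.asset_value, r.probability, r.vulnerability)
               for r in previous.risks if not r.treated]
    return Assessment(year, carried)


def reassess(risk: Risk, probability: Optional[Level] = None,
             vulnerability: Optional[Level] = None) -> str:
    """Review step: if probability or vulnerability changed, revise the level."""
    if probability is not None:
        risk.probability = probability
    if vulnerability is not None:
        risk.vulnerability = vulnerability
    return risk.level


def demo() -> Assessment:
    # Constructed sample register for an engineering SME (illustrative values).
    a2024 = Assessment(2024, [
        Risk("Ransomware on file server", "File server", AssetValue.VITAL,
             Level.MEDIUM, Level.HIGH),
        Risk("Loss of unencrypted laptop", "Laptop", AssetValue.NECESSARY,
             Level.MEDIUM, Level.MEDIUM),
        Risk("Untested backup restore", "Backup system", AssetValue.VITAL,
             Level.LOW, Level.HIGH, treated=True),
    ])
    a2025 = start_new_assessment(a2024, 2025)
    # Review: the server was patched and segmented, so its vulnerability drops.
    reassess(a2025.risks[0], vulnerability=Level.LOW)
    return a2025
```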

3.4. Results and Limitations

To collect information regarding the use of the application, one researcher was directly involved on-site, observing users as they interacted with the app. Following the successful implementation of the model in practice, several short interviews were conducted to gather valuable insights on its functionality and user experience.
The questionnaire was designed using the two core constructs of the Technology Acceptance Model (TAM)—Perceived Usefulness (PU) and Perceived Ease of Use (PEOU)—and was further extended by incorporating Results Demonstrability (RD), a factor introduced in TAM2, with the purpose of assessing the Effectiveness in Risk Management and the Organizational Impact. Following the recommendations of TAM and the similar approach of Brunner et al. (2018) [31], responses were measured using a 7-point Likert scale (1—strongly disagree, 7—strongly agree), allowing for a structured assessment of user perceptions. Specifically, participants were asked to share their opinion on these three items: (Q1) “The tool GestionAVR helps me organize and manage the company’s information and security tasks”, (Q2) “The tool GestionAVR is simple to use and easy to understand”, and (Q3) “Using this tool helps prevent problems and reduce risks in the company”.
The questionnaire results show that users perceive the tool as highly useful, with a mean score of 6.29 for the first statement. This suggests that the tool effectively supports participants in structuring and handling information security processes, indicating strong alignment with the primary goals of the system. The ease-of-use rating of 5.93 for Q2 indicates that most users find the interface and functionality approachable. While slightly lower than the usefulness score, it still reflects a generally positive experience, suggesting that the tool is accessible even for users with limited prior experience, though there may be minor areas where usability could be refined. These results are in line with the observations formulated by the participants during the discussions. The application was found to be user-friendly. The interface was perceived as intuitive and easy to navigate. The results demonstrability score of 5.57 indicates that participants acknowledge tangible benefits of the tool in supporting risk management. However, during follow-up discussions, they noted that risk reduction is inherently a long-term process, and while the tool facilitates this process, ongoing monitoring by managers is necessary to ensure the effective implementation of risk mitigation measures. On the other hand, users reported noticeable improvements in risk management, including: an increased identification of risks; more systemic organization of identified risks; the development of a greater number of mitigation measures; better prioritization of these measures; more efficient use of time allocated to addressing risk; enhanced monitoring capabilities for ongoing risk management.
The developed application demonstrated ease of implementation within an organization, requiring only a brief training session. This is further evidenced by the fact that the application’s deployment did not present significant challenges. The primary requirement for successful adoption was appropriate training for the involved personnel. It is noteworthy that the users were mostly employees with basic knowledge in the areas of quality management, risk management, and information security, as indicated by their self-assessments.
On the other hand, if users lack fundamental knowledge and adequate training, the use of the application may become perceived as an additional task rather than a value-added tool. Additionally, if organizational management and the cultural approach are not aligned with a focus on risk management, the effectiveness of the application may be limited.
At this stage of development, the application does not support integration with other systems or interfaces. Furthermore, the reports generated by the application are in PDF format, which may pose challenges for importing the data into other systems or processing it efficiently.
Currently, the application is only available in the local language (Romanian), highlighting the need for an English version, particularly for organizations with multiple sites in different countries.

4. Conclusions

The findings from this case study are analytically generalizable: the selected SME reflects typical characteristics of small and medium-sized enterprises, including limited financial and human resources for information security, and a need for practical, cost-effective solutions. Furthermore, the proposed ISMS framework and tool are grounded in established information security management principles and SME-specific challenges identified through the literature review and preliminary data collection. While contextual variations may exist, the underlying concepts of risk identification, control implementation, and continuous monitoring are broadly applicable to SMEs facing similar constraints, thereby supporting the transferability of the results to comparable organizational settings.
The main contribution of the proposed information security risk management model lies in its adaptability and practical utility across various organizational contexts, particularly within SMEs. Designed with a general structure, the model is suitable for replication in companies from the same industry or adaptation in different sectors, addressing a gap identified by Qiu et al. (2024), who note that the lack of targeted research often leads to ineffective security strategies [22].
One of the distinctive strengths of the model is its inclusion of a pre-defined risk database, developed and validated through application in a company from the engineering sector—making it directly usable or adaptable by similar enterprises. Table 1 presents a concise set of risks tailored specifically to SMEs, focusing on practicality and ease of use. While these risks were applied and validated in the case study, they do not represent the full spectrum of potential information security threats. The risks identified can therefore serve as a starting point for further exploration, and organizations seeking a more comprehensive assessment can refer to ISO/IEC 27005:2022 [43].
The utility of the research is reflected in both the theoretical and practical value which the proposed model and the GestionAVR application bring to organizations, especially small and medium-sized enterprises (SMEs) with limited resources for cybersecurity management. By offering a structured yet flexible framework, the model significantly enhances risk visibility, prioritization, and response planning. Unlike traditional approaches that often rely on experience or fragmented procedures, the proposed solution allows organizations to identify, evaluate, and monitor risks in a systematic and consistent manner.
The application was designed to be user-friendly, requiring minimal training and enabling broader participation among employees, regardless of technical background. This led to improved risk awareness, reduced reliance on frequent meetings, and better time management. Users reported that the tool offered a clearer overview of risk priorities, supported decision-making, and made it easier to track progress on mitigation actions.
Moreover, the model supports continuous improvement by allowing organizations to update risks, adapt assessments, and respond to changes in their environment. It offers a cost-effective solution that strengthens internal processes and aligns risk management with strategic objectives. Overall, the research contributes a flexible and scalable approach that enhances both operational efficiency and organizational resilience, especially for SMEs.
The tool’s cost-effectiveness also contributes to its utility. It provides a robust risk management solution without requiring substantial investment in infrastructure or specialized personnel. Its modular design makes it suitable for scaling, customization, and future enhancements. The ability to share access across teams further democratizes risk management, encouraging cross-functional collaboration and improving organizational resilience.
In summary, the proposed model and tool offer practical, scalable, and effective support for improving risk management processes, particularly in resource-constrained environments. Their ease of implementation, adaptability, and positive impact on decision-making and operational efficiency demonstrate strong potential for broader application across sectors.
Furthermore, the tool enhances strategic oversight by providing top management with actionable insights, aligning with the researchers’ view that integrated management systems enable organizations not only to mitigate risks but also to support long-term strategic planning and asset control [8]. Organizations must first and foremost invest in employee education to ensure they are aware of potential risks and understand how to respond appropriately. Sometimes, even a simple action—such as not opening a phishing email—can be enough to protect the organization’s data.
The presented approach contributes to sustainability by fostering innovation and supporting the growth and continuity of SMEs. The proposed framework and tool are designed to help SMEs, often operating with limited resources, to implement effective information security practices. In doing so, they promote resilience, operational stability, and long-term viability, which are essential pillars of sustainable business practices.
Looking forward, several directions for future research and development have been identified. A longitudinal survey is proposed to evaluate the model’s effectiveness over one to two years, based on feedback from both managers and operational users. Potential improvements include integrating artificial intelligence to automate data collection and analysis, inspired by Zhang et al. (2024), who highlight the value of intelligent technologies in uncovering hidden patterns and enhancing risk prediction [47]. Customizable reporting features, automatic email notifications, and reminders for unresolved risks are also being considered. Additionally, in alignment with the ISO 27001:2024 amendment that emphasizes the integration of climate change considerations into ISMS frameworks, a sustainability module could be developed to generate related reports and indicators, further broadening the application’s utility and strategic relevance [48].

Author Contributions

Conceptualization, D.R., M.M.; methodology, D.R., M.M.; validation, D.R.; data curation, D.R.; writing—original draft preparation, D.R.; writing—review and editing, D.R., M.M.; visualization, D.R.; supervision, M.M.; project administration, D.R., M.M. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Ethical review and approval were waived for this study, because it exclusively used publicly available datasets that contain no identifiable personal information.

Informed Consent Statement

Informed consent was obtained from all subjects involved in the study.

Data Availability Statement

The data presented in this study are available on request from the corresponding author.

Acknowledgments

The authors gratefully acknowledge the valuable support of Nicolae Anton for the research presented in this paper.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Ahmadi-Gh, Z.; Bello-Pintado, A. Towards sustainable manufacturing: How does digitalization and development affect sustainability barriers? J. Clean. Prod. 2021, 476, 143792.
  2. Lyu, J. How does digital leadership improve organizational sustainability: Theory and evidence. J. Clean. Prod. 2024, 434, 140148.
  3. Bendovschi, A. Cyber-Attacks–Trends, Patterns and Security Countermeasures. Procedia Econ. Financ. 2015, 28, 24–31.
  4. Al Zaidy, A. What are Cyber-Threats, Cyber-Attacks and how to defend our Systems; Research Proposal; Full Sail University: Winter Park, FL, USA, 2014.
  5. Sajko, M.; Rabuzin, K.; Bača, M. How to calculate information value for effective security risk assessment. J. Inf. Organ. Sci. 2006, 30, 263–278.
  6. Du Toit, A.; Saloojee, R.; Groenewald, D. Investigating the business value of information management. S. Afr. J. Inf. Manag. 2007, 9, a17.
  7. Bodendorf, F.; Franke, J. What is the business value of your data? A multi-perspective empirical study on monetary valuation factors and methods for data governance. Data Knowl. Eng. 2024, 149, 102242.
  8. Aleksandrov, M.N.; Vasiliev, V.A.; Aleksandrova, S.V. Implementation of the Risk-based Approach Methodology in Information Security Management Systems. In Proceedings of the 2021 International Conference on Quality Management, Transport and Information Security, Information Technologies (IT&QM&IS), Yaroslavl, Russia, 6–10 September 2021; pp. 137–139.
  9. Marhad, S.S.; Goni, S.Z.A.; Sani, M.K.J.A. Implementation of Information Security Management Systems for Data Protection in Organizations: A systematic literature review. Environ. Behav. Proc. J. 2023, 9, 197–203.
  10. Christiawan, E. The Importance of Information Security Management in Small Medium Enterprises. Ph.D. Thesis, Murdoch University Singapore, Singapore, 2015.
  11. Ng, Z.X.; Ahmad, A.; Maynard, S.B. Information Security Management: Factors that influence Security Investments in SMEs. In Proceedings of the 11th Australian Information Security Management Conference, Perth, Australia, 2–4 December 2013; pp. 60–74.
  12. Park, J.-Y.; Robles, R.; Hong, C.-H.; Yeo, S.-S.; Kim, T. IT Security Strategies for SME’s. Int. J. Softw. Eng. Its Appl. 2008, 2, 3.
  13. Whitman, M.E.; Mattord, H. Roadmap to Information Security: For IT and Infosec Managers; Cengage Learning: Boston, MA, USA, 2011.
  14. Brunner, M.; Sauerwein, C.; Felderer, M.; Breu, R. Risk management practices in information security: Exploring the status quo in the DACH region. Comput. Secur. 2020, 92, 101776.
  15. Blakley, B.; McDermott, E.; Geer, D. Information security is information risk management. In Proceedings of the New Security Paradigms Workshop, Cloudcroft, NM, USA, 10–13 September 2001; p. 97.
  16. Wangen, G.B. An initial insight into Information Security Risk Assessment practices. In Proceedings of the Federated Conference on Computer Science and Information Systems, Gdansk, Poland, 11–14 September 2016; pp. 999–1008.
  17. ISO/IEC 27001:2022; Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—Requirements. International Organization for Standardization: Geneva, Switzerland, 2022.
  18. BSI 100-1; Information Security Management Systems (ISMS). BSI: Bonn, Germany, 2005.
  19. Asosheh, A.; Hajinazari, P.; Khodkari, H. A practical implementation of ISMS. In Proceedings of the 7th International Conference on e-Commerce in Developing Countries: With Focus on e-Security, Kish Island, Iran, 17–18 April 2013; pp. 1–17.
  20. Burggräf, P.; Adlon, T.; Schupp, S.; Salzwedel, J. Risk Management in Factory Planning–A Literature Review. Procedia CIRP 2021, 104, 1191–1196.
  21. Crovini, C.; Ossola, G.; Britzelmaier, B. How to reconsider risk management in SMEs? An Advanced, Reasoned and Organised Literature Review. Eur. Manag. J. 2021, 39, 118–134.
  22. Qiu, S.; Tong, Y.; Zhang, X.; Huang, C.; Guo, F. Construction and Practice of Enterprise Information Security Management System of Intrusion Detection Technology. Procedia Comput. Sci. 2024, 243, 340–347.
  23. Katsikas, S.K. Health care management and information systems security: Awareness, training or education? Int. J. Med. Inform. 2000, 60, 129–135.
  24. Fitzgerald, T. What You Told Us: A CISO Survey. In CISO Leadership; Auerbach Publications: Boca Raton, FL, USA, 2007; pp. 37–62.
  25. Hooper, V.; McKissack, J. The emerging role of the CISO. Bus. Horiz. 2016, 59, 585–591.
  26. Haufe, K.; Dzombeta, S.; Brandis, K. Proposal for a Security Management in Cloud Computing for Health Care. Sci. World J. 2014, 19, 146970.
  27. Aftabi, N.; Moradi, N.; Mahroo, F.; Kianfar, F. SD-ABM-ISM: An integrated system dynamics and agent-based modeling framework for information security management in complex information systems with multi-actor threat dynamics. Expert Syst. Appl. 2024, 263, 125681.
  28. Aleksandrova, S.; Vasiliev, V.; Aleksandrov, M. Problems of Implementing Information Security Management Systems. In Proceedings of the International Conference on Quality Management, Transport and Information Security, Information Technologies, Yaroslavl, Russia, 7–11 September 2020; pp. 78–81.
  29. Andrzejewski, K. Security information management systems. Manag. Sci. 2019, 24, 1–9.
  30. Sanchez, L.E.; Villafranca, D.; Fernandez-Medina, E.; Piattini, M. Developing a model and a tool to manage the information security in Small and Medium Enterprises. In Proceedings of the SECRYPT 2007–International Conference on Security and Cryptography, Barcelona, Spain, 13–28 July 2007; pp. 355–362.
  31. Brunner, M.; Mussmann, A.; Breu, R. Introduction of a Tool-based Continuous Information Security Management System: An Exploratory Case Study. In Proceedings of the 2018 IEEE International Conference on Software Quality, Reliability and Security Companion, Lisbon, Portugal, 16–20 July 2018.
  32. Valdevit, T.; Mayer, N.; Barafort, B. Tailoring ISO/IEC 27001 for SMEs–A Guide to Implement an Information Security Management System in Small Settings. In Software Process Improvement. EuroSPI 2009. Communications in Computer and Information Science; Springer: Berlin/Heidelberg, Germany, 2009; Volume 42, pp. 201–212.
  33. Mthiyane, Z.Z.F.; van der Poll, H.M.; Tshehla, M.F. A Framework for Risk Management in Small Medium Enterprises in Developing Countries. Risks 2022, 10, 173.
  34. Peltier, T.R. Preparing for ISO 17799. Inf. Syst. Secur. 2003, 11, 21–28.
  35. Garigue, R.; Stefaniu, M. Information Security Governance Reporting. Inf. Syst. Secur. 2003, 12, 36–40.
  36. Boyes, H.; Higgins, M.D. An Overview of Information and Cyber Security Standards. J. ICT Stand. 2024, 12, 95–134.
  37. Barlette, Y.; Fomin, V.V. The adoption of information security management standards: A literature review. In Information Resources Management: Concepts, Methodologies, Tools and Applications; Information Resource Management Association, Ed.; IGI Global: Hershey, PA, USA, 2010; pp. 69–90.
  38. Sanchez, L.E.; Villafranca, D.; Fernandez-Medina, E.; Piattini, M. Practical Application of a Security Management Maturity Model for SMEs Based on Predefined Schemas. In Proceedings of the International Conference on Security and Cryptography (SECRYPT08), Porto, Portugal, 26–29 July 2008; pp. 391–398.
  39. Brunner, M.; Sillaber, C.; Breu, R. Towards Automation in Information Security Management Systems. In Proceedings of the 2017 IEEE International Conference on Software Quality, Reliability and Security (QRS), Prague, Czech Republic, 25–29 July 2017; pp. 160–167.
  40. Pipkin, D.L. Information Security; Prentice Hall: Saddle River, NJ, USA, 2000.
  41. Wirtz, R.; Heisel, M. Risk Treatment: An Iterative Method for Identifying Controls. In Evaluation of Novel Approaches to Software Engineering; Springer: Cham, Switzerland, 2021; pp. 283–310.
  42. Carlson, S.E.; Lewis, D.G.R.; Maliakal, L.V.; Gerber, E.M.; Easterday, M.W. The design risks framework: Understanding metacognition for iteration. Des. Stud. 2020, 70, 100961.
  43. ISO/IEC 27005:2022; Information Security, Cybersecurity and Privacy Protection–Guidelines for Information Security Risk Management. International Organization for Standardization: Geneva, Switzerland, 2022.
  44. Hidayatullah, D.E.R.; Kunthi, R.; Harwahyu, R. Design and Analysis of Information Security Risk Management Based on ISO 27005: Case Study on Audit Management System (AMS) XYZ Internal Audit Department. Int. J. Electr. Comput. Biomed. Eng. 2024, 2, 395–413.
  45. Moraru, R.I.; Băbuț, G.B.; Cioca, L.I. Rationale and criteria development for risk assessment tool selection in work environments. Environ. Eng. Manag. J. 2014, 13, 1371–1376.
  46. Whitman, M.E.; Mattord, H.J. Management of Information Security; Cengage Learning: Stamford, CT, USA, 2014.
  47. Zhang, X.; Cui, L.; Shen, W.; Wang, Y. Design and Implementation of Intelligent Data Security Risk Assessment and Management System. Procedia Comput. Sci. 2024, 243, 148–155.
  48. DeLange, S. Vanta. Integrating Climate Change Considerations into Your ISMS Following the ISO 27001 2024 Amendment. Available online: https://help.vanta.com/en/articles/11345801-integrating-climate-change-considerations-into-your-isms-following-the-iso-27001-2024-amendment (accessed on 22 May 2025).
Figure 1. Research methodology.
Figure 2. Steps for the application design.
Figure 3. Application GestionAVR—login interface and home interface.
Figure 4. Schematic representation of the information systems architecture of the studied organization.
Figure 5. Screenshot of the main menu of GestionAVR application displaying the 4 levels: 1. Organization; 2. Personnel; 3. Physical; 4. Technology.
Figure 6. Interface for identifying, editing and evaluating critical resources (assets).
Figure 7. Interface with the history of past assessments.
Table 1. Identified risks, by category.

Risks related to the organization's external environment
  - losses due to catastrophic events/natural disasters
  - losses generated by factors outside the organization
  - interruptions in the provision of services contracted from external suppliers
  - external fraud and criminal activities
  - exposure of system security to external factors
  - terrorist or cyber attacks
  - economic and/or cyber crime
  - power outages
  - disaster recovery risks
  - external back-up location
  - inadequate testing of disaster recovery

Risks related to the organization's personnel
  - lack of a clear delimitation between the roles of the people who access, manage or develop the information systems
  - data alteration
  - changes to information or data in reports without appropriate documentation
  - failure to comply with processes, procedures or work instructions
  - errors in manual entry or inappropriate use of information systems
  - conflict of interest between the personnel who develop and administer the information systems, or between their users
  - insufficient staff
  - dependence on key employees
  - lack of communication and cooperation between employees
  - failure to report errors or mistakes related to information systems
  - complacency of personnel
  - fraud
  - money laundering and financing of terrorism
  - non-compliance with the international sanctions regime

Risks related to the physical level and processes
  Model risks
    - lack of organizational processes (at least for change management, incidents, problems, service levels, versions, capacity, availability and projects)
    - methodological or model errors
    - evaluation errors
    - availability of reserves to cover losses
    - complexity of models
    - inadequate process control
    - software inappropriate to the business objectives
    - insufficient corporate governance in this area
  Transactional risks
    - execution errors
    - recording errors
    - inadequate data and information management
    - machine errors
    - product complexity
    - capacity risks
    - evaluation risks
    - confidentiality risks
    - fraud
  Risks related to the control of operations
    - lack of separation of rights and duties (segregation)
    - exceeding limits
    - volume risks
    - security risks
    - reporting risks
    - risks of inadequate accounting records
    - inadequate control of outsourced activities
    - disruption of service provision
    - misidentification of the operations in question based on risk indicators and predefined analytical variables
  Risks related to locations
    - miscommunication
    - supply chain disruptions
    - quality control issues
    - cultural risks
    - workforce management and coordination

Risks related to systems/technology
  - inadequate technology and security management system
  - lack of development and testing methodologies
  - insufficient processing capacity
  - system outages (hardware, software, storage, telecommunications)
  - network outages
  - interruptions in the provision of services provided by external providers
  - inadequate systems
  - inadequate protection against malware
  - compatibility risks
  - risks generated by suppliers/vendors
  - inadequate technology update system
  - outdated systems
  - inadequate system support services
  - programming errors
  - data corruption
Table 2. Description of probabilities.

Grade | Probability | Description
1 | Negligible | Practically impossible to occur under normal conditions; no historical occurrences have been recorded.
2 | Low | May occur under normal conditions, but the frequency of occurrence is rare.
3 | High | Likely to occur; it is reasonable to expect this risk to materialize in the immediate future.
Table 3. Risk matrix (rows: vulnerability; columns: probability).

Vulnerability \ Probability | Negligible | Low | High
High | Medium risk | High risk | High risk
Medium | Low risk | Medium risk | High risk
Negligible | Low risk | Low risk | Medium risk
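The following is an added example, not code from the paper or from the GestionAVR application, showing how the 3×3 matrix of Table 3 and the probability grades of Table 2 combine into a prioritized treatment list for a small risk register. The numeric 1–3 vulnerability grades, the tie-breaking order, the treatment threshold and the register entries (taken from the wording of Table 1) are assumptions made for the example; the paper defines only the named levels.

```python
"""Added example (not GestionAVR's code): apply the paper's risk matrix
(Table 3) with the probability grades of Table 2 to a constructed risk
register and produce a prioritized treatment queue."""

from dataclasses import dataclass
from typing import List, Tuple

# Three-point scales. Probability names follow Table 2; vulnerability names
# follow the row labels of Table 3. Mapping them to 1..3 is an assumption.
PROBABILITY = {1: "negligible", 2: "low", 3: "high"}
VULNERABILITY = {1: "negligible", 2: "medium", 3: "high"}

# Table 3, indexed RISK_MATRIX[vulnerability][probability].
RISK_MATRIX = {
    3: {1: "medium", 2: "high", 3: "high"},
    2: {1: "low", 2: "medium", 3: "high"},
    1: {1: "low", 2: "low", 3: "medium"},
}
RISK_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskEntry:
    category: str        # one of the Table 1 groups, e.g. "technology"
    description: str
    vulnerability: int   # 1..3, see VULNERABILITY
    probability: int     # 1..3, see PROBABILITY


def risk_level(vulnerability: int, probability: int) -> str:
    """Look up Table 3; reject grades outside the 1..3 scales instead of
    silently defaulting, so a bad register row cannot hide as 'low'."""
    if vulnerability not in RISK_MATRIX or probability not in RISK_MATRIX[vulnerability]:
        raise ValueError(
            f"grades must be 1..3, got vulnerability={vulnerability}, probability={probability}"
        )
    return RISK_MATRIX[vulnerability][probability]


def matrix_is_monotonic() -> bool:
    """Sanity check on the matrix: raising either grade must never lower
    the resulting risk level. Worth running whenever the matrix is edited."""
    for v in (1, 2, 3):
        for p in (1, 2, 3):
            here = RISK_RANK[risk_level(v, p)]
            if v < 3 and RISK_RANK[risk_level(v + 1, p)] < here:
                return False
            if p < 3 and RISK_RANK[risk_level(v, p + 1)] < here:
                return False
    return True


def prioritize(register: List[RiskEntry]) -> List[Tuple[str, RiskEntry]]:
    """Return (level, entry) pairs, highest risk first. Within a level,
    higher probability wins, then higher vulnerability (assumed tie-break)."""
    scored = [(risk_level(e.vulnerability, e.probability), e) for e in register]
    scored.sort(
        key=lambda le: (RISK_RANK[le[0]], le[1].probability, le[1].vulnerability),
        reverse=True,
    )
    return scored


def treatment_queue(register: List[RiskEntry], threshold: str = "medium") -> List[RiskEntry]:
    """Entries at or above the threshold level that go into the treatment plan."""
    return [e for lvl, e in prioritize(register) if RISK_RANK[lvl] >= RISK_RANK[threshold]]


# Constructed register using Table 1 wording; the grades are assumptions.
SAMPLE_REGISTER = [
    RiskEntry("technology", "inadequate protection against malware", 3, 2),
    RiskEntry("personnel", "dependence on key employees", 2, 3),
    RiskEntry("external", "power outages", 1, 2),
    RiskEntry("organization", "lack of separation of rights and duties (segregation)", 2, 2),
    RiskEntry("physical", "inadequate testing of disaster recovery", 3, 1),
]

if __name__ == "__main__":
    assert matrix_is_monotonic()
    for level, entry in prioritize(SAMPLE_REGISTER):
        print(f"{level:6s} {entry.category:12s} {entry.description}")
```

With the constructed grades, "dependence on key employees" and "inadequate protection against malware" come out as high risk, the segregation gap and untested disaster recovery as medium, and power outages as low; only the first four reach a treatment plan with a "medium" threshold. The monotonicity check is the kind of guard an SME would want when it customizes the matrix, since an accidental inversion (a higher grade yielding a lower level) would quietly deprioritize real exposures.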
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

Rusu, D.; Mantulescu, M. Development of an Application-Based Framework for Information Security Management in SMEs. Sustainability 2025, 17, 8314. https://doi.org/10.3390/su17188314