Systematic Review

Enhancing Cybersecurity Readiness in Non-Profit Organizations Through Collaborative Research and Innovation—A Systematic Literature Review

by Maryam Roshanaei 1, Premkumar Krishnamurthy 2, Anivesh Sinha 2, Vikrant Gokhale 2, Faizan Muhammad Raza 2 and Dušan Ramljak 2,*
1 Information Technology, Cybersecurity Analytics and Operations, Penn State Abington, Abington, PA 19001, USA
2 Engineering Department, Penn State Great Valley, The Pennsylvania State University, University Park, PA 16802, USA
* Author to whom correspondence should be addressed.
Computers 2025, 14(12), 539; https://doi.org/10.3390/computers14120539
Submission received: 1 November 2025 / Revised: 26 November 2025 / Accepted: 2 December 2025 / Published: 9 December 2025
(This article belongs to the Section ICT Infrastructures for Cybersecurity)

Abstract

Non-profit organizations (NPOs) are crucial for building equitable and thriving communities. The majority of NPOs are small, community-based organizations that serve local needs. Despite their significance, NPOs often lack the resources to manage cybersecurity effectively, and information about them is usually found in nonacademic or practitioner sources rather than in the academic literature. The recent surge in cyberattacks on NPOs underscores the urgent need for investment in cybersecurity readiness. The absence of robust safeguards and cybersecurity preparedness not only exposes NPOs to risks and vulnerabilities but also erodes trust and diminishes the value donors and volunteers place on them. Through this systematic literature review (SLR) mapping framework, existing work on cyber threat assessment and mitigation is leveraged to build a framework and data collection plan that addresses the significant cybersecurity vulnerabilities faced by NPOs. The research aims to offer actionable guidance that NPOs can implement within their resource constraints to enhance their cybersecurity posture. The SLR adheres to the PRISMA 2020 guidelines to examine the state of cybersecurity readiness in NPOs. The initial 4650 records were examined on 6 March 2025. We excluded studies that did not answer our research questions and did not discuss cybersecurity readiness in NPOs. The quality of the selected studies was assessed on the basis of methodology, clarity, completeness, and transparency, resulting in 23 included studies. A further 37 studies were added by examining papers that cited, or were cited by, the included studies. Results were synthesized through quantitative topic analysis and qualitative analysis to identify key themes and patterns.
This study makes the following contributions: (i) it identifies and synthesizes the top cybersecurity risks for NPOs, their service impacts, and mitigation methods; (ii) it summarizes affordable cybersecurity practices, with an emphasis on employee training and sector-specific knowledge gaps; (iii) it analyzes organizational and contextual factors (e.g., geography, budget, IT skills, cyber insurance, vendor dependencies) that shape cybersecurity readiness; and (iv) it reviews and integrates existing assessment and resilience frameworks applicable to NPOs.

1. Introduction

Non-profit organizations (NPOs) play a crucial role in fostering community resilience and equity, addressing essential needs such as food security, education, and healthcare [1]. With more than 1 million NPOs operating in the United States, the sector accounted for a steady 10% of total employment over the period 2007–2022 [2]. Even though these organizations are instrumental in driving both social impact and economic growth [1,2], the most recent report by ref. [3] that provides insights into NPO trends is from 2021. Furthermore, despite their importance, many NPOs find themselves at a critical juncture regarding cybersecurity preparedness. They manage a wealth of sensitive information, including donor details, health records, and financial data, which has made them prime targets for cybercriminals for a long time [4]. Recent analyses describe NPOs as “cyber-poor, target-rich” actors because they combine limited security capacity with high-value data and mission-critical services [5,6]. NPO reports estimate that 27–60% of NPOs have experienced a cyberattack in the past few years, with many lacking dedicated cybersecurity budgets or formal security policies [7,8]. At the same time, national breach statistics show a record number of data compromises in 2023, with supply-chain and zero-day attacks rising sharply [9].
The rise in cyberattacks targeting NPOs reveals a pressing need for enhanced cybersecurity measures. A research study [10] indicates that more than 45% of NPO employees express intentions to leave their roles within the next five years, leading to significant knowledge loss regarding cybersecurity practices, a trend that continues to the present day. Compounding this issue is the financial strain many NPOs face, particularly in rural areas, where budget constraints limit their ability to invest in essential cybersecurity infrastructure, training, and support [11]. Empirical work on NPOs and small-organization security readiness consistently finds that dedicated IT or security staff, rather than organizational size alone, is the strongest predictor of adopting basic safeguards such as multi-factor authentication (MFA) and structured access controls [6,12]. In practice, this means that even mission-driven organizations with substantial budgets may remain exposed if cybersecurity responsibilities are fragmented or informal.
This paper aims to characterize the current state of cybersecurity readiness among NPOs so that it can be enhanced with a full understanding of the constraints involved. Before conducting comprehensive assessments, it is necessary to identify specific NPOs in need of assistance, profiling their unique vulnerabilities and challenges. We believe that by leveraging this systematic literature review (SLR) and utilizing data from TaxExemptWorld.com [13] and the National Council of Nonprofits [14], it is possible to create a nuanced understanding of the cybersecurity landscape within this sector. In parallel, recent guidance from nonprofit associations and security alliances emphasizes that NPOs should adopt risk-management frameworks such as the NIST Cybersecurity Framework 2.0 and related sector-specific toolkits in a tailored, cost-effective manner rather than attempting to implement full enterprise profiles [5,6,14,15,16]. These documents converge on a set of “minimum viable” controls (MFA, backups, least-privilege access, phishing-resistant workflows) that are both technically feasible and aligned with the resource constraints of small organizations [5,15,17]. Parallels between NPOs’ cybersecurity challenges and similar constraints in other sectors reinforce the argument for lightweight, scalable solutions. Lessons from resource-constrained environments that bridge cybersecurity gaps with digital twin technology [18,19] can inform future NPO cybersecurity strategies.
Furthermore, we outline a framework that not only evaluates the cybersecurity posture of these organizations but also provides actionable solutions tailored to their specific contexts. This framework will encompass best practices for safeguarding sensitive information, strategies for implementing multi-factor authentication, and guidelines for establishing robust data breach protocols. In designing this framework, we explicitly build on emerging NPO-focused readiness playbooks and empirical studies that integrate NIST CSF 2.0 and zero-trust principles into lightweight assessment and improvement cycles for small organizations [6,17]. Through our findings and recommendations, we hope to empower NPOs to enhance their cybersecurity readiness, thereby protecting their missions and the communities they serve. By strengthening the cybersecurity infrastructure of NPOs, we aim to foster a more resilient NPO sector, ensuring that these vital organizations can continue their essential work without compromising the trust and safety of their stakeholders.
The contribution and novelty are thus threefold: first, this is the first NPO-focused SLR on cybersecurity readiness. Second, it synthesizes fragmented research into a cohesive evidence base and identifies unique NPO challenges such as resource constraints, high staff turnover, and rural connectivity. Third, it introduces a computational readiness assessment pipeline leveraging natural language processing (NLP) and knowledge graphs, which has not been proposed in prior NPO cybersecurity literature.
The remainder of this paper is structured as follows. Section 2 provides a background on NPO profiling, cybersecurity readiness solutions, and SLRs. Section 3 presents the SLR methodology, research questions, and a high-level overview of the selected studies. Answers to the research questions for evaluating cybersecurity readiness in the extracted studies are presented in Section 4. Section 4 also discusses the results and study limitations, drawing a road map for future research, while Section 5 summarizes the findings.

2. NPO Cybersecurity Readiness Background

Research on NPO cybersecurity readiness is dispersed across multiple disciplines without forming a cohesive body of literature. Publications addressing this topic appear in cybersecurity journals, information systems research, nonprofit management studies, grey literature from practitioner organizations, and policy reports. In contrast to well-established research areas such as corporate cybersecurity, critical infrastructure security and protection, or healthcare information security, NPO-specific cybersecurity readiness research lacks dedicated publication venues, specialized research communities, or sustained academic attention.

2.1. Existing Research Landscape

Current literature on NPO cybersecurity readiness is broadly categorized into four streams, none of which presents a comprehensive synthesis:
  • Practitioner-Oriented Resources: Organizations such as the Nonprofit Technology Enterprise Network (NTEN) [20], TechSoup, and the National Council of Nonprofits [14] publish cybersecurity guides and toolkits. These resources offer checklists and templates but typically lack empirical validation or comparative analysis.
  • Incident Reports and Threat Intelligence: Cybersecurity breach databases, vendor-generated threat reports, and media coverage document cyberattacks targeting NPOs [4]. These sources focus on incident response rather than proactive readiness assessment, offering limited guidance for prevention.
  • Corporate and Enterprise Security Research: The academic cybersecurity literature predominantly examines large organizations with dedicated IT departments. While frameworks such as NIST’s [21] or ISO 27001 [22] offer valuable guidance, their application to resource-constrained NPOs requires significant adaptation that the existing literature does not address.
  • NPO Technology Research: Studies examining technology adoption in the NPO sector tend to focus on digital fundraising, social media, and donor management systems. Cybersecurity readiness, when mentioned, is typically treated as a secondary concern.
This fragmented landscape is further complicated by operational realities, particularly in rural areas, where financial limitations [11] and high employee turnover [23] lead to persistent knowledge loss and underinvestment in cybersecurity readiness. The COVID-19 pandemic exacerbated this, as the rapid shift to remote work expanded NPO attack surfaces while budgets were constrained.

2.2. Lack of Synthesized, Actionable Reviews

Despite this dispersed body of work, a comprehensive examination of existing systematic literature reviews reveals a critical gap. While systematic reviews exist for corporate security, small-to-medium enterprises (SMEs), and other sectors, none comprehensively address the unique challenges and constraints of NPOs.
Similarly, existing reviews of NPO technology primarily address digital transformation or fundraising, rather than information security. To the best of our knowledge, no comprehensive SLR synthesizes actionable, resource-appropriate cybersecurity guidance specifically for NPOs.

2.3. Specific Knowledge Gaps in Current Literature

  • Limited Sub-Sector and Geographic Analysis: There is little research examining how readiness varies by NPO sub-sector or geographic location (urban vs. rural) [11,24]. Specifically, while rural Pennsylvania NPOs face “severe financial strain” [11], this region serves as a critical microcosm for the broader urban–rural digital divide. Validating our framework within this diverse demographic allows us to test the “Geographic & Resource Disparities” gap empirically.
  • Impact of High Turnover: Research has not adequately explored how high staff turnover [23] and subsequent “knowledge loss” impact the sustainability of security practices.
  • Lack of Scalable Frameworks: Research on adapting existing frameworks (like NIST) for small NPOs with limited technical expertise is scarce.
  • Absence of Practical Quantification: There is little academic guidance on practical, effective cyber-risk assessment models for this sector, which often defaults to vague “high-medium-low” estimates.

2.4. Justification for This Systematic Review

Given the fragmented research, the absence of a prior NPO-focused SLR, and the specific knowledge gaps identified, conducting a systematic review is essential. This SLR is designed to fill this critical gap by providing a synthesized evidence base. It moves beyond corporate frameworks and practitioner guides to specifically identify actionable, resource-appropriate solutions and practical assessment models while also considering organizational factors like training and high turnover. The ultimate goal is to move beyond general advice and synthesize specific, low-friction controls (e.g., MFA, cloud configurations) that require minimal capital investment, directly addressing the “resource-appropriate” gap tailored to the specific, resource-limited realities of the NPO sector.

3. Systematic Literature Review Mapping Methodology

In many scientific fields, there exist standards for literature reviews, as SLRs are the best way to understand the background for developing rigorous research projects. The somewhat-related operations research literature provides a taxonomy of SLRs [25], and our SLR fits the tutorial type, as it is selective toward the problem of cybersecurity readiness for NPOs. As we are trying to understand how to compare assessment models and organizational factors in the resource-limited reality of NPOs, it also fits the broad, comprehensive, computational review type. As the cybersecurity community does not have an established SLR standard, we use a methodology based on standards established in the closely related field of software engineering [26] and in the medical field, which requires strong ethical principles [27,28]. This review was performed in accordance with the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) guidelines defined in [27,28]. In the remainder of this section, we present the SLR methodology by explaining the following:
  • Objectives and research questions;
  • Search strategy;
  • Search criteria;
  • Inclusion and exclusion criteria;
  • Search and selection procedure;
  • Data extraction and synthesis;
  • Important characteristics of selected primary studies.

3.1. Objectives and Research Questions

We planned the review process by refining the research objectives into a set of research questions. The approach that we followed in generating the research questions was based on categorizing them in a way in which they were mutually exclusive and collectively exhaustive in representing the scope of our research objective. They cover distinct aspects of our research and collectively cover the study’s objective comprehensively. Our objectives to summarize and categorize the “state-of-the-art” methods, benchmark test instances, and comparison methodology could be accomplished through the following questions:
  • RQ1. What are the top cybersecurity risks for NPOs, how do these risks impact their services, and what are the methods to identify and fix these issues?
  • RQ2. What affordable cybersecurity practices, especially in employee training, can NPOs with limited resources adopt? How do knowledge gaps differ across NPO sectors?
  • RQ3. What factors influence cybersecurity readiness in NPOs, like location (urban vs. rural), budgets, and IT skills? How do things like cyber insurance and third-party agreements affect their security?
  • RQ4. How can NPOs assess their cybersecurity preparedness and resilience?
These questions cover four distinct aspects for NPOs: identifying cybersecurity risks, affordable cybersecurity practices, factors influencing cybersecurity readiness, and assessing cybersecurity preparedness. To facilitate answering each question, the envisioned analyses and visualizations are provided in Section 4.

3.2. Search Strategy

We utilized the PennState LionSearch tool to investigate the available manuscripts. LionSearch serves as an integrated search engine that aggregates resources from approximately 1000 databases, including books, journal articles, conference papers, and other publications, with a focus on operations research, optimization, and applied mathematics. This tool is managed and provided by the Pennsylvania State University Library.
For our search strategy, we established the following parameters: we aimed to locate peer-reviewed articles published in English across categories, including journal articles, book chapters, conference proceedings, and books/eBooks. The specified search domains included computer science, engineering, mathematics, and general sciences. To ensure exhaustive coverage, we applied the search to the full text, allowing for the inclusion of relevant studies that may not feature keywords in their titles or abstracts. Additionally, no time frame was imposed to maximize the selection of pertinent publications.

3.3. Search Criteria

Each of the defined research questions was first broken down into four broader categories that are mutually exclusive. From those categories, keywords were developed in order to cover all possible academic papers, making them collectively exhaustive. The search query would then include these keywords, paired with logical operators (OR, AND) to precisely select the literature that aligned with the paper.
The following were the four broad mutually exclusive and collectively exhaustive categories that we came up with:
  • Cybersecurity;
  • NPOs;
  • What practices we implement;
  • How we assess readiness.
Within each category the keywords were joined with OR, and the four categories were combined with AND. The final query that we searched for is the following: ((cybersecurity) OR (cyberdefense) OR (IT security) OR (cyber threats) OR (cyber attacks)) AND ((nonprofits) OR (charitable organizations) OR (NPOs) OR (nonprofit budgets)) AND ((cybersecurity training) OR (employee cybersecurity programs) OR (IT security training) OR (cybersecurity best practices)) AND ((cybersecurity risk assessment) OR (cyber readiness) OR (cybersecurity preparedness) OR (cybersecurity resilience assessment))

3.4. Search Filter Criteria

The studies initially obtained from electronic databases were evaluated according to the search filter criteria detailed in this section.
Search filters:
  • It was published within the last five years (post-COVID-19).
  • It is an article or a journal article.
  • It is within the domain of computer science, engineering, library and information science, mathematics, and statistics.
  • It is written in English.
  • It is peer-reviewed.
  • It is a full text.
Through these search keywords and filters, the search returned 250 articles.

3.5. Inclusion and Exclusion Criteria

The studies initially obtained from electronic databases were evaluated according to the inclusion and exclusion criteria detailed in this section.
Inclusion criteria:
  • IC1: It is written in English.
  • IC2: It is relevant and applicable to NPOs.
  • IC3: It is within the scope of the research questions.
  • IC4: It belongs to a group of recognized research studies.
  • IC5: It is a technical report, journal, or a conference paper.
Exclusion criteria:
  • EC1: The paper does not meet all the inclusion criteria.
  • EC2: The paper does not address cybersecurity readiness.
  • EC3: The paper’s focus is not primarily on or applicable to NPOs.
The papers that satisfy at least one exclusion criterion are excluded from the SLR.

3.6. Search and Selection Procedure

The full text of each document was reviewed thoroughly by at least two team members. The team consisted of the co-authors together with other professors and students working on the project. We held weekly meetings to discuss progress and review findings. The last phase was evaluating the methodological robustness of the chosen studies against a set of quality criteria. We employed the following quality criteria:
  • QC1: Is the study’s focus on cybersecurity issues unique to NPOs? (1 or 0);
  • QC2: Does the research offer useful information or suggestions that are pertinent to NPOs? (1 or 0);
  • QC3: Are the research findings backed up by definite facts or evidence? (1 or 0);
  • QC4: Does the study make sense given NPOs’ resource constraints? (1 or 0).
For a study to be included in the final review, it had to score at least two out of four. We calculated Cohen’s Kappa = 0.82, indicating strong agreement between reviewers. This metric enhances transparency and methodological rigor.
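As an added illustration of the quality-scoring and agreement step described above (example code written for this review's protocol, not software used by the authors), the following Python applies the rule that a study is retained when it scores at least two of the four QC points, derives each reviewer's decision from their QC vector, computes Cohen's kappa over the two decision lists, and lists the records whose decisions differ and therefore need reconciliation. The ten record identifiers and their scores are constructed for the example, so the kappa it reports differs from the 0.82 obtained in the review.

```python
from typing import Dict, Sequence, Tuple

# The four quality criteria of the review protocol (QC1-QC4); each is scored 1 or 0.
QC_LABELS = (
    "QC1 focus on NPO-specific cybersecurity issues",
    "QC2 useful information or suggestions for NPOs",
    "QC3 findings backed by definite facts or evidence",
    "QC4 makes sense given NPOs' resource constraints",
)
INCLUSION_THRESHOLD = 2  # a study is retained if it scores at least 2 of 4

# Constructed sample: two reviewers' QC vectors for ten hypothetical records.
# The identifiers and scores are invented for this example, not the review's data.
SAMPLE_RATINGS: Dict[str, Tuple[Sequence[int], Sequence[int]]] = {
    "P01": ((1, 1, 1, 1), (1, 1, 1, 0)),
    "P02": ((0, 1, 0, 0), (0, 0, 0, 0)),
    "P03": ((1, 1, 0, 0), (1, 0, 0, 0)),  # borderline: reviewers disagree
    "P04": ((1, 0, 1, 1), (1, 1, 1, 1)),
    "P05": ((0, 0, 1, 0), (0, 0, 1, 1)),  # borderline: reviewers disagree
    "P06": ((1, 1, 1, 0), (1, 1, 0, 1)),
    "P07": ((0, 0, 0, 1), (0, 1, 0, 0)),
    "P08": ((1, 1, 1, 1), (1, 1, 1, 1)),
    "P09": ((0, 0, 0, 0), (0, 0, 0, 0)),
    "P10": ((1, 1, 0, 1), (1, 1, 1, 0)),
}


def qc_score(scores: Sequence[int]) -> int:
    """Sum a QC1-QC4 vector after validating that it holds exactly four 0/1 values."""
    if len(scores) != len(QC_LABELS) or any(s not in (0, 1) for s in scores):
        raise ValueError("a QC vector must contain four values, each 0 or 1")
    return sum(scores)


def include(scores: Sequence[int]) -> bool:
    """Apply the protocol's retention rule: at least INCLUSION_THRESHOLD points."""
    return qc_score(scores) >= INCLUSION_THRESHOLD


def cohen_kappa(a: Sequence[bool], b: Sequence[bool]) -> float:
    """Cohen's kappa for two raters making the same binary decision on each item.

    kappa = (p_o - p_e) / (1 - p_e), where p_o is the observed agreement rate
    and p_e is the agreement expected by chance from each rater's marginal rates.
    """
    if len(a) != len(b) or not a:
        raise ValueError("both raters must rate the same non-empty set of items")
    n = len(a)
    p_o = sum(x == y for x, y in zip(a, b)) / n
    p_a_yes, p_b_yes = sum(a) / n, sum(b) / n
    p_e = p_a_yes * p_b_yes + (1 - p_a_yes) * (1 - p_b_yes)
    if p_e == 1.0:  # both raters gave one constant answer; no chance correction possible
        return 1.0
    return (p_o - p_e) / (1 - p_e)


def screen(ratings: Dict[str, Tuple[Sequence[int], Sequence[int]]]) -> Dict[str, object]:
    """Turn paired QC vectors into per-reviewer decisions, an agreement statistic and a work list.

    Returns the kappa statistic, the records both reviewers retained or rejected, and
    the records whose decisions differ and therefore need a reconciliation discussion.
    """
    ids = sorted(ratings)
    decisions_a = [include(ratings[i][0]) for i in ids]
    decisions_b = [include(ratings[i][1]) for i in ids]
    rows = list(zip(ids, decisions_a, decisions_b))
    return {
        "kappa": cohen_kappa(decisions_a, decisions_b),
        "agreed_included": [i for i, x, y in rows if x and y],
        "agreed_excluded": [i for i, x, y in rows if not x and not y],
        "disagreements": [i for i, x, y in rows if x != y],
    }


if __name__ == "__main__":
    result = screen(SAMPLE_RATINGS)
    print(f"Cohen's kappa: {result['kappa']:.3f}")
    print("retained by both reviewers:", ", ".join(result["agreed_included"]))
    print("need reconciliation:", ", ".join(result["disagreements"]))
```

On the constructed sample the two reviewers agree on eight of ten records, the marginal retention rates are both 60%, and the kappa therefore comes out at (0.80 − 0.52)/(1 − 0.52), a little under 0.6; the two borderline records P03 and P05 are the ones the weekly meeting would have to resolve.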
After an initial broad query in the Penn State University Libraries Online returned 4650 records, we iteratively refined the Boolean expression and applied strict filters (peer-reviewed journal articles, English, and a five-year window). We then executed the finalized advanced query in an automated tool, which yielded a deduplicated corpus of 250 records. Two reviewers independently screened titles/abstracts and then full texts against the predefined inclusion/exclusion rules and the quality criteria (QC1–QC4), retaining 23 primary studies. Next, we conducted backward and forward snowballing from these 23 papers (reference lists and citing articles), applying the same eligibility and quality thresholds. Snowballing contributed an additional 37 identified records, bringing the deduplicated starting corpus to 287 studies and the final evidence base to 60 extracted studies. The whole process is visually explained in Figure 1.

4. Findings

This section presents the findings from the systematic literature review, organized according to the four research questions that guided this study. The synthesis draws on 60 primary studies [2,3,4,10,11,13,14,20,21,22,23,24,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69] identified through the selection process described in Section 3. In addition to the narrative synthesis of the studies, we also constructed a set of descriptive visualizations from the structured extraction sheet in order to (i) verify that the corpus aligns with the stated research questions, (ii) surface temporal and document-type biases in the available evidence, and (iii) make visible where the literature is thin or uneven.

4.1. Visualization Rationale and Reading Guide

Before turning to each research question, we briefly explain the highlights and how we obtained those highlights. We refer to the visualizations that you will encounter and how they should be read in the context of a systematic review of a relatively small, recent, and topically concentrated literature set.
  • Temporal coverage. We first plotted the number of publications per year from 2003 to 2025 and the total citations per year for the same period. Together, these two figures are presented in this section. The figures let us distinguish between volume-driven growth in NPO cybersecurity scholarship and influence-driven scholarship (i.e., papers that the field actually cites).
  • Alignment with research questions. Because our protocol was driven by four research questions (RQ1–RQ4), we needed to test whether the 60 papers actually “landed” on those questions. We therefore built (a) a simple count of how many articles address each RQ shown in Section 4.2; (b) a share-of-corpus view showing the same information as percentages shown in Section 4.2; and (c) a document-type vs. RQ heatmap shown in Section 4.3 to detect whether, for example, guidance documents systematically answer different questions than empirical papers.
  • Source/database provenance. Because the NPO cybersecurity literature is fragmented across computer science, information systems, public administration, and policy outlets, we wanted to know where the included studies came from. The paired panel in Section 4.5 shows both the long-tail reality (a few venues supply most of the studies) and the near-field view after removing the two large aggregators.
  • Quality/attention signals. Citation counts for small and young corpora are noisy, so instead of using citation counts to rank papers, we summarized the distributions of citations for papers that answered each research question (Section 4.4). This is especially useful because some research questions (notably RQ1) sit closer to operational security practice and are more likely to be cited soon after publication, while others (RQ4) lag.
  • RQ coverage over time. Finally, we asked whether the field “moves” in unison or whether attention drifts between questions over time. We normalized share of yearly papers so that we can see that 2023 is a clear inflection point in which more than one RQ is being answered in the same year.
  • Document-type growth. To connect the SLR narrative (that NPOs increasingly rely on fast, web-available guidance) to the actual corpus we found, we plotted stacked counts of document types per year. This confirms that the spike in 2024 is not only more papers, but also more journal articles and more federal/quasi-federal guidance.
We emphasize that 2025 is a partial year in the corpus (papers accepted or made available early), so all figures, including 2025, should be interpreted as provisional trend indicators, not as a completed year. The visualizations should therefore be read as corroborating and illuminating the textual findings below, not as replacing the qualitative synthesis.
Interpretation (Figure 2). The production of NPO–cybersecurity scholarship is sparse and episodic from 2003 to 2018 (mostly a single paper per year), followed by a clear step change beginning in 2019. Output is 3 in both 2019 and 2020, rises to 6 (2021), dips slightly to 4 (2022), and accelerates sharply thereafter to 9 (2023) and a peak of 14 (2024), with 12 in 2025. The 2024 peak and 2025’s slight decline are best interpreted as a recency effect rather than a reversal, since 2025 is a partial year in our corpus. Substantively, the post-2021 climb aligns with two field-level dynamics we observed during selection: (i) heightened practitioner and philanthropic attention to ransomware and identity compromise in mission-driven sectors and (ii) an uptick in special issues and conference tracks targeting cybersecurity for small, public, and non-profit organizations. For the narrative below, we reference this figure once in the introduction to Section 4 to motivate recency and growth and again in the Discussion/Limitations to caution the reader about temporal bias introduced by partial-year 2025 data.
Interpretation (Figure 3). When we compare Figure 2 and Figure 3, we again see a strong asymmetry driven by citation dynamics over time. The series is dominated by a single outlier in 2021 (>1.1 × 10^4 citations), which is explained by the inclusion of a highly cited methodological guideline (PRISMA 2020) rather than an NPO–cybersecurity study per se. Earlier peaks in 2007 and 2011 likewise reflect legacy standards/guidelines with broad, cross-domain impact (e.g., EBSE, usability methods), not a field-specific influence. This is a classic citation-lag pattern: earlier, general-purpose references have simply had more time—and a wider audience—to accumulate citations. By contrast, the NPO–cyber corpus after 2019 shows modest, rising attention that remains orders of magnitude below 2021, and the low values in 2024–2025 are consistent with recency (papers have not yet had time to be cited). Accordingly, we interpret Figure 3 with robust statistics (medians, distributional views) and avoid overweighting 2021; substantive claims about “what the field believes” rely on 2020–2023 NPO-focused work and on triangulation with our RQ-level analyses.

4.2. RQ1: Top Cybersecurity Risks for NPOs

What Are the Top Cybersecurity Risks for NPOs, How Do These Risks Impact Their Services, and What Are the Methods to Identify and Fix These Issues?

Across the included studies, the most frequently observed initiating events in NPO incidents are social engineering campaigns that lead to credential theft, unauthorized mailbox access, and subsequent misuse of donor or beneficiary data [54,68,70]. Ransomware consistently appears as a consequential outcome because even brief service interruptions disrupt program scheduling, outreach, and case management while diverting limited resources to recovery efforts [34,68]. The prevalence of legacy operating systems, delayed patching, and informal device management increases the likelihood that a single foothold expands laterally or yields exfiltration from shared cloud repositories [34,65].
Weak password practices and persistent use of shared accounts complicate identity governance in high-turnover environments and create uncertainty about access revocation when staff or volunteers depart [68,70]. Default-permissive cloud and software-as-a-service configurations further enlarge the blast radius of a compromised account by exposing third-party integrations and shared folders beyond the principle of least privilege [54,70].
The immediate effects most often documented include interruptions to critical client services, loss of case notes and scheduling artifacts, and reactive communications with donors and partners under time pressure [34,51,65,68]. Long-term impacts are reflected in reputational harm, which can hinder future grant cycles and volunteer recruitment, particularly when incidents become public or must be reported to regulators [51,65].
Mitigation guidance converges on establishing a current asset inventory, enforcing multi-factor authentication, adopting a password manager, and instituting a routine update cadence for endpoints and SaaS platforms [54,68,70]. Several studies emphasize strengthening email protections such as SPF, DKIM, and DMARC, as well as promoting safe-link handling practices and clear procedures for reporting phishing incidents to reduce the duration and severity of credential-based compromises [34,65,68]. Resilience hinges on the ability to recover with confidence: tested backups with defined recovery objectives, ransomware tabletops, and periodic restore drills translate written procedures into operational capability [68,70]. When aligned with accessible frameworks such as CIS Controls Implementation Group 1 or profiles of the NIST Cybersecurity Framework, these practices can be implemented through short, resource-conscious sprints that incrementally strengthen maturity over time [51,54,65,70].
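The email-protection recommendations above (SPF, DKIM, DMARC) can be checked mechanically once a domain's DNS TXT records are in hand, which is the kind of short, resource-conscious task the paragraph has in mind. The following Python is an added example, not tooling from any of the cited studies or from the review itself: it parses an SPF record and a DMARC record, flags the settings that leave a domain open to spoofing (a permissive `+all`, a monitor-only `p=none`, a partial `pct`, no reporting address, too many DNS lookups), and contrasts a weak pair of records with a hardened pair. The record strings and the `example-npo.invalid` and `mailer.invalid` names are constructed for the example; live DNS lookups and DKIM selector-key checks are left out so that it runs offline.

```python
import re
from typing import Dict, List

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_MAX_LOOKUPS = 10

# Constructed sample records for a hypothetical domain (example-npo.invalid).
# These strings are invented for the example; they are not from any real domain.
WEAK_SPF = "v=spf1 include:_spf.mailer.invalid mx +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 include:_spf.mailer.invalid mx -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example-npo.invalid"


def _term_name(term: str) -> str:
    """Strip the qualifier (+ - ~ ?) and any argument: 'include:x' -> 'include', 'a/24' -> 'a'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def assess_spf(record: str) -> Dict[str, object]:
    """Parse a v=spf1 TXT record and report settings that weaken it."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (must start with v=spf1)")
    findings: List[str] = []
    lookups = sum(1 for t in terms[1:] if _term_name(t) in SPF_LOOKUP_TERMS)
    if lookups > SPF_MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {SPF_MAX_LOOKUPS}; receivers return permerror")
    all_term = next((t for t in terms[1:] if _term_name(t) == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result instead of failing")
    elif all_term in ("all", "+all"):
        findings.append("'+all' authorises every sender; use '-all' (or '~all' while testing)")
    elif all_term == "?all":
        findings.append("'?all' is neutral and gives receivers nothing to act on")
    return {"lookups": lookups, "all": all_term, "findings": findings}


def assess_dmarc(record: str) -> Dict[str, object]:
    """Parse a v=DMARC1 TXT record and report policy settings that leave the domain exposed."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record (must start with v=DMARC1)")
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("p= tag missing or invalid; receivers ignore the record")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected while the organisational domain is enforced")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports, so abuse goes unnoticed")
    return {"policy": policy, "pct": pct, "findings": findings}


def assess_email_auth(spf_record: str, dmarc_record: str) -> Dict[str, object]:
    """Combine the SPF and DMARC assessments into one verdict for a domain."""
    spf, dmarc = assess_spf(spf_record), assess_dmarc(dmarc_record)
    findings = [f"SPF: {f}" for f in spf["findings"]] + [f"DMARC: {f}" for f in dmarc["findings"]]
    return {"spf": spf, "dmarc": dmarc, "findings": findings, "enforcing": not findings}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", STRONG_SPF, STRONG_DMARC)):
        verdict = assess_email_auth(spf, dmarc)
        print(f"[{label}] enforcing={verdict['enforcing']}")
        for line in verdict["findings"]:
            print("  -", line)
```

Run on the weak pair it reports one SPF finding and three DMARC findings; on the hardened pair it reports none. To use it on a real domain, the two TXT strings would be retrieved from DNS and passed to `assess_email_auth`; the lookup limit and the 100% `pct` default follow the SPF and DMARC specifications, and the wording of each finding is chosen so that it can be pasted straight into a short remediation list for a volunteer administrator.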
The top cybersecurity risks for NPOs are a combination of data-oriented attacks, human vulnerabilities, and specific technical intrusions. The single greatest challenge identified is data privacy and security [37]. NPOs and Social Enterprises (SEs) are “notable targets” for this because, unlike commercial firms, they often hold highly sensitive and personal data on the vulnerable individuals they serve, such as personal information, medical conditions, or criminal records [34].
The most frequently cited risk is the “human element” [34,46]. People are described as “one of the weakest links” in an organization’s security [45,46]. This human vulnerability makes NPOs highly susceptible to social engineering attacks [34] and phishing, which is a primary threat vector [42]. This risk is intensified by the NPO sector’s dependence on low-skilled or volunteer staff who may not be adequately trained to identify such threats [34]. Beyond social attacks, the literature points to insider threats (both malicious privilege misuse and simple human error) as a significant risk [41].
Ransomware is a prominent threat [32]. A 2017 survey of NPOs and NGOs revealed that fifty percent had already experienced a ransomware event [40]. Other specific technical attacks identified as risks for SMEs and NPOs include TCP port scans, FTP/SSH intrusions, ICMP flood (Denial-of-Service) attacks, and malicious file uploads [39].
NPOs can face severe consequences because of cyberattacks. A successful attack can cause irreparable damage to the organization’s reputation and, therefore, to donor trust [34,41]. This is a critical vulnerability for a sector that relies on public donations for funding [41]. On an operational level, a ransomware attack can lead to significant service disruption and downtime as the organization attempts to restore backups [40]. Furthermore, a “gateway” risk exists for NPOs and SEs that contract with the public sector. A breach at the NPOs could serve as a “gateway for accessing important government systems,” jeopardizing their partnerships and public funding [34].
Where the Visualizations Fit for RQ1
RQ1 is among the most frequently addressed questions in the dataset, as can be seen in Figure 4 and Figure 5 below. This is not accidental: RQ1 corresponds to problem discovery and threat articulation, which is the most common entry point for NPO-oriented cybersecurity work. Notably, the updated corpus shows very tight clustering across RQ1–RQ4 (all in the mid-to-high 40s out of 60), with RQ2 only slightly lower than the others. To make this visible, Figure 4 is placed immediately after the opening of RQ1 (after the sentence ending with “…identified through the selection process described in Section 3” or, to stay closer to the narrative, after the paragraph listing the most frequent initiating events). It provides instant confirmation that the corpus is balanced across the four questions while still pivoting around risk identification.
Critical reading (Figure 4). The updated counts show near-parity across research questions, with only a small spread of a few papers between the highest and lowest bars. This tells us two things: (i) the field does not only write about threats, it also produces material on readiness, training, and assessment, and (ii) any impression from the narrative that “risk papers dominate” is actually more a reflection of how such papers are written (they tend to be longer, more detailed, and more prescriptive) than of their raw frequency. This near-balance is important because it justifies our choice to allocate substantial space to RQ2–RQ4, even if RQ1 is the natural starting point.
For readers who prefer proportions, the same information is shown as a pie chart (Figure 5) immediately after the bar chart; it also serves as a visual recap at the end of Section 4.2.
Critical reading (Figure 5). The pie view shows a fairly balanced distribution. The small advantage for RQ1 is consistent with the practical importance of threat identification, but the field is not over-concentrated. This also weakens the argument that “we only have descriptive papers”; instead, we have a modestly plural literature.
Finally, RQ1 is also the question for which we observe the broadest document-type participation: conference papers, journal articles, and books all contribute to threat/risk articulation.

4.3. RQ2: Affordable Cybersecurity Practices and Training

What Affordable Cybersecurity Practices, Especially in Employee Training, Can Nonprofits with Limited Resources Adopt? How Do Knowledge Gaps Differ Across Nonprofit Sectors?

The literature consistently finds that awareness and behavior change initiatives deliver the highest return on investment for nonprofits, particularly when training is brief, recurring, and directly aligned with daily donor engagement or program operations [51,56,63]. Micro-learning modules, calibrated phishing simulations, and rapid feedback loops improve recognition of deceptive prompts and increase reporting by non-technical staff and volunteers [56,63,71,72]. Leadership endorsement is repeatedly associated with higher adoption of day-to-day security practices such as password-manager use and multi-factor prompts, as expectations are framed as routine rather than optional [51,56].
Cost-effective technical safeguards are widely accessible: enabling multi-factor authentication on email and mission-critical SaaS, configuring automatic updates, standardizing secure file-sharing defaults, and limiting local administrator privilege reduce credential theft and inadvertent data exposure in measurable ways [63,71,72,73].
Sectoral differences often reflect regulatory context and operational complexity. NPOs operating in the health and education sectors tend to adopt encryption, incident handling procedures, and formalized training earlier due to data protection obligations, whereas small, rural NPOs show greater variability in cybersecurity hygiene and rely more heavily on default cloud settings [72,73,74]. Materials tailored to local realities, such as printable quick-reference guides for low-bandwidth sites or brief onsite sessions tied to community events, improve completion and retention without requiring dedicated security staff [51,56,63]. Several studies also document the practical value of NPO licensing programs, community toolkits, and university partnerships that provide workshops and assessment clinics, enabling baselines that might otherwise be financially out of reach [73,74].
Collectively, these findings suggest that sustained improvement occurs when concise, actionable policies are reinforced through concrete tools and a predictable rhythm of reinforcement, making secure behavior an integrated part of organizational culture [51,56,63,71].
Large-scale survey evidence reinforces these findings. A multi-industry study of 187 individuals across 18 countries found a significant gap between in-role and extra-role cybersecurity behavior, indicating that security must be embedded in organizational culture rather than confined to IT roles [75]. This is particularly relevant for NPOs where high turnover necessitates that cybersecurity become everyone’s responsibility [51,56].
Given that NPOs and SMEs operate with a “relative lack of resources” [41], affordable and sustainable practices are essential. The most low-cost and effective practices involve establishing strong “cyber-hygiene controls,” which are often “free to adopt” [40]. These include basic but critical measures such as ensuring segmentation of duties, implementing clear access policies [40], and making the best use of security features already present in existing hardware and software [40]. Organizations can also leverage freely available guidelines from bodies like OWASP and NIST to build a security framework without high costs [40]. Another “resource-efficient” practice is the adoption of lightweight security solutions built with “open-source tools,” such as the HoneyLite honeypot, which is designed to operate with minimal overhead [39].
Employee training is identified as a critical and affordable practice to mitigate the “people factor,” which is often the weakest link in security [45]. NIST Special Publication 800-50 provides a comprehensive life-cycle approach for building a training program, which includes four key steps: Design, Development, Implementation, and Post-Implementation [45]. This document outlines a “learning curve” that all organizations can follow [45]. This continuum begins with Awareness, which serves to focus employee attention on security; advances to Training, which builds specific skills to perform a function; and finally mentions Education, which integrates all security skills into a common body of knowledge for security professionals [45]. For NPOs with an informal and participatory culture [41], an Action Research (AR) methodology is recommended [41]. This approach engages staff directly in the process of improving security, which simultaneously educates them and builds organizational buy-in, making the security practices more sustainable [41]. A more novel technique for motivating “extra-role” security behaviors, like reporting phishing [42], is security gamification, which uses leaderboards and incentives to encourage participation [42].
Knowledge gaps differ based on organizational characteristics rather than by specific NPO sectors. SME size (number of employees) and employee education level were the two most significant factors affecting cybersecurity awareness [38]. Factors such as an employee’s age, gender, or specific role did not show a statistically significant impact [38]. A crucial knowledge gap identified in Social Enterprises is that managers often underestimate their risk profile [34]. They tend to believe they are not valuable targets because they do not hold “commercially valuable data” [34], failing to recognize that the sensitive personal data they possess on vulnerable populations is, in itself, a high-value target [34]. Similarly, needs and knowledge gaps differ based on an SME’s role in the digital ecosystem [32], which can be categorized as start-ups, digitally dependent, digitally based, or digital enablers [32,36].
Where the Visualizations Fit for RQ2
Even though RQ2 is slightly less frequent than the other RQs (about 23.5%, 43/60), it is the most sector-sensitive question, and this shows up in the heatmap in Figure 6. Conference papers and federal security guidance both show uniform coverage across all four RQs (1.00 in each cell), while journal articles are broadly strong but a bit lower on RQ2 (∼0.76) relative to RQ1/RQ3/RQ4 (∼0.85/0.88/0.82). Books/chapters contribute selectively (about 0.80/0.80/0.70/0.80), and standards emphasize readiness/assessment (0.50/0.50/1.00/1.00). This pattern matches the applied, often pilot-style character of practice/training studies. Figure 6 is placed at the end of RQ2 (after the paragraph on sectoral differences); note in particular that conference papers and federal guidance answer all four RQs in our dataset (guidance has a smaller absolute count).
Critical reading (Figure 6). Three points deserve emphasis.
  • Conference papers and guidance as integrators. Both categories exhibit uniformly high coverage (1.00) across RQ1–RQ4, indicating that comprehensive treatments of risks, practices, readiness, and assessment are available in these outlets. For guidance, note the smaller absolute count—coverage is high within type, not necessarily in volume.
  • Journal articles as depth providers with a slight RQ2 dip. Journal articles show ∼0.85 (RQ1), 0.76 (RQ2), 0.88 (RQ3), and 0.82 (RQ4). This matches intuition: deeper methodological/governance questions tend to appear in journals, while affordable-practice (RQ2) content is a touch more dispersed across conferences/theses.
  • Type-specific emphases. Books/chapters are balanced but lighter on RQ3 (0.70). Standards lean strongly toward RQ3–RQ4 (1.00 each) versus RQ1–RQ2 (0.50/0.50). Theses/dissertations are strongest on RQ1 and RQ4 (1.00) but lower on RQ2–RQ3 (0.67). Research article items in this corpus show 0.00 across cells, and “Other” exhibits partial coverage (0.50 on RQ2–RQ4). Together, these patterns explain why RQ2 appears more sector-sensitive: evidence for affordable practices and training is concentrated in venues that emphasize implementation and short-cycle evaluation.

4.4. RQ3: Factors Influencing Cybersecurity Readiness

What Factors Influence Cybersecurity Readiness in NPOs, Like Location (Urban vs. Rural), Budgets, and IT Skills? How Do Things Like Cyber Insurance and Third-Party Agreements Affect Their Security?

Readiness trajectories in NPOs are shaped by structural capacity and the complexity of digital ecosystems combining donor platforms, accounting systems, and collaboration suites [29,61,74]. Stable funding, clear governance, and assigned technology ownership correlate with more predictable progress on identity, backup, and configuration baselines than contexts that rely on episodic grants and ad hoc volunteer support [61,74]. Budget limitations and thin staffing remain the most frequently cited barriers to timely patching, centralized device management, and routine access reviews, especially for teams distributed across multiple sites [29,61,76].
These resource constraints are empirically confirmed by the 2022 National Cybersecurity Review of 3681 organizations, which found that 79% had fewer than five cybersecurity staff and 72% cited insufficient funding as a primary barrier [12]. However, the data also reveals a maturity effect: organizations participating in structured assessments for eight consecutive years scored 41% higher than first-time participants, demonstrating that sustained engagement yields measurable improvements despite resource limitations [12].
Geography introduces additional variation. Rural organizations face limited broadband and a smaller pool of service providers, slowing incident response and increasing reliance on unmanaged personal devices. In contrast, urban organizations typically manage larger identity footprints and a greater number of interconnected platforms that expand their potential attack surface [29,76,77].
Cyber insurance appears as both an incentive and an indicator of maturity because applications typically require multi-factor authentication, tested backups, endpoint protection, and basic incident documentation as preconditions for coverage [76,77,78]. However, several studies caution that checklist compliance is not a substitute for operational capability unless organizations test restores, rehearse decision making, and validate permission scopes on a fixed schedule [66,77,78].
Vendor relationships add a defining layer of risk. Donor management systems, grant portals, mailing tools, and fiscal agents create significant dependencies that must be governed by explicit access boundaries and breach-notification terms to prevent propagation of compromise across organizational interfaces [29,61,74]. Feasible mitigations include lightweight vendor assessments, explicit role scoping, and periodic offboarding of stale integrations, which can be implemented without a formal procurement process [66,78]. Finally, board visibility into risk posture, the assignment of security ownership, and the inclusion of simple performance indicators in regular reviews are associated with sustained improvements even when budgets remain constrained [29,61,76].
An NPO’s cybersecurity readiness is influenced by a complex set of internal and external factors. The authors in [33] organize these factors into three traditional categories—Technology, Organization, and Environment—and add two new ones specific to cybersecurity: “cyber catalysts” (such as cyber risk and vulnerability) and “practice standards” (such as legal and ethical requirements). The authors of [34] identify a similar list of factors, including the enterprise’s characteristics (its size and nature), management characteristics (such as “absorptive capacity” or “overload,” which limits their ability to take on new information), the organization’s cyber history (past experience with attacks), and its IT usage (such as reliance on cloud platforms) [34].
Budgets and IT skills are overwhelmingly cited as the most significant factors, typically falling under the category of “resource constraints” [34]. This lack of resources is a “key similarity” between NPOs and SMEs [41]. Budget constraints are directly linked to the inability to hire specialized staff [40] or afford dedicated security departments [40]. A study of Welsh SMEs statistically confirmed that an employee’s education level and the size of the SME itself were the two factors with the most significant impact on cybersecurity awareness and readiness [43]. While some of the provided research included informants from diverse geographical locations (e.g., Alston Moor, a village) [34], the documents do not offer a direct comparison or analysis of how urban versus rural locations specifically influence the cybersecurity readiness of NPOs.
Cyber insurance is identified as one potential, though complicated, factor in readiness. The authors of [44] frame it as a risk transfer countermeasure. One small firm used cyber-liability insurance as its main contingency plan in place of technical solutions [33]. However, its utility for NPOs is questioned, as financial compensation may not be a “meaningful support” for a socially motivated organization [34], and it is difficult to insure against the full scope of reputational or social-mission-related damage [34].
Third-party agreements are a critical environmental factor. NPOs and SMEs must consider the supply chain [33], and it is recommended that they establish security policies before engaging with partners or granting vendors access to their networks. For NPOs, data privacy and security concerns related to sharing information are often their single greatest challenge [37]. A proposed data governance model for NPOs is designed specifically to manage these third-party relationships by creating a data access matrix that defines clear policies for data sharing [37].
Where the Visualizations Fit for RQ3
RQ3 is about variation: why do some NPOs progress while others remain stagnant? Three of the visualizations are especially useful here:
  • the RQ coverage over time plot (Figure 7);
  • the citation distributions per RQ plot (Figure 8);
  • the document types per year stacked bar (Figure 9).
Together, they let us argue that readiness (RQ3) became a more explicit concern only after 2023 and that the papers dealing with readiness are not necessarily the most cited ones (which again maps to the fact that readiness work is harder, more contextual, and often local).
Critical reading (Figure 7). The plot shows a sparse, step-like pattern in the early years (small n per year), followed by a concurrent rise of RQ1–RQ4 in 2023. This pattern suggests that earlier contributions were episodic and topic-specific, but as the literature matured, multiple streams (risks, affordable practices, readiness, and assessment) began to be published in the same calendar year. The modest dips in 2024 and 2025 should not be misread as declining interest: they are a denominator effect created by many more total papers per year, so each RQ’s share falls even if absolute counts rise. In short, Figure 7 signals breadth expansion rather than fatigue, with 2023 marking the point at which all four RQs are simultaneously salient.
Figure 7. RQ coverage over time (line chart; share of yearly papers, normalized within each year). 2023 is a turning point where multiple RQs are concurrently addressed; 2024–2025 show declining shares not because of disinterest but because of a much larger denominator (more total papers). Note that early years with very few papers produce step-like values near 0 or 1.00, so apparent spikes there reflect small-n effects rather than substantive shifts.
Figure 8. Citation distributions for articles addressing each RQ. Orange line = median; green triangle = mean; circles = outliers.
Critical reading (Figure 8). Citations are heavy-tailed across all RQs: each distribution has a long right tail with a few highly cited items (hundreds of citations, e.g., widely referenced frameworks or methodology papers), while the medians remain low (typical of a young, practice-facing literature). For RQ3 (readiness), the mean is noticeably higher than the median, indicating that a small subset of readiness papers captures a disproportionate share of attention. This supports our decision in RQ3 to foreground large-scale or repeatedly administered assessments (e.g., national surveys, standard-aligned audits), since such designs tend to generate the sustained citations visible in the upper tails. Overall, the boxplots confirm that influence is concentrated in a few anchor works while most contributions receive modest early uptake.
Figure 9. Document types per year (2003–2025; 2025 is partial). Stacked bars show yearly counts by normalized type (top six types plus “Other”). Journal Articles dominate the 2024 surge and remain high in 2025, while Conference Papers are steady; Books/Chapters, Standards, and Theses/Dissertations appear intermittently.
Critical reading (Figure 9). The stacked composition clarifies that the 2024 jump is not merely volume—it is driven primarily by Journal Articles, the outlet where readiness and governance constructs are usually formalized. Conference Papers contribute consistently across years, seeding applied ideas that later mature into journal work. Standards and Theses/Dissertations appear in punctuated bursts, aligning with specific initiatives rather than a continuous pipeline. The apparent dip in 2025 reflects partial-year coverage rather than a structural reversal. Together with Figure 7, this mix supports our RQ3 claim that NPO cybersecurity is transitioning from primarily descriptive accounts to more structured, readiness-oriented analyses in venues that reward methodological depth.

4.5. RQ4: Assessing Cybersecurity Preparedness and Resilience

How Can NPOs Assess Their Cybersecurity Preparedness and Resilience?

Assessment practices that are viable for NPOs converge on approaches that are brief, repeatable, and directly linked to action, avoiding tools that require specialist audit training [66,79]. Three models recur across the corpus: (i) control-based self-assessments adapting profiles of the NIST Cybersecurity Framework or the CIS Controls, which help small teams identify first-mile gaps in identity, backup, and email hygiene [66,79]; (ii) capability-maturity models scoring the identify, protect, detect, respond, and recover functions, which provide a scaffold for sequencing improvements and for communicating expectations to leadership and funders [48,79]; and (iii) short survey instruments tailored to NPO workflows, which quantify coverage of essential practices such as multi-factor authentication, backup validation, access review cadence, and password-manager use, creating trend lines that boards can review quarterly [48,79,80].
The literature emphasizes that assessment alone does not generate resilience. Findings must translate into time-bound plans with named owners and clear acceptance criteria, and several papers report success with ninety-day sprints that bring a small set of controls to completion [48,80]. The authors also stress the role of rehearsal. Tabletop exercises that simulate a vendor breach, business email compromise, or a ransomware restore expose communication and dependency gaps that static documentation misses and provide practical evidence of progress to leadership [80,81]. Quarterly review cadences that surface a handful of performance indicators encourage incremental investments and normalize security work as part of routine governance rather than a one-time audit event [52,81].
In aggregate, the evidence indicates that resilience is less a function of costly technology and more the product of disciplined measurement, routine practice, and sustained leadership attention over time [66,79].
This recommendation is empirically supported by longitudinal data showing that organizations participating in repeated assessments demonstrate significantly higher readiness scores, with eight-year participants scoring 41% higher than first-time participants [12]. This maturity curve validates the adoption of recurring assessment cycles as a core governance strategy that normalizes security evaluation and facilitates gradual capability building [52,81].
NPOs and SMEs can assess their cybersecurity preparedness and resilience using several proposed frameworks and models that are specifically tailored to their resource-constrained and socio-technical environments. A “one-size-fits-all” approach is considered unsuitable [32]. Instead, assessment methods should be adapted to the organization’s specific needs and digital maturity. A socio-technical cybersecurity framework established for SMEs guides assessment by first categorizing the organization into one of four types based on its digital maturity: start-ups, digitally dependent SMEs, digitally based SMEs, or digital enablers [32]. For the least mature organizations (start-ups and digitally dependent), the framework recommends intuitive, threat-based cybersecurity risk assessment approaches [32]. These methods are more effective for this group because they use real-life threat information and do not require extensive internal cybersecurity expertise, which helps motivate employees and managers who may have low awareness [32]. For more mature organizations (digitally based and digital enablers), the framework advises using more comprehensive risk assessment frameworks and maturity models that can help them work toward and prove compliance with formal standards [32]. Another paper, “Cybersecurity-Standardisation-for,” mentions the CySME maturity model as a specific tool that allows SMEs to perform a self-assessment of their cybersecurity capabilities in a “standards-transparent way” [36]. Another way to frame assessment is through the lens of cyber resilience, which is defined as a continuous, dynamic process rather than a static goal. Organizations can assess their preparedness by evaluating their capabilities across five interconnected layers.
This model includes the Foundational Layer (Company Security), which covers basic safeguards and policies; the Risk Management Layer (Cyber Risks), which involves assessment and prioritization; the Technical Layer (Cybersecurity), which includes threat detection and encryption; the Operational Layer (Operational Resilience), which covers incident response and business continuity; and the Strategic Layer (Digital Maturity), which aligns security with long-term innovation [35]. Preparedness is thus measured by the organization’s ability to maintain the continuous feedback loops between these five layers [35]. Finally, for a formal process of assessment, Multicriteria Decision Analysis (MCDA) [44] could be applied. This method provides a structured and transparent way for NPOs to assess their risk posture and evaluate potential countermeasures by quantifying the three core components of risk: Threat, Vulnerability, and Consequence (TVC) [44].
Where the Visualizations Fit for RQ4
RQ4 links our SLR to the envisioned analysis pipeline (NER → Knowledge Graph → NIST mapping). Two additional visualizations reinforce the “assessment and infrastructure” part of that story:
  • The Top sources/databases plot (Figure 10), which in our updated corpus shows a highly fragmented landscape with no single dominant aggregator; most venues contribute 1–2 papers each (e.g., ProQuest, IEEE Transactions on Engineering Management, ACM ICPS, Computers, Journal of Business Research, Land Use Policy, Springer). This matters because assessment tooling for NPOs is often published across heterogeneous outlets rather than within one centralized repository.
  • The RQ coverage by document type heatmap (Figure 6) shows that federal standards and guidance are present but thinly coded. This dispersion across sources strengthens the case for our pipeline’s consolidation step (ontology + control graph), which maps disparate guidance back to NIST/CIS so NPO teams can act on it.
Critical reading (Figure 10). Unlike a “winner-takes-most” pattern, our evidence base is spread across general scholarly platforms and domain journals with near-uniform small counts. This is an important limitation: there may be high-quality programmatic material in NPO networks (e.g., TechSoup, NTEN, and sectoral consortia) that does not surface in these databases and thus does not appear in our counts. The updated single-panel view makes the fragmentation explicit and, together with Figure 6, motivates our knowledge-graph approach: by normalizing terms and linking controls to evidence across outlets, the pipeline reduces search friction and helps NPOs assemble complete, actionable assessment checklists from scattered sources.

4.6. Positioning of Visualizations’ Limitations and Biases

The flow of the Findings section becomes:
Placed this way, each visualization “does work”: it either justifies why we gave some RQs more narrative space, or it exposes a bias (recency, source, document type) that motivates the computational framework. The identified limitations of our SLR coincide with the limitations of any SLR and are related to biases in the availability of publications and in the study selection processes, to inaccuracy in the study extraction process, and to misclassification of published results [82].

4.7. Envisioned Analysis to Assess Cybersecurity Readiness

4.7.1. Design Principles

  • Evidence-grounded: Map every output to explicit sources (survey responses, documents, or guidance) with provenance so that recommendations are auditable.
  • Low-friction + low-cost: Favor brief instruments, automation, and defaults already present in common SaaS stacks (per RQ2).
  • Action over inspection: Convert findings into short, sequenced sprints with acceptance criteria (assess → decide → implement → rehearse), reflecting RQ4.
  • Uncertainty-aware: Report confidence and data coverage; avoid over-claiming for partial or noisy inputs (citation/recency cautions in Figure 3).

4.7.2. Pipeline Overview

  • Instrument and sampling. We adapt the MIT Cybersecurity Clinic survey (17 items) [75] and extend it with micro-indicators surfaced by the SLR (e.g., MFA coverage on mission SaaS; backup and restore drills; vendor offboarding cadence; DMARC enforcement). Items are grouped by NIST CSF 2.0 functions (Identify; Protect; Detect; Respond; Recover) and CIS IG1 sub-controls to enable consistent scoring across organizations and time.
  • Data intake, normalization, and privacy. Responses are captured via a lightweight web form. Free text is automatically redacted for PII using deterministic regex + dictionary screening; organizations approve redactions before storage. All responses are normalized to a typed schema (org_profile, control_claims, incidents, vendors) for downstream analysis.
  • Sector ontology and control graph. We define a minimalist ontology that links risks (phishing, BEC, ransomware), assets (email, donor CRM, file sharing), and controls (MFA, backups, least privilege). Nodes are aligned to NIST CSF 2.0 categories/subcategories and CIS IG1 safeguards; edges encode risk→control mitigations and control→evidence claims. This “control graph” is populated from our SLR coding so that each edge carries literature-backed rationales.
  • Information extraction (hybrid). Open-ended answers and policy snippets are parsed with a hybrid approach: (i) rules for high-precision cues (e.g., “% of accounts with MFA”) and (ii) a compact NER/sequence-labeling model (e.g., bert-base fine-tuned on a small, SLR-derived annotation set) to detect entities such as tool names, configurations, and process verbs (“tested restore”, “quarterly review”). Low-confidence extractions are surfaced for one-click human confirmation (active learning loop).
  • Readiness scoring with uncertainty. Each subcategory receives a score $s \in [0, 1]$ using
    $$ s = w_c \cdot \text{control\_claim} + w_e \cdot \text{evidence} + w_r \cdot \text{rehearsal} $$
    where claim reflects self-report, evidence reflects corroboration (e.g., screenshot/log snippet), and rehearsal rewards drills (tabletops/restore tests). We propagate confidence intervals from extraction quality and evidence presence. A small number of must-have IG1 safeguards (MFA on email, tested backups, patch/auto-update) gate the overall maturity band.
  • Risk- and cost-aware prioritization. Gaps are ranked by a multi-criteria function:
    $$ \text{priority} = \alpha \cdot \text{risk\_reduction} + \beta \cdot \text{implementation\_effort}^{-1} + \gamma \cdot \text{dependency\_unlock} $$
    with sector-aware weights (health/education vs. small rural NPOs), reflecting RQ3’s context. Defaults target “high impact, low effort” wins first (MFA, password manager, update cadence, DMARC).
  • Recommendations and 90-day action plans. For each top-k gap, the system generates a sprint card with control objective (NIST/CIS reference), exact steps in common SaaS suites, owner, due date, acceptance test, and rollback. Where appropriate, we attach templated scripts/policies and a one-page board brief.
  • Evaluation and learning. We assess the following to visualize trends at the function/subcategory level: (a) inter-rater reliability on extractions, (b) face validity via expert review, (c) back-testing on known incidents (do recommended controls align with documented failure points?), and (d) outcome tracking to re-administer at 90/180 days to measure deltas. Models are periodically re-tuned as the corpus grows, with drift monitors for vocabulary and control adoption.
  • Deliverables and UX. Outputs include a readiness dashboard (scores, confidence, trend lines), a ranked backlog with sprint cards, and a “board view” summarizing 5–7 indicators (MFA coverage, restore success, open vendor tokens, aged accounts, and phishing-report rate). All artifacts carry provenance links back to the underlying answers/evidence and the relevant literature edges in the control graph.
  • Ethics and governance. We implement explicit consent, data minimization, and role-based access to organizational data; only aggregate, de-identified benchmarks are shared publicly. The ontology, annotation guidelines, and scoring rubric are open-sourced to enable replication and third-party audits.
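The scoring, gating, and prioritization steps of the pipeline, worked through on constructed data as an added illustration (this is not the authors' implementation). The weights, the confidence-interval model, the gap and gate thresholds, the band names, and the sample subcategories are all assumptions.

```python
"""Readiness scoring, IG1 gating and gap prioritization for one NPO assessment.

Added illustration of the pipeline steps described above; not the authors' code.
Weights, the interval model, band thresholds and all sample data are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumed weights for s = w_c*claim + w_e*evidence + w_r*rehearsal (sum to 1).
W_CLAIM, W_EVIDENCE, W_REHEARSAL = 0.3, 0.4, 0.3
# Assumed weights for priority = a*risk_reduction + b*effort^-1 + g*dependency_unlock.
ALPHA, BETA, GAMMA = 0.5, 0.3, 0.2
GAP_THRESHOLD = 0.7   # assumed: a subcategory scoring below this is a gap
GATE_THRESHOLD = 0.7  # assumed: a must-have safeguard below this fails the gate


@dataclass
class Subcategory:
    name: str                 # CSF 2.0 subcategory label (illustrative)
    claim: float              # self-reported coverage in [0, 1]
    evidence: float           # corroborated coverage in [0, 1] (screenshot/log)
    rehearsal: float          # 1.0 if a drill / restore test was performed
    extraction_conf: float    # confidence of the rule/NER extraction in [0, 1]
    risk_reduction: float     # expected risk reduction if the gap is closed, [0, 1]
    effort: int               # implementation effort on a 1 (trivial) .. 5 scale
    dependency_unlock: float  # share of other controls this one unblocks, [0, 1]
    must_have: bool = False   # IG1 safeguard that gates the maturity band


def readiness_score(sc: Subcategory) -> tuple[float, float, float]:
    """Return (s, low, high) for one subcategory.

    Assumed interval model: the self-reported claim is the only term that
    depends on extraction; its true value is taken to lie within
    claim +/- (1 - extraction_conf), clipped to [0, 1].  Evidence and
    rehearsal are treated as confirmed and carry no extra uncertainty.
    """
    corroborated = W_EVIDENCE * sc.evidence + W_REHEARSAL * sc.rehearsal
    s = W_CLAIM * sc.claim + corroborated
    slack = 1.0 - sc.extraction_conf
    low = W_CLAIM * max(0.0, sc.claim - slack) + corroborated
    high = W_CLAIM * min(1.0, sc.claim + slack) + corroborated
    return round(s, 3), round(low, 3), round(high, 3)


def priority(sc: Subcategory) -> float:
    """Multi-criteria priority; lower effort raises priority via 1/effort."""
    p = ALPHA * sc.risk_reduction + BETA / sc.effort + GAMMA * sc.dependency_unlock
    return round(p, 3)


def rank_gaps(subcats: list[Subcategory]) -> list[tuple[str, float]]:
    """Gaps (score below GAP_THRESHOLD), highest priority first."""
    gaps = [sc for sc in subcats if readiness_score(sc)[0] < GAP_THRESHOLD]
    return sorted(((sc.name, priority(sc)) for sc in gaps), key=lambda t: -t[1])


def maturity_band(subcats: list[Subcategory]) -> tuple[str, list[str]]:
    """Overall band; any failed must-have safeguard forces the lowest band.

    Band names and thresholds are assumed, not taken from the paper.
    """
    failed = [sc.name for sc in subcats
              if sc.must_have and readiness_score(sc)[0] < GATE_THRESHOLD]
    if failed:
        return "Baseline", failed
    mean = sum(readiness_score(sc)[0] for sc in subcats) / len(subcats)
    if mean < 0.4:
        return "Initial", []
    if mean < 0.7:
        return "Managed", []
    return "Established", []


# Constructed sample responses for one fictional NPO (not real data).
SAMPLE = [
    Subcategory("PR.AA: MFA on email", 0.6, 0.5, 0.0, 0.9, 0.9, 1, 0.5, True),
    Subcategory("PR.DS: tested backups", 1.0, 0.8, 1.0, 0.95, 0.8, 2, 0.3, True),
    Subcategory("GV.SC: vendor offboarding", 0.4, 0.0, 0.0, 0.5, 0.4, 3, 0.2),
    Subcategory("PR.PS: patch/auto-update", 0.9, 0.9, 0.0, 0.9, 0.7, 1, 0.4, True),
]

if __name__ == "__main__":
    for sc in SAMPLE:
        print(sc.name, readiness_score(sc))
    print("ranked backlog:", rank_gaps(SAMPLE))
    print("maturity band:", maturity_band(SAMPLE))
```

Note how the low-confidence vendor-offboarding extraction yields a wide interval (0.0 to 0.27) even though its point score is 0.12, which is the signal that would route it to one-click human confirmation.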
Why this advances the field. The pipeline operationalizes three insights from the SLR: (i) behavioral controls and simple configurations produce outsized gains (RQ2); (ii) readiness varies with governance, staffing, and vendor dependence (RQ3); and (iii) assessment drives resilience when tied to rehearsal and short, owned sprints (RQ4). By combining an interpretable control graph with uncertainty-aware scoring and cost-sensitive prioritization, the approach yields recommendations that are both explainable to leadership and actionable by small teams. Finally, the 90/180-day reassessment loop creates the longitudinal signal that the literature associates with measurable maturity improvement.

5. Conclusions

This systematic literature review (SLR) synthesizes evidence from 60 primary studies to address the critical cybersecurity vulnerabilities facing nonprofit organizations (NPOs). Our analysis confirms that phishing, credential theft, and ransomware are the most prevalent threats (RQ1), disproportionately impacting resource-constrained organizations. Contrary to the assumption that security requires expensive enterprise tools, we found that affordable interventions, specifically awareness training, multi-factor authentication, and secure cloud configurations, offer the highest return on investment (RQ2). However, readiness is not uniform; it is heavily stratified by organizational stability, technical governance, and geography, with rural NPOs facing distinct infrastructure deficits compared to their urban counterparts (RQ3). Assessment and resilience were found to depend less on static checklists and more on “disciplined measurement,” such as regular tabletop exercises and lightweight maturity models (RQ4).
The managerial and policy implications for practitioners and policymakers point to a shift in strategy. NPOs should prioritize low-cost, high-impact behavioral controls (for instance, regular phishing simulations) over complex technical acquisitions. Cybersecurity awareness needs to be embedded into organizational culture through micro-learning and leadership endorsement; policy frameworks should support resource-constrained NPOs with subsidized training, shared security services, and cyber insurance incentives; and collaborative partnerships between NPOs, academia, and government should be encouraged to sustain long-term cybersecurity capacity building. Founders, funding agencies, and boards must recognize that cyber insurance is a complement to, not a substitute for, operational readiness. Furthermore, the clear urban–rural divide suggests that capacity-building grants must be tailored: rural NPOs need fundamental infrastructure support, while urban organizations require governance for complex vendor ecosystems.
To advance this field, future research must move beyond descriptive studies. We propose a computational framework leveraging natural language processing (NLP) and knowledge graphs to automate the mapping of NPO-specific vulnerabilities to NIST standards. By combining survey data with established frameworks, this approach aims to produce predictive, scalable guidance that bridges the gap between corporate security standards and the reality of the NPO sector. Additionally, lessons from resource-constrained environments can inform future NPO cybersecurity strategies.

Author Contributions

Conceptualization, M.R., P.K., A.S., F.M.R. and D.R.; methodology, F.M.R., A.S. and D.R.; software, A.S., F.M.R. and D.R.; validation, M.R., A.S., V.G., P.K., F.M.R. and D.R.; formal analysis, A.S., F.M.R. and V.G.; investigation, M.R., P.K., A.S., V.G. and D.R.; resources, M.R. and D.R.; data curation, P.K., A.S. and V.G.; writing—original draft preparation, M.R., P.K., A.S. and D.R.; writing—review and editing, M.R., P.K., A.S., V.G., F.M.R. and D.R.; visualization, V.G. and F.M.R.; supervision, M.R. and D.R.; project administration, M.R.; funding acquisition, M.R. All authors have read and agreed to the published version of the manuscript.

Funding

This work was partially supported by Penn State University Presidential Public Impact Research Award grant and by Penn State Great Valley.

Data Availability Statement

All data can be recovered from the article. Any data and code that readers are not able to (re)produce are available upon request.

Acknowledgments

We would like to express our gratitude to the Presidential Public Impact Research Award (PPIRA) grant awardees for the project “Enhancing Cybersecurity Readiness in Non-Profit Organizations Through Collaborative Research and Innovation”, including professors and students from the Commonwealth Campuses (Abington, Berks, Greater Allegheny, Schuylkill).

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. De Oro, G.C. The Role and Relevance of Resilience in the Nonprofit Sector: A systematic review of the literature. J. Public Nonprofit Aff. 2025, 11, 28–47.
  2. Friesenhahn, E. Nonprofit Organizations: State and Regional Employment Trends. 2025. Available online: https://www.bls.gov/opub/mlr/2025/article/nonprofit-organizations-state-and-regional-employment-trends.htm (accessed on 25 October 2025).
  3. Faulk, L.; Kim, M.; Derrick-Mills, T.; Boris, E.; Tomasko, L.; Hakizimana, N.; Chen, T.; Kim, M.; Nath, L. Nonprofit Trends and Impacts 2021. 2021. Available online: https://www.urban.org/research/publication/nonprofit-trends-and-impacts-2021 (accessed on 25 October 2025).
  4. Niyonzigira, F. Exploring Nonprofit Organizations’ Successful Compliance Strategies Against Cyber Threats: A Qualitative Study Inquiry. Ph.D. Thesis, Capella University, Minneapolis, MN, USA, 2023.
  5. Lazar, A. Cyber-Poor, Target-Rich: The Crucial Role of Cybersecurity in Nonprofit Organizations. 2024. Available online: https://cyberpeaceinstitute.org/news/cyber-poor-target-rich-the-crucial-role-of-cybersecurity-in-nonprofit-organizations/ (accessed on 25 November 2025).
  6. Ferrari, A. Nonprofit Cybersecurity: NIST CSF 2.0 as Exemplar of the ZERO. Master’s Thesis, University of New Hampshire, Durham, NH, USA, 2024.
  7. OSIbeyond. Why Non-Profits and Associations Are Targets for Cyber Attacks. 2024. Available online: https://www.osibeyond.com/blog/why-non-profits-and-associations-are-targets-for-cyber-attacks/ (accessed on 25 November 2025).
  8. The Modern Nonprofit. Nonprofits Are Prime Targets for Cyberattacks—Is Your Organization at Risk? 2025. Available online: https://themodernnonprofit.com/nonprofits-are-prime-targets-for-cyberattacks-is-your-organization-at-risk/ (accessed on 25 November 2025).
  9. Identity Theft Resource Center. 2023 Annual Data Breach Report Reveals Record Number of Compromises. 2024. Available online: https://www.idtheftcenter.org/post/2023-annual-data-breach-report-reveals-record-number-of-compromises-72-percent-increase-over-previous-high/ (accessed on 25 November 2025).
  10. Archive, N.R.N. Card and Mobile Payment Industry News. 2021; Issue 1209. Available online: https://nilsonreport.com/content_promo.php?id_promo=16 (accessed on 25 November 2025).
  11. Snow, R.; Leach, E.; Tomko, M. The Status of Rural Pennsylvania Nonprofits. 2013. Available online: https://www.rural.pa.gov/getfile.cfm?file=Resources/PDFs/research-report/status_rural_of_nonprofits_2013.pdf&view=true (accessed on 3 February 2025).
  12. CISRA. Nationwide Cybersecurity Review. 2022. Available online: https://www.cisecurity.org/insights/white-papers/2022-nationwide-cybersecurity-review (accessed on 3 February 2025).
  13. World, T.E. Tax Exempt World. 2022. Available online: https://www.taxexemptworld.com/ (accessed on 3 February 2025).
  14. National Council of Nonprofits. What is a Nonprofit? 2022. Available online: https://www.councilofnonprofits.org/what-is-a-nonprofit (accessed on 3 February 2025).
  15. Omega Systems. Bolstering Nonprofit Cybersecurity & Resilience in Today’s Threat Landscape. 2023. Available online: https://omegasystemscorp.com/insights/blog/bolstering-nonprofit-cybersecurity-resilience-in-todays-threat-landscape/ (accessed on 25 November 2025).
  16. Global Cyber Alliance. GCA Cybersecurity Toolkit for Mission-Based Organizations. 2025. Available online: https://globalcyberalliance.org/work/gca-cybersecurity-toolkit/gca-cybersecurity-toolkit-for-mission-based-organizations/ (accessed on 25 November 2025).
  17. Community IT Innovators. Cybersecurity Readiness for Nonprofits: A Practical Playbook. 2024. Available online: https://communityit.com/wp-content/uploads/2024/10/Cybersecurity-Readiness-Playbook-Final-compressed.pdf (accessed on 25 November 2025).
  18. Jameil, A.K.; Al-Raweshidy, H. Enhancing offloading with cybersecurity in edge computing for digital twin-driven patient monitoring. IET Wirel. Sens. Syst. 2024, 14, 363–380.
  19. Achuthan, K.; Gupta, B.B.; Raman, R. Bridging cybersecurity with digital twin technology: A thematic analysis. Int. J. Inf. Secur. 2025, 24, 207.
  20. Bruce, A. Cybersecurity for Nonprofits: A Guide. 2020. Available online: https://word.nten.org/wp-content/uploads/2020/02/Cybersecurity-for-Nonprofits_-February-2020.pdf (accessed on 3 February 2025).
  21. NIST. Framework for Improving Critical Infrastructure Cybersecurity Version 1.1. 2018. Available online: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (accessed on 3 February 2025).
  22. ISO/IEC 27001. Information Security Management. 2013. Available online: https://www.iso.org/isoiec-27001-information-security.html (accessed on 25 October 2025).
  23. HR, N. 2021 Nonprofit Talent Retention Practices Survey. 2021. Available online: https://www.nonprofithr.com/2021talentretentionsurvey/ (accessed on 3 February 2025).
  24. McAfee. Cloud Adoption and Risk Report 2020. 2020. Available online: https://www.mcafee.com/enterprise/en-us/forms/gated-form-thanks.html?docID=3804edf6-fe75-427e-a4fd-4eee7d189265 (accessed on 3 February 2025).
  25. Schryen, G.; Sperling, M. Literature reviews in operations research: A new taxonomy and a meta review. Comput. Oper. Res. 2023, 157, 106269.
  26. Kitchenham, B.; Charters, S. Guidelines for Performing Systematic Literature Reviews in Software Engineering; Keele University: Keele, UK, 2007.
  27. Page, M.J.; Moher, D.; Bossuyt, P.M.; Boutron, I.; Hoffmann, T.C.; Mulrow, C.D.; Shamseer, L.; Tetzlaff, J.M.; Akl, E.A.; Brennan, S.E.; et al. PRISMA 2020 explanation and elaboration: Updated guidance and exemplars for reporting systematic reviews. BMJ 2021, 372, n160.
  28. Page, M.J.; McKenzie, J.E.; Bossuyt, P.M.; Boutron, I.; Hoffmann, T.C.; Mulrow, C.D.; Shamseer, L.; Tetzlaff, J.M.; Akl, E.A.; Brennan, S.E.; et al. The PRISMA 2020 statement: An updated guideline for reporting systematic reviews. BMJ 2021, 372, e1003583.
  29. Ganapati, S.; Ahn, M.; Reddick, C. Evolution of cybersecurity concerns: A systematic literature review. In Proceedings of the 24th Annual International Conference on Digital Government Research, Gdańsk, Poland, 11–14 July 2023; pp. 90–97.
  30. ISACA. COBIT 2019 Framework: Introduction and Methodology. 2018. Available online: https://www.isaca.org/resources/cobit (accessed on 25 October 2025).
  31. Dunđer, I.; Seljan, S.; Odak, M. Information Security Awareness in the University Environment: A Focus on Undergraduates. TEM J. 2025, 14, 1621–1628.
  32. Van Haastrecht, M.; Sarhan, I.; Shojaifar, A.; Baumgartner, L.; Mallouli, W.; Spruit, M. A threat-based cybersecurity risk assessment approach addressing SME needs. In Proceedings of the 16th International Conference on Availability, Reliability and Security, Vienna, Austria, 17–20 August 2021; pp. 1–12.
  33. Wallace, S.; Green, K.Y.; Johnson, C.; Cooper, J.; Gilstrap, C. An extended TOE framework for cybersecurity-adoption decisions. Commun. Assoc. Inf. Syst. 2020, 47, 51.
  34. White, G.R.; Allen, R.A.; Samuel, A.; Abdullah, A.; Thomas, R.J. Antecedents of cybersecurity implementation: A study of the cyber-preparedness of UK Social Enterprises. IEEE Trans. Eng. Manag. 2020, 69, 3826–3837.
  35. Bahmanova, A.; Lace, N. Conceptual Model of the Company’s Cyber Resilience Elements. J. Syst. Cybern. Inform. 2025, 23, 73–83.
  36. Ozkan, B.Y.; Spruit, M. Cybersecurity Standardisation for SMEs: The Stakeholders’ Perspectives and a Research Agenda. Res. Anthol. Artif. Intell. Appl. Secur. 2021, 1252–1278.
  37. Paramita, A.S.; Prabowo, H.; Ramadhan, A.; Sensuse, D.I. Data Governance Model For Nation-Wide Non-Profit Organization. J. Appl. Eng. Technol. Sci. 2023, 5, 170–183.
  38. Rawindaran, N.; Jayal, A.; Prakash, E. Exploration of the impact of cybersecurity awareness on small and medium enterprises (SMEs) in Wales using intelligent software to combat cybercrime. Computers 2022, 11, 174.
  39. AlQahtan, N.; AlOlayan, A.; AlAjaji, A.; Almaslukh, A. HoneyLite: A Lightweight Honeypot Security Solution for SMEs. Sensors 2025, 25, 5207.
  40. Mierzwa, S.; Scott, J. Cybersecurity in non-profit and non-governmental Organizations. Inst. Crit. Infrastruct. Technol. 2017. Available online: https://www.researchgate.net/profile/Stan-Mierzwa/publication/314096686_Cybersecurity_in_Non-Profit_and_Non-Governmental_Organizations/links/58b5672f92851ca13e52a312/Cybersecurity-in-Non-Profit-and-Non-Governmental-Organizations.pdf (accessed on 25 October 2025).
  41. Carey-Smith, M.; Nelson, K.; May, L. Improving information security management in nonprofit organisations with action research. In Proceedings of the 5th Australian Information Security Management Conference, Perth, Australia, 5–6 December 2007; pp. 38–46.
  42. Jensen, M.L.; Wright, R.T.; Durcikova, A.; Karumbaiah, S. Improving phishing reporting using security gamification. J. Manag. Inf. Syst. 2022, 39, 793–823.
  43. Rawindaran, N.; Jayal, A.; Prakash, E. Machine learning cybersecurity adoption in small and medium enterprises in developed countries. Computers 2021, 10, 150.
  44. Ganin, A.A.; Quach, P.; Panwar, M.; Collier, Z.A.; Keisler, J.M.; Marchese, D.; Linkov, I. Multicriteria decision framework for cybersecurity risk assessment and management. Risk Anal. 2020, 40, 183–199.
  45. Wilson, M.; Hash, J. Building an information technology security awareness and training program. NIST Spec. Publ. 2003, 800, 1–39.
  46. Van Haastrecht, M.; Yigit Ozkan, B.; Brinkhuis, M.; Spruit, M. Respite for SMEs: A systematic review of socio-technical cybersecurity metrics. Appl. Sci. 2021, 11, 6909.
  47. Hassan, A.; Bhattacharya, P.; Tikadar, S.; Dutta, P.K.; Sagayam, M. Lightweight Digital Trust Architectures in the Internet of Medical Things (IoMT); IGI Global: Hershey, PA, USA, 2024.
  48. Rawindaran, N.; Jayal, A.; Prakash, E.; Hewage, C. Perspective of small and medium enterprise (SME’s) and their relationship with government in overcoming cybersecurity challenges and barriers in Wales. Int. J. Inf. Manag. Data Insights 2023, 3, 100191.
  49. Alam, M.T.; Raza, K. Blockchain technology in healthcare: Making digital healthcare reliable, more accurate, and revolutionary. In Translational Bioinformatics in Healthcare and Medicine; Elsevier: Amsterdam, The Netherlands, 2021; pp. 81–96.
  50. Fusi, F.; Jung, H.; Welch, E. Technological vulnerability and knowledge of cyber-incidents: Threats to innovativeness in local governments? Public Manag. Rev. 2025, 27, 545–571.
  51. Domínguez-Dorado, M.; Rodríguez-Pérez, F.J.; Carmona-Murillo, J.; Cortés-Polo, D.; Calle-Cancho, J. Boosting holistic cybersecurity awareness with outsourced wide-scope CyberSOC: A generalization from a spanish public organization study. Information 2023, 14, 586.
  52. Ewoh, P.; Vartiainen, T. Vulnerability to cyberattacks and sociotechnical solutions for health care systems: Systematic review. J. Med. Internet Res. 2024, 26, e46904.
  53. Nizich, M. The Cybersecurity Workforce of Tomorrow; Emerald Group Publishing Limited: Leeds, UK, 2023.
  54. Rathod, T.; Jadav, N.K.; Tanwar, S.; Alabdulatif, A.; Garg, D.; Singh, A. A comprehensive survey on social engineering attacks, countermeasures, case study, and research challenges. Inf. Process. Manag. 2025, 62, 103928.
  55. Omar, I.A.; Hasan, H.R.; Jayaraman, R.; Salah, K.; Omar, M. Using blockchain technology to achieve sustainability in the hospitality industry by reducing food waste. Comput. Ind. Eng. 2024, 197, 110586.
  56. Shimizu, H.; Sakamoto, H.; Miyazaki, T.; Kai, M. The Life Management Platform Achieves Data Protection and Safe Sharing. In Smart Sensors Networks; Elsevier: Amsterdam, The Netherlands, 2017; pp. 339–359.
  57. Cailleux, L. The engagement of environmental organizations on land policies: A case study of Pro Natura, Switzerland. Land Use Policy 2025, 148, 107417.
  58. Lopes, A.R.G.; de Azevedo Correia, A.I.; da Silva Braga, A.M. Motivations for and barriers to innovation in non-profit organizations: The case of nursing homes in Northern Portugal. Int. J. Innov. Stud. 2024, 8, 25–44.
  59. Sharma, D.P.; Lashkari, A.H.; Parizadeh, M. Understanding cybersecurity management in healthcare. Prog. IS 2024. Available online: https://link.springer.com/book/10.1007/978-3-031-68034-2 (accessed on 25 October 2025).
  60. Johnson, D. Leadership Fundamentals for Cybersecurity in Public Policy and Administration: Lessons for the Global South; Routledge: New York, NY, USA, 2024.
  61. Rohan, R.; Chutimaskul, W.; Roy, R.; Hautamäki, J.; Funilkul, S.; Pal, D. Developing a scale for measuring the information security awareness of stakeholders in higher education institutions. Educ. Inf. Technol. 2025, 30, 13713–13777.
  62. Fowler, B.; Chaundy, B.G. Cybersecurity Leadership for Healthcare Organizations and Institutions of Higher Education; CRC Press: Boca Raton, FL, USA, 2025.
  63. Calvin, C.; Eulerich, M.; Holt, M. Characteristics of cybersecurity and IT involvement by the IA activity. Int. J. Account. Inf. Syst. 2025, 56, 100726.
  64. Khan, S.K.; Shiwakoti, N.; Stasinopoulos, P.; Chen, Y.; Warren, M. Cybersecurity framework for connected and automated vehicles: A modelling perspective. Transp. Policy 2025, 162, 47–64.
  65. Hoong, Y.; Rezania, D. Balancing talent and technology: Navigating cybersecurity and privacy in SMEs. Telemat. Inform. Rep. 2024, 15, 100151.
  66. Totty, S.; Li, H.; Zhang, C.; Janz, B. Information Security Research in the Information Systems Discipline: A Thematic Review and Future Research Directions. ACM SIGMIS Database DATABASE Adv. Inf. Syst. 2024, 55, 135–169.
  67. Lariviere, B.; Schetgen, L.; Bogaert, M.; Van den Poel, D. Customer experiences and coping behaviors during crisis situations: The role of service adaptation and service transformation. J. Bus. Res. 2025, 188, 115089.
  68. Saeedi, K.; Hassan, M.A.; Alarifi, S.; Almagwashi, H. An intuitive approach to cybersecurity risk assessment for non-governmental organizations. Transform. Gov. People Process Policy 2025, 19, 159–182.
  69. Wallang, M.; Shariffuddin, M.D.K.; Mokhtar, M. Cyber security in Small and Medium Enterprises (SMEs): What’s good or bad? J. Gov. Dev. (JGD) 2022, 18, 75–87.
  70. Ermicioi, N.; Liu, X.M. An interdisciplinary study of cybersecurity investment in the nonprofit sector. Am. J. Manag. 2021, 21, 39–50.
  71. Sikos, L.F. Cybersecurity knowledge graphs. Knowl. Inf. Syst. 2023, 65, 3511–3531.
  72. Mandayam, R. Cybersecurity strategies for non-profit organizations. Int. J. Innov. Res. Eng. Multidiscip. Phys. Sci. 2024, 12.
  73. Ermicioi, N.; Liu, M.X. Cybersecurity in nonprofits: Factors affecting security readiness during COVID-19. In Proceedings of the SAIS, Stockholm, Sweden, 13–14 June 2022.
  74. Chang, W.W.; Huang, C.M.; Kuo, Y.C. Design of employee training in Taiwanese nonprofits. Nonprofit Volunt. Sect. Q. 2015, 44, 25–46.
  75. Huang, K.; Pearlson, K. Building a Model of Organizational Cybersecurity Culture. MIT CAMS—Organ. Cybersecur. Cult. 2019.
  76. Larkey, S.N. Exploring the strategies cybersecurity specialist need to minimize security risks in non-profit organizations. Ph.D. Thesis, Colorado Technical University, Colorado Springs, CO, USA, 2019.
  77. Kolb, N. Implementing a Security Awareness Program. 2008. Available online: https://cs.lewisu.edu/mathcs/msis/projects/msis595_NancyKolb.pdf (accessed on 2 February 2025).
  78. Zhang, K.; Wang, Y.; Li, O.; Hao, S.; He, J.; Lan, X.; Yang, J.; Ye, Y. Improved self-training-based distant label denoising method for cybersecurity entity extractions. PLoS ONE 2024, 19, e0315479.
  79. Bell, N.; Liu, X. Level of Cybersecurity Readiness of Small and Medium Nonprofit Organizations (NPOs) During COVID-19. J. Strateg. Innov. Sustain. 2023, 18, 1–11.
  80. Mierzwa, S.; Jeong, B.G.; Yun, C. Proposal for the development and addition of a cybersecurity assessment section into technology involving global public health. Int. J. Cybersecur. Intell. Cybercrime 2020, 3, 48.
  81. Alsmadi, I.; Tsado, L.; Gibson, C. Towards Cyber Readiness Assessment in Rural Areas. In Proceedings of the International Conference on Advances in Computing Research, Orlando, FL, USA, 8–10 May 2023; pp. 630–639.
  82. Fernandez, A.; Insfran, E.; Abrahão, S. Usability evaluation methods for the web: A systematic mapping study. Inf. Softw. Technol. 2011, 53, 789–817.
Figure 1. PRISMA 2020 flow diagram for new systematic reviews including database and register searches.
Figure 2. Publications per year (2003–2025). Output is sparse before 2018 (⩽2 papers/year), then rises through 2019–2022 (3, 3, 6, 4), followed by a sharp increase in 2023–2024 (9 → 14) and a modest dip in 2025 (12). Note that 2025 reflects a partial year in our corpus.
Figure 3. Total citations per year (2003–2025). Values reflect the sum of citations for included papers in each year. A pronounced outlier appears in 2021, driven by a single methodology paper (PRISMA 2020 explanation) with ∼10.9k citations; totals for other years are much smaller. Earlier years generally show higher totals due to citation lag, and 2025 is a partial year in our corpus.
Figure 4. Research question coverage across the included articles. Coverage is tightly clustered across RQ1–RQ4 (mid-to-high 40s out of 60), with RQ2 marginally lower and RQ1, RQ3, and RQ4 essentially tied.
Figure 5. Share of articles addressing each research question. RQ1 accounts for about 25.1% of all coded coverage, RQ2 for 23.5%, RQ3 for 25.7%, and RQ4 for 25.7% (N = 60). The distribution is nearly even across RQs.
Figure 6. RQ coverage by document type (share within type; values shown in each cell). Conference papers and federal security guidance show 1.00 coverage on RQ1–RQ4; journal articles are ∼0.85/0.76/0.88/0.82; books/chapters are 0.80/0.80/0.70/0.80; standards are 0.50/0.50/1.00/1.00; theses/dissertations are 1.00/0.67/0.67/1.00.
Figure 10. Top sources/databases for included documents (horizontal bars; counts). The distribution is long-tailed, with many sources contributing exactly one paper and a small set contributing two. Labels are truncated for readability; full names are provided in the dataset.
Share and Cite

MDPI and ACS Style

Roshanaei, M.; Krishnamurthy, P.; Sinha, A.; Gokhale, V.; Raza, F.M.; Ramljak, D. Enhancing Cybersecurity Readiness in Non-Profit Organizations Through Collaborative Research and Innovation—A Systematic Literature Review. Computers 2025, 14, 539. https://doi.org/10.3390/computers14120539