Article

Modelling Cyber Resilience in SMEs as a Socio-Technical System: A Systemic Approach to Adaptive Digital Risk Management

Faculty of Engineering Economics and Management, Riga Technical University, Kalnciema iela 6, 1048 Riga, Latvia
* Author to whom correspondence should be addressed.
Systems 2026, 14(2), 151; https://doi.org/10.3390/systems14020151
Submission received: 27 December 2025 / Revised: 27 January 2026 / Accepted: 29 January 2026 / Published: 31 January 2026
(This article belongs to the Section Systems Practice in Social Science)

Abstract

Small and medium-sized enterprises (SMEs) increasingly rely on digital technologies in everyday operations, often without having sufficient resources or structured mechanisms to manage the cyber risks that accompany this dependence. As digitalization deepens, cyber incidents in SMEs are shaped not only by technical vulnerabilities but also by human behavior and organizational practices. However, much of the existing research still approaches cyber resilience through fragmented technological or managerial lenses. This study takes a conceptual and theory-driven approach to examine cyber resilience in SMEs as a socio-technical system. Building on systems theory and adaptive management, the analysis draws on a structured synthesis of interdisciplinary literature to develop a systemic model of adaptive digital risk management. The model is developed through a structured conceptual process combining systematic exploration of interdisciplinary literature, analytical synthesis of recurring conceptual patterns, and system-level model construction informed by systems theory and adaptive management principles. Cyber resilience is therefore interpreted as a dynamic capability that develops over time, especially in digital environments characterized by increasing automation and evolving forms of human–technology interaction. The study contributes to cyber resilience research by offering a system-oriented perspective and provides SMEs with a conceptual basis for strengthening adaptive approaches to digital risk management.

1. Introduction

SMEs increasingly rely on digital technologies to support daily operations, coordination, and market competitiveness. Digital tools enable SMEs to scale activities, optimize processes, and participate in global value chains with relatively limited resources. At the same time, this growing dependence on digital infrastructure exposes SMEs to a broad range of cyber risks, including data breaches, ransomware attacks, system disruptions, and failures linked to human interaction with digital systems. Compared to large organizations, SMEs typically operate under tighter financial constraints, informal governance structures, and limited access to specialized cybersecurity expertise, which significantly amplifies their vulnerability to digital threats.
In response to these challenges, research on cyber resilience has expanded rapidly over the past decade. Cyber resilience is increasingly understood as an organization’s ability not only to protect digital assets but also to withstand, recover from, and adapt to cyber incidents while maintaining essential business functions. However, much of the existing literature approaches cyber resilience through fragmented perspectives, focusing predominantly on technological safeguards, such as security controls and infrastructure robustness, or on managerial instruments, including policies, compliance, and governance frameworks. While these approaches provide valuable insights, they often treat technical systems, human behavior, and organizational practices as largely separate domains. This fragmentation limits the ability to explain how cyber resilience actually develops and functions within real organizational settings, particularly in SMEs where roles, responsibilities, and technologies are closely intertwined.
Despite extensive research on SME cybersecurity and resilience frameworks, most existing approaches remain largely fragmented and checklist-oriented, focusing on predefined controls, maturity levels, or compliance requirements, and therefore offer limited explanation of how cyber resilience actually emerges, adapts, and evolves over time through socio-technical interactions within SME contexts. As a result, the underlying mechanisms through which technological, human, and organizational subsystems interact, learn from disruptions, and generate adaptive capacity remain insufficiently theorized, particularly in resource-constrained SME environments.
These theoretical gaps became particularly visible during the COVID-19 pandemic, which acted as a large-scale systemic stress test for SMEs’ digital infrastructures, organizational routines, and human decision-making. The abrupt shift toward remote work, accelerated digitalization, and increased reliance on outsourced and automated digital services expanded SMEs’ cyber risk exposure and revealed critical weaknesses in governance structures, feedback mechanisms, and organizational learning processes. Importantly, many of these changes did not revert after the crisis but instead shaped a post-pandemic digital environment in which adaptive cyber resilience is increasingly required as an ongoing capability rather than a temporary response to disruption.
In previous work, the authors proposed an initial conceptual model of cyber resilience for SMEs that focused on identifying core structural elements, including company security, cyber risks, cybersecurity, incident response, and digital maturity [1]. That study contributed to clarifying the conceptual boundaries of cyber resilience in the SME context and provided an element-based foundation for understanding its composition. At the same time, the model primarily addressed what constitutes cyber resilience, rather than how resilience emerges, adapts, and evolves over time through interaction among system components. Building on this earlier foundation, the present study advances the analysis by shifting from a structural representation toward a systemic and dynamic conceptualization of cyber resilience.
From a systems perspective [2], cyber resilience cannot be reduced to the presence of specific technologies or formalized procedures. Instead, it emerges from continuous interaction between technological infrastructures, human actors, organizational routines, and the surrounding digital environment. These interactions are increasingly shaped by transitional dynamics in contemporary digital systems, where traditional human–computer interaction coexists with growing levels of automation and inter-computer communication. Broader interdisciplinary discussions on the evolution of digital information networks suggest that decision-making and coordination processes are progressively delegated to interconnected digital systems. As argued by Harari (2024), contemporary digital systems are evolving toward autonomous networks capable of exchanging information, making decisions, and influencing socio-economic processes with diminishing reliance on direct human cognition [3]. In such contexts, the role of humans may gradually shift from active decision-makers toward system supervisors or, potentially, more peripheral actors within complex digital ecosystems. While such transformations are not yet fully realized in SME contexts, the current transitional phase already intensifies systemic cyber risks arising from the interaction of human judgment, organizational practices, and increasingly automated digital processes.
Taken together, these dynamics highlight the limitations of static, control-oriented approaches to cyber risk management in SMEs and underscore the need for a systemic and mechanism-based perspective capable of explaining how cyber resilience emerges, adapts, and matures over time under conditions of ongoing digital transformation.
The aim of this study is to develop a systemic and mechanism-based conceptual model of adaptive digital risk management for SMEs by explaining how cyber resilience emerges, adapts, and matures over time through feedback-driven interactions between technological, human, and organizational subsystems within transitional digital environments. Drawing on systems theory, socio-technical systems thinking, and adaptive management principles, the study conceptualizes cyber resilience as a dynamic capability that evolves through feedback loops, learning mechanisms, and maturity processes. By adopting a system-oriented perspective, the paper seeks to advance theoretical understanding of cyber resilience in SMEs and to provide a conceptual foundation for more adaptive and context-sensitive approaches to managing digital risks in complex and evolving digital environments.

2. Materials and Methods

2.1. Research Design and Conceptual Approach

This study adopts a conceptual and theory-building research design aimed at developing a systemic model of cyber resilience in SMEs. Rather than testing predefined hypotheses or analyzing empirical datasets, the research focuses on integrating and synthesizing existing theoretical and empirical insights to advance understanding of cyber resilience as a socio-technical and adaptive system. This approach is particularly suitable for addressing complex phenomena characterized by interdependence, non-linearity, and continuous change, such as cyber risks in digitally transforming SMEs.
The conceptual framework of the study is grounded in systems theory, socio-technical systems thinking, and adaptive management principles. These perspectives provide a foundation for analyzing how technological infrastructures, human actors, and organizational processes jointly shape resilience outcomes. Systems theory enables the examination of cyber resilience as an emergent system property arising from interactions and feedback loops, rather than as a static outcome of isolated controls. Socio-technical systems thinking emphasizes the joint optimization of social and technical subsystems, while adaptive management highlights learning, feedback, and continuous adjustment under conditions of uncertainty. Methodologically, this study follows a theory-building and conceptual synthesis approach, which is appropriate for investigating complex and under-theorized phenomena. Conceptual framework development through systematic integration and abstraction of prior research is a recognized methodological strategy in non-empirical studies [4,5,6]. In line with systems-based research traditions, this approach enables the identification of emergent properties, feedback mechanisms, and dynamic interactions that cannot be captured through reductionist or purely empirical designs.
The research design follows a structured process of conceptual development, consisting of systematic literature exploration, analytical synthesis of key conceptual patterns, and model construction informed by system-level reasoning. This process ensures methodological transparency and allows other researchers to replicate, refine, or extend the proposed conceptual model.

2.2. Literature Search and Selection Strategy

To strengthen theoretical transparency, the reviewed literature was analytically synthesized into three interrelated research streams that collectively inform the conceptualization of cyber resilience in SMEs. Rather than treating cyber resilience as a singular construct, this synthesis highlights how existing research has approached the phenomenon from distinct but partially disconnected perspectives, each emphasizing different system components while leaving the underlying adaptive mechanisms insufficiently explained. These streams include SME-focused cyber resilience and cybersecurity frameworks, socio-technical systems and resilience engineering perspectives, and adaptive management and post-disruption organizational resilience.
The first research stream focuses on SME-oriented cybersecurity and cyber resilience frameworks, which typically emphasize capability assessment, maturity models, and structured control sets. Prominent contributions in this stream propose staged or checklist-based approaches to improving cybersecurity readiness and resilience in resource-constrained organizations. While these frameworks provide practical guidance and benchmarking value, they tend to conceptualize resilience as a static outcome or capability level, offering limited insight into how resilience dynamically emerges and adapts through everyday socio-technical interactions within SMEs.
The second stream draws on systems theory, socio-technical systems thinking, and resilience engineering to conceptualize resilience as an emergent system property arising from interactions, feedback, and learning processes. This body of literature emphasizes that organizational resilience cannot be reduced to individual components but must be understood through dynamic relationships between human actors, technological infrastructures, and organizational routines. However, these perspectives are often developed at a high level of abstraction and are not explicitly operationalized for SME cyber risk contexts, leaving a gap between systemic theory and SME-specific cyber resilience practice.
The third research stream addresses adaptive management, learning-oriented risk governance, and organizational resilience under conditions of disruption and uncertainty. This literature highlights feedback, experiential learning, and continuous adjustment as central mechanisms enabling organizations to cope with shocks and evolving risk environments. Although highly relevant to cyber resilience, these contributions are rarely integrated with SME cybersecurity research or socio-technical system models, limiting their explanatory power in digital risk management contexts.
To make this synthesis explicit and to clarify how the present study integrates and advances these partially disconnected research streams toward a unified socio-technical explanation of cyber resilience, Table 1 summarizes their primary focus, key limitations identified in the literature, and the specific theoretical contribution offered by the proposed mechanism-based model of cyber resilience in SMEs.
The synthesis presented in Table 1 demonstrates that, while existing research offers valuable insights into SME cybersecurity, socio-technical resilience, and adaptive management, these streams remain only partially integrated and insufficiently focused on the mechanisms through which cyber resilience dynamically emerges and evolves. Addressing this gap requires a conceptual shift from aggregating isolated capabilities toward modeling cyber resilience as a socio-technical system governed by feedback-driven interactions, learning processes, and adaptive reconfiguration. Accordingly, the next section develops an integrated conceptual model that operationalizes this synthesis by explicitly linking technological, human, and organizational subsystems through adaptive feedback mechanisms.
The literature review was conducted using a structured, multi-stage search strategy designed to capture the breadth and diversity of research relevant to cyber resilience in SMEs. The Scopus database served as the primary source of peer-reviewed academic literature due to its comprehensive coverage of computer science, engineering, management, decision sciences, and social sciences. To reflect the evolution of cyber resilience research, the search focused on publications from the last decade, while selectively incorporating earlier foundational works in systems theory and socio-technical research.
Search queries were applied to titles, abstracts, and author keywords and included combinations of terms related to cyber resilience, cybersecurity, cyber risks, SMEs, socio-technical systems, and adaptive or dynamic risk management. Rather than relying on strict exclusion criteria or quantitative thresholds, the selection process prioritized conceptual relevance and theoretical contribution. Publications that addressed cyber resilience solely from narrow technical or compliance-oriented perspectives without broader organizational or systemic implications were screened out at later stages.
The staged search process resulted in a heterogeneous body of literature spanning technological, organizational, and socio-technical perspectives. To illustrate the thematic structure and conceptual breadth of the reviewed literature, Figure 1 presents a synthesized landscape of the research field, highlighting major clusters and their interrelations. This visualization serves as a methodological artifact that reflects the scope and structure of the literature informing the conceptual model, rather than as an empirical result.
The initial literature search resulted in approximately 130 publications identified through keyword combinations applied to titles, abstracts, and author keywords in the Scopus database. After screening for relevance to SMEs, cyber resilience, socio-technical systems, and adaptive risk management, around 60 sources were retained for in-depth conceptual analysis. Following deeper qualitative analysis, a core set of 32 peer-reviewed sources was identified as the most conceptually relevant and theoretically influential for model development and synthesis. These sources span fields such as information systems, cybersecurity, management, decision sciences, and systems engineering. Figure 1 synthesizes the conceptual structure derived from this reviewed literature corpus.
In addition to peer-reviewed journal articles, selected books and policy-oriented publications were consulted to contextualize emerging themes and theoretical developments. These sources were used selectively to support conceptual framing and theory development.

2.3. Conceptual Model Development

The conceptual model of adaptive digital risk management was developed through an iterative process of synthesis and abstraction. Insights derived from the literature were first grouped into recurring conceptual themes related to technological safeguards, human behavior, organizational structures, learning mechanisms, and environmental dynamics. These themes were then examined through a systems lens to identify interdependencies, feedback relationships, and dynamic interactions among system components.
Building on a socio-technical approach, the model distinguishes between technological, human, and organizational subsystems while emphasizing that cyber resilience emerges from their interaction rather than from the performance of any single element. Systems theory informed the identification of feedback loops that connect system disturbances, such as cyber incidents or near-misses, with learning, behavioral adjustment, and organizational adaptation. Adaptive management principles guided the integration of learning and maturity processes, framing cyber resilience as an evolving capability rather than a fixed state.
The resulting model captures cyber resilience as a dynamic socio-technical system operating within transitional digital environments characterized by increasing automation and evolving patterns of human–technology interaction. The model was refined through multiple iterations to ensure internal consistency, conceptual clarity, and alignment with the theoretical foundations outlined above.

2.4. Methodological Scope and Limitations

This study is conceptual in nature and does not involve empirical data collection, experiments, or intervention research involving human or animal subjects. Consequently, no ethical approval was required. The materials underpinning the study consist exclusively of publicly available academic literature and theoretical sources.
The proposed model is intended as a general analytical framework applicable to a broad range of SME contexts rather than as a sector-specific or region-specific solution. While this enhances its conceptual generalizability, it also implies that contextual factors such as industry characteristics, regulatory environments, or organizational culture are not explicitly modeled. Future research may build on this framework by empirically validating or adapting the model to specific contexts.
During the preparation of this manuscript, generative artificial intelligence tools were used exclusively for language-related support. The authors are not native English speakers, and AI assistance was applied solely to improve grammar, clarity, and readability of the text. The use of generative AI did not involve study design, data collection, analysis, interpretation, or development of the conceptual model. The authors reviewed and edited the final manuscript and take full responsibility for its content.

3. Results

Based on the structured literature review and conceptual synthesis described in Section 2, this section presents the results of the study in the form of an integrated systemic model of cyber resilience in SMEs. Rather than reporting empirical measurements, the results reflect the outcomes of theory integration, system abstraction, and comparative analysis across multiple strands of cyber resilience, socio-technical systems, and adaptive risk management literature.
The primary result of this research is the identification of cyber resilience in SMEs as an emergent property of a socio-technical system composed of interacting technological, human, and organizational subsystems. This finding aligns with prior work emphasizing the limitations of fragmented cybersecurity approaches in SMEs and supports calls for more holistic and systems-oriented resilience frameworks [7,8,9].

3.1. Structural Components of the SME Cyber Resilience System

The literature synthesis reveals that cyber resilience in SMEs consistently emerges at the intersection of three core subsystems:
  • Technological subsystem, encompassing digital infrastructure, information systems, cybersecurity tools, automation mechanisms, and interconnectivity with external digital environments [10,11,12].
  • Human subsystem, including employees’ cybersecurity awareness, risk perception, decision-making behavior, informal practices, and adaptive responses to digital threats [13,14].
  • Organizational subsystem, consisting of governance structures, managerial decision processes, policies, resource allocation, and learning routines that shape how cyber risks are interpreted and managed within the enterprise [15,16].
Across the reviewed literature, these subsystems are rarely analyzed in isolation. Instead, cyber incidents and resilience outcomes are shown to arise from misalignments, feedback failures, or reinforcing interactions between social and technical elements. This observation supports a socio-technical interpretation of cyber resilience consistent with systems theory and resilience engineering perspectives [17,18,19].

3.2. Adaptive Feedback Loops as the Core Mechanism of Cyber Resilience

The conceptual synthesis indicates that adaptive feedback loops constitute the core mechanism through which cyber resilience emerges and evolves in SMEs. From a systems theory perspective, resilience does not arise from isolated system components but from recurrent feedback processes that regulate system behavior, enable learning, and support adaptation in response to disturbances [2,17,20].
Within the proposed model, feedback loops operate across and between the technological, human, and organizational subsystems, transforming cyber incidents and operational disruptions into inputs for system-level learning. These loops collectively structure the continuous cycle of detection, response, recovery, and adaptation, which has been widely recognized as a foundational logic of resilience engineering and cyber resilience [18,19,21].
Three analytically distinct but interrelated categories of feedback loops are identified. Incident feedback loops are triggered by cybersecurity events such as data breaches, ransomware attacks, or system outages. Such events generate signals within the technological subsystem that initiate response and recovery actions while simultaneously producing information that feeds into human awareness and organizational decision-making. Prior research emphasizes that organizations treating incidents as learning opportunities rather than isolated technical failures exhibit higher resilience and adaptive capacity [1,7,22].
Behavioral feedback loops link human actions to system outcomes. Employee behavior, including compliance with security practices, responses to phishing attempts, and reliance on informal workarounds, directly influences system vulnerability. Feedback from security outcomes reshapes individual and collective risk perception, influencing future behavior and decision-making. Numerous studies highlight the human factor as a critical driver of cyber risk in SMEs, particularly in contexts characterized by limited formalization and resource constraints [13,14,23].
Managerial feedback loops connect system performance to organizational governance and strategic adjustment. Information derived from incidents, audits, and observed behavioral patterns informs managerial decisions related to policy refinement, resource allocation, and investments in technological or human capabilities. SME-focused research consistently notes that flatter organizational structures enable rapid managerial feedback and adaptation, while simultaneously increasing reliance on managerial judgment and situational awareness [15,16].
Together, these feedback loops form a self-reinforcing adaptive cycle through which the SME cyber resilience system maintains functional stability and undergoes continuous adjustment in response to evolving digital risks. The analysis indicates that weak or delayed feedback is associated with limited learning and repeated vulnerabilities, whereas well-integrated feedback mechanisms are associated with anticipatory capacity, adaptation, and long-term system evolution [19,21].
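The following simulation is an added illustration of the mechanism described in this section; it is not part of the original article and does not come from the authors. It models the three feedback loops as a toy discrete-time system: the technological subsystem carries a residual exposure level, incidents emit a signal proportional to that exposure (incident loop), and the signal reaches the human and organizational subsystems only after a configurable delay before it drives behavioral and managerial adjustment. All parameter values (initial exposure, threat pressure, environment drift, learning gain) are assumptions chosen for readability, not values stated in the paper. Running it shows the two effects the text attributes to feedback quality: delayed feedback raises cumulative incident load and produces overshoot followed by rebuilding exposure (the simulation's version of "repeated vulnerabilities"), while weak feedback gain leaves exposure settling at a permanently higher level.

```python
"""Toy discrete-time simulation of the adaptive feedback cycle in Section 3.2.

Constructed illustration, not code from the paper: the technological subsystem
carries a residual exposure level; incidents emit a signal proportional to that
exposure; the signal reaches the human (behavioral loop) and organizational
(managerial loop) subsystems after `feedback_delay` periods and drives mitigation.
Every numeric parameter below is an assumption chosen for a readable example.
"""
from collections import deque


def clamp01(x: float) -> float:
    """Keep a state variable inside the [0, 1] range used for all quantities."""
    return max(0.0, min(1.0, x))


def simulate(feedback_delay: int, learning_gain: float = 0.4, steps: int = 40,
             initial_exposure: float = 0.8, threat_pressure: float = 0.5,
             environment_drift: float = 0.02) -> dict:
    """Run the three coupled feedback loops for `steps` periods.

    feedback_delay     periods between an incident signal and the adjustments it triggers
    learning_gain      total gain of the behavioral + managerial loops (0 = no learning)
    threat_pressure    fraction of residual exposure that turns into incident load
    environment_drift  per-period growth of exposure from new tools, threats, etc.
    Returns the exposure trajectory and the cumulative incident load.
    """
    exposure = initial_exposure
    trajectory = []
    cumulative_load = 0.0
    # Signals "in transit" to the human and organizational subsystems.
    pending = deque([0.0] * feedback_delay)

    for _ in range(steps):
        trajectory.append(exposure)

        # Incident feedback loop: disturbances scale with residual exposure.
        incident_signal = threat_pressure * exposure
        cumulative_load += incident_signal

        # The signal is delayed before the other subsystems can act on it.
        pending.append(incident_signal)
        arrived = pending.popleft()

        # Behavioral loop (awareness, practice changes) and managerial loop
        # (policy, resource allocation) each absorb half of the learning gain.
        behavioral_adjustment = 0.5 * learning_gain * arrived
        managerial_adjustment = 0.5 * learning_gain * arrived

        # Exposure grows with the environment and shrinks with mitigation.
        exposure = clamp01(exposure + environment_drift
                           - behavioral_adjustment - managerial_adjustment)

    return {"trajectory": trajectory, "cumulative_load": cumulative_load}


def repeated_exposure_peaks(trajectory: list, floor: float = 0.05) -> int:
    """Count how often exposure climbs back above `floor` after dropping below it.

    A count above zero is the simulation's version of "repeated vulnerabilities":
    mitigation arrived late, overshot, and exposure rebuilt before feedback caught up.
    """
    peaks = 0
    below = False
    for e in trajectory:
        if e < floor:
            below = True
        elif below:
            peaks += 1
            below = False
    return peaks


if __name__ == "__main__":
    for delay in (0, 3, 6):
        result = simulate(feedback_delay=delay)
        print(f"delay={delay}: cumulative incident load={result['cumulative_load']:.2f}, "
              f"exposure re-emergences={repeated_exposure_peaks(result['trajectory'])}")
    weak = simulate(feedback_delay=0, learning_gain=0.1)
    print(f"weak feedback (gain 0.1): cumulative incident load={weak['cumulative_load']:.2f}")
```

With immediate feedback (delay 0, gain 0.4) exposure decays monotonically toward a low steady state; with a six-period delay the same gain first lets exposure keep rising, then drives it to zero, after which drift rebuilds it while the loop is still reacting to stale signals. The point for an SME is not the specific numbers but that the delay between an incident and the organizational response, and the strength of that response, are themselves design parameters of the resilience system.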

3.3. Transitional Dynamics of Human–Technology Interaction

A further result of the conceptual analysis concerns the transitional nature of contemporary SME digital environments, characterized by a gradual shift from predominantly human–computer interaction toward increasingly automated and inter-computer communication. Advances in automation, artificial intelligence, and interconnected digital infrastructures are reshaping how decisions are generated, risks propagate, and responses are executed within organizational systems [24,25].
The reviewed literature indicates that SMEs currently operate in hybrid socio-technical configurations, where human-driven and automated processes coexist. From a systems perspective, such hybrid arrangements are characterized by ongoing reconfiguration of control authority, accountability, and feedback pathways. The synthesis of socio-technical cyber risk management literature suggests that transitional configurations are associated with amplified vulnerabilities when feedback mechanisms do not adequately integrate human oversight and automated system behavior [8,9].
Within the proposed model, transitional dynamics influence all three core subsystems. In the technological subsystem, increased interconnectivity accelerates the speed and scale at which disruptions propagate across systems. In the human subsystem, the transition challenges existing mental models, requiring new forms of trust, oversight, and sense-making. In the organizational subsystem, governance mechanisms must adapt to redistribute decision rights and redefine responsibility in environments where actions may increasingly be initiated by automated or algorithmic processes [18,19].
As illustrated in Figure 2, this transition spans from human–computer interaction toward emerging inter-computer communication, reshaping feedback mechanisms and altering the balance between human oversight and machine-driven processes. Broader discussions on the evolution of information networks emphasize that failure to manage this transition effectively may result in loss of control, reduced transparency, and cascading systemic risks [20].

3.4. Resulting Conceptual Model of SME Cyber Resilience

Synthesizing the identified subsystems, feedback mechanisms, and transitional dynamics, this study proposes an integrated systemic model of cyber resilience in SMEs, presented in Figure 2. The model conceptualizes cyber resilience as an emergent property of a socio-technical system embedded within an external digital environment and regulated through adaptive feedback loops.
The technological, human, and organizational subsystems are represented as interdependent components whose interactions are shaped by external pressures such as the cyber threat landscape, regulatory and legal frameworks, market conditions, and technological evolution. Similar environmental influences are acknowledged in existing SME cybersecurity and resilience frameworks, including those proposed by [7,11,12], though often without explicit systemic integration.
At the core of the model, adaptive feedback loops operationalize detection, response, recovery, and adaptation processes, transforming disturbances into learning opportunities and enabling continuous system reconfiguration. This conceptualization aligns with resilience-oriented approaches that frame cyber resilience as a dynamic capability rather than a static security state [19,21].
Rather than prescribing fixed controls or maturity checklists, the model emphasizes dynamic alignment, learning, and adaptation across socio-technical components. Emergent cyber resilience manifests in the form of system stability, adaptive capacity, and resilience maturity, reflecting the system’s ability to absorb shocks while sustaining essential business functions. By explicitly integrating systems theory, socio-technical interaction, and transitional digital dynamics, the model extends existing SME cyber resilience frameworks and provides a coherent foundation for adaptive digital risk management [9,15].

3.5. Propositions Derived from the Conceptual Model

To enhance the explanatory clarity and theoretical usefulness of the proposed conceptual model, this section formulates a set of propositions that articulate the key mechanisms through which cyber resilience emerges and evolves in SMEs. These propositions are not intended as hypotheses to be statistically tested within this study but as analytically grounded statements that can guide future empirical research and theory development.

3.5.1. Emergence of Cyber Resilience

Cyber resilience in SMEs emerges as an emergent property of a socio-technical system rather than as the sum of isolated technological controls or managerial practices. This proposition reflects the system-level nature of cyber resilience, emphasizing that resilience outcomes depend on interactions between technological infrastructures, human behavior, and organizational routines. SMEs with similar security tools may therefore exhibit different resilience levels depending on how these subsystems interact in practice.

3.5.2. Role of Feedback Loops

Adaptive feedback loops linking cyber incidents, human responses, and managerial decision-making constitute the primary mechanism through which cyber resilience develops and is sustained in SMEs. Incident-driven feedback transforms disruptions into learning inputs, enabling behavioral adjustment, governance refinement, and system reconfiguration. Weak or delayed feedback limits learning and increases the likelihood of repeated vulnerabilities.

3.5.3. Human–Technology Interaction in Transitional Digital Environments

In transitional digital environments characterized by increasing automation, misalignment between human oversight and automated system behavior amplifies cyber risk and constrains the development of cyber resilience in SMEs. Hybrid configurations combining human-driven and automated processes require effective integration of feedback, transparency, and accountability. Where such integration is lacking, automation may introduce new systemic vulnerabilities rather than resilience gains.

3.5.4. Organizational Learning and Resilience Maturity

P4. The maturity of cyber resilience in SMEs is determined by the organization’s capacity to institutionalize learning from cyber incidents through formal and informal governance mechanisms. SMEs that embed learning into routines, decision-making, and resource allocation are more likely to transition from reactive responses toward anticipatory and adaptive cyber resilience over time.

3.5.5. Trade-Offs in Adaptive Cyber Resilience

P5. Adaptive cyber resilience in SMEs involves inherent trade-offs, whereby mechanisms that enable rapid adaptation (e.g., informal practices or automation) may simultaneously generate latent vulnerabilities if not governed through effective feedback and oversight. This proposition highlights that resilience-enhancing mechanisms are not universally beneficial and must be balanced to avoid reinforcing hidden risks within socio-technical systems.

4. Discussion

This section discusses the implications of conceptualizing cyber resilience in SMEs as a socio-technical and adaptive system, as proposed in the resulting model (Figure 2). The discussion situates the model within existing cyber resilience, socio-technical systems, and systems theory literature, highlighting its theoretical contributions, points of convergence with prior frameworks, and areas of conceptual advancement. While cyber resilience in SMEs has been discussed in the literature for more than a decade, existing studies predominantly focus on technological controls, maturity models, or governance instruments in isolation. The present study builds on this body of research by integrating these perspectives into a unified socio-technical and system-oriented framework.

4.1. Cyber Resilience as an Emergent Socio-Technical System

The proposed model reinforces and extends existing research that frames cyber resilience as more than a purely technical or managerial function. Prior SME-focused studies have acknowledged the importance of combining technological safeguards with organizational and human considerations yet often treat these dimensions as loosely connected components rather than as an integrated system [8,13].
By explicitly grounding cyber resilience in systems theory, this study aligns with foundational work by von Bertalanffy [2] and Ashby [17], which emphasize that system-level properties emerge from interactions, feedback, and dynamic relationships rather than from isolated elements. In this context, cyber resilience emerges not from individual controls or policies but from the coordinated functioning of technological, human, and organizational subsystems.
Compared to existing SME cyber resilience frameworks—such as those proposed by Carías et al. [7,15] and NIST [11,12]—the proposed model shifts attention from capability inventories and maturity checklists toward system behavior and adaptive processes. This systemic framing helps explain why SMEs with similar technical controls may exhibit markedly different resilience outcomes depending on how socio-technical interactions unfold in practice.

4.2. Feedback Loops, Learning, and Adaptive Capacity

A central contribution of the model lies in its explicit emphasis on adaptive feedback loops as the primary mechanism through which cyber resilience is formed and sustained. While feedback and learning are widely discussed in resilience engineering [18,19], their role in SME cyber resilience has often remained implicit or underdeveloped [26,27,28]. The identification of incident, behavioral, and managerial feedback loops builds on and integrates insights from cyber resilience metrics and adaptive risk management research [21,22]. In contrast to static risk management approaches, which emphasize prevention and compliance, the proposed model conceptualizes cyber incidents as sources of information and learning, consistent with the adaptive management principles articulated by Meadows [20] and with the notion of anticipatory organizational capacity, where learning from disturbances supports forward-looking and adaptive decision-making in complex socio-technical systems [29]. This perspective is particularly relevant for SMEs, which frequently lack the resources required to implement comprehensive security architectures. Prior studies indicate that SMEs often compensate for resource limitations through informal learning, experiential knowledge, and rapid decision-making [23,30]. The model captures these dynamics by embedding informal and formal feedback mechanisms within a unified socio-technical structure.

4.3. Human Factors and Organizational Dynamics in SME Cyber Resilience

The discussion of behavioral and managerial feedback loops highlights the central role of human factors in shaping cyber resilience outcomes. Consistent with socio-technical cybersecurity research, human behavior is treated as neither a peripheral nor a purely problematic element but as a constitutive component of the resilience system [13,14].
Empirical studies repeatedly demonstrate that many cyber incidents in SMEs arise from everyday practices such as phishing susceptibility, insecure workarounds, and misconfigurations rather than from advanced technical failures [23,31]. The proposed model advances this literature by situating such behaviors within feedback-driven system dynamics, thereby explaining how human actions both shape and are shaped by technological and organizational conditions.
At the organizational level, the model aligns with research emphasizing governance flexibility and managerial sense-making in SMEs [15,16]. By framing managerial decision-making as part of an adaptive feedback loop, the model highlights how governance structures can either amplify or dampen cyber risks over time.

4.4. Transitional Dynamics and the Evolution of Human–Technology Interaction

A distinctive contribution of this study lies in explicitly incorporating transitional dynamics in human–technology interaction into the conceptualization of cyber resilience. While existing frameworks often assume relatively stable human–computer relationships, emerging research increasingly points to the growing role of automation, artificial intelligence, and inter-computer communication in cybersecurity contexts [24,25]. The model situates SMEs within an intermediate phase characterized by hybrid socio-technical configurations, where human oversight coexists with automated decision-making. This perspective resonates with broader analyses of digital evolution and information networks, which suggest that decision-making and communication processes are progressively shifting away from direct human control [3].
Importantly, the model does not interpret automation as inherently resilience-enhancing. Instead, it emphasizes that poorly integrated automation may introduce new systemic risks, particularly when feedback loops fail to provide transparency, interpretability, or effective intervention points. This insight complements recent calls for human-centric and socio-technical approaches to cybersecurity governance [8,9,29].

4.5. Positioning the Model Within Existing Cyber Resilience Frameworks

When compared to established cyber resilience frameworks, such as NIST [11,12], CR-SAT [15], and CyberESP [10], the proposed model does not seek to replace operational tools or assessment instruments. Instead, it provides a theoretical meta-framework that explains why and how such tools function within broader socio-technical systems.
By integrating systems theory, socio-technical interaction, feedback dynamics, and transitional digital contexts, the model addresses several limitations identified in recent systematic reviews of cybersecurity maturity and resilience frameworks [9,32]. In doing so, it offers a unifying conceptual foundation capable of informing both empirical research and practical framework development.

5. Conclusions

This study set out to advance the understanding of cyber resilience in SMEs by conceptualizing it as a socio-technical and adaptive system. Responding to limitations in existing research that frequently treats technological, human, and organizational dimensions in isolation, the paper developed an integrated conceptual model grounded in systems theory, socio-technical systems thinking, and adaptive digital risk management.
The primary contribution of the study lies in framing cyber resilience as an emergent system property, arising from dynamic interactions and feedback loops rather than from static controls or isolated capabilities. Drawing on foundational systems theory [2,17] and resilience engineering [18,19], the proposed model demonstrates how adaptive feedback mechanisms, spanning detection, response, recovery, and adaptation, enable SMEs to learn from disturbances and continuously reconfigure their socio-technical systems.
By explicitly integrating technological, human, and organizational subsystems, the model extends existing SME-focused cyber resilience frameworks such as those proposed by Carías et al. [7,15] and the NIST Cybersecurity Framework [11,12]. Unlike compliance-oriented or maturity-based approaches, the proposed framework emphasizes system behavior, learning processes, and adaptive capacity, offering a holistic explanation of why resilience outcomes vary across SMEs with similar technical safeguards.
A further contribution of the study is the incorporation of transitional dynamics in human–technology interaction. The model situates SME cyber resilience within an intermediate phase of digital evolution, characterized by the coexistence of human–computer and emerging inter-computer communication. In line with recent research on automation and AI-driven cybersecurity [24,25] and broader reflections on the evolution of information networks [3], the study highlights that resilience in this context depends on the effective integration of human oversight and automated system behavior rather than on technological autonomy alone.
From a practical perspective, the proposed model suggests that SMEs can strengthen cyber resilience by deliberately designing learning-oriented feedback loops that translate cyber incidents into organizational learning, governance adjustment, and capability development, rather than relying solely on static security controls. This perspective is particularly relevant for resource-constrained organizations, where adaptive capacity often emerges from informal practices, experiential learning, and rapid decision-making [13,23].
This study is conceptual in nature, which limits the empirical grounding of the proposed mechanisms and transitional dynamics. While this enhances theoretical generality, it also implies sensitivity to contextual factors such as industry characteristics, digital maturity, and ecosystem dependencies, including reliance on outsourced IT and cybersecurity services. These limitations point to the need for future empirical validation across diverse SME contexts.

Future Research Directions

While this study offers a comprehensive conceptual framework, several directions for future research emerge. First, empirical validation of the proposed model is needed. Future studies could employ qualitative case studies, surveys, or mixed-method approaches to examine how feedback loops and socio-technical interactions shape cyber resilience across different SME contexts.
Second, the application of system dynamics modeling or agent-based simulation could provide deeper insight into non-linear interactions, delayed feedback effects, and cascading failures within SME cyber resilience systems. Such approaches would allow researchers to explore how changes in one subsystem influence overall system behavior over time, extending prior work on cyber resilience metrics and adaptive risk modeling [21].
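As an added illustration, not part of the original article or of the authors' model, the following toy discrete-time simulation makes proposition P2 (Section 3.5.2: delayed feedback increases the likelihood of repeated incidents) concrete and sketches the kind of system dynamics exercise suggested above. Each step, new weaknesses (for example misconfigurations or unpatched services) appear, a fixed fraction of the open exposure turns into incidents, and incidents observed a configurable number of steps earlier are converted into fixes. The function names (simulate_feedback_loop, compare_delays), the parameter values and the dynamics are hypothetical and uncalibrated; they exist only to show how the delay in the incident-to-learning loop changes the incident volume and the exposure overshoot, not to reproduce any empirical SME data.

```python
"""Toy model of an incident-driven learning loop in an SME (added illustration).

Hypothetical, uncalibrated parameters; not the article's own model.
Per step: new weaknesses arrive, a fraction of the open exposure becomes
incidents, and incidents observed `delay` steps earlier trigger fixes.
"""
from dataclasses import dataclass, field


@dataclass
class LoopResult:
    total_incidents: float                          # cumulative incident volume over the horizon
    peak_exposure: float                            # highest open exposure reached at any step
    exposure: list = field(default_factory=list)    # exposure after arrivals, per step
    incidents: list = field(default_factory=list)   # incident volume, per step


def simulate_feedback_loop(delay, horizon=100, arrival=1.0, exploit_rate=0.2,
                           learning_gain=1.0, initial_exposure=0.0):
    """Run the loop for `horizon` steps and return the trajectories.

    delay          steps between an incident and the fix it triggers (hypothetical)
    arrival        new weaknesses appearing per step (hypothetical)
    exploit_rate   fraction of open exposure that becomes incidents each step
    learning_gain  fixes applied per unit of lagged incident volume
    Steady state for any delay is arrival / (learning_gain * exploit_rate);
    the delay changes how the system gets there, not where it ends up.
    """
    exposure = initial_exposure
    incidents, trajectory = [], []
    for t in range(horizon):
        exposure += arrival                    # weaknesses accumulate regardless of learning
        trajectory.append(exposure)
        incident = exploit_rate * exposure     # more open exposure, more incidents
        incidents.append(incident)
        # Learning acts on what was observed `delay` steps ago; nothing before step `delay`.
        lagged = incidents[t - delay] if t - delay >= 0 else 0.0
        fix = min(exposure, learning_gain * lagged)   # cannot close more than is open
        exposure -= fix
    return LoopResult(sum(incidents), max(trajectory), trajectory, incidents)


def compare_delays(delays=(0, 2, 5), **params):
    """Same organization, same learning gain, different feedback delays."""
    return {d: simulate_feedback_loop(d, **params) for d in delays}


if __name__ == "__main__":
    for d, r in compare_delays().items():
        print(f"delay={d:>2}: total incidents={r.total_incidents:6.2f} "
              f"peak exposure={r.peak_exposure:.2f}")
```

With the default toy parameters every variant converges to the same steady exposure of 5, but the cumulative incident volume over 100 steps rises by about one unit per step of delay (roughly 96 with immediate feedback, 101 with a five-step delay) and the delayed loop overshoots to a peak exposure of 8 before it settles, whereas the undelayed loop never exceeds the steady state. The gap is entirely a property of the loop, not of the controls, which is the point P2 makes in words.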
Third, future research could refine the model for sector-specific or regional contexts, accounting for differences in regulatory environments, digital maturity, and organizational culture. Comparative studies across industries or countries would further enhance understanding of contextual influences on cyber resilience, particularly in relation to governance structures and external digital environments.
Finally, as automation and inter-computer communication continue to advance, longitudinal research is needed to examine how evolving human roles, algorithmic decision-making, and governance mechanisms reshape cyber resilience over time. Such research would be particularly valuable for understanding how SMEs can maintain transparency, control, and adaptability in increasingly autonomous digital ecosystems.
In conclusion, by adopting a systemic and socio-technical perspective, this study contributes to both theory and practice by offering a coherent framework for analyzing and strengthening cyber resilience in SMEs. The proposed model provides a foundation for future empirical research and supports the development of adaptive digital risk management strategies aligned with the complexity and uncertainty of contemporary digital environments.

Author Contributions

Conceptualization, A.B. and N.L.; methodology, A.B.; formal analysis, A.B.; investigation, A.B.; resources, A.B.; data curation, A.B.; writing—original draft preparation, A.B.; writing—review and editing, A.B. and N.L.; visualization, A.B.; supervision, N.L.; project administration, A.B. All authors have read and agreed to the published version of the manuscript.

Funding

This work has been supported by the EU Recovery and Resilience Facility within the Project No. 5.2.1.1.i.0/2/24/I/CFLA/003 “Implementation of consolidation and management changes at Riga Technical University, Liepaja University, Rezekne Academy of Technology, Latvian Maritime Academy and Liepaja Maritime College for the progress towards excellence in higher education, science and innovation” academic career doctoral grant (ID 1101).

Data Availability Statement

The data presented in this study are available on request from the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; or in the decision to publish the results.

References

  1. Bahmanova, A.; Lace, N. Conceptual Model of the Company’s Cyber Resilience Elements. J. Syst. Cybern. Inform. 2025, 23, 73–83.
  2. von Bertalanffy, L. General System Theory: Foundations, Development, Applications; George Braziller: New York, NY, USA, 1968.
  3. Harari, Y.N. Nexus: A Brief History of Information Networks; Penguin Random House: London, UK, 2024.
  4. Dubin, R. Theory Building; Free Press: New York, NY, USA, 1978.
  5. Whetten, D.A. What constitutes a theoretical contribution? Acad. Manag. Rev. 1989, 14, 490–495.
  6. Jabareen, Y. Building a conceptual framework: Philosophy, definitions, and procedure. Int. J. Qual. Methods 2009, 8, 49–62.
  7. Carías, J.F.; Borges, M.R.S.; Labaka, L.; Arrizabalaga, S.; Hernantes, J. Systematic approach to cyber resilience operationalization in SMEs. IEEE Access 2020, 8, 174200–174221.
  8. Perozzo, H.; Zaghloul, F.; Ravarini, A. Cybersecurity readiness: A model for SMEs based on the socio-technical perspective. Complex Syst. Inform. Model. Q. 2022, 33, 53–66.
  9. Brezavšček, A.; Baggia, A. Recent Trends in Information and Cyber Security Maturity Assessment: A Systematic Literature Review. Systems 2025, 13, 52.
  10. Calvo-Manzano, J.; San Feliu, T.; Herranz, Á.; Fredlund, L.-Å.; Moreno, A. CyberESP: An integrated cybersecurity framework for SMEs. J. Softw. Evol. Process 2025, 37, e70050.
  11. National Institute of Standards and Technology (NIST). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2018.
  12. National Institute of Standards and Technology (NIST). Cybersecurity Framework, Version 2.0; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024.
  13. van Haastrecht, M.; Yigit Ozkan, B.; Brinkhuis, M.; Spruit, M. Respite for SMEs: A systematic review of socio-technical cybersecurity metrics. Appl. Sci. 2021, 11, 6909.
  14. Kioskli, K.; Seralidou, E.; Polemi, N. A practical human-centric risk management methodology. Electronics 2025, 14, 486.
  15. Carías, J.F.; Arrizabalaga, S.; Labaka, L.; Hernantes, J. Cyber resilience self-assessment tool (CR-SAT) for SMEs. IEEE Access 2021, 9, 80741–80762.
  16. Rawindaran, N.; Jayal, A.; Prakash, E. Cybersecurity framework addressing resiliency in SMEs for digital transformation and Industry 5.0. J. Cybersecur. Priv. 2025, 5, 17.
  17. Ashby, W.R. An Introduction to Cybernetics; Chapman & Hall: London, UK, 1956.
  18. Hollnagel, E.; Woods, D.D.; Leveson, N. Resilience Engineering: Concepts and Precepts; Ashgate Publishing: Aldershot, UK, 2006.
  19. Woods, D.D. Four concepts for resilience and the implications for the future of resilience engineering. Reliab. Eng. Syst. Saf. 2015, 141, 5–9.
  20. Meadows, D.H. Thinking in Systems: A Primer; Chelsea Green Publishing: White River Junction, VT, USA, 2008.
  21. Linkov, I.; Eisenberg, D.A.; Plourde, K.; Seager, T.P.; Allen, J.; Kott, A. Resilience metrics for cyber systems. Environ. Syst. Decis. 2014, 34, 471–476.
  22. Mantas, E.; Papadopoulos, D.; Fernandez, C.; Litke, A.; Athanasiou, G. Practical Autonomous Cyberhealth for Resilient Micro, Small and Medium-Sized Enterprises. In Proceedings of the IEEE Mediterranean Conference on Communications and Networking, Athens, Greece, 7–10 September 2021; IEEE: New York, NY, USA, 2021; pp. 500–505.
  23. Rombaldo Junior, C.; Becker, I.; Johnson, S. Unaware, unfunded and uneducated: A systematic review of SME cybersecurity. arXiv 2023, arXiv:2309.17186.
  24. Fernandez de Arroyabe, J.C.; Arroyabe, M.F.; Fernandez, I.; Arranz, C.F.A. Cybersecurity resilience in SMEs: A machine learning approach. J. Comput. Inf. Syst. 2024, 64, 711–727.
  25. Fysarakis, K.; Lekidis, A.; Mavroeidis, V.; Spanoudakis, G.; Koufopavlou, O. PHOENI2X: A European cyber resilience framework with AI-assisted orchestration. In Proceedings of the 2023 IEEE International Conference on Cyber Security and Resilience, Venice, Italy, 31 July–2 August 2023; IEEE: New York, NY, USA, 2023; pp. 538–545.
  26. Gupta, A.; Kumar Singh, R. Managing resilience of micro, small and medium enterprises (MSMEs) during COVID-19: Analysis of barriers. Benchmarking 2023, 30, 2062–2084.
  27. Kumar, V.; Verma, P.; Mittal, A.; Tuesta Panduro, J.A.; Singh, S.; Paliwal, M.; Sharma, N.K. Adoption of ICTs as an emergent business strategy during and following COVID-19 crisis: Evidence from Indian MSMEs. Benchmarking 2023, 30, 1850–1883.
  28. Varma, D.; Dutta, P. Restarting MSMEs and start-ups post COVID-19: A grounded theory approach to identify success factors to tackle changed business landscape. Benchmarking 2023, 30, 1912–1941.
  29. Vélez Martell, J.E. Strategic foresight and its contribution to improving corporate social responsibility practices: A systematic review. Ceniiac 2025, 1, e0007.
  30. Hoppe, F. Cyber Risk Management in Small and Medium-Sized Enterprises: Insights from Industry Surveys. J. Inf. Secur. 2021, 12, 1–15.
  31. Awan, M.; Alam, A.; Kamran, M. Cybersecurity Challenges in Small and Medium Enterprises: A Scoping Review. J. Cyber Secur. Risk Audit. 2025, 3, 89–102.
  32. Arrizabalaga, S.; Labaka, L.; Hernantes, J. Systematic Approach to Cyber Resilience in Small and Medium-Sized Enterprises. Available online: https://dadun.unav.edu (accessed on 20 January 2026).
Figure 1. Literature landscape on cyber resilience in SMEs.
Figure 2. Conceptual model of cyber resilience in SMEs as a socio-technical adaptive system.
Table 1. Synthesis of research streams informing the conceptual model.

Research stream: SME cyber resilience and cybersecurity frameworks
  Primary focus: security controls, maturity models, capability assessment, governance instruments
  Key limitations identified in the literature: fragmented and checklist-oriented; limited explanation of dynamic adaptation and learning processes
  Contribution of the present study: shifts focus from static capability inventories to feedback-driven mechanisms explaining how resilience emerges and evolves

Research stream: Socio-technical systems and resilience engineering
  Primary focus: emergent system behavior, feedback loops, interaction between social and technical subsystems
  Key limitations identified in the literature: high level of abstraction; limited application to SME cyber risk contexts
  Contribution of the present study: translates socio-technical and systems theory into an SME-specific cyber resilience model

Research stream: Adaptive management and post-disruption organizational resilience
  Primary focus: learning, adaptation, governance under uncertainty and disruption
  Key limitations identified in the literature: rarely integrated with cybersecurity and SME digital risk management
  Contribution of the present study: integrates adaptive management logic into cyber resilience through explicit feedback mechanisms
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Bahmanova, A.; Lace, N. Modelling Cyber Resilience in SMEs as a Socio-Technical System: A Systemic Approach to Adaptive Digital Risk Management. Systems 2026, 14, 151. https://doi.org/10.3390/systems14020151