Risk-Management Framework and Information-Security Systems for Small and Medium Enterprises (SMEs): A Meta-Analysis Approach

Information-technology (IT) security standards are regularly updated in a rapidly changing technological world to keep pace with advanced technologies. This study was motivated by the realization that established IT risk-management frameworks might provide an adequate defence for small- and medium-sized enterprises (SMEs), especially those actively adopting new technologies. We posited that a dynamic IT risk-management framework, updated to reflect emerging technological changes, would offer improved security and privacy for SMEs. To evaluate this, we conducted a systematic literature review spanning 2016 to 2021, focusing on IT risk-management research in various application areas. The study revealed that, while established frameworks like NIST have their benefits, they are poorly suited to the unique needs of SMEs because of their high degree of abstractness, vague guidelines, and lack of adaptability to technological advancements. The findings suggest a pressing need to evolve IT risk-management frameworks, particularly by incorporating advanced methods such as system dynamics, machine learning, and technoeconomic and sociotechnological models. These innovative approaches provide a more dynamic, responsive, and holistic approach to risk management, thereby significantly improving the IT security of SMEs. The study's implications underscore the urgency of developing flexible, dynamic, and technology-informed IT risk-management strategies, offering novel insights into a more practical approach to IT risk management.


Introduction
Cyber and information security are the need of the hour for SMEs because society and the economy have become more data-driven and managers are focusing on creating value-based services for their clients [1]. However, information is a critical asset and organizations are underinvesting in its protection. The rapid development of new technologies and the widespread use of cloud computing and platform-based services are driving continual advances in information systems [2]. It follows that the vulnerability of computer networks also increases, and addressing this is not trivial in an increasingly complex system with interdependent components [3]. The role of digital technologies has grown further following the COVID-19 pandemic, which puts more pressure on organisations with weaker security policies for information-technology (IT) systems. At the same time, a variety of risk-management frameworks exist that aim to help organisations assess and manage cybersecurity risk [4].
Keeping pace with transformational shifts is crucial in a rapidly evolving technological era, particularly for SMEs that need security and privacy. However, existing information-technology (IT) security standards often lack dynamism, which proves to be a critical challenge for SMEs attempting to leverage new technology [5]. Not only do the current standards fail to address the complexities of advanced technology, but their implementation also brings high costs and lower efficacy in IT risk management [2,6]. As digitalisation expands, organisations face an escalating number of IT threats, a scenario that has been particularly aggravated in the post-COVID-19 landscape [7,8,9]. The limitations of existing IT risk-management frameworks are becoming increasingly evident, with significant drawbacks including outdated methodologies, complicated implementation processes, excessive focus on compliance, and the need for hybrid approaches to bridge gaps between controls and compliance requirements [10,11]. This situation warrants a thorough assessment of the effectiveness of current IT risk-management frameworks.
The issue becomes even more prominent in the context of small- and medium-sized enterprises (SMEs), for which the costs of implementing security standards are prohibitively high. The "one-size-fits-all" approach of existing frameworks often fails to accommodate SMEs' unique processes and needs, leading to higher administrative costs during implementation [12]. Hence, there is an urgent need for adaptable, cost-effective risk-management solutions that navigate the evolving technological landscape [13,14,15]. Despite several recent studies on IT risk management, the literature reveals a significant gap, with most studies focusing on specific contexts such as cloud computing, SMEs, or ISO/IEC 27001 and failing to provide a broad overview of the efficacy of existing IT risk-management frameworks [1,2,3,6,16,17,18,19]. This lack of systematic analysis creates a compelling research problem, to which this paper responds.
One of the reasons why SMEs in developing countries struggle to grow and remain sustainable is their inability to manage risks effectively. This could be explained by the limited guidance available on the pillars and underlying principles of risk management and information systems, and on mapping the factors that drive risk management in SMEs, despite decision makers' attempts to tackle the root causes of security failure, including access to financing and technology as well as the regulatory environment for SMEs. Therefore, risk management and information systems in SMEs remain inadequately developed [20]. Internal control affects an organisation's efficiency by increasing the availability of high-quality information and reducing inappropriate behaviour [21]. Additionally, SMEs could not function effectively and efficiently without a good information system in place [22].
Existing literature reviews on IT risk management and risk-assessment frameworks have primarily focused on specific environments and contexts. However, a comprehensive study of the recent literature across various sectors, including public administration, academia, business, and management, can provide valuable insights. This study examines various sources from computer science, cybersecurity, security standards, security management, and security frameworks. The proposed approach involves identifying previous literature reviews to contextualize this paper within the existing body of research, examining studies that compare multiple IT risk-management frameworks, and investigating studies that focus on a single framework, whether an established one or a newly developed model. The research problem is to assess the adequacy of established IT risk-management frameworks in addressing organisations' challenges. The contributions of this study to the existing literature include providing a detailed understanding of the current state of IT risk management, identifying potential gaps or limitations in established frameworks, and offering recommendations for future research and development for SMEs. By addressing these issues, this study aims to enhance the effectiveness and adaptability of IT risk-management frameworks for organisations operating in diverse contexts and facing various risk-management challenges. Therefore, the study aims to bridge this gap, providing a holistic evaluation of the effectiveness of established IT risk-management frameworks across various contexts and emphasising their applicability and cost-effectiveness for SMEs. The study addresses the following research questions:

• Q1: How does an IT risk-management framework enhance the security standards across information systems in SMEs?

• Q2: What is necessary to establish an effective IT risk-management framework in SMEs?

• Q3: How are emerging IT risk-management frameworks addressing the shortcomings of established standards for SMEs?
The rest of the paper is structured as follows. Section 2 presents the related work covering system security specification and existing studies on IT risk management. Section 3 describes major IT risk-management frameworks. Section 4 outlines the research methodology that was used in conducting the systematic literature review. Section 5 presents a comparison of the effectiveness of cybersecurity risk frameworks. Section 6 presents information on studies that focused on a single existing or newly developed framework. Section 7 discusses the results of the survey and provides recommendations for future work. Finally, Section 8 concludes the findings of the study.

Literature Review
Because the current study is concerned with risk management, it is beneficial to review related literature on how to specify system security. Since the purpose of this study is to conduct a systematic review of the current literature, it is essential to look at evaluations of information-technology risk management that have been published in the last five years. The review that follows places the current research in context, allowing for easier comparisons with previous literature and highlighting the contributions of the current study to the field.

Cybersecurity and Information-Security Threats
The importance of robust IT risk-management frameworks for SMEs cannot be overstated in today's increasingly digital and interconnected world. These frameworks are vital in identifying, assessing, addressing, and monitoring risks within information systems [23]. Adopting an established framework offers multiple benefits, including creating a prioritized roadmap toward improved IT security practices, fostering a common language for discussing IT risk challenges, setting security standards for future legal rulings, and promoting proactive IT risk management rather than reactive compliance [24]. The underlying concepts of security and risk are the bedrock upon which all IT security frameworks are built. The security of information systems is understood in terms of 'confidentiality, integrity, or availability' [25]. The landscape of IT security threats is vast and continually evolving. Threats can range from reconnaissance and information gathering to phishing attacks, creating spoof websites, producing counterfeit certificates, and delivering malware to internal information systems [26,27,28,29]. Such threats pose significant challenges to maintaining the security of information systems.
As for information security, it deals with preserving the confidentiality, integrity, and availability of information by applying risk-management procedures and assuring that the information is protected against unauthorized access, disclosure, alteration, destruction, and disruption [18]. Risk management involves identifying, assessing, and controlling threats to SMEs' digital assets, including information, networks, and systems [1]. Risk assessment, a significant part of risk management, involves identifying hazards, vulnerabilities and threat vectors, assessing the impact and probability of identified risks, and providing a basis for risk-mitigation decisions [23]. Despite the diverse risk-management frameworks available, their core objective remains to protect the SME's information assets by reducing risk to an acceptable level while maximizing the SME's business value [10].
Adversarial threats are defined as dangers originating from persons or organisations that wish to take advantage of the reliance on information systems and information resources [25]. Individuals are represented by outsiders or insiders, depending on their position. Competitive organisations, suppliers, partners, and customers are all examples of organisations. Accidental threats arise from erroneous actions taken by individual users or administrators. Structural threats correspond to equipment and control failures that occur due to circumstances outside of the expected operating parameters [26]. In particular, failures are caused by resource depletion, equipment ageing, or software malfunction. Structural threats cover storage, processing, communications, display, sensor, and controller equipment, as well as power supply, operating systems, networking, and mission-specific software. Finally, environmental threats describe natural disasters and failures of infrastructures that are external to the organisation but are critical to its operations [25]. This may include failure of telecommunications infrastructures, electrical power outages, and natural or man-made disasters such as fire, flood, hurricane, earthquake, and bombing.

Cybersecurity Risk-Management Frameworks
Small- and medium-sized enterprises (SMEs) face unique challenges in the contemporary business landscape, making risk management an essential focus [30]. The theoretical framework delineated in ([24], Figure 1) identifies five pivotal stages in risk management: identify (ID), project (PR), detect (DE), respond (RS), and recover (RC). At the identification stage, SMEs must ascertain potential threats and vulnerabilities, ranging from financial volatility and operational disruptions to cyber risks (Bannister and Remenyi, 2000). The projection phase requires businesses to anticipate the likelihood and potential impact of identified risks [31]. Upon detection, timely recognition of emerging threats, especially in rapidly changing environments, is paramount [5]. Response mechanisms, both proactive and reactive, play a pivotal role in SMEs' ability to mitigate and manage risks [32]. Lastly, the recovery phase emphasizes the need for SMEs to bounce back post-incident, often requiring robust continuity plans and adaptability [33]. Across all these stages, the literature underscores the importance of a structured and comprehensive approach to risk management tailored to SMEs' unique needs and constraints.
The relationship between information systems and organisational processes necessitates an integrated risk-management framework, offering a holistic approach to managing cybersecurity risks at an organisational level while considering the interconnections of the systems, processes, and employed information systems. The landscape of such frameworks is vast; however, the two dominant ones commonly employed by organisations are from NIST and ISO. NIST has offered pivotal contributions to IT security standards, two exceptional standards being NIST SP 800-39 and NIST SP 800-30 (Revision 1). SP 800-39 provides a comprehensive blueprint for information-security risk management [8]. The standard's focus is managing risk at the organisational level, offering a consistent approach that allows for enhanced governance and an improved understanding of IT security impacts on SMEs' operations [23].
The objectives of the SP 800-39 standard are multifaceted. They emphasize the crucial role of IT risk management, advocate for the creation of robust governance processes, promote the application of risk management at various levels, and seek to foster a profound understanding of the effects of IT security risks on SME processes [26]. They also underscore the importance of accountability in decision-making related to cybersecurity risk management, emphasizing the importance of each stakeholder's role in maintaining a secure IT environment [27].
One of the key elements of SP 800-39 is the multitiered structure of IT risk management [8]. Three major tiers are distinguished: Tier 1 corresponds to the system level and describes strategic risk. The organisation decides on the risk-tolerance level, which informs decision-making in lower tiers [34]. Tier 2 is associated with business processes and information flows, as given in ([26], Figure 2). Tier 3 corresponds to information systems and tactical risk. Information flowing upward allows top managers to better understand system-wide risks and adjust risk-tolerance policies accordingly. While this structure ensures that the risk executive function (REF) of the organisation is properly implemented, the NIST standard does not mandate any specific form of the REF. The REF allows stakeholders to direct resources in a way that accounts for the strategic objectives of the organisation [25].
The SP 800-39 standard describes risk management in terms of four components, namely risk framing, risk assessment, risk-response strategy, and risk monitoring [34]. Risk framing aims to produce an actionable strategy for managing IT security risk. This step considers risk within the established environment, which serves as the context for risk-based decision-making [27]. Risk framing identifies risk in terms of assumptions, constraints, tolerance, and priorities and trade-offs. In particular, risk tolerance is understood as the acceptable degree of risk [8]. Risk framing translates into a risk-management strategy which covers risk assessment, risk monitoring, and response strategies. The risk-assessment step allows for identifying threats, vulnerabilities, potential damage, and the likelihood of exploits. The SP 800-30 (Revision 1) standard is the corresponding NIST framework for IT security risk assessment. Finally, a risk-management strategy covers risk monitoring, which is responsible for consistent verification of compliance and assessment of the effectiveness of ongoing risk responses [35]. The risk-assessment component of risk management is responsible for fully determining an IT security risk in terms of the likelihood of occurrence and the potential damage [23]. The standard contains information on preparing for and conducting a risk assessment as well as monitoring assessment processes. Risk assessment is linked to the three tiers of risk management described in the SP 800-39 standard [27].
The standards proposed by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), namely the ISO/IEC 27000 series, cover IT security. Most notably, the ISO/IEC 27005 standard describes information-security risk management. It proposes a continuous process of activity sequences that covers establishing context, assessing, treating, and monitoring risks, and informing the organisation's stakeholders [8]. Since the ISO/IEC 27005 standard only provides general guidelines for IT risk management, it is applicable to a variety of organisations including SMEs, nonprofit organisations, and government agencies [36]. The key structural difference between it and the NIST standard is the lack of any specific recommended method for risk management. In addition to ISO/IEC 27005, the ISO/IEC framework provides policies and procedures to implement a holistic approach to establishing, monitoring, and improving IT security in accordance with general organisational risk management. A high-level overview of the ISO/IEC 27005 standard is shown in ([37], Figure 3).
The graphic in ([37], Figure 3) depicts how the International Organization for Standardization (ISO) uses an iterative approach to undertaking risk assessment [38]. First and foremost, the risk-management context should be established in order to specify the criteria for identifying risks, determining responsibility, determining consequences, determining the availability of information, and developing a methodology for evaluating risk impacts and likelihood [39]. The second step is risk assessment, which comprises several stages, namely risk identification, risk analysis, and risk evaluation [37]. The iterative nature of the framework implies that the procedure of risk assessment is repeated if the information produced by a previous risk assessment is insufficient for making risk-management decisions [38]. For example, another iteration of the risk-assessment block is conducted with revised risk-evaluation or risk-impact criteria [37].
The result of risk assessment is a risk treatment, which takes the form of avoiding, modifying, sharing, or retaining the risk [23]. The risk-treatment step is cyclical and involves several procedures, including assessment of the treatment, estimation of residual risk levels, adjustment of the treatment in cases where residual risk levels are unacceptable, and assessment of the treatment's effectiveness (ISO 2018). This allows for changing context parameters, such as the risk-acceptance criteria, and producing another iteration of the treatment. The ISO 27005 framework emphasises that communication and consultation should be conducted throughout all steps of the risk-assessment process [37]. In particular, risks and treatments should be communicated to operational staff and managers to help mitigate risks and reduce potential damage. The framework specifies that the controls should be risk-based. This captures the dynamic nature of risks and highlights the role of the risk-monitoring step. The standard also provides information on typical threats, constraints affecting the organisation and scope, asset valuation, assessment of vulnerabilities, and risk modification (ISO 2018).
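As an added illustration (not from the paper, NIST, or ISO), the following Python model walks through the SP 800-39 components described above (risk framing that fixes a tolerance, assessment as likelihood times potential damage, a response, and monitoring) together with the ISO/IEC 27005 treatment loop: treat, estimate the residual risk, re-treat while it stays above the acceptance criterion, and otherwise send the risk back to the framing step for revised criteria or an avoid decision. The 1–5 scales, the effect attributed to each treatment, and the sample register entries are assumptions constructed for this example.

```python
# Added illustration, not code from the paper or from the NIST/ISO standards.
# Scales, treatment effects and the sample register are assumptions.
from dataclasses import dataclass, field, replace
from enum import Enum


class Treatment(Enum):
    """Risk-treatment options named in ISO/IEC 27005."""
    AVOID = "avoid"
    MODIFY = "modify"   # apply controls (reduces likelihood in this model)
    SHARE = "share"     # insurance or outsourcing (reduces impact in this model)
    RETAIN = "retain"   # accept a risk that sits within tolerance


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int  # assumed 1..5 semi-quantitative scale
    impact: int      # assumed 1..5 semi-quantitative scale

    @property
    def level(self) -> int:
        # Risk assessment: likelihood of occurrence x potential damage.
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Framing:
    """Output of the risk-framing step: the acceptance criterion used downstream."""
    tolerance: int  # highest risk level the organisation accepts


@dataclass
class TreatmentResult:
    residual: Risk
    decisions: list = field(default_factory=list)
    accepted: bool = False


def apply_treatment(risk: Risk, treatment: Treatment) -> Risk:
    """Assumed effect of each treatment on the residual risk."""
    if treatment is Treatment.MODIFY:
        return replace(risk, likelihood=max(1, risk.likelihood - 2))
    if treatment is Treatment.SHARE:
        return replace(risk, impact=max(1, risk.impact - 2))
    if treatment is Treatment.AVOID:
        return replace(risk, likelihood=0)  # activity discontinued
    return risk  # RETAIN leaves the risk unchanged


# Treatment ladder: controls first, then transfer of what remains. Avoiding an
# activity is a business decision, so the loop escalates instead of choosing it.
LADDER = (Treatment.MODIFY, Treatment.SHARE)


def treat(risk: Risk, framing: Framing) -> TreatmentResult:
    """ISO/IEC 27005 style loop: treat, re-estimate residual risk, repeat."""
    result = TreatmentResult(residual=risk)
    for treatment in LADDER:
        if result.residual.level <= framing.tolerance:
            break
        result.residual = apply_treatment(result.residual, treatment)
        result.decisions.append(treatment)
    if result.residual.level <= framing.tolerance:
        result.decisions.append(Treatment.RETAIN)
        result.accepted = True
    return result


def run_register(risks, framing: Framing) -> dict:
    return {r.asset: treat(r, framing) for r in risks}


def monitor(results: dict, framing: Framing) -> list:
    """Risk monitoring: assets still above tolerance, to be sent back to framing."""
    return sorted(a for a, res in results.items()
                  if res.residual.level > framing.tolerance)


# Constructed sample register (values are illustrative only).
REGISTER = [
    Risk("customer database", "phishing leading to credential theft", 4, 5),
    Risk("file server", "disk failure", 3, 3),
    Risk("office network", "power outage", 2, 2),
    Risk("legacy ERP", "ransomware on an unpatched host", 5, 5),
]

if __name__ == "__main__":
    framing = Framing(tolerance=6)
    results = run_register(REGISTER, framing)
    for asset, res in results.items():
        print(asset, [d.value for d in res.decisions],
              "residual level", res.residual.level, "accepted", res.accepted)
    print("escalate to framing:", monitor(results, framing))
```

With a tolerance of 6, three of the four sample risks are accepted after at most two treatments, while the legacy ERP entry still sits at level 9 and is flagged by `monitor` for escalation; re-running `treat` on that entry under a revised `Framing(tolerance=9)` shows the second iteration with revised acceptance criteria that the ISO loop describes.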
An alternative approach to establishing security requirements is incorporating them into requirements engineering as a part of project development. The Security Quality Requirements Engineering (SQUARE) methodology was developed at Carnegie Mellon University (CMU) to provide a means for identifying and prioritising security requirements of IT systems [40]. The key advantage of this approach is that security concepts are built into the early development stages of the system [41]. The SQUARE model comprises nine key steps, including identification of safety and security goals, categorisation of requirements by level, and risk assessment, as well as prioritisation and inspection of requirements [42].

Surveys on IT Risk Management
The literature reviews [1,16] showed that established cybersecurity assessment frameworks are not well suited for cloud computing. While recent research has investigated risks arising from using cloud services, it was suggested that the literature has paid little attention to risk assessment among cloud providers themselves. To address this gap, [16] proposed a new quantitative risk-assessment model and found that evaluating cloud-platform risk requires dynamic models that capture the degree of interconnectedness of complex cloud networks. It was noted that there is no consensus in the industry on how to assess cloud risks, owing to the lack of an appropriate framework and the dynamic nature of cloud systems. Similar findings were reported for the IoT [43]. It was noted that few quantitative approaches to cybersecurity risk management exist and that none of the established frameworks account for the IoT security ecosystem.
The literature review on the implementation of the ISO/IEC 27001 standard [18] suggested that there is a gap between the contributions of related studies and the requirements of the framework. The paper used semiquantitative analysis to identify research gaps. It was found that the majority of approaches offered in the related literature over the 2005–2018 period provide limited support in adopting the ISO/IEC 27001 standard. Furthermore, few of the examined studies considered the analysis and application of the risk-management system. The abstract nature of prominent IT security frameworks has commonly been noted as a roadblock to implementing the guidelines in practice [18], which appears to be further exacerbated by the lack of research relevant to practitioners. Similar findings were reported in [3], which surveyed the general academic literature on the ISO/IEC 27001 standard. The scholars noted that academia still perceives ISO/IEC 27001 as a technical topic and that very little research provides a managerial perspective. In a similar vein, the surveys [30,44] showed that the solutions provided in the academic literature lack empirical validation and real implementation. Furthermore, the literature was found to focus on common threats such as denial-of-service or phishing, suggesting that there is a gap between emerging vulnerabilities and existing research. The gap was partially addressed by [45], which reported that emerging threats are associated with the areas of cloud computing, IoT, and smartphones.
Literature reviews have also focused on risk-management tools for SMEs; in particular, [17] emphasised that SMEs lack resources for implementing available risk-management solutions. In particular, smaller firms have no dedicated personnel responsible for cybersecurity. The study developed a new framework that contained essential policies for SMEs. Testing the framework in three case studies supported the effectiveness of the model. However, it was also noted that the framework should be complementary to established cybersecurity standards and frameworks. As such, the problem of implementing more complex 'one size fits all' systems, such as NIST, is still relevant. Similar findings for SMEs were reported in [6,19]. Ref. [2] reviewed the literature for the specific case of IT security management in higher education institutions. The scholars used existing standards including ISO 27001, NIST, COBIT, and ITIL as a baseline to develop recommendations for creating a framework for such organisations. The problem of outdated standards was explored by [46], proposing new definitions for information-security classification. The extended literature suggests several focal points for exploring IT security risk management. Primarily, several studies target SMEs, revealing potential inadequacies of established frameworks that are too intricate or rigid for SMEs [8,48]. These findings hint at a chasm between conventional IT risk-management methodologies and SMEs' unique challenges. However, the applicability of these findings to larger organisations is questionable, thereby underscoring the need for an approach that transcends the size of organisations [7,17]. Simultaneously, other researchers focus narrowly on individual standards like ISO/IEC 27001 or NIST, which, although reflective of their pervasive use, can narrow the understanding of these standards' efficacy relative to their alternatives [17]. In contrast, our research embraces an array of IT security standards, aiming to furnish a more holistic comprehension of whether current risk-management frameworks effectively respond to the practical requirements of organisations operating within various information systems. This integrated perspective can potentially offer crucial insights, driving the evolution of risk-management frameworks to be more adaptable, efficient, and effective for the various organisations navigating the complex landscape of cybersecurity, information security, and risk management.

Systematic Literature Review
This study employed a systematic literature review, a strategy renowned for its traceability and transparency, to scrutinize academic papers on risk management within SMEs. This methodology, extensively utilized in computer science and engineering, ensures a comprehensive and unbiased topic exploration. Key research phrases used during the review encompassed "Cybersecurity Risk Management", "IT Risk Management", "Cybersecurity Risk Assessment", and "IT Risk Assessment". Focusing on these critical elements in the broader field of risk management and information security systems, this study delivers a focused, in-depth examination of the prevailing discourse on IT risk in the contemporary information landscape.

Database and Population
With this study, we hope to find out how well the established information-technology (IT) risk-management frameworks perform. Refs. [1,2,3,6,17,19,49] organized their literature reviews in the same manner. A wide range of sources is used to cover important articles from business, public administration, academia, and management, including papers from a variety of fields. The systematic literature review covers a variety of academic disciplines including cybersecurity, computer science, security standards, security management, and security frameworks. The literature search was performed using the keywords "Cybersecurity Risk Management", "IT Risk Management", "Cybersecurity Risk Assessment", and "IT Risk Assessment", and was limited to publications from 2016 to 2021. Several publication databases were used, including Google Scholar, IEEE Xplore, Springer Link, Elsevier, and Science Direct, with the Scopus database and Google Scholar targeted in particular. The data were gathered by collecting all research articles that matched these keywords and were related to the security of information systems.

Including and Excluding Criteria
The identified publications were organized into three main categories. The first category comprised previous literature studies, serving as a benchmark to position our review within the existing body of literature. The second category includes studies that conducted comparative analyses of various IT risk-management frameworks, which contributed to addressing the research questions Q1 and Q2. The final category focuses on studies that examined a single framework; these are further subdivided into those using an established framework and those developing novel models. These studies served to illuminate the research questions Q2 and Q3. To our knowledge, few recent research articles and technical papers encapsulate a comprehensive review of the literature on IT risk management from 2016 to 2022. Therefore, our review constitutes an important initiative towards systematically identifying the weaknesses of current IT frameworks and deciphering the essential features for future adaptations and emerging models.

Sample Size
Initially, 168 articles were found by the researcher using journal websites, the Scopus database, and Google Scholar. After that, 76 research articles were found to comply with both the inclusion and the exclusion criteria and, from those, the most pertinent articles were chosen. Papers that were identical to others and book reviews were both removed from consideration. This particular investigation looked at a total of 29 different studies. Therefore, the study examined these 29 studies to determine what kind of writing and research has been done on risk management and information-security systems in SMEs. The 29 studies included those that had established SME risk management and information systems, frameworks, and models emphasizing simplified risk-management framework implementation for SMEs. Additionally, the risk-management processes and marketing strategies were individually scrutinized to determine a commonality on the subject.

Findings of the Metadata
Ref. [20] compared several frameworks, including ISO/IEC 27001, NIST CSF, COBIT, OWASP, C2M2, ISO 22301, and ENISA [50,51]. It was argued that existing frameworks share certain shortcomings that are becoming more and more challenging as the frequency of cyberattacks continues to grow. First, these frameworks often require substantial implementation effort. For example, the NIST framework consists of almost 100 standards. The documentation for such frameworks can be overwhelming, which would likely translate into lower effectiveness of implemented risk-management tools. In other words, it can be challenging for organisations to employ established frameworks as guides for cybersecurity management, which harms the adoption of universal frameworks and wastes organisational resources. Secondly, management of risk in information systems should shift from cybersecurity to cyber-resilience [52]. This reflects the focus on compliance in prominent frameworks, such as NIST, noted in similar research [16]. Cyber-resilience puts more emphasis on business continuity, the ability to prevent and recover from threats, and the capacity to adapt to the impacts of adverse events. Put differently, cybersecurity frameworks encourage a more reactive approach, while cyber-resilience fosters a proactive mentality.
Ref. [53] makes a compelling argument for adopting hybrid IT risk-management frameworks, emphasizing that a balanced approach could provide superior outcomes. While the ISO 27000 series is recognized as an exceptional practice for comprehensive cybersecurity management, it could overwhelm certain cases with its exhaustive details. In such instances, a more straightforward framework like OCTAVE could provide an all-encompassing system that supplements ISO/IEC standards, filtering out inapplicable responses. Its simplified iteration, OCTAVE-S, could cater better to SMEs with a flat organisational structure [53]. Moreover, OCTAVE's emphasis on operational uptime might be invaluable for manufacturing organisations. Ref. [53] postulates that blending a detailed standard such as ISO or NIST with a broader framework like OCTAVE could be optimal. Furthermore, integrating these risk frameworks with capability maturity modelling might facilitate easier alignment with finance and operational departments [54].
Considering specific threat types and vulnerabilities pertinent to an organisation's environment further enriches the analysis. Recognizing the role of behavioural factors in IT risk management and focusing on insider threats are particularly insightful [55]. Ref. [33] examined the risk assessment of insider threats across four frameworks: NIST, FRAP, OCTAVE, and CRAMM. They found NIST to be the most comprehensive, with each step tied to a distinct target and multiple management approaches. Concurrently, frameworks like FRAP and OCTAVE demand less time and fewer resources, potentially boosting the adoption of cybersecurity risk-management tools among smaller organisations. Focusing on frameworks compatible with IoT services, ref. [56] identified a shortfall in NIST's automated risk quantification tools. This diversity of research avenues and perspectives highlights the complexity and multidimensional nature of IT risk management in the context of cybersecurity, information security, and risk assessment.
Similarly, OCTAVE and TARA provided no quantification method for estimating recovery and risk impact. Meanwhile, ISO was reported not to have these weaknesses, although it may be too focused on compliance. Table 2 shows the summary of the studies discussed above. In general, all the literature studies criticised the complexity and the lack of implementation guidelines for major IT risk-management frameworks. The results of the comparisons suggest that poor documentation increases the costs of implementation and reduces the effectiveness of risk-response measures. Several studies noted that a hybrid approach to risk management may be appropriate, where an existing standard is complemented by additional models or enabling frameworks.

Comparative Analysis
The studies that examined a single framework either explore an existing framework or work towards developing a new one. Separating the two study groups allows for assessing the gap between existing frameworks and innovative solutions. It is possible that model extensions for specialized applications like cloud computing share the same flaws as the baseline model. In particular, the review of existing literature surveys suggests that academic literature treats the ISO/IEC standards as a theoretical construct and provides few implementation guidelines. As such, it can be valuable to separate the analysis of studies of new frameworks from that of established models.
The vast majority of recent literature has been focusing on extending prominent risk-management frameworks and applying them in specific cases, such as SMEs or cloud computing. It could be argued that it has been generally established that the existing standards are lacking, which translates into few recent studies that explicitly assess the effectiveness of basic frameworks such as NIST and ISO/IEC [3,18]. One example is the work by Benz and Chatterjee, who proposed a tool for evaluating the maturity of SMEs according to NIST standards [8]. It was noted that NIST is insufficient for an SME IT leader. Most importantly, it was emphasised that implementing NIST can be overwhelming, as the framework is very complicated. Furthermore, NIST does not provide guidelines for acceptable ratings on each of the standards. SMEs may not have access to data from other organisations, which prevents firms from gauging the effectiveness of implemented policies.
In addition, ref. [8] noted that NIST has no recommendations on best practices or directions for improvement. At the same time, it was argued that cybersecurity is still not universally recognised by SMEs as a high priority, since executives may not see their businesses as likely targets of cyberattacks. This observation ties in with recent research that highlighted the role of behavioural factors in the effectiveness of IT risk management [57]. Similar findings on the shortcomings of NIST were reported in [28]. The paper argued that NIST was too focused on compliance, while quasi-quantitative scoring may give a false impression of rigour and accuracy, leading to lower effectiveness of IT risk management. Another study [29] considered effectiveness as perceived by investors. Cybersecurity awareness was associated with the perceived benefits of a risk-management framework.
The only study [27] that explicitly considered the effectiveness of an IT risk-management framework used the NIST framework with a cost-benefit model, which allowed for determining the cost-effective level of investment in IT security activities and selecting the most cost-effective direction for NIST implementation. It was shown that the cost-effectiveness of a NIST implementation depends on three key factors, namely the value of the protected information, the probability of a security breach, and the productivity of the investment in IT security activities. The first two factors correspond to the NIST definition of risk, which emphasises the expected damage following an attack and the likelihood of the attack. The presence of the third factor is more interesting and reflects the inability of NIST to capture the importance of human resources. The productivity of cybersecurity investments necessarily depends on human factors, including leadership, trust, and behavioural biases. The paper [27] can be linked to recent research on the importance of cybersecurity awareness and trustworthiness in fostering proper security practices [55,58,59]. Table 3 shows the summary of studies that explored existing IT risk-management frameworks. Overall, few recent studies have focused on assessing an established IT risk-management framework. The examined literature agrees that the existing standards are too complex and particularly challenging to adopt for smaller organisations.
Several studies focused on a specific area of application of cybersecurity risk management. For example, refs. [5,60] considered cybersecurity risk assessment for value-sensitive medical devices. The MDPC framework was used, which adapted the NIST 800-30 standard to medical devices such as insulin pumps. The main idea behind the framework is the shift in perceiving information security as an asset rather than an obligation. However, the standard does not suggest any specific processes or criteria for matching risks with security controls. This shortcoming is shared with the underlying NIST framework and may be a significant roadblock to implementing cybersecurity risk management in complex systems. Nevertheless, the results of [60] highlighted how the choice of framework may articulate the value generated by investing in cybersecurity.
Few studies have considered causal relationships between security-related elements. Notably, ref. [24] used system dynamics to perform a dynamic and systemic assessment of cybersecurity risks in SMEs. Similar to [27,30,60,61], the employed risk-management framework was based on the NIST standard. More specifically, the Italian National Cyber Security Framework was created as a uniform approach to cybersecurity management for both SMEs and large companies. However, it extends NIST by considering priority levels and maturity levels for organisations and processes. The key result of [24] is illustrating how the benefits of addressing certain threats may systemically propagate to other security components. Nevertheless, the paper did not empirically validate the identified causal relationships, which further highlights the gap between available simulation and empirical studies. A more recent paper [24] expanded on this approach and proposed a new tool for IT risk assessment that relied on the system dynamics methodology. The new SME Cyber Risk Assessment (SMECRA) framework was suggested to address dynamic organisational complexity. This should allow for assessing risks and related processes that vary over time, which ties in with other research highlighting the need for dynamic assessment in such areas as cloud computing [16]. A simpler approach was used in [48,62], adapting the NIST and ISO/IEC 27001 standards to manage cybersecurity risk in SMEs.
Further exploring how academics have tackled the issue of IT risk management in cloud computing reveals that it is necessary to account for economic risk qualification in a holistic technoeconomic model. Ref. [7] proposed how to design an effective, agile, and automatic model of cybersecurity risk assessment for cloud computing which would allow for industrialising economic risk evaluation. Notably, the study found that the three most compliant established models present just below 60 percent compliance with a theoretical reference model. This suggests that, even considering the overlap across major risk-management frameworks, there is a gap of more than 40 percent that should be addressed by future models. Since it may not be clear which of the remaining vulnerabilities have the highest priority, a multicriteria decision analysis tool could be used to conduct a prioritised gap analysis. Ref. [63] developed the CyFEr framework based on the empirical paradigm. The framework can use any base set of standards as controls input, such as NIST or C2M2. The research can be an important step towards better guidelines for implementing complex frameworks as well as automated risk assessment, due to the prioritised vulnerability mitigation analysis. Entities that only enact these procedures because of the introduction of the GDPR will almost certainly use the ready-made (template) solutions that are made available to SMEs for risk assessment. This, of course, does not imply that the absence of consideration of the International Organization for Standardization is equivalent to poor quality in the analyses being conducted. On the other hand, one must always be prepared for the possibility that they deviate, albeit only slightly, from the globally recognized standards.
Several studies have highlighted the role of behavioural influences when considering the effectiveness of cybersecurity risk assessment and management. This is consistent with prominent frameworks such as NIST SP 800-39 and SP 800-30 failing to explicitly acknowledge the role of human resources in information systems. Ref. [57] integrated a human-behaviour model into cybersecurity risk assessment. This was aimed at facilitating communication so that users understand risk and make informed judgements. It was noted that supplying accurate risk information may be insufficient for producing an effective risk-management system. Individuals should be able to process and comprehend the risk message so that they may act on it in an informed way. This ties in with the Job Characteristics Model, suggesting that certain task features may foster a sense of responsibility and improve performance [57]. Furthermore, the Health Belief Model predicts that higher risk awareness promotes active engagement.
Only [64] explicitly studied the effectiveness of IT risk management. A new model was developed based on fuzzy set theory and machine-learning classifiers. Experimental results suggested that predicting risk types and estimating asset criticality using these tools leads to an effective risk-management practice. However, the paper was limited to cyber-physical systems. A more general approach was used in [65], which proposed an architecture for integrating such frameworks as OCTAVE, NIST, ISO, CVSS, CMMI, TARA, and FAIR. It was found that FAIR promoted quantitative risk-based assessment of losses, while NIST and ISO were the most advanced frameworks offering standards for disaster recovery. Ref. [66] capitalised on the quantitative focus of FAIR and extended it using Bayesian networks. It was found that the extended model was more accurate and flexible. Meanwhile, the degree of interconnectedness in IoT and the lack of recovery planning in most of the frameworks could become a significant issue in the future as the adoption of new technologies continues to grow [65]. The summary of studies that developed new IT risk-management frameworks is shown in Table 4. The NIST framework and its variants are the most frequently extended or adapted models across the studies, with at least 8 out of 19 papers leveraging it. Refs. [24,60] notably developed extensions of the NIST framework to cater to specific domains, while [44,62] focus specifically on SMEs. This underscores the flexibility and broad applicability of the NIST framework, with researchers continually finding it valuable for different contexts. A broad range of risk domains is under examination, including cloud computing, SMEs, IoT, multicriteria decision-making, and even automotive firms. This reflects the expanding universe of cybersecurity challenges that modern enterprises face. Studies [7,61] offer specialized frameworks for the rapidly growing field of cloud computing. Advanced mathematical and computational techniques, such as system dynamics, Bayesian networks, fuzzy logic, and machine learning, are being integrated into risk-management frameworks. The FAIR-based framework using Bayesian networks [66] and CRSM with fuzzy logic and machine learning [64] signify the growing intersection of artificial intelligence and risk management.
There is a noticeable shift toward recognizing the sociotechnical dimensions of cybersecurity. Ref. [57] emphasizes that integrating the human element can enhance risk communication. There is an evident interest in integrating various existing frameworks, as seen in [65]. This integrative approach recognizes the strengths of different frameworks and seeks to synthesize them for comprehensive risk management. Several studies [24,48,62] specifically target SMEs. This focus underscores SMEs' unique risk-management challenges, as opposed to larger enterprises, and the need for tailored approaches.

Discussion
Recent studies have underscored a pressing discord between prevailing IT risk-management frameworks and the actual security requirements of organisations. While multiple adaptations and novel frameworks have emerged to bridge evident gaps in IT risk assessment and management, there is a lingering apprehension that these nascent solutions might echo the shortcomings intrinsic to their well-established counterparts. At the heart of this concern is the oft-debated applicability of such frameworks, especially for small- and medium-sized enterprises (SMEs). When juxtaposed with the often-scant IT security budgets of SMEs, the financial burden of adopting intricate standards renders them disproportionately costly [45]. This financial strain stems from the inflexibility of generic, "one size fits all" frameworks, notably NIST, which frequently require modifications beyond the capabilities or needs of SMEs [6].
Despite its pervasive utilization across IT security risk management, the NIST standard has been critiqued for its inherent qualitative nature, often rendering its guidelines more theoretical than actionable [19]. A prominent critique targets the risk-assessment component of the NIST standard [16]. While it mandates estimations of threat likelihood and the potential consequences of untoward events, it conspicuously lacks clear directives on the estimation procedures. More than a mere oversight, this deficiency has implications for operational effectiveness and could lead to inconsistencies in risk assessments across different SMEs. Ultimately, while the NIST framework provides a panoramic view of risk management's primary constituents, it fails to deliver precise, actionable solutions tailored to IT security challenges. As risk assessors strive to delineate concrete concepts such as weaknesses, threats, and vulnerabilities, they would significantly benefit from a more prescriptive framework that fuses NIST's theoretical robustness with practical guidelines and adaptability.
The dominant standards explain risk assessment too abstractly and give little guidance for implementation [16]. This is important for applying standards to cloud settings, which are highly interdependent and continually changing [23]. As a result, measuring cloud hazards using qualitative or semiquantitative scales is ambiguous [3]. Another notable finding is that, due to the complexity of IT risk management in the presence of multiple cloud service providers, recent research appears to have focused on the organisation in question while ignoring the supplier network and security interdependencies [16]. At the same time, established frameworks for cloud security, such as QUIRC, OPTIMIS, and CSPRAM, may become too complex and unmanageable if users are involved in all stages of risk assessment. Another possible issue with NIST is the large number of related standards [23]. The overarching SP 800-39 framework requires complementary guidance documentation such as SP 800-37 and SP 800-30 [17]. It can be challenging for organisations to achieve a clear understanding of the whole framework and to extract information that is relevant to the organisation's processes and security risks [64]. SMEs are more likely to encounter this problem and face higher relative costs of implementing the standard, which is a shortcoming shared by a "one size fits all" approach to risk management [6,19].
The findings from the reviewed studies have provided strong insights into the research questions. This study discusses the results concerning each research question.

1. How does the IT risk-management framework enhance the security standards across information systems in SMEs?
IT risk-management frameworks play a crucial role in enhancing the security standards across information systems in SMEs by providing structured and systematic approaches to identifying, assessing, and managing potential risks. Studies highlighted the importance of established frameworks like NIST and ISO/IEC in providing baselines for effective risk management [8,28]. However, the complexity of these frameworks has been noted as a potential deterrent, especially for SMEs with limited resources [8]. Customizing and adapting these frameworks to the specific context of SMEs could enhance their applicability and effectiveness. In particular, refs. [27,73] illustrated how frameworks such as NIST can be adapted and expanded to better suit the needs of SMEs, indicating that flexibility and adaptability are crucial elements in enhancing security standards.

2. What is necessary to establish a practical IT risk-management framework in SMEs?
Several necessary elements were identified to establish a practical IT risk-management framework in SMEs. These include simplicity of implementation, flexibility and adaptability of the framework to specific needs, clear guidelines for improvement, and acknowledgement of the human aspect of cybersecurity. Simplicity and usability were considered critical, with established frameworks like NIST viewed as complex and overwhelming for SMEs [8]. A need for clear guidelines and best practices was also identified to facilitate SMEs in implementing the framework effectively [8]. Additionally, several studies emphasized the importance of acknowledging human factors in developing a practical IT risk-management framework. The importance of including human behaviour and awareness in risk management was notably discussed in [57], indicating the necessity of frameworks that focus not only on technical aspects but also on the human elements of cybersecurity.

3. How are emerging IT risk-management frameworks addressing the shortcomings of established standards for SMEs?
Emerging IT risk-management frameworks primarily address the shortcomings of established standards by focusing on specific application areas, integrating human behavioural aspects, and offering more dynamic and adaptable approaches. For instance, ref. [67] developed the SME Cyber Risk Assessment (SMECRA) framework that addresses dynamic organisational complexity, indicating an emerging focus on the need for frameworks that can adapt and respond to changes over time. In terms of specific areas of application, studies [7,60] focused on value-sensitive medical devices and cloud computing, respectively, highlighting an increasing focus on domain-specific risk-management frameworks.
Additionally, several new frameworks have started integrating human-behaviour models into cybersecurity risk assessment [57], addressing the human-factor shortcoming identified in established models. In conclusion, the ongoing research in IT risk management is leaning towards more specialized, dynamic, and human-centred frameworks, addressing the known shortcomings of established standards and better meeting the needs of SMEs.

Practical Implications
Existing frameworks' silo approach may positively influence risk management of IT systems that use emerging technologies like cloud networks in SMEs. Indeed, this approach indicates that standards analyse a single environment, such as a cloud service provider or a client, while neglecting supply-chain network interdependencies [16]. This increases risk exposure, which translates into lower effectiveness of the risk-management framework for SMEs' security standards. New technologies are rapidly advancing and require a more dynamic approach to risk assessment [18]. The gap also highlights the importance of SMEs conducting due diligence on their partners and third-party vendors, due to the increasing complexity and interdependence of IT systems. One possible direction for future research is to consider technology-enabled automation in these SMEs [6]. Automated risk assessment in those SMEs would allow for a more proactive approach to risk mitigation, due to the ability to dynamically monitor cybersecurity threats and vulnerabilities [46]. This approach would be suitable for newer technologies, such as cloud computing, which involves indirect assets harmed only through adverse impacts on other assets. Automated tools may also facilitate the shift from qualitative or semiquantitative frameworks, such as NIST, to quantitative assessment that captures the impacts on business losses and the costs to recover from an attack [17].
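As an added illustration (not a tool from the reviewed paper, NIST, or any cited framework) of the two points made above and in the discussion of [27]: an ordinal likelihood x impact scale can rank risks differently from a monetary expected-loss estimate that includes recovery cost, and a control is cost-effective only when the loss it avoids exceeds what it costs. All assets, probabilities, values, costs and thresholds are constructed sample data for one hypothetical SME.

```python
"""Added example: semiquantitative vs quantitative risk scoring for an SME.

Not the paper's or NIST's own tool. Every number below is constructed for
illustration; the ordinal thresholds are hypothetical, not a standard's scale.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    annual_probability: float  # estimated probability of a breach within a year
    asset_value: float         # value of the protected information (direct loss)
    recovery_cost: float       # cost to restore operations after an incident


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    covers: str                   # asset the control protects
    probability_reduction: float  # fraction of the breach probability removed


# Hypothetical ordinal scales: value >= threshold raises the 1..5 level by one.
LIKELIHOOD_THRESHOLDS = (0.05, 0.15, 0.35, 0.6)
IMPACT_THRESHOLDS = (10_000, 50_000, 200_000, 1_000_000)


def ordinal_level(value: float, thresholds) -> int:
    """Map a continuous value onto a 1..5 ordinal level (ascending thresholds)."""
    return 1 + sum(1 for t in thresholds if value >= t)


def semiquantitative_score(r: Risk) -> int:
    """Ordinal score (1..25): likelihood level times impact level."""
    likelihood = ordinal_level(r.annual_probability, LIKELIHOOD_THRESHOLDS)
    impact = ordinal_level(r.asset_value + r.recovery_cost, IMPACT_THRESHOLDS)
    return likelihood * impact


def expected_annual_loss(r: Risk) -> float:
    """Quantitative estimate: breach probability times (direct loss + recovery cost)."""
    return r.annual_probability * (r.asset_value + r.recovery_cost)


def rank_risks(risks, key):
    """Asset names ordered from highest to lowest under the given scoring key."""
    return [r.asset for r in sorted(risks, key=key, reverse=True)]


def control_net_benefit(control: Control, risks) -> float:
    """Expected annual loss avoided by the control minus its annual cost."""
    avoided = sum(expected_annual_loss(r) * control.probability_reduction
                  for r in risks if r.asset == control.covers)
    return avoided - control.annual_cost


def select_controls(controls, risks, budget: float):
    """Greedy choice of controls with positive net benefit that fit the budget."""
    ranked = sorted(controls, key=lambda c: control_net_benefit(c, risks), reverse=True)
    chosen, spent = [], 0.0
    for c in ranked:
        if control_net_benefit(c, risks) > 0 and spent + c.annual_cost <= budget:
            chosen.append(c.name)
            spent += c.annual_cost
    return chosen


# Constructed sample register for a hypothetical SME (not real data).
SAMPLE_RISKS = [
    Risk("customer-db", "ransomware", 0.2, 150_000, 60_000),
    Risk("web-shop", "credential stuffing", 0.5, 30_000, 15_000),
    Risk("file-server", "backup misconfiguration", 0.1, 900_000, 150_000),
]

SAMPLE_CONTROLS = [
    Control("offline backups", 8_000, "file-server", 0.6),
    Control("MFA on web shop", 3_000, "web-shop", 0.8),
    Control("EDR for customer db", 20_000, "customer-db", 0.4),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.asset:12s} ordinal={semiquantitative_score(r):2d} "
              f"expected loss={expected_annual_loss(r):,.0f}")
    # The ordinal ranking puts customer-db first; the monetary ranking puts
    # file-server first, because recovery cost and asset value dominate.
    print("ordinal ranking  :", rank_risks(SAMPLE_RISKS, semiquantitative_score))
    print("monetary ranking :", rank_risks(SAMPLE_RISKS, expected_annual_loss))
    print("controls chosen  :", select_controls(SAMPLE_CONTROLS, SAMPLE_RISKS, 12_000))
```

The EDR control is rejected even though it protects the top ordinal risk, because the loss it is expected to avoid is smaller than its cost; this is the "productivity of the investment" factor that an ordinal scale alone cannot express.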
In addition, small and medium enterprises (SMEs) must conduct risk assessments to identify and mitigate IT security risks effectively. This involves identifying the vulnerabilities, threats, and potential impacts of each aspect of their IT infrastructure. Understanding what risks exist is critical to the ability to counteract them. Once the risks have been identified, it is essential to establish a robust cybersecurity framework that aligns with globally recognized standards such as ISO 27001 or the NIST framework. The cybersecurity framework should provide guidelines and procedures to prevent, detect, and respond to cybersecurity risks. Simultaneously, SMEs must invest in relevant security tools such as firewalls, antivirus software, encryption tools, and intrusion detection systems. These tools will help to protect the organisation's data and IT resources from malicious activities.
Moreover, human error or negligence can often be a significant source of security incidents. Therefore, conducting regular staff training on cybersecurity best practices is crucial. Employees must be made aware of common threats, such as phishing attacks and ransomware, and trained to respond effectively. In addition, SMEs should review and update their IT policies and procedures regularly. Changes in technology, business environment, or regulatory requirements might necessitate adjustments to ensure ongoing relevance and effectiveness. Finally, having a well-defined and rehearsed incident response plan is another crucial step in mitigating IT security risks. The plan should outline how to respond to an IT security incident swiftly and efficiently to minimize damage and downtime. This also includes having a disaster recovery and business continuity plan to ensure operations can resume quickly after an incident.
All these strategies must be underpinned by a security culture where all stakeholders understand the importance of maintaining strong IT security practices. With an ongoing focus on security, SMEs can significantly reduce their IT security risks.

Theoretical, Managerial and Societal Implications
The findings from this study serve as a stepping stone in the continually evolving domain of IT risk management. The identified shortcomings and advantages of the established frameworks will stimulate further academic inquiries to address these gaps. It elucidates the dynamic interplay between technological evolution and IT risk-management practices, reinforcing the need for frameworks that can adeptly respond to a rapidly transforming digital landscape. This study fosters an interdisciplinary dialogue beyond the traditional IT security discourse by emphasizing system dynamics, machine learning, and sociotechnological models. Hence, it challenges the scholarly community to consider IT risk management not as a static entity but as a vibrant, complex system with inherent interactions and feedback loops. From a managerial perspective, this study underscores the necessity of selecting and implementing IT risk-management frameworks congruent with the SME's specific needs and the nature of its information systems. It encourages management to consider the costs and complexities associated with established frameworks, evaluate the efficacy of risk-management strategies, and contemplate the feasibility of emerging frameworks with advanced techniques. Societally, this study underscores the importance of robust IT risk-management practices in maintaining data integrity, privacy, and cybersecurity. By spotlighting the limitations of the current standards and advocating for adaptable, responsive risk-management practices, it aims to foster a safer, more secure digital society. This is particularly critical given the escalating prevalence of digital channels in everyday life, the increasing reliance on interconnected systems, and the rising threats to information security.

Conclusions
The present survey aimed to assess the effectiveness of established IT risk-management frameworks in SMEs. A literature review was performed on IT risk-management research covering the 2016-2021 period, which also highlights the need for information-security standards in SMEs. While established IT risk-management frameworks, such as NIST and ISO, are foundational to enhancing the security of SMEs, their application has shortcomings. Issues related to high risk uncertainty, subjective probability associations, and a semiquantitative assessment scale potentially contribute to inaccuracies in assessing IT security risks. An essential critique of these frameworks is their focus on compliance rather than proactive security, making them less suitable for smaller organisations. Furthermore, the assumed trustworthiness of entities related to the organisation and the predictability of their behaviour might not always hold, underscoring the need for individualized assessments. These frameworks require continuous updates to cover threats associated with emerging technologies. Despite these limitations, such frameworks remain valuable tools for describing and prioritizing the tasks necessary to manage security capabilities and assist in preparation for compliance and other IT audits. Ultimately, a successful risk-management program should enable SMEs to consider the range of risks they are exposed to and understand the potential impacts these could have on their strategic goals. Moving forward, it will be necessary for standards and frameworks to adapt to the changing landscape of IT security threats and for organisations to tailor their use of these frameworks to their specific context and needs.
In addition, the study offers SMEs a risk-management tool that is all-encompassing and does not concentrate on a particular functional area or industry. This tool assesses the dimensions of risk within the context of SME information systems. According to the findings of this research, even though SMEs have scarce resources, it may still be possible for them to adopt a holistic approach to their risk management by managing the elements of information democracy. This would be a positive development. This may assist SMEs in risk assessment, reconciling their risk appetite, and utilizing risk-management systems and information systems for their survival and long-term viability. The fact that the research was only focused on internal information is one of its flaws; as a result, it is suggested that future studies examine the information available to the public. The results that were obtained provide an overview of the bigger picture regarding how the process of risk management operates in information security in SMEs. The benefits and drawbacks of utilizing this method are both brought to light here. It has become known that businesses do not place a great deal of importance on the human element of risk assessment or on locating potential hazards that are the result of the actions of workers. The findings of the research should encourage further assertion of businesses in the area of risk management. This will make it possible in the future to estimate the rate of growth of business entities' knowledge within the scope of their use of suggestions derived from global standards.

Limitations and Future Directions
Despite the extensive literature on established and emerging IT risk-management frameworks, this study has limitations. The broad spectrum of rapidly developing new technologies was not adequately addressed. Thus, future research could focus on assessing the adaptability and effectiveness of these frameworks in response to specific emerging technologies such as AI, quantum computing, or blockchain. Furthermore, the research could explore the development of sector-specific or technology-specific risk-management frameworks to accommodate the unique vulnerabilities and threats inherent to them. Cross-sectoral comparisons could also yield further insights into how different industries manage IT risk. Moreover, the cultural, geographical, and regulatory contexts of organisations, which may impact the implementation and effectiveness of these frameworks, could be investigated in depth. While this study suggests incorporating advanced techniques, such as system dynamics and machine learning, into risk-management practices, more empirical studies are required to validate this proposition and explore its practical implementation. Finally, in the context of the increased prevalence of remote work and online transactions due to the pandemic, future studies could delve into the new set of IT risks and how risk-management frameworks can be adapted accordingly.

Table 1. Summary of existing surveys, their contributions, and limitations.

Table 2. Summary of studies that compared existing IT risk-management frameworks.

Table 3. Summary of studies that explored existing IT risk-management frameworks.

Table 4. Summary of studies that developed new IT risk-management frameworks.