Cyber Risk Analysis and Causal Factors Influence the Cybersecurity Readiness Capability for Small and Medium Enterprises in Thailand

1. Introduction

In the contemporary digital landscape, organizations are increasingly reliant on technological systems to enhance operational efficiency and productivity. While this technological integration offers significant advantages, it concurrently exposes organizations to a spectrum of cyber threats that have become an omnipresent concern in modern business environments. Recent trends indicate a surge not only in the frequency of cyberattacks but also in their complexity—partly fueled by advancements in Artificial Intelligence (AI), which enable attackers to develop more sophisticated and harder-to-detect methods. Such threats can lead to severe repercussions, including operational disruptions, exfiltration of sensitive data, and erosion of customer trust. Therefore, alongside leveraging digital innovations, organizations must prioritize robust cybersecurity strategies to mitigate potential risks [1].

Small and Medium Enterprises (SMEs) in Thailand represent a crucial segment of the national economy, contributing approximately 35% to the Gross Domestic Product (GDP). Despite their economic significance, many SMEs face challenges related to resource constraints, limited cybersecurity expertise, and low awareness of cyber risks, which frequently result in inadequate preparedness. Furthermore, some SMEs tend to underestimate their vulnerability, assuming their small size shields them from targeted cyberattacks [2]. As digital reliance grows, SMEs heavily engaged in online operations and digital platforms remain particularly vulnerable to cyber threats. According to the Kaspersky Cyberthreat Live Map (January 2025), Thailand experiences approximately 28,000 cyberattacks daily, with the incidence steadily increasing. This underscores the importance of strengthening cybersecurity resilience within SMEs to safeguard their continuity and growth [3].

In response to these issues, this study centers on exploring internal factors influencing cybersecurity preparedness among Thai SMEs, articulated through four primary objectives. First, it assesses cyber risk factors across financial, operational, governance, personnel, and reputational dimensions using the Fuzzy Analytic Hierarchy Process (Fuzzy AHP) approach [4], facilitating the prioritized allocation of resources. Second, it examines how internal organizational components—specifically personnel, processes, and technology—affect cybersecurity readiness, guided by the Resource-Based View (RBV) theory [5], which emphasizes the strategic value of internal resources. Third, the research develops measurable indicators for evaluating cybersecurity preparedness within these key areas. Lastly, it proposes a tailored framework aimed at enhancing SMEs’ cyber resilience by integrating insights derived from internal factor analysis with established international standards, notably the NIST Cybersecurity Framework 2.0 [6] and ISO/IEC 27001:2022 [7], considering the resource limitations often faced by SMEs.

Achieving these objectives promises significant contributions to advancing cybersecurity readiness in SMEs, especially within developing economies. These include: (1) providing a prioritized cyber risk profile through Fuzzy AHP to support effective risk management; (2) identifying critical internal factors influencing cybersecurity capacity; (3) establishing foundational indicators for assessing organizational preparedness across personnel, processes, and technology; and (4) presenting a comprehensive, standards-aligned framework specifically adapted to the context and constraints of SMEs.

2. Literature Review

2.1. Cybersecurity Readiness of SMEs

Compared to larger enterprises, SMEs generally demonstrate lower levels of cybersecurity readiness. Research by [8] reveals that SMEs with more advanced adoption of digital technologies and stronger cybersecurity preparedness often utilize technological measures such as malware protection, encryption techniques, firewalls, and routine software updates to safeguard their systems. Conversely, SMEs with limited digital engagement tend to rely mainly on basic protections like software patches and firewall implementation, which are insufficient to address the full spectrum of cyber threats.

Despite these differences, both groups commonly lack comprehensive cybersecurity management frameworks. This includes gaps in staffing dedicated to security, the execution of audit mechanisms, formal cybersecurity policies, and the practical application of cybersecurity standards. These shortcomings largely stem from a lack of sufficient information and limited commitment from management to establish and maintain resilient cybersecurity practices.

To improve cybersecurity readiness in SMEs, there is a need to strengthen internal organizational components. [9] highlighted five essential internal factors that can drive effective cybersecurity readiness in SMEs within developing countries: adequate operational funding, strong organizational support from management, cybersecurity knowledge and expertise, appropriate information technology infrastructure, and adherence to personnel-related policies and regulations.

Drawing upon the Resource-Based View (RBV) theory [5], which suggests that organizations gain competitive advantages by leveraging valuable, rare, inimitable, and non-substitutable resources, this study focuses on analyzing internal factors specifically through the lenses of personnel, processes, and technology. These elements represent critical internal resources that enable SMEs to craft cybersecurity strategies that are not only effective but also efficient. Emphasizing these three aspects helps ensure that SMEs can maximize the use of their existing assets in a cost-effective manner, thus unlocking greater organizational potential [10].

2.2. Cyber Risks of SMEs

While digital technologies offer opportunities for SMEs to gain competitive advantages, they also expose these businesses to various cyber threats. Cybercriminals constantly refine and enhance their attack techniques, often focusing on SMEs due to their comparatively weaker defenses, making them easier targets than larger firms. [11] emphasize that one of the primary reasons SMEs face elevated cyber risks is their limited awareness of these threats. Many SMEs do not fully recognize or prioritize cyber risks, lack the necessary knowledge to protect themselves adequately, and struggle to establish effective cybersecurity programs. Resource limitations further hamper their ability to sustain robust cybersecurity measures.

This study analyzes cyber risks faced by SMEs using two key frameworks: the Risk Assessment in Practice framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) [12] and the ISO/IEC 27005:2018 standard, which provides guidelines on information security risk management [13]. Building upon these frameworks, the research identifies SME-relevant risk factors covering financial risk, operational risk, governance risk—including compliance with laws and regulations—personnel risk, and reputational risk. These identified risks are then systematically evaluated and ranked using the Fuzzy Analytic Hierarchy Process (Fuzzy AHP) technique to prioritize their impact.

2.3. Fuzzy Analytic Hierarchy Process

The Fuzzy Analytic Hierarchy Process (Fuzzy AHP) is a hybrid decision-making method that merges the traditional Analytic Hierarchy Process (AHP) with principles from Fuzzy Set Theory to better handle uncertainty and ambiguity in evaluations [14,15]. This method proves especially valuable when experts or decision-makers find it difficult to assign exact numerical values—known as crisp numbers—during pairwise comparisons, and instead express their preferences as intervals or degrees of confidence [16].

Fuzzy Set Theory introduces the idea of a “degree of membership,” which ranges continuously from 0 to 1, allowing for the representation of imprecise or vague information [15]. In Fuzzy AHP applications, the Triangular Fuzzy Number (TFN) is widely used to capture uncertainty in a simple triangular form, defined by three parameters: the lower bound (l), the most likely or median value (m), and the upper bound (u) [17].

2.4. Factors Influencing the Cybersecurity Readiness Capability

2.4.1. Personnel Readiness

Personnel are fundamental to building a robust cybersecurity system since organizational operations involve the interaction of people with digital technologies and online platforms. The attitudes, beliefs, and behaviors of employees have a strong impact on the overall cybersecurity posture of an organization [18]. Employees lacking awareness of cyber threat severity can inadvertently expose their organizations to risks. Even when some staff members possess high awareness, operational challenges may still occur—such as the accidental leakage of confidential information—demonstrating what is known as the “knowing-doing gap,” where individuals’ actions do not align with their knowledge [19]. Thus, improving cybersecurity awareness and skills through targeted training programs equips employees to use technology more securely and helps reduce errors caused by human factors [20].

Moreover, fostering a collaborative culture within the organization’s research and development network, especially when working alongside external partners like government agencies and academic institutions, encourages ongoing learning and the sharing of information about cybersecurity practices and new threats. This collaboration supports the continual adaptation and enhancement of cybersecurity strategies, boosting their overall effectiveness [21]. Based on this, the study proposes the following hypothesis:

H1. 

Personnel readiness has a positive effect on the cybersecurity readiness capability of SMEs.

2.4.2. Process Readiness

Organizations that heavily depend on digital technologies and online platforms tend to show higher cybersecurity readiness. However, simply having superior resources or cutting-edge technology does not automatically translate into a competitive edge from cybersecurity efforts [22]. To effectively counter cyber threats, organizations need well-designed cybersecurity management systems that maximize the use of their resources and technological tools [23].

Strong operational processes play a key role in achieving organizational success [24]. Effective cybersecurity processes help reduce risks from attacks that could interrupt business operations or cause harm, while also building confidence among customers and business partners. [25] argue that cybersecurity efforts should go beyond mere prevention and adopt a proactive stance. This includes establishing a resilient infrastructure, maintaining flexibility, continuously monitoring for threats, and being able to adapt and improve over time. Furthermore, aligning operational strategies with recognized cybersecurity frameworks can help SMEs overcome limitations in resources and expertise, enabling them to detect weaknesses and strengthen their security posture [26]. Based on these points, the following hypothesis is proposed:

H2. 

Process readiness positively affects the cybersecurity readiness capability of SMEs.

2.4.3. Technology Readiness

Technology is a vital component in managing cybersecurity effectively, as it equips organizations to address cyber threats more efficiently. The development of an organization’s personnel and processes related to cybersecurity should be aligned with its level of technology readiness. Organizations that combine skilled human resources with competent technology management tend to achieve stronger cybersecurity results [1]. Research by Berlilana et al. (2021) highlights that higher technology readiness can significantly decrease cybersecurity risks, thereby boosting operational security, enhancing the organization’s reputation, and increasing customer confidence. On the other hand, many SMEs suffer from limited technological expertise or insufficient proficiency, which negatively impacts their cybersecurity capabilities [27].

SMEs with well-developed technological readiness gain several advantages, such as smoother digital operations and the ability to create products that better satisfy customer needs with improved quality and lower costs [28], alongside stronger cybersecurity defenses. Based on this understanding, the following hypothesis is proposed:

H3. 

Technology readiness positively influences the cybersecurity readiness capability of SMEs.

3. Methodology

This research was carried out in four consecutive phases. The first phase focused on ranking cybersecurity risks faced by SMEs using the Fuzzy Analytic Hierarchy Process (Fuzzy AHP). In the second phase, structural equation modeling (SEM) was employed to analyze internal factors—specifically personnel, processes, and technology—that affect SMEs’ cybersecurity readiness capabilities. The third phase involved developing measurement indicators for cybersecurity readiness related to personnel, processes, and technology through Exploratory Factor Analysis (EFA). Finally, in the fourth phase, a framework for enhancing cybersecurity readiness was created by integrating these indicators with the NIST Cybersecurity Framework 2.0 and ISO/IEC 27001:2022 standards.

3.1. Fuzzy AHP

The prioritization of cybersecurity risks for SMEs using the Fuzzy Analytic Hierarchy Process was conducted in four stages: (1) Planning, (2) AHP Execution, (3) Fuzzy Calculations, and (4) Ranking [29].

3.1.1. Planning

The identification of cybersecurity risk factors relevant to SMEs was based on guidelines from the Risk Assessment in Practice framework [12] and the ISO/IEC 27005:2018 standard for information security risk management [13]. Five key categories of cyber risk were selected: financial, operational, governance, personnel, and reputational risks. To validate these factors, detailed interviews were conducted with cybersecurity professionals, chosen via purposive sampling with criteria including: (1) cybersecurity expertise, (2) experience with SME operations, and (3) educational background in information technology. The interview findings supported the relevance of the five identified risk categories.

3.1.2. AHP Execution

Experts performed pairwise comparisons of the five risk factors to assess their relative importance, with results presented in Table 1. The consistency of these evaluations was verified using the Consistency Ratio (CR), where values below 0.1 indicate acceptable consistency.

AHP Operation includes the following procedure:

• Pairwise Comparison: Experts evaluate the relative importance of each risk factor by comparing them in pairs. When one risk (risk i) is judged to be more significant than another (risk j), a numerical value representing this importance is assigned to the corresponding cell at row i, column j. Conversely, the reciprocal of this value is placed in the cell at row j, column i. An example of this comparison matrix is shown in Table 2.
• Calculation of the Consistency Ratio (CR)

• Calculate the sum of each column as shown in equation (1).

$$\sum _{i=1}^n{a}_{ij} \forall i,j$$

(1)

where

$a_{ij}$ is the importance value comparing criterion $i$ with criterion $j$ n is total number of criteria

Normalization as shown in equation (2).

$${a\text{'}}_{ij}={\displaystyle \frac{a_{ij}}{{\sum }_{i=1}^n{a}_{ij}}} \forall i,j$$

(2)

Where

${a\text{'}}_{ij}$is normalized value

Calculate the eigenvector by computing the average of each row to obtain the weights of the factors, as shown in the equation (3).

$$w_i={\displaystyle \frac{{\sum }_{i=1}^n{a\text{'}}_{ij}}{n}}$$

(3)

Where

$w_i$ is the weight or relative importance of the criterion $i$

Calculate eigenvalue λ_max as shown in the equation (4).

$${\lambda }_{max}=\sum _{i=1}^n{\displaystyle \frac{{Aw}_i}{{nw}_i}}$$

(4)

Where

$A$ is the original pairwise comparison matrix

$w$ is the weight vector obtained from the equation (3)

${Aw}_i$ is the value obtained from multiplying matrix $A$ by vector $w$

Calculate the consistency ratio according to equation (5).

$$CR={\displaystyle \frac{{\lambda }_{max}-n}{RI (n-1)}}$$

(5)

Where

${\lambda }_{max}$ is maximum eigenvalue

$n$ is matrix size (number of criteria)

$RI$ is random consistency index as shown in the Table 3

3.1.3. Fuzzy Operation

In the fuzzy operation step, Triangular Fuzzy Numbers (TFN) are used to convert the uncertain opinions of experts or decision-makers into data in the form of fuzzy numbers, as shown in Table 4.

Aggregation of Fuzzy Matrix Sums

This is a crucial step in calculating the sum of each column for the lower (L), middle (M), and upper (U) values of the Fuzzy Pairwise Comparison Matrix. These sums represent the overall fuzzy importance level of each factor and are calculated as shown in equation (6).

For column $j$ in Fuzzy Matrix

$$L_{\mathrm{s}\mathrm{u}\mathrm{m},j}=\sum _{i=1}^n{L}_{ij},M_{\mathrm{s}\mathrm{u}\mathrm{m},j}=\sum _{i=1}^n{M}_{ij},U_{\mathrm{s}\mathrm{u}\mathrm{m},j}=\sum _{i=1}^n{U}_{ij}$$

(6)

Where

$L_{\mathrm{s}\mathrm{u}\mathrm{m},j}$ is the sum of the lower (L) values of column $j$

$M_{\mathrm{s}\mathrm{u}\mathrm{m},j}$ is the sum of the middle (M) values of column $j$

$U_{\mathrm{s}\mathrm{u}\mathrm{m},j}$ is the sum of the upper (U) values of column $j$

Fuzzy Normalization

Is the process of adjusting the fuzzy values (L, M, U) in the Fuzzy Pairwise Comparison Matrix to be within the range of 0 to 1, in order to prepare for the calculation of the fuzzy weights of each factor, as shown in equation (7).

For the position ($i, j$) in the fuzzy matrix,

$$L_{\mathrm{n}\mathrm{o}\mathrm{r}\mathrm{m},ij}={\displaystyle \frac{L_{ij}}{U_{\mathrm{s}\mathrm{u}\mathrm{m},j}}}, M_{\mathrm{n}\mathrm{o}\mathrm{r}\mathrm{m},ij}={\displaystyle \frac{M_{ij}}{M_{\mathrm{s}\mathrm{u}\mathrm{m},j}}}, U_{\mathrm{n}\mathrm{o}\mathrm{r}\mathrm{m},ij}={\displaystyle \frac{U_{ij}}{L_{\mathrm{s}\mathrm{u}\mathrm{m},j}}}$$

(7)

Where

$L_{ij} , M_{ij} , U_{ij}$ is fuzzy value $(L, M,U)$ in the position of $i, j$

$L_{\mathrm{s}\mathrm{u}\mathrm{m},j}, M_{\mathrm{s}\mathrm{u}\mathrm{m},j}, U_{\mathrm{s}\mathrm{u}\mathrm{m},j}$ is the sum of lower value ($L$), middle value ($M$), and higher value ($U$) of column $j$

Meaning of the Equation

$L_{\mathrm{n}\mathrm{o}\mathrm{r}\mathrm{m},ij}$ is normalize value of lower value ($L$) for the factors of $(i,j)$

$M_{\mathrm{n}\mathrm{o}\mathrm{r}\mathrm{m},ij}$ is normalize value of middle value ($M$)

$U_{\mathrm{n}\mathrm{o}\mathrm{r}\mathrm{m},ij}$ is normalize value of higher value ($U$)

Fuzzy Weights Calculation

This is a crucial step in the Fuzzy AHP process, which enables the determination of the relative weights of each factor in the form of Triangular Fuzzy Numbers (TFNs). Using the Normalized Fuzzy Matrix obtained from the previous step, the weights can be calculated as shown in equation (8) for each factor $i$.

$$L_{\mathrm{w}\mathrm{e}\mathrm{i}\mathrm{g}\mathrm{h}\mathrm{t},i}={\displaystyle \frac{{\sum }_{j=1}^n{L}_{\mathrm{n}\mathrm{o}\mathrm{r}\mathrm{m},ij} }{n}}, M_{\mathrm{w}\mathrm{e}\mathrm{i}\mathrm{g}\mathrm{h}\mathrm{t},i}={\displaystyle \frac{{\sum }_{j=1}^n{M}_{\mathrm{n}\mathrm{o}\mathrm{r}\mathrm{m},ij} }{n}}, U_{\mathrm{w}\mathrm{e}\mathrm{i}\mathrm{g}\mathrm{h}\mathrm{t},i}={\displaystyle \frac{{\sum }_{j=1}^n{U}_{\mathrm{n}\mathrm{o}\mathrm{r}\mathrm{m},ij} }{n}}$$

(8)

Where

$L_{\mathrm{w}\mathrm{e}\mathrm{i}\mathrm{g}\mathrm{h}\mathrm{t},i}$ is the lower weight $\left(L\right)$ of factor $i$

$M_{\mathrm{w}\mathrm{e}\mathrm{i}\mathrm{g}\mathrm{h}\mathrm{t},i}$ is the middle weight $\left(M\right)$ of factor $i$

$U_{\mathrm{w}\mathrm{e}\mathrm{i}\mathrm{g}\mathrm{h}\mathrm{t},i}$ is the upper weight $\left(L\right)$ of factor $i$

3.1.4. Ranking

Defuzzification of Fuzzy Weights

This step in the Fuzzy AHP process involves converting values expressed as Triangular Fuzzy Numbers (TFNs) ($L, M, U$) into a single specific value (Defuzzified Weight), which is then used to rank the importance of the factors, as shown in equation (9).

$${\mathrm{D}\mathrm{e}\mathrm{f}\mathrm{u}\mathrm{z}\mathrm{z}\mathrm{i}\mathrm{f}\mathrm{i}\mathrm{e}\mathrm{d} \mathrm{W}\mathrm{e}\mathrm{i}\mathrm{g}\mathrm{h}\mathrm{t}}_i={\displaystyle \frac{L_{\mathrm{w}\mathrm{e}\mathrm{i}\mathrm{g}\mathrm{h}\mathrm{t}+}{M}_{\mathrm{w}\mathrm{e}\mathrm{i}\mathrm{g}\mathrm{h}\mathrm{t}+}{U}_{\mathrm{w}\mathrm{e}\mathrm{i}\mathrm{g}\mathrm{h}\mathrm{t} }}{3}}$$

(9)

Where

$L_{\mathrm{w}\mathrm{e}\mathrm{i}\mathrm{g}\mathrm{h}\mathrm{t}}$ is the lower weight of the factor.

$M_{\mathrm{w}\mathrm{e}\mathrm{i}\mathrm{g}\mathrm{h}\mathrm{t}}$ is the middle weight of the factor.

$U_{\mathrm{w}\mathrm{e}\mathrm{i}\mathrm{g}\mathrm{h}\mathrm{t}}$ is the higher weight of the factor.

3.2. Structural Equation Modeling Analysis

This research employed Confirmatory Factor Analysis (CFA) and Structural Equation Modeling (SEM) using Jamovi software, version 2.6.44.0. The process began by assessing construct validity and discriminant validity of the measurement model, followed by hypothesis testing and detailed presentation of the results.

3.2.1. Population and Sample

The target population consists of SMEs across Thailand, divided into four main industry categories: trade (1,346,641 units), services (1,304,004 units), manufacturing (515,759 units), and agriculture (59,339 units), totaling 3,225,743 SMEs. The sample size was determined by applying the rule of thumb suggesting a minimum of ten times the number of questionnaire items [31]. With 18 items included in the survey, a minimum sample size of 180 participants was set. To reflect the proportional distribution of SMEs across these sectors, the Probability Proportional to Size (PPS) sampling technique was used, resulting in quotas of 75 for trade, 73 for services, 29 for manufacturing, and 3 for agriculture.

In total, 313 valid responses were gathered from SME employees with IT or digital roles, surpassing the initially required sample size. The breakdown of respondents by sector was as follows: 124 from trade, 111 from services, 73 from manufacturing, and 5 from agricultural businesses.

3.2.2. Instrument

The survey instrument consisted of an 18-item questionnaire measured on a 5-point Likert scale ranging from 1 (Strongly disagree) to 5 (Strongly agree). The items assessed four latent constructs: Personnel readiness was evaluated using 3 items adapted from [32]; Process readiness was measured with 6 items adapted from [32,33,34]; Technology readiness comprised 6 items adapted from [32,33]; and Cybersecurity readiness of SMEs was assessed with 3 items.

3.3. Indicator Development

The creation of indicators measuring the cybersecurity capability readiness of Thai SMEs was carried out through Exploratory Factor Analysis (EFA), which verified the construct validity and reliability of these measures. A total of 15 items, representing the latent constructs of personnel readiness, process readiness, and technology readiness, were examined using EFA with a fresh sample drawn from Thai SMEs [35]. This analysis aimed to explore the internal relationships among items within each construct, identifying those that best reflect their designated categories for effective practical use.

3.4. Development of the Capability Readiness Framework for Cybersecurity Protection

Following the establishment of readiness indicators, and through a comprehensive review of established cybersecurity frameworks—including the NIST Cybersecurity Framework 2.0 [6] and ISO/IEC 27001:2022 [7] —the researcher designed an actionable framework to bolster cybersecurity preparedness in SMEs. This framework structures the organization into three distinct levels:

• Tier 1: Management System, aligned with ISO/IEC 27001:2022, targeting senior leadership and governance roles;
• Tier 2: Operational System, derived from the NIST Cybersecurity Framework 2.0, focusing on day-to-day cybersecurity operations and procedures;
• Tier 3: Internal Enablers, addressing the management of resources necessary to support readiness.

To ensure the framework is clear and practical for real-world application, redundant and overlapping elements across these tiers were carefully streamlined, producing a coherent and manageable model for SMEs to implement.

4. Results

4.1. Cybersecurity Risk Analysis Results

Fifteen experts assessed the relative importance of five cybersecurity risk categories: financial, operational, governance, personnel, and reputational risks. Their pairwise comparison data were transformed into Triangular Fuzzy Numbers (TFNs) to capture uncertainty in judgments. These fuzzy values were then combined, normalized, weighted, and defuzzified to generate definitive weights for each risk factor. The outcome is a ranked hierarchy of cybersecurity risks derived using the Fuzzy Analytic Hierarchy Process (Fuzzy AHP), aimed at guiding improvements in cybersecurity defenses.

The average priority rankings from the pairwise comparisons of the five risk factors are summarized in Table 5.

Results of Converting the Pairwise Comparison Matrix into a Fuzzy Pairwise Comparison Matrix

The researcher converted the Averaged Pairwise Comparison Matrix into a Scaled Pairwise Comparison Matrix using Saaty’s scale. This Scaled Pairwise Comparison Matrix was then transformed into Triangular Fuzzy Numbers (TFNs) to address uncertainty in the data. The results are presented in Table 6, Table 7 and Table 8.

Results of the aggregation of fuzzy matrix sums are presented in Table 9.

Results of fuzzy normalization of values in the fuzzy matrix are presented in Table 10.

Results of the fuzzy weights calculation are presented in Table 11.

The results of defuzzifying the fuzzy weights are presented in Table 12.

Summary of analysis results (Conclusion)

From the analysis of the prioritization of cybersecurity risks affecting Thai SMEs using the Fuzzy AHP decision-making process, it was concluded that financial risk is the most significant. This is followed in descending order by operational risk, personnel risk, reputational risk, and Monitoring risk, as shown in Table 13.

4.2. Results of the Analysis of Internal Factors Affecting SMEs’ Cybersecurity Readiness Capability

4.2.1. Validity and Reliability

To ensure the robustness and accuracy of the constructed model and hypotheses, the validity and reliability of the study’s variables and questionnaire items were thoroughly examined. The model includes four latent variables: Personnel Readiness (PP), Process Readiness (PC), and Technology Readiness (TR) as independent (exogenous) variables, and SME Cybersecurity Readiness (SMER) as the dependent (endogenous) variable. The PP variable comprises 3 questionnaire items, PC has 6 items, TR includes 6 items, and SMER contains 3 items.

All 18 questionnaire items underwent validity and reliability testing by evaluating Factor Loadings, Average Variance Extracted (AVE), Composite Reliability (CR), and Cronbach’s Alpha. The findings confirmed that each item satisfied the established statistical thresholds, as detailed in Table 14.

Following this, discriminant validity was assessed through the Heterotrait-Monotrait ratio (HTMT) and the Fornell-Larcker criteria. The HTMT evaluates the correlation between indicators across different constructs and within the same construct, with acceptable values below 0.90. Meanwhile, the Fornell-Larcker criterion requires that the square root of each variable’s AVE exceed its correlation coefficients with other variables. Table 15 illustrates that all variables conform to these criteria, demonstrating satisfactory discriminant validity.

4.2.2. Hypothesis Testing

Structural Equation Modeling (SEM) analysis was performed using Jamovi version 2.6.44.0, as depicted in Figure 1. The findings reveal that personnel readiness significantly and positively influences cybersecurity readiness (Estimate = 0.184, p = 0.019), providing support for hypothesis H1. Similarly, process readiness shows a significant positive effect on cybersecurity readiness (Estimate = 0.351, p = 0.001), confirming hypothesis H2. Furthermore, technology readiness also demonstrates a significant positive impact on cybersecurity readiness (Estimate = 0.438, p = 0.001), thereby supporting hypothesis H3. Model fit was evaluated using multiple indices: Comparative Fit Index (CFI), Tucker-Lewis Index (TLI), Non-Normed Fit Index (NNFI), Relative Noncentrality Index (RNI), Normed Fit Index (NFI), Relative Fit Index (RFI), and Incremental Fit Index (IFI), with values above 0.90 to 0.95 considered indicative of a good fit. Additionally, Standardized Root Mean Square Residual (SRMR) and Root Mean Square Error of Approximation (RMSEA) values below 0.08 signify acceptable fit [36,37]. The Parsimony Normed Fit Index (PNFI) exceeding 0.50 suggests improved model parsimony [38], and a chi-square to degrees of freedom ratio (χ²/df) under 3 is indicative of good model fit. Detailed model fit indices are summarized in Table 16, while the hypothesis testing outcomes are presented in Table 17.

In Table 18, the Measurement Model presents the unstandardized factor loadings of the items. The factor loadings for items in the PP construct range from .787 to .846, those in the PC construct range from .792 to .857, items in the TR construct range from .814 to .893, and items in the SMER construct range from .784 to .849. Considering the z-statistics and p-values, all item loadings are shown to be statistically significant.

4.3. Indicators of Cybersecurity Readiness Capability for SMEs

The validity and reliability of 15 indicators measuring the cybersecurity readiness capability of SMEs were evaluated using Exploratory Factor Analysis (EFA) across three core components. The assessment criteria included Factor Loadings greater than 0.5, a Kaiser–Meyer–Olkin (KMO) value exceeding 0.7, and a significant Bartlett’s test of sphericity (p < 0.05). All indicators satisfied these criteria, with each item demonstrating a Factor Loading above 0.5. The overall KMO measure was 0.949, and Bartlett’s test indicated statistical significance (χ² = 4201, p < .001), confirming the data’s suitability for factor analysis.

Collectively, these indicators explained 72.3% of the total variance, reflecting strong correlations among the items within each construct, as detailed in Table 19. Interestingly, one indicator initially assigned to the Process Readiness component showed a higher Factor Loading in the Technology Readiness component, prompting its reassignment.

Accordingly, the final set of cybersecurity readiness capability indicators for SMEs comprises 3 indicators for Personnel Readiness, 5 for Process Readiness, and 7 for Technology Readiness.

4.4. Framework for Developing Cybersecurity Readiness Capability for SMEs

Based on the analysis of cybersecurity risks and readiness, the researcher developed a framework to enhance the cybersecurity readiness capability of SMEs to address risks arising from cyber threats. The framework comprises three interconnected levels that encompass and link the operations of SMEs, beginning with policy formulation at the management level (TIER 1: Management System), and the development of resource capabilities foundational to operations (TIER 3: Internal Enablers), which connect to the implementation of cybersecurity operations (TIER 2: Operational System). This framework is illustrated in Figure 2., with detailed guidance on its application provided in Table 20.

4.4.1. Description of Framework Implementation

Table 20. Description of framework implementation.

Framework	Description
TIER 1: Management System
Leadership
Leadership and Commitment	Senior management must demonstrate leadership and prioritize the implementation of the cybersecurity management system by establishing policies and objectives aligned with the SME’s strategic direction. They should integrate the system into various processes, allocate necessary resources, communicate the importance of the system, support personnel, promote continuous improvement, and encourage other managers to fulfill their respective roles.
Organizational roles, responsibilities and authorities	Senior management must ensure that clear roles, responsibilities, and authorities related to cybersecurity within the SME are defined and communicated. They should delegate these responsibilities to designated individuals who can ensure the system’s compliance with requirements and appropriately report the system’s performance to senior management.
Support
Resources	SMEs must allocate sufficient and appropriate resources to support the implementation, maintenance, and continuous improvement of the cybersecurity system to ensure effective and sustainable outcomes.
Competence	SMEs must define, assess, and develop the competencies of personnel responsible for information security to ensure they possess appropriate knowledge, skills, or experience through continuous training and development, while maintaining documented evidence to verify competencies in accordance with requirements.
Communication	SMEs must establish clear communication guidelines both internally and externally regarding the cybersecurity system, specifying what information will be communicated, when, by whom, and through which channels, to ensure understanding and effective implementation.
Documented information	SMEs must create, control, and maintain documented information related to the cybersecurity system to support operations and demonstrate compliance with requirements. This includes ensuring that the documentation is appropriate, comprehensive in detail, properly formatted, stored securely, approved, and accessible, as well as controlling against loss, alteration, or unauthorized use.
TIER 2: Operational System
Govern
Organizational Context	SMEs must understand the organization’s mission and use it as a guideline for managing cyber risks. They need to identify and comprehend the expectations of both internal and external stakeholders, including relevant legal requirements, and clearly communicate the SME’s context to these stakeholders.
Risk Management Strategy	SMEs must establish a clear approach to cyber risk management by defining the objectives of risk management, setting the acceptable risk levels (Risk Appetite), and determining risk tolerance levels. These must be communicated effectively to employees and relevant stakeholders to ensure a shared understanding. Additionally, risk management activities should align with organizational policies and take into account the potential cyber impacts on business operations.
Oversight	The monitoring and evaluation of risk management and cybersecurity performance must be conducted regularly. The outcomes of risk management strategies should be communicated to relevant stakeholders and used to inform improvements in the organization’s strategies and direction, ensuring alignment with actual circumstances. Existing strategies must be continuously reviewed and developed.
Cybersecurity Supply Chain Risk Management	SMEs should establish clear guidelines for managing cybersecurity risks within the supply chain, especially concerning external service providers or partners. This includes defining roles and responsibilities, clearly communicating cybersecurity requirements, establishing agreements or contracts that comprehensively address security issues, continuously monitoring and evaluating partner performance, as well as developing response and recovery plans in the event of an incident.
Identify
Asset Management	SMEs should maintain a comprehensive asset inventory covering hardware, software, systems, data, services, and personnel related to business operations. This inventory must identify all assets relevant to cybersecurity risk management, be regularly updated, and categorize assets to facilitate access control and management. Additionally, the importance of each asset should be assessed to prioritize risks accordingly.
Risk Assessment	SMEs should conduct systematic cybersecurity risk assessments to identify weaknesses or vulnerabilities in assets, personnel, and operational systems. They should regularly monitor cyber threat intelligence from reliable sources and evaluate potential impacts on both business operations and organizational reputation. Furthermore, emphasis should be placed on risk prioritization, response planning, thorough inspection of software and hardware to ensure no critical vulnerabilities exist, and assessment of third-party service providers.
Improvement	SMEs should establish guidelines for the continuous improvement of processes, workflows, and activities related to cybersecurity. This should be based on assessment results, user feedback, and lessons learned from past security incidents. Additionally, the outcomes of these improvements must be clearly communicated to all relevant stakeholders.
Protect
Identity Management, Authentication, and Access Control	SMEs must define and control access to systems, data, and services, granting permissions only to authorized personnel or systems. This requires systematic user account management, assigning access rights based on roles and responsibilities, and enforcing multi-factor authentication to enhance security. Clear policies for access rights management should be established, periodic access reviews conducted, unauthorized access prevented, and permissions promptly revoked when no longer needed.
Data Security	SMEs must implement measures to ensure the confidentiality, integrity, and availability of data, such as encryption, access control, and validation of data accuracy before use. Additionally, storage systems should be tested regularly to ensure they are operational when needed. Any data transferred outside the organization’s systems must be protected according to its level of sensitivity.
Platform Security	SMEs must establish clear guidelines for managing the security of platforms, including hardware, software, operating systems, and applications. They should define and implement secure configuration practices and regularly maintain, update, and replace outdated equipment or software. Additionally, SMEs should retain log data to enable timely analysis of anomalous events and ensure that only licensed software is installed.
Technology Infrastructure Resilience	SMEs should establish a flexible technology infrastructure that can continuously withstand threats or disruptions. Equipment, systems, and environments must be protected against unauthorized access. Additionally, preparedness for emergencies such as power outages, system failures, or natural disasters should be in place. This includes having backup resources or alternative solutions available for temporary use to enable rapid recovery and resumption of operations.
Detect
Continuous Monitoring	SMEs should have continuous monitoring and anomaly detection systems in all parts of their infrastructure, including networks, endpoints, environments, and user behaviors, to promptly identify indicators of compromise and enable rapid response actions.
Adverse Event Analysis	SMEs should have a systematic approach for analyzing cybersecurity incidents or anomalies. When a suspicious event or potential attack occurs, relevant data should be thoroughly collected and analyzed to identify the cause, origin, and impact of the incident, as well as to assess any connections with other threats.
Response & Recover
Incident Management	SMEs must develop a response plan for potential cybersecurity incidents, clearly specifying the response procedures, events that require notification, and responsible personnel. When an incident occurs, there should be systematic reporting, investigation, and response processes in place, including thorough management of evidence and assessment of the incident to prioritize its severity.
Incident Recovery Plan Execution	SMEs should have a clear and actionable recovery plan to restore systems and services to normal operation following a cybersecurity incident. The recovery plan should clearly define roles and responsibilities, prioritize the assets that need to be recovered first, and include regular drills or tests to assess preparedness.
TIER 3: Internal Enablers
People Readiness
Awareness	SMEs must promote cybersecurity awareness among personnel at all levels by organizing training sessions or providing information about cyber threats. They should clearly communicate organizational policies and practices, regularly conduct educational activities or awareness campaigns, and continuously evaluate employees’ understanding.
Training & Learning	SMEs must promote continuous training and learning for personnel in cybersecurity, focusing on developing skills, knowledge, and competencies aligned with their roles. For example, technical training should be provided for IT staff, while security best practice training should be offered to general users.
Research & Development	SMEs should promote research and development in cybersecurity by collaborating with research institutes, universities, or external organizations to exchange knowledge. This enables personnel to stay updated on new technologies, emerging threat trends, and modern prevention approaches, which can then be applied to their operations.
Process Readiness
Policy, Strategy & Plan	The formulation of policies, strategies, and plans for cybersecurity must be clear. Policies should demonstrate the management’s commitment to protecting information and information systems. Strategies should align with the SME’s objectives, and plans must specify operational actions within defined timeframes, such as risk assessment, prevention, incident response, and system recovery. This ensures that cybersecurity efforts are purposeful and continuous.
Cybersecurity Evaluation	Cybersecurity assessments must be conducted regularly to measure the levels of risk, vulnerabilities, and the effectiveness of implemented measures. These assessments may include system testing (e.g., penetration testing), vulnerability analysis, compliance audits with policies or standards, and ongoing performance
Cybersecurity Framework	SMEs should establish a clear and systematic cybersecurity management framework that at minimum encompasses the approaches for prevention, detection, response, and recovery from cyber incidents. This framework should be based on international standards or best practices tailored to the specific characteristics of each SME, ensuring that cyber risk management is conducted in a structured manner, aligned with business operations, and practically implementable.
Cybersecurity Coordination	SMEs should ensure effective coordination of cybersecurity efforts both within their organization and with relevant external agencies to enable a rapid and consistent response to threats. This coordination should include clearly defined roles and responsibilities, incident notification, joint incident management, and continuous communication of security-related information to strengthen defense systems and minimize risks arising from communication gaps.
Cybersecurity Improvement	The improvement and development of the cybersecurity system must be carried out continuously, based on evaluation results, identified vulnerabilities, incidents that have occurred, and changes in technology or threats. These improvements should encompass policies, processes, technology, and personnel.
Technology Readiness
Quality & Quantity	The allocation of tools, equipment, and technology used for cybersecurity must be sufficient in quantity and appropriate in quality, such as computers with antivirus software, backup systems, and monitoring tools.
Modern & Efficient	The devices, tools, and technologies used must be capable of responding rapidly to emerging threats. Utilizing modern and efficient technologies and equipment enhances the effectiveness of cybersecurity defenses and allows for future improvements as needed.
Protecting Devices	SMEs must have measures in place to protect devices such as computers, servers, and network equipment by installing antivirus systems, firewalls, encryption software, and access controls. These measures help prevent attacks, data leaks, and unauthorized use, thereby reducing the risk of devices becoming vulnerabilities for cyber threats.
Detect & Response	SMEs should have systems and processes that support the rapid detection of cyber incidents or anomalies, along with a clear response plan when threats are identified. This is to limit the impact, restore operations, and prevent recurrence.
Updating Devices	Digital devices and tools must have their software and operating systems regularly updated to close security vulnerabilities that could be exploited by cyber threats. Updates should be continuous and up-to-date for both core systems and supporting programs to ensure that all devices remain secure and function efficiently.
Accessible devices for personnel	SMEs must allocate secure and appropriate devices and systems that personnel can access conveniently, both during normal operations and in the event of a security threat. Access controls should be in place, such as secure authentication and permission settings, to prevent unauthorized access to data or systems.
Cybersecurity Infrastructure	SMEs must have appropriate infrastructure to support cybersecurity, such as secure network systems, intrusion prevention systems, data backup, and secure data storage. This infrastructure should effectively support threat prevention, incident detection, and system recovery.

Table 20. Description of framework implementation.

Framework	Description
TIER 1: Management System
Leadership
Leadership and Commitment	Senior management must demonstrate leadership and prioritize the implementation of the cybersecurity management system by establishing policies and objectives aligned with the SME’s strategic direction. They should integrate the system into various processes, allocate necessary resources, communicate the importance of the system, support personnel, promote continuous improvement, and encourage other managers to fulfill their respective roles.
Organizational roles, responsibilities and authorities	Senior management must ensure that clear roles, responsibilities, and authorities related to cybersecurity within the SME are defined and communicated. They should delegate these responsibilities to designated individuals who can ensure the system’s compliance with requirements and appropriately report the system’s performance to senior management.
Support
Resources	SMEs must allocate sufficient and appropriate resources to support the implementation, maintenance, and continuous improvement of the cybersecurity system to ensure effective and sustainable outcomes.
Competence	SMEs must define, assess, and develop the competencies of personnel responsible for information security to ensure they possess appropriate knowledge, skills, or experience through continuous training and development, while maintaining documented evidence to verify competencies in accordance with requirements.
Communication	SMEs must establish clear communication guidelines both internally and externally regarding the cybersecurity system, specifying what information will be communicated, when, by whom, and through which channels, to ensure understanding and effective implementation.
Documented information	SMEs must create, control, and maintain documented information related to the cybersecurity system to support operations and demonstrate compliance with requirements. This includes ensuring that the documentation is appropriate, comprehensive in detail, properly formatted, stored securely, approved, and accessible, as well as controlling against loss, alteration, or unauthorized use.
TIER 2: Operational System
Govern
Organizational Context	SMEs must understand the organization’s mission and use it as a guideline for managing cyber risks. They need to identify and comprehend the expectations of both internal and external stakeholders, including relevant legal requirements, and clearly communicate the SME’s context to these stakeholders.
Risk Management Strategy	SMEs must establish a clear approach to cyber risk management by defining the objectives of risk management, setting the acceptable risk levels (Risk Appetite), and determining risk tolerance levels. These must be communicated effectively to employees and relevant stakeholders to ensure a shared understanding. Additionally, risk management activities should align with organizational policies and take into account the potential cyber impacts on business operations.
Oversight	The monitoring and evaluation of risk management and cybersecurity performance must be conducted regularly. The outcomes of risk management strategies should be communicated to relevant stakeholders and used to inform improvements in the organization’s strategies and direction, ensuring alignment with actual circumstances. Existing strategies must be continuously reviewed and developed.
Cybersecurity Supply Chain Risk Management	SMEs should establish clear guidelines for managing cybersecurity risks within the supply chain, especially concerning external service providers or partners. This includes defining roles and responsibilities, clearly communicating cybersecurity requirements, establishing agreements or contracts that comprehensively address security issues, continuously monitoring and evaluating partner performance, as well as developing response and recovery plans in the event of an incident.
Identify
Asset Management	SMEs should maintain a comprehensive asset inventory covering hardware, software, systems, data, services, and personnel related to business operations. This inventory must identify all assets relevant to cybersecurity risk management, be regularly updated, and categorize assets to facilitate access control and management. Additionally, the importance of each asset should be assessed to prioritize risks accordingly.
Risk Assessment	SMEs should conduct systematic cybersecurity risk assessments to identify weaknesses or vulnerabilities in assets, personnel, and operational systems. They should regularly monitor cyber threat intelligence from reliable sources and evaluate potential impacts on both business operations and organizational reputation. Furthermore, emphasis should be placed on risk prioritization, response planning, thorough inspection of software and hardware to ensure no critical vulnerabilities exist, and assessment of third-party service providers.
Improvement	SMEs should establish guidelines for the continuous improvement of processes, workflows, and activities related to cybersecurity. This should be based on assessment results, user feedback, and lessons learned from past security incidents. Additionally, the outcomes of these improvements must be clearly communicated to all relevant stakeholders.
Protect
Identity Management, Authentication, and Access Control	SMEs must define and control access to systems, data, and services, granting permissions only to authorized personnel or systems. This requires systematic user account management, assigning access rights based on roles and responsibilities, and enforcing multi-factor authentication to enhance security. Clear policies for access rights management should be established, periodic access reviews conducted, unauthorized access prevented, and permissions promptly revoked when no longer needed.
Data Security	SMEs must implement measures to ensure the confidentiality, integrity, and availability of data, such as encryption, access control, and validation of data accuracy before use. Additionally, storage systems should be tested regularly to ensure they are operational when needed. Any data transferred outside the organization’s systems must be protected according to its level of sensitivity.
Platform Security	SMEs must establish clear guidelines for managing the security of platforms, including hardware, software, operating systems, and applications. They should define and implement secure configuration practices and regularly maintain, update, and replace outdated equipment or software. Additionally, SMEs should retain log data to enable timely analysis of anomalous events and ensure that only licensed software is installed.
Technology Infrastructure Resilience	SMEs should establish a flexible technology infrastructure that can continuously withstand threats or disruptions. Equipment, systems, and environments must be protected against unauthorized access. Additionally, preparedness for emergencies such as power outages, system failures, or natural disasters should be in place. This includes having backup resources or alternative solutions available for temporary use to enable rapid recovery and resumption of operations.
Detect
Continuous Monitoring	SMEs should have continuous monitoring and anomaly detection systems in all parts of their infrastructure, including networks, endpoints, environments, and user behaviors, to promptly identify indicators of compromise and enable rapid response actions.
Adverse Event Analysis	SMEs should have a systematic approach for analyzing cybersecurity incidents or anomalies. When a suspicious event or potential attack occurs, relevant data should be thoroughly collected and analyzed to identify the cause, origin, and impact of the incident, as well as to assess any connections with other threats.
Response & Recover
Incident Management	SMEs must develop a response plan for potential cybersecurity incidents, clearly specifying the response procedures, events that require notification, and responsible personnel. When an incident occurs, there should be systematic reporting, investigation, and response processes in place, including thorough management of evidence and assessment of the incident to prioritize its severity.
Incident Recovery Plan Execution	SMEs should have a clear and actionable recovery plan to restore systems and services to normal operation following a cybersecurity incident. The recovery plan should clearly define roles and responsibilities, prioritize the assets that need to be recovered first, and include regular drills or tests to assess preparedness.
TIER 3: Internal Enablers
People Readiness
Awareness	SMEs must promote cybersecurity awareness among personnel at all levels by organizing training sessions or providing information about cyber threats. They should clearly communicate organizational policies and practices, regularly conduct educational activities or awareness campaigns, and continuously evaluate employees’ understanding.
Training & Learning	SMEs must promote continuous training and learning for personnel in cybersecurity, focusing on developing skills, knowledge, and competencies aligned with their roles. For example, technical training should be provided for IT staff, while security best practice training should be offered to general users.
Research & Development	SMEs should promote research and development in cybersecurity by collaborating with research institutes, universities, or external organizations to exchange knowledge. This enables personnel to stay updated on new technologies, emerging threat trends, and modern prevention approaches, which can then be applied to their operations.
Process Readiness
Policy, Strategy & Plan	The formulation of policies, strategies, and plans for cybersecurity must be clear. Policies should demonstrate the management’s commitment to protecting information and information systems. Strategies should align with the SME’s objectives, and plans must specify operational actions within defined timeframes, such as risk assessment, prevention, incident response, and system recovery. This ensures that cybersecurity efforts are purposeful and continuous.
Cybersecurity Evaluation	Cybersecurity assessments must be conducted regularly to measure the levels of risk, vulnerabilities, and the effectiveness of implemented measures. These assessments may include system testing (e.g., penetration testing), vulnerability analysis, compliance audits with policies or standards, and ongoing performance
Cybersecurity Framework	SMEs should establish a clear and systematic cybersecurity management framework that at minimum encompasses the approaches for prevention, detection, response, and recovery from cyber incidents. This framework should be based on international standards or best practices tailored to the specific characteristics of each SME, ensuring that cyber risk management is conducted in a structured manner, aligned with business operations, and practically implementable.
Cybersecurity Coordination	SMEs should ensure effective coordination of cybersecurity efforts both within their organization and with relevant external agencies to enable a rapid and consistent response to threats. This coordination should include clearly defined roles and responsibilities, incident notification, joint incident management, and continuous communication of security-related information to strengthen defense systems and minimize risks arising from communication gaps.
Cybersecurity Improvement	The improvement and development of the cybersecurity system must be carried out continuously, based on evaluation results, identified vulnerabilities, incidents that have occurred, and changes in technology or threats. These improvements should encompass policies, processes, technology, and personnel.
Technology Readiness
Quality & Quantity	The allocation of tools, equipment, and technology used for cybersecurity must be sufficient in quantity and appropriate in quality, such as computers with antivirus software, backup systems, and monitoring tools.
Modern & Efficient	The devices, tools, and technologies used must be capable of responding rapidly to emerging threats. Utilizing modern and efficient technologies and equipment enhances the effectiveness of cybersecurity defenses and allows for future improvements as needed.
Protecting Devices	SMEs must have measures in place to protect devices such as computers, servers, and network equipment by installing antivirus systems, firewalls, encryption software, and access controls. These measures help prevent attacks, data leaks, and unauthorized use, thereby reducing the risk of devices becoming vulnerabilities for cyber threats.
Detect & Response	SMEs should have systems and processes that support the rapid detection of cyber incidents or anomalies, along with a clear response plan when threats are identified. This is to limit the impact, restore operations, and prevent recurrence.
Updating Devices	Digital devices and tools must have their software and operating systems regularly updated to close security vulnerabilities that could be exploited by cyber threats. Updates should be continuous and up-to-date for both core systems and supporting programs to ensure that all devices remain secure and function efficiently.
Accessible devices for personnel	SMEs must allocate secure and appropriate devices and systems that personnel can access conveniently, both during normal operations and in the event of a security threat. Access controls should be in place, such as secure authentication and permission settings, to prevent unauthorized access to data or systems.
Cybersecurity Infrastructure	SMEs must have appropriate infrastructure to support cybersecurity, such as secure network systems, intrusion prevention systems, data backup, and secure data storage. This infrastructure should effectively support threat prevention, incident detection, and system recovery.

4.4.2. Evaluation Results of the Capability Development Framework for Cybersecurity Readiness for SMEs

The capability development framework for cybersecurity readiness for SMEs that was developed has been evaluated in terms of suitability, acceptance, and feasibility for implementation by six experts. These experts specialize in cybersecurity across the public sector, private sector, and academia. The evaluation results show that the developed framework is the most suitable, has the highest level of acceptance, and has highly feasibility for implementation, as presented in Table 21.

5. Conclusions

The analysis of cyber risks affecting small and medium-sized enterprises (SMEs) using the Fuzzy Analytic Hierarchy Process (Fuzzy AHP) reveals the prioritization of risks posed by cyber threats, which have the potential to significantly impact SMEs across financial, operational, human resource, reputational, and governance dimensions, respectively. Despite this, SMEs continue to encounter substantial challenges in managing cyber risks and ensuring cybersecurity, primarily due to a shortage of skilled personnel, limited resources, and the absence of a formal cybersecurity strategy [39].

To address these constraints, this study examines internal factors—specifically personnel, processes, and technology—that influence SMEs’ cybersecurity readiness. The findings underscore the critical importance of internal resource management within SMEs [40], particularly in enhancing technological readiness, which has been found to significantly affect operational performance [41]. Furthermore, modernizing operational processes to respond to increasingly sophisticated cyber threats can contribute to risk reduction and improved operational efficiency [42]. Concurrently, developing employees’ cybersecurity knowledge and skills not only supports threat mitigation and seamless operations but also fosters workforce advancement in the digital technology landscape [43].

Thai SMEs, in particular, face difficulties in accessing and adopting advanced technologies due to inadequate knowledge and institutional support [44]. Therefore, strengthening technological capability is a pressing concern, as competitiveness in today’s market increasingly depends on the effective deployment of advanced technologies. However, such technologies often entail complexity and potential security vulnerabilities, especially when used without proper monitoring or maintenance. Conversely, the well-regulated and systematic implementation of modern, sufficient technological tools not only mitigates cybersecurity risks but also enhances confidence that business operations will comply with standards and timelines. This, in turn, facilitates the development of secure and sustainable operational systems [45].

Amid the rapid expansion of technology and electronic devices, organizations—including Thai SMEs—are integrating digital tools to enhance competitiveness. This growing reliance on technology has raised awareness of potential damage from cyberattacks and prompted the adoption of cybersecurity measures. Nevertheless, Thai SMEs still face constraints in adopting standardized cybersecurity frameworks, such as NIST Cybersecurity Framework 2.0 and ISO/IEC 27001:2022. According to [46], key barriers include insufficient financial resources, lack of specialized expertise, and inadequate tools. To overcome these challenges, SMEs must urgently evaluate the adequacy of their existing cybersecurity measures, plan the development of digital infrastructure, and consider engaging external experts to address security vulnerabilities.

In addition to technological and process readiness, human resource development is essential for fostering a culture of cyber-safe practices—particularly in SMEs that have not yet achieved digital maturity. This immaturity often leads to complacency and unsafe use of digital tools in the workplace [47]. Therefore, SMEs should promote cybersecurity awareness, conduct targeted training programs, and seek knowledge and resources for workforce development through collaborative external networks.

Cyber threats are evolving rapidly in complexity and resilience, representing external factors beyond SMEs’ control. Moreover, each SME operates within a unique context, with differing needs in protecting critical assets [48]. This study proposes a framework for enhancing SMEs’ cybersecurity readiness, integrating SME-specific indicators with internationally recognized standards, namely the NIST Cybersecurity Framework 2.0 and ISO/IEC 27001:2022. This framework embeds cybersecurity measures throughout the organizational structure—from executive management to operational and support levels—and has been assessed as highly appropriate, acceptable, and feasible for practical implementation.