Overcoming the challenges of SME’s and research organization’s Cyber Security management: The case of Smart Innovation Norway

A.M. Belay, M. Lerario, S. Reardon, H. Tuiskula
Smart Innovation Norway,

Keywords: cybersecurity system, compliance, risk, mitigation, SMEs, research, framework, innovation


The paper investigates the challenges and state of art cybersecurity management systems of SME and research institutes and develops an ad hoc management framework. It explored and identified the sources and types of cybersecurity challenges with their associated risks and mitigations methods. The case of Smart Innovation Norway (research organization) was considered as a case and analyzed different types of data collected from its 5 different innovation platforms during a year. For the analysis purpose, various statistical methods and visualization dashboards are used. The data is broadly categorized in Public, Internal, Internal Confidential, and Strictly confidential, based on the sources. In the analysis, we extracted usage data from the organization’s Microsoft tenant using the dedicated tools for compliance and data management. The results based on the Microsoft 365 compliance center showed an increase in compliance compared to the previous year of 51% for a total of 85% compliance rating. We also investigated the main causes of improvements as best practices. One main reason was a series of tests and awareness training with all employees that took into consideration different rules to follow when managing data, hardware, and general security owned by the company. Another reason is the implementation of a more secure spam filtering policy which significantly reduced the amount of Phishing and spamming E-mails received, this can be seen as the filtering policy has already been blocking malware contained in E-mails. By considering the positive results and improvements gained from this research, the paper proposed a generic framework that can help similar organizations with similar challenges. The framework constitutes sources of incoming data, initial assessment, data classifications/categorization, types of risks, mitigation actions, and compliance reports. The paper lays a foundation and has implications in managing cybersecurity not only for the SME and research organization but also for start-ups that have limited resources to invest in cybersecurity infrastructure.