Small and medium enterprises (SMEs) account for over 90\% of businesses worldwide yet remain disproportionately vulnerable to cyberattacks, largely because cybersecurity awareness is absent at governance level. Established frameworks such as NIST CSF 2.0, ISO 27001, and NIS2 provide solid technical and capability foundations, but they are too complex and costly for most SMEs and do not address the prior question of how a board becomes aware enough to initiate cybersecurity action. Following a Design Science Research methodology grounded in a literature review, this thesis develops the Cybersecurity Awareness Governance framework: a seven phase, sector independent process, that guides SMEs board and senior decision-makers from contextual self-assessment and regulatory mapping, through board-level accountability, maturity evaluation, and organisation-wide role structuring to role-tailored training and continuous organisational learning. The framework synthesises independently validated models, including the Five Lines of Accountability, the CICGM maturity model, the CARE and KAB measurement frameworks, into a single accessible governance guide. Positioned as a prerequisite governance layer beneath existing technical frameworks such as CyberESP and ASMAS, the CSA governance framework addresses the foundational awareness gap that prevents their adoption, creating the conditions under which downstream cybersecurity tools become actionable.
Cybersecurity Awareness Governance Framework: A Board-Level Cybersecurity Framework for SMEs
Edoardo Carlini
2026-01-01
Abstract
Small and medium enterprises (SMEs) account for over 90\% of businesses worldwide yet remain disproportionately vulnerable to cyberattacks, largely because cybersecurity awareness is absent at governance level. Established frameworks such as NIST CSF 2.0, ISO 27001, and NIS2 provide solid technical and capability foundations, but they are too complex and costly for most SMEs and do not address the prior question of how a board becomes aware enough to initiate cybersecurity action. Following a Design Science Research methodology grounded in a literature review, this thesis develops the Cybersecurity Awareness Governance framework: a seven phase, sector independent process, that guides SMEs board and senior decision-makers from contextual self-assessment and regulatory mapping, through board-level accountability, maturity evaluation, and organisation-wide role structuring to role-tailored training and continuous organisational learning. The framework synthesises independently validated models, including the Five Lines of Accountability, the CICGM maturity model, the CARE and KAB measurement frameworks, into a single accessible governance guide. Positioned as a prerequisite governance layer beneath existing technical frameworks such as CyberESP and ASMAS, the CSA governance framework addresses the foundational awareness gap that prevents their adoption, creating the conditions under which downstream cybersecurity tools become actionable.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.



