Small and medium-sized enterprises (SMEs) need support with their cyber security posture. Limited resources, unclear priorities, and unsuitable existing solutions lead to ineffective prevention and response. Existing literature is sparse and often disconnected. This review maps relevant literature, provides an overview of what is known and identifies areas for further research. The objective was to identify, present and map peer-reviewed literature on SME cyber incident prevention and response, and to categorise open problems into a People, Process, Technology (PPT) framework. The scoping review was conducted according to the JBI methodology. Searches were performed across Scopus, the Web of Science Core Collection, IEEE Xplore and the ACM Digital Library for peer-reviewed English-language studies published from 2017 onwards. Screening, data extraction and charting were conducted using Covidence. Themes were identified qualitatively. A total of 195 studies met the inclusion criteria. Most of the literature focused on prevention, with incident response under-represented. Key unresolved problems included limited awareness and training, leadership and resource constraints, misconceptions about cyber risk, difficulty prioritising controls, inadequate preparedness and a lack of tailoring between SME contexts and existing frameworks. The proposed solutions emphasised simplified and tailored models, role clarification, leadership engagement, cultural development and more efficient resource planning. The literature is fragmented and highly prevention-focused. There is an opportunity to establish, through empirically validated research, SME-tailored solutions that strengthen SME prevention and response capabilities.
Michalek et al. studied this question.