{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,13]],"date-time":"2026-05-13T19:40:52Z","timestamp":1778701252868,"version":"3.51.4"},"reference-count":32,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2026,1,31]],"date-time":"2026-01-31T00:00:00Z","timestamp":1769817600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"EU Recovery and Resilience Facility","award":["5.2.1.1.i.0\/2\/24\/I\/CFLA\/003"],"award-info":[{"award-number":["5.2.1.1.i.0\/2\/24\/I\/CFLA\/003"]}]},{"DOI":"10.13039\/501100007060","name":"Riga Technical University","doi-asserted-by":"crossref","award":["ID 1101"],"award-info":[{"award-number":["ID 1101"]}],"id":[{"id":"10.13039\/501100007060","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Systems"],"abstract":"<jats:p>Small and medium-sized enterprises (SMEs) increasingly rely on digital technologies in everyday operations, often without having sufficient resources or structured mechanisms to manage the cyber risks that accompany this dependence. As digitalization deepens, cyber incidents in SMEs are shaped not only by technical vulnerabilities but also by human behavior and organizational practices. However, much of the existing research still approaches cyber resilience through fragmented technological or managerial lenses. This study takes a conceptual and theory-driven approach to examine cyber resilience in SMEs as a socio-technical system. Building on systems theory and adaptive management, the analysis draws on a structured synthesis of interdisciplinary literature to develop a systemic model of adaptive digital risk management. The model is developed through a structured conceptual process combining systematic exploration of interdisciplinary literature, analytical synthesis of recurring conceptual patterns, and system-level model construction informed by systems theory and adaptive management principles. Cyber resilience is therefore interpreted as a dynamic capability that develops over time, especially in digital environments characterized by increasing automation and evolving forms of human\u2013technology interaction. The study contributes to cyber resilience research by offering a system-oriented perspective and provides SMEs with a conceptual basis for strengthening adaptive approaches to digital risk management.<\/jats:p>","DOI":"10.3390\/systems14020151","type":"journal-article","created":{"date-parts":[[2026,2,2]],"date-time":"2026-02-02T09:48:08Z","timestamp":1770025688000},"page":"151","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Modelling Cyber Resilience in SMEs as a Socio-Technical System: A Systemic Approach to Adaptive Digital Risk Management"],"prefix":"10.3390","volume":"14","author":[{"given":"Alona","family":"Bahmanova","sequence":"first","affiliation":[{"name":"Faculty of Engineering Economics and Management, Riga Technical University, Kalnciema iela 6, 1048 Riga, Latvia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1154-839X","authenticated-orcid":false,"given":"Natalja","family":"Lace","sequence":"additional","affiliation":[{"name":"Faculty of Engineering Economics and Management, Riga Technical University, Kalnciema iela 6, 1048 Riga, Latvia"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2026,1,31]]},"reference":[{"key":"ref_1","first-page":"73","article-title":"Conceptual Model of the Company\u2019s Cyber Resilience Elements","volume":"23","author":"Bahmanova","year":"2025","journal-title":"J. Syst. Cybern. Inform."},{"key":"ref_2","unstructured":"von Bertalanffy, L. (1968). General System Theory: Foundations, Development, Applications, George Braziller."},{"key":"ref_3","unstructured":"Harari, Y.N. (2024). Nexus: A Brief History of Information Networks, Penguin Random House."},{"key":"ref_4","unstructured":"Dubin, R. (1978). Theory Building, Free Press."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"490","DOI":"10.2307\/258554","article-title":"What constitutes a theoretical contribution?","volume":"14","author":"Whetten","year":"1989","journal-title":"Acad. Manag. Rev."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1177\/160940690900800406","article-title":"Building a conceptual framework: Philosophy, definitions, and procedure","volume":"8","author":"Jabareen","year":"2009","journal-title":"Int. J. Qual. Methods"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"174200","DOI":"10.1109\/ACCESS.2020.3026063","article-title":"Systematic approach to cyber resilience operationalization in SMEs","volume":"8","author":"Borges","year":"2020","journal-title":"IEEE Access"},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"53","DOI":"10.7250\/csimq.2022-33.04","article-title":"Cybersecurity readiness: A model for SMEs based on the socio-technical perspective","volume":"33","author":"Perozzo","year":"2022","journal-title":"Complex Syst. Inform. Model. Q."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Brezav\u0161\u010dek, A., and Baggia, A. (2025). Recent Trends in Information and Cyber Security Maturity Assessment: A Systematic Literature Review. Systems, 13.","DOI":"10.3390\/systems13010052"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"e70050","DOI":"10.1002\/smr.70050","article-title":"CyberESP: An integrated cybersecurity framework for SMEs","volume":"37","author":"Herranz","year":"2025","journal-title":"J. Softw. Evol. Process"},{"key":"ref_11","unstructured":"National Institute of Standards and Technology (NIST) (2018). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, National Institute of Standards and Technology."},{"key":"ref_12","unstructured":"National Institute of Standards and Technology (NIST) (2024). Cybersecurity Framework, Version 2.0, National Institute of Standards and Technology."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"van Haastrecht, M., Yigit Ozkan, B., Brinkhuis, M., and Spruit, M. (2021). Respite for SMEs: A systematic review of socio-technical cybersecurity metrics. Appl. Sci., 11.","DOI":"10.3390\/app11156909"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Kioskli, K., Seralidou, E., and Polemi, N. (2025). A practical human-centric risk management methodology. Electronics, 14.","DOI":"10.3390\/electronics14030486"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"80741","DOI":"10.1109\/ACCESS.2021.3085530","article-title":"Cyber resilience self-assessment tool (CR-SAT) for SMEs","volume":"9","author":"Arrizabalaga","year":"2021","journal-title":"IEEE Access"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Rawindaran, N., Jayal, A., and Prakash, E. (2025). Cybersecurity framework addressing resiliency in SMEs for digital transformation and Industry 5.0. J. Cybersecur. Priv., 5.","DOI":"10.3390\/jcp5020017"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Ashby, W.R. (1956). An Introduction to Cybernetics, Chapman & Hall.","DOI":"10.5962\/bhl.title.5851"},{"key":"ref_18","unstructured":"Hollnagel, E., Woods, D.D., and Leveson, N. (2006). Resilience Engineering: Concepts and Precepts, Ashgate Publishing."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1016\/j.ress.2015.03.018","article-title":"Four concepts for resilience and the implications for the future of resilience engineering","volume":"141","author":"Woods","year":"2015","journal-title":"Reliab. Eng. Syst. Saf."},{"key":"ref_20","unstructured":"Meadows, D.H. (2008). Thinking in Systems: A Primer, Chelsea Green Publishing."},{"key":"ref_21","first-page":"471","article-title":"Resilience metrics for cyber systems","volume":"34","author":"Linkov","year":"2014","journal-title":"Environ. Syst. Decis."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Mantas, E., Papadopoulos, D., Fernandez, C., Litke, A., and Athanasiou, G. (2021, January 7\u201310). Practical Autonomous Cyberhealth for Resilient Micro, Small and Medium-Sized Enterprises. Proceedings of the IEEE Mediterranean Conference on Communications and Networking, Athens, Greece.","DOI":"10.1109\/MeditCom49071.2021.9647609"},{"key":"ref_23","unstructured":"Rombaldo Junior, C., Becker, I., and Johnson, S. (2023). Unaware, unfunded and uneducated: A systematic review of SME cybersecurity. arXiv."},{"key":"ref_24","first-page":"711","article-title":"Cybersecurity resilience in SMEs: A machine learning approach","volume":"64","author":"Arroyabe","year":"2024","journal-title":"J. Comput. Inf. Syst."},{"key":"ref_25","unstructured":"Fysarakis, K., Lekidis, A., Mavroeidis, V., Spanoudakis, G., and Koufopavlou, O. (August, January 31). PHOENI2X: A European cyber resilience framework with AI-assisted orchestration. Proceedings of the 2023 IEEE International Conference on Cyber Security and Resilience, Venice, Italy."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"2062","DOI":"10.1108\/BIJ-11-2021-0700","article-title":"Managing resilience of micro, small and medium enterprises (MSMEs) during COVID-19: Analysis of barriers","volume":"30","author":"Gupta","year":"2023","journal-title":"Benchmarking"},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"1850","DOI":"10.1108\/BIJ-11-2021-0685","article-title":"Adoption of ICTs as an emergent business strategy during and following COVID-19 crisis: Evidence from Indian MSMEs","volume":"30","author":"Kumar","year":"2023","journal-title":"Benchmarking"},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"1912","DOI":"10.1108\/BIJ-09-2021-0535","article-title":"Restarting MSMEs and start-ups post COVID-19: A grounded theory approach to identify success factors to tackle changed business landscape","volume":"30","author":"Varma","year":"2023","journal-title":"Benchmarking"},{"key":"ref_29","first-page":"e0007","article-title":"Strategic foresight and its contribution to improving corporate social responsibility practices: A systematic review","volume":"1","year":"2025","journal-title":"Ceniiac"},{"key":"ref_30","first-page":"1","article-title":"Cyber Risk Management in Small and Medium-Sized Enterprises: Insights from Industry Surveys","volume":"12","author":"Hoppe","year":"2021","journal-title":"J. Inf. Secur."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"89","DOI":"10.63180\/jcsra.thestap.2025.3.7","article-title":"Cybersecurity Challenges in Small and Medium Enterprises: A Scoping Review","volume":"3","author":"Awan","year":"2025","journal-title":"J. Cyber Secur. Risk Audit."},{"key":"ref_32","unstructured":"Arrizabalaga, S., Labaka, L., and Hernantes, J. (2026, January 20). Systematic Approach to Cyber Resilience in Small and Medium-Sized Enterprises. Available online: https:\/\/dadun.unav.edu."}],"container-title":["Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2079-8954\/14\/2\/151\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,3]],"date-time":"2026-02-03T05:14:22Z","timestamp":1770095662000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2079-8954\/14\/2\/151"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,31]]},"references-count":32,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2026,2]]}},"alternative-id":["systems14020151"],"URL":"https:\/\/doi.org\/10.3390\/systems14020151","relation":{},"ISSN":["2079-8954"],"issn-type":[{"value":"2079-8954","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,31]]}}}