{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,17]],"date-time":"2026-04-17T07:32:54Z","timestamp":1776411174617,"version":"3.51.2"},"reference-count":46,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2021,4,8]],"date-time":"2021-04-08T00:00:00Z","timestamp":1617840000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"IAPMEI","award":["POCI-02-0853-FEDER-026352"],"award-info":[{"award-number":["POCI-02-0853-FEDER-026352"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JCP"],"abstract":"<jats:p>Information security plays a key role in enterprises management, as it deals with the confidentiality, privacy, integrity, and availability of one of their most valuable resources: data and information. Small and Medium-sized enterprises (SME) are seen as a blind spot in information security and cybersecurity management, which is mainly due to their size, regional and familiar scope, and financial resources. This paper presents an information security and cybersecurity management project, in which a methodology based on the well-known ISO-27001:2013 standard was designed and implemented in fifty SMEs that were located in the center region of Portugal. The project was conducted by a business association located at the center of Portugal and mainly participated by SMEs. The Polytechnic of Leiria and an IT auditing\/consulting team were the other two entities that participated on the project. The characterisation of the participating enterprises, the ISO-27001:2013 based methodology developed and implemented in SMEs, as well as the results obtained in this case study, are depicted and analysed in the paper. The attained results show a clear benefit to the audited and intervened SMEs, being mainly attested by the increasing of their information security management robustness and collaborators\u2019 cyberawareness.<\/jats:p>","DOI":"10.3390\/jcp1020012","type":"journal-article","created":{"date-parts":[[2021,4,8]],"date-time":"2021-04-08T10:34:39Z","timestamp":1617878079000},"page":"219-238","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":60,"title":["Information Security and Cybersecurity Management: A Case Study with SMEs in Portugal"],"prefix":"10.3390","volume":"1","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3448-6726","authenticated-orcid":false,"given":"M\u00e1rio","family":"Antunes","sequence":"first","affiliation":[{"name":"Computer Science and Communication Research Centre (CIIC), School of Technology and Management, Polytechnic of Leiria, 2411-901 Leiria, Portugal"},{"name":"INESC TEC, CRACS, 4200-465 Porto, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1212-7864","authenticated-orcid":false,"given":"Marisa","family":"Maximiano","sequence":"additional","affiliation":[{"name":"Computer Science and Communication Research Centre (CIIC), School of Technology and Management, Polytechnic of Leiria, 2411-901 Leiria, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0438-9119","authenticated-orcid":false,"given":"Ricardo","family":"Gomes","sequence":"additional","affiliation":[{"name":"School of Technology and Management, Polytechnic of Leiria, 2411-901 Leiria, Portugal"}]},{"given":"Daniel","family":"Pinto","sequence":"additional","affiliation":[{"name":"School of Technology and Management, Polytechnic of Leiria, 2411-901 Leiria, Portugal"}]}],"member":"1968","published-online":{"date-parts":[[2021,4,8]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Ikeda, K., Marshall, A., and Zaharchuk, D. (2019). Agility, skills and cybersecurity: Critical drivers of competitiveness in times of economic uncertainty. Strategy & Leadership, Emerald Publishing.","DOI":"10.1108\/SL-02-2019-0032"},{"key":"ref_2","unstructured":"Huang, K., Madnick, S., and Johnson, S. (2021, March 07). Framework for Understanding Cybersecurity Impacts on International Trade. Available online: https:\/\/papers.ssrn.com\/sol3\/papers.cfm?abstract_id=3555341."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"150","DOI":"10.1504\/IJCIS.2020.107265","article-title":"Information technology governance and cybersecurity at the board level","volume":"16","year":"2020","journal-title":"Int. J. Crit. Infrastruct."},{"key":"ref_4","unstructured":"(2021, March 07). ENISA Threat Landscape. Available online: https:\/\/www.enisa.europa.eu\/topics\/threat-risk-management\/threats-and-trends\/."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"102248","DOI":"10.1016\/j.cose.2021.102248","article-title":"Cyber security in the age of covid-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic","volume":"105","author":"Lallie","year":"2021","journal-title":"Comput. Secur."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Ahmad, T. (2021, March 07). Corona Virus (Covid-19) Pandemic and Work from Home: Challenges of Cybercrimes and Cybersecurity. Available online: https:\/\/papers.ssrn.com\/sol3\/papers.cfm?abstract_id=3568830.","DOI":"10.2139\/ssrn.3568830"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"1125","DOI":"10.1177\/0263774X15610058","article-title":"The wealth of regions: Quality of government and SMEs in 172 European regions","volume":"33","author":"Nistotskaya","year":"2015","journal-title":"Environ. Plan. Gov. Policy"},{"key":"ref_8","unstructured":"(2021, March 07). Small Business Standards. Available online: https:\/\/www.sbs-sme.eu\/sme-involvement\/standards-and-smes."},{"key":"ref_9","unstructured":"Kertysova, K., Frinking, E., van den Dool, K., Mari\u010di\u0107, A., and Bhattacharyya, K. (2018). Cybersecurity: Ensuring Awareness and Resilience of the Private Sector Across Europe in Face of Mounting Cyber Risks-Study, European Economic and Social Committee, The Hague Centre for Strategic Studies. Available online: https:\/\/www.eesc.europa.eu\/en\/our-work\/publications-other-work\/publications\/cybersecurity-ensuring-awareness-and-resilience-private-sector-across-europe-face-mounting-cyber-risks-study#downloads."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Boletsis, C., Halvorsrud, R., Pickering, J.B., Phillips, S., and Surridge, M. (2021, January 8\u201310). Cybersecurity for SMEs: Introducing the Human Element into Socio-technical Cybersecurity Risk Assessment. Proceedings of the 16th International Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications (VISIGRAPP 2021), Vienna, Austria.","DOI":"10.5220\/0010332902660274"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Ozkan, B.Y., and Spruit, M. (2021). Cybersecurity Standardisation for SMEs: The Stakeholders\u2019 Perspectives and a Research Agenda. Research Anthology on Artificial Intelligence Applications in Security, IGI Global.","DOI":"10.4018\/978-1-7998-7705-9.ch056"},{"key":"ref_12","unstructured":"Whitehead, G. (2020). Investigation of Factors Influencing Cybersecurity Decision Making in Irish SME\u2019s from a Senior Manager\/Owner Perspective. [Ph.D. Thesis, National College of Ireland]."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Saleem, J., Adebisi, B., Ande, R., and Hammoudeh, M. (2017, January 19\u201320). A state of the art survey-Impact of cyber attacks on SME\u2019s. Proceedings of the International Conference on Future Networks and Distributed Systems, Cambridge, UK.","DOI":"10.1145\/3102304.3109812"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"174200","DOI":"10.1109\/ACCESS.2020.3026063","article-title":"Systematic Approach to Cyber Resilience Operationalization in SMEs","volume":"8","author":"Borges","year":"2020","journal-title":"IEEE Access"},{"key":"ref_15","first-page":"800","article-title":"Risk management guide for information technology systems","volume":"800","author":"Stoneburner","year":"2002","journal-title":"Nist Spec. Publ."},{"key":"ref_16","first-page":"536","article-title":"Cybersecurity is not just a \u2018big business\u2019 issue","volume":"69","author":"Bell","year":"2017","journal-title":"Gov. Dir."},{"key":"ref_17","unstructured":"(2021, February 02). ISO-ISO\/IEC 27000:2009\u2014Information Technology\u2014Security Techniques\u2014Information Security Management Systems\u2014Overview and Vocabulary. Available online: https:\/\/www.iso.org\/standard\/41933.html."},{"key":"ref_18","unstructured":"Stallings, W. (2006). Cryptography and Network Security, Pearson Education India. [4th ed.]."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Mohammed, A.M., Idris, B., Saridakis, G., and Benson, V. (2020). Information and communication technologies: A curse or blessing for SMEs. Emerging Cyber Threats and Cognitive Vulnerabilities, Elsevier Press.","DOI":"10.1016\/B978-0-12-816203-3.00008-3"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"269","DOI":"10.1080\/10919392.2018.1484598","article-title":"Exploring SME cybersecurity practices in developing countries","volume":"28","author":"Kabanda","year":"2018","journal-title":"J. Organ. Comput. Electron. Commer."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Naradda Gamage, S.K., Ekanayake, E., Abeyrathne, G., Prasanna, R., Jayasundara, J., and Rajapakshe, P. (2020). A Review of Global Challenges and Survival Strategies of Small and Medium Enterprises (SMEs). Economies, 8.","DOI":"10.3390\/economies8040079"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Alahmari, A., and Duncan, B. (2020, January 15\u201319). Cybersecurity Risk Management in Small and Medium-Sized Enterprises: A Systematic Review of Recent Evidence. Proceedings of the 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), Dublin, Ireland.","DOI":"10.1109\/CyberSA49311.2020.9139638"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"e00346","DOI":"10.1016\/j.heliyon.2017.e00346","article-title":"Human factors in cybersecurity; examining the link between Internet addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviours","volume":"3","author":"Hadlington","year":"2017","journal-title":"Heliyon"},{"key":"ref_24","unstructured":"(2021, February 02). ISO-ISO\/IEC 27001:2013\u2014Information Technology\u2014Security Techniques\u2014Information Security Management Systems\u2014Requirements. Available online: https:\/\/www.iso.org\/standard\/54534.html."},{"key":"ref_25","unstructured":"(2021, February 02). Information Security Management System|ISMS.online. Available online: https:\/\/www.isms.online\/information-security-management-system-isms\/."},{"key":"ref_26","unstructured":"(2021, February 02). ISO-ISO\/IEC 27005:2018\u2014Information Technology\u2014Security Techniques\u2014Information Security Risk Management. Available online: https:\/\/www.iso.org\/standard\/75281.html."},{"key":"ref_27","unstructured":"(2021, March 07). ISO-ISO\/IEC 27037:2012\u2014Information Technology\u2014Security Techniques\u2014Guidelines for Identification, Collection, Acquisition and Preservation of Digital Evidence. Available online: https:\/\/www.iso.org\/standard\/44381.html."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Javaid, M.I., and Iqbal, M.M.W. (2017, January 19\u201321). A comprehensive people, process and technology (PPT) application model for Information Systems (IS) risk management in small\/medium enterprises (SME). Proceedings of the International Conference on Communication Technologies (ComTech), Rawalpindi, Pakistan.","DOI":"10.1109\/COMTECH.2017.8065754"},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"2631","DOI":"10.5958\/0976-5506.2018.02112.5","article-title":"ISO\/IEC 27001 Implementation in SMEs: Investigation on Management of Information Assets","volume":"9","author":"Muthaiyah","year":"2018","journal-title":"Indian J. Public Health Res. Dev."},{"key":"ref_30","unstructured":"Wanyonyi, V. (2020). Information Security Management Toolkit for ISO\/IEC 27001 Standard, Case of Small-to-Medium Sized Enterprises (SMEs). [Ph.D. Thesis, University of Nairobi]."},{"key":"ref_31","unstructured":"Renvall, A. (2021, March 07). Improving Cybersecurity through ISO\/IEC 27001 Information Security Standard in the Context of SMEs. Available online: https:\/\/www.theseus.fi\/handle\/10024\/157277."},{"key":"ref_32","unstructured":"Ozkan, B.Y., and Spruit, M. (2020). Assessing and Improving Cybersecurity Maturity for SMEs: Standardization aspects. arXiv."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Ponsard, C., Grandclaudon, J., and Dallons, G. (2018, January 2\u201324). Towards a Cyber Security Label for SMEs: A European Perspective-. Proceedings of the 4th International Conference on Information Systems Security and Privacy (ICISSP 2018), Madeira, Portugal.","DOI":"10.5220\/0006657604260431"},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Ponsard, C., Massonet, P., Grandclaudon, J., and Point, N. (2020, January 7\u201311). From Lightweight Cybersecurity Assessment to SME Certification Scheme in Belgium. Proceedings of the 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Genoa, Italy.","DOI":"10.1109\/EuroSPW51379.2020.00019"},{"key":"ref_35","unstructured":"Henson, R., and Sutcliffe, D. (2017). An insurance-based approach to improving SME Cyber Security. Special Topics in Economics & Management: An Introduction, ATINER."},{"key":"ref_36","unstructured":"Hassinen, T. (2021, March 07). Enhancing Cyber Security for SME Organizations through Self-Assessments: How Self-Assessment Raises Awareness. Available online: https:\/\/www.theseus.fi\/handle\/10024\/125437."},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Rae, A., and Patel, A. (2019, January 26\u201328). Defining a new composite cybersecurity rating scheme for smes in the uk. Proceedings of the International Conference on Information Security Practice and Experience, Kuala Lumpur, Malaysia.","DOI":"10.1007\/978-3-030-34339-2_20"},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Ponsard, C., and Grandclaudon, J. (2018, January 22\u201324). Survey and guidelines for the design and deployment of a cyber security label for SMEs. Proceedings of the International Conference on Information Systems Security and Privacy, Madeira, Portugal.","DOI":"10.1007\/978-3-030-25109-3_13"},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"235","DOI":"10.1108\/JIC-05-2019-0128","article-title":"Modelling adaptive information security for SMEs in a cluster","volume":"21","author":"Ozkan","year":"2019","journal-title":"J. Intellect. Cap."},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"119","DOI":"10.3390\/jcp1010007","article-title":"The Cybersecurity Focus Area Maturity (CYSFAM) Model","volume":"1","author":"Ozkan","year":"2021","journal-title":"J. Cybersecur. Priv."},{"key":"ref_41","unstructured":"Auyporn, W., Piromsopa, K., and Chaiyawat, T. (2020, January 1\u20134). Critical Factors in Cybersecurity for SMEs in Technological Innovation Era. Proceedings of the ISPIM Conference Proceedings, The International Society for Professional Innovation Management (ISPIM), Bangkok, Thailand."},{"key":"ref_42","unstructured":"Mubarak, S., Heyasat, H., and Wibowo, S. (2019, January 9\u201311). Information Security Models are a Solution or Puzzle for SMEs? A Systematic Literature Review. Proceedings of the Australasian Conference on Information Systems, Perth, Australia."},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Teufel, S., Teufel, B., Aldabbas, M., and Nguyen, M. (2020, January 25\u201326). Cyber Security Canvas for SMEs. Proceedings of the International Information Security Conference, Pretoria, South Africa.","DOI":"10.1007\/978-3-030-66039-0_2"},{"key":"ref_44","unstructured":"Zec, M. (2015). Cyber Security Measures in SME\u2019s: A Study of IT Professionals\u2019 Organizational Cyber Security Awareness, Linnaeus University. Available online: https:\/\/www.diva-portal.org\/smash\/get\/diva2:849211\/ATTACHMENT01.pdf."},{"key":"ref_45","first-page":"41","article-title":"Cybersecurity Standardisation for SMEs: The Stakeholders\u2019 Perspectives and a research agenda","volume":"17","author":"Ozkan","year":"2019","journal-title":"Int. J. Stand. Res."},{"key":"ref_46","unstructured":"(2021, March 07). Organizations in Cooperation with ISO\u2014SBS\u2014Small Business Standards. Available online: https:\/\/www.iso.org\/organization\/5100110.html."}],"container-title":["Journal of Cybersecurity and Privacy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2624-800X\/1\/2\/12\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,13]],"date-time":"2025-10-13T13:26:38Z","timestamp":1760361998000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2624-800X\/1\/2\/12"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,4,8]]},"references-count":46,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2021,6]]}},"alternative-id":["jcp1020012"],"URL":"https:\/\/doi.org\/10.3390\/jcp1020012","relation":{},"ISSN":["2624-800X"],"issn-type":[{"value":"2624-800X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,4,8]]}}}