Cybersecurity Strategies for SMEs in the Nordic Baltic Region


  • Morten Falch Dept. of Electronic Systems, Aalborg University Copenhagen, Denmark
  • Henning Olesen Dept. of Electronic Systems, Aalborg University Copenhagen, Denmark
  • Knud Erik Skouby Dept. of Electronic Systems, Aalborg University Copenhagen, Denmark
  • Reza Tadayoni Dept. of Electronic Systems, Aalborg University Copenhagen, Denmark
  • Idongesit Williams Dept. of Electronic Systems, Aalborg University Copenhagen, Denmark



Cybersecurity, Small and Medium Sized Companies (SMEs), Nordic Baltic Region, NIST Framework, Change Management


Cybercrime has become the most widespread kind of economic fraud and is a serious challenge for businesses around the world. The topic of this paper is how SMEs in the Nordic Baltic Region should face this challenge. Possible technical and organisational tasks to be performed by SMEs in order to ensure cybersecurity of their business are analysed. The paper looks at the different types of hackers and their motives. On this background, current cyberthreats and corresponding security measures are presented. It is concluded that awareness, training, and financial incentives are all important elements in defining a cybersecurity strategy for SMEs. The paper is based on research made in the DINNOCAP project funded by EU regional funds.


Download data is not yet available.

Author Biographies

Morten Falch, Dept. of Electronic Systems, Aalborg University Copenhagen, Denmark

Morten Falch is Associate Professor at Center for Communication, Media and Information Technologies (CMI) located at Aalborg University Copenhagen. He holds a PA in Mathematics, a master degree in economics and a Ph.D. and has since 1988 specialised in research on socio-economic issues related to Information and Communication technologies. This includes economic analysis of applications and telecommunication networks and services (e.g. Cost analysis of telecom networks), e-government, regulation of the telecom sector, ICT and industry policy, the role of competition in innovation of new services and frequency management.

Henning Olesen, Dept. of Electronic Systems, Aalborg University Copenhagen, Denmark

Henning Olesen received the master’s degree in electrical engineering in 1980 and the philosophy of doctorate degree in electrical engineering in 1983, both from the Technical University of Denmark (DTU). He is currently working as an Associate Professor at the Department of Electronic Systems, Technical Faculty of IT and Design, Aalborg University. His research areas include digital identities and identity management, cyber security, personal data protection, and service architectures. He has authored or co-authored more than 120 international journal and conference papers and has been serving as a reviewer for many highly-respected journals.

Knud Erik Skouby, Dept. of Electronic Systems, Aalborg University Copenhagen, Denmark

Knud Erik Skouby professor emeritus, Aalborg University. Has a career as a university teacher and within consultancy since 1972; focus on ICT since 1987. Project manager and partner in a number of international, European and Danish research projects. Invited speaker on international conferences; published a number of Danish and international articles, books and conference proceedings. Editor in chief of Nordic and Baltic Journal of Information and Communication Technologies (NBICT); Chair of WGA in Wireless World Research Forum.

Reza Tadayoni, Dept. of Electronic Systems, Aalborg University Copenhagen, Denmark

Reza Tadayoni (b 1962), Associate Professor,, Ph.D., Head of the section, Communication, Media and Information technologies (CMI)/Electronic Systems/Aalborg University. He holds M.Sc.E.E. from DTU (Danish Technical University), specializing in broadband communication, and holds a Ph.D. from DTU in the field of media convergence. His research and teaching areas have, for the last 30 years, been within the ICTs, focusing on media convergence, including technology and business perspectives.

Idongesit Williams, Dept. of Electronic Systems, Aalborg University Copenhagen, Denmark

Idongesit Williams is Assistant Professor at Aalborg University Copenhagen. He holds a Bachelor in Physics, a Master degree in Information and Communications Technologies and a Ph.D. He has since 2010 researched into socio-economic, socio-technical related to Information and Communications Technologies. His research areas include the following. The facilitation of telecom and ICT infrastructure using Public Private Partnerships; the development and the sustenance of Community-Based Networks, and e-government; He has authored more than 60 research publications, including journal papers, books, book chapters, conference papers and magazine articles.


PwC, “PwC’s Global Economic Crime and Fraud Survey 2022,” PwC, 2022.

M. Heidt, J. P. Gerlach and P. Buxmann, “Investigating the security divide between SME and large companies: How SME characteristics influence organizational IT security investments,” Information Systems Frontiers, pp. 1285–1305, 21(6) 2019.

“JOINT COMMUNICATION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL The EU’s Cybersecurity Strategy for the Digital Decade, Join(2020)18,” 2020.

“NIS2 Directive,” 16 Dec. 2020. [Online]. Available:

Danish Business Authority, “Digital sikkerhed i danske SMV’er (Digital Security in Danish SMEs,” Danish Business Authority, Copenhagen, 2021.

A. Horn, “Why cybersecurity should be a top concern for middle-market companies,” SmallBizDaily, 2017.

T. Tam, A. Rao and J. Hall, “The good, the bad and the missing: A Narrative review of cyber-security implications for australian small businesses,” Computers & Security, 109, 102385. 2021.

“DINNOCAP,” [Online]. Available:

M. Lezzi, M. Lazoi and A. Corallo, “Cybersecurity for Industry 4.0 in the current literature: A reference framework.,” Computers in Industry, pp. 97–110, 2018.

A. Sarri, V. Paggio and G. Bafoutsou, “CYBERSECURITY FOR SMES – Challenges and Recommendations,” European Union Agency for Cybersecurity, ENISA, Heraklion, Greece, 2021.

European Commission, “EUROSTAT,” Brussels, 2022.

C. Paulsen and P. Toth, “Small Business Information Security: The Fundamentals. NISTIR 7621 Revision 1,” NIST, 2016.

“14 Types of Hackers to Watch Out For,” 10 5 2022. [Online]. Available:

S. L. Hald and J. M. Pedersen, “An updated taxonomy for characterizing hackers according to their threat properties.,” in In 2012 14th International Conference on Advanced Communication Technology (ICACT), IEEE, 2012, pp. 81–86.

S. Chng, H. Y. Lu, A. Kumar and D. Yau, “Hacker types, motivations and strategies: A comprehensive framework.,” Computers in Human Behavior Reports, 5, 100167. 2022.

J. M. Pedersen, Writer, Teaching material. [Performance]. 2022.

“ENISA threat landscape 2021,” ENISA, 2021.

ENISA, “Guidelines for SMEs on the security of personal data,” ENISA, 2016.

“Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1,” 16 April 2018. [Online]. Available:

OECD, “OECD Policy Responses to Coronavirus (COVID-19): Teleworking in the COVID-19 pandemic: Trends and prospects,” OECD, 2021.

“Digital sikkerhed i danske SMV’er (in Danish),” Danish Business Authority, 2021.

DIGITAL SME Alliance 2020, “. European Digital SME alliance 2020. The EU cyber security Act and the role of standards for SMEs- Position paper. Technical report.,” Brussels.

M. van Haastrecht, I. Sarhan, A. Shojaifar, L. Baumgartner, W. Mallouli and M. Spruit, “A Threat-Based Cybersecurity Risk Assessment Approach Addressing SME Needs,” in The 16th International Conference on Availability, Reliability and Security, 2021.

T. H. Davenport, Process innovation: reengineering work through information technology, Harvard Business Press, 1993.

M. Hammer and J. Champy, Business process reengineering, London: Nicholas Brealey, 1993.

W. A. Aziz, “Business process reengineering impact on SMEs operations: evidences from GCC region,” International Journal of Services and Operations Management, pp. 545–562, 33(4) 2019.

E. I. Edoun, G. B. Fotso and C. Mbohwa, “Business Process Reengineering: An Evaluation of Soft versus Hard,” in Proceedings of the 2018 International Conference on Internet and e-Business, 2018, pp. 90–93.

D. Chaffey, E-business &E-commerce Managemnt, London: Prentice Hall, 2011.

C. Ponsard, J. Grandclaudon and S. Bal, “Survey and Lessons Learned on Raising SME Awareness about Cybersecurity,” ICISSP, pp. 558–563.

B. J. Galli, “Change management models: A comparative analysis and concerns,” IEEE Engineering Management Review, pp. 124–132, 46(3) 2018.

J. Stouten, D. M. Rousseau and D. De Cremer, “Successful organizational change: Integrating the management practice and scholarly literatures,” Academy of Management Annals, pp. 752–788, 12(2) 2018.

K. Lewin, Field theory in social change, New York, NY, USA : Harper & Row, 1951.

J. P. Kotter, Leading change, Cambridge, MA, USA: Harvard Business, 1996.

J. M. Hiatt, Employees Survival Guide to Change: The Complete Guide To Surviving and Thriving During Organizational Change, Loveland, CO, USA: Prosci Research, 2013.

European Commission, New EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient, Brussels, 2020.

M. Benz and D. Chatterjee, “ Calculated risk? A cybersecurity evaluation tool for SMEs,” Business Horizons, pp. 531–540, 63(4) 2020.




How to Cite

Falch M, Olesen H, Skouby KE, Tadayoni R, Williams I. Cybersecurity Strategies for SMEs in the Nordic Baltic Region. JCSANDM [Internet]. 2023 Jan. 31 [cited 2023 May 31];11(06):727–754. Available from: