MWAIS 2024 Proceedings


The shift from traditional businesses to digitally enabled organisations has made information the most valuable asset for SMEs, which, in turn, has made cybersecurity management a primary concern. This study explores the cybersecurity management practices in Thai SMEs and the factors determining the adoption of common cybersecurity frameworks and controls. The study applied a mixed-method research strategy with qualitative and quantitative data collection methods (in-depth interviews with experts, and an online survey of 75 SMEs). The preliminary findings indicate that SMEs in Thailand practice various cybersecurity controls but refrain from adopting cybersecurity standards or frameworks, such as the ISO2700X series, NIST, and PCI DSS. On the other hand, SMEs seem to comply with national laws, including Thailand’s PDPA, Computer Crime Act, and Personal Information Act. A further analysis indicates that the lack of financial resources, tools and expertise was the main reason for not adopting common frameworks and controls among SMEs.