

Coping with uncertainty, ambiguity & risk in a cyber-environment
A cyber risk management-mindset for MSMEs

Introduction and background notes

The content of this training module is a non-official follow-up to EntreComp for cyber risk-readiness.

In the previous units we referred to several frameworks that help in assessing and evaluating cyber risks and threats coming from the IT environment.

In the following section, we will provide learners with conceptual roadmaps to navigate cyber security, cyber readiness and cyber resilience from a quality assurance and risk management perspective.



Now that businesses and organisations are facing an exponential exposure to cyber-threats, cybersecurity is becoming a top concern not only for IT specialists but also for professionals and experts operating in the field of risk management.


Organisations rely more and more on digital means/tools to plan, manage and develop their activities; any disruption to their “digital value chain” translates into severe consequences for which many are largely unprepared.

There is a shared misconception about cybersecurity: that securing IT systems from cyber-threats implies complex and highly sophisticated computer science procedures.


Although it is certainly true that cybersecurity professionals possess advanced engineering expertise and know-how, a cyber-mindset is within everyone’s reach…


Key takeaways from a 2021 report by IBM indicate that cyber-resilience is about a few simple actions:

• Investing in prevention (i.e. risk identification and assessment)
• Zero-Trust security model (“who got access to your data?”)
• Stress testing (measuring and evaluating internal resilience strategies)
• Identity and access management to manage remote employees (relevant more than ever in the smart working era)
• Compliance programs: nurturing cyberculture on a cross-functional level
• Reducing complexity (“being simple but sophisticated”)
• Narrowing the skills gap


As a matter of fact, evidence from the aforementioned report indicates that the main causes that intervene as further disruptors are associated with human factors, rather than technological inefficiencies:

Safety Nets


Red Team Testing

Risk management “task force”

Compliance Failures

AI Platform

Data Loss prevention

Cloud Migration

Board Involvement

Extensive encryption

IoT / OT impacted

Experienced CISO

Formation of PR team

Lost or Stolen devices

Risk containment routines

Cyber Insurance

Remote Workforce


Managed security services

Security Skills shortage

Threat Intel Sharing

Vulnerability Testing

“Complex” internal bureaucracies

Employee Training

ID Theft protection

Third Party Breach

Security Analytics


Source: IBM, 2021



Risk Management

Evidence gathered by Cyber MSMEs’ partners identifies the lack of reliable (cyber) risk management systems as one of the most common causes of cyber exposure.

Per se, this result is indicative of the “non-acknowledgement” of cybersecurity as a top concern for business resilience and competitiveness.

Cyber risk management should follow the same paradigms and operative focus (i.e., monitoring and evaluation) as any other core function, as it is indicative of a new competitive lever at enterprises’ disposal to adapt to (and react to) the new evolving threats coming from markets and societies.

ISO 31000

The International Organisation for Standardisation recognises risk management as a process involving the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context, and assessing, treating, monitoring, reviewing, recording and reporting risk.

As all business functions remain bound to the efficiency and effectiveness of the IT systems and networks regulating their task flow, cyber risk management becomes an integral part of strategic decision-making and long-term planning.

Cyber risk management is a cyclical process that includes ongoing mechanisms oriented towards the achievement of ever higher standards.

    Check > Evaluation > Fine-tuning


ISO 31000, a visual representation

Mitigating the cyber risk

Based on ISO 31000, internal (cyber) risk management models should reflect the organisation’s values, objectives and resources and be consistent with policies and statements about the organisation’s obligations and the views of stakeholders.

Once the organisation settles the scope, context and criteria of its management model, it is recommended to proceed with the actual assessment.

The assessment concludes in a three-step process:

The Risk Evaluation Flow


Source: Caliste, J.-P & Heitor, Jone (2020)

The Risk Assessment Grid
Quality Assurance for cyber-hygiene

An introduction to Quality Assurance

Professionals and experts in the domain of business management will certainly have heard of Lean Manufacturing, Total Quality Management (TQM), Just In Time (JIT), etc.

The ones that we just mentioned are among the best-known audit frameworks for quality management applied at industrial level.

These models all have one thing in common: they originated in Japan and became the top worldwide reference for audit and quality assurance procedures.

An introduction to Quality Assurance – KAIZEN

What is less known about TQM and JIT is the business “philosophy” from which they emerged: Kaizen (改善), literally translated as 改 = change, 善 = good.

Kaizen culture implies the constant and continuous establishment of higher performance standards.

Around the 80s it became the dominant business paradigm of Japanese industries, with particular reference to Toyota (i.e., Toyota Production System, Toyotism).

…but even less known is the fact that Kaizen culture is not a fully Japan-made product.

An introduction to Quality Assurance – DEMING

The Kaizen model owes its origins to a cross-national industry collaboration programme between the USA and Japan that started at the end of WW2.

More specifically, the starting points for the current Kaizen model were inspired by the work of a luminary figure in the US business landscape of the time: W. Edwards Deming (1990-1993).

E. Deming is the man behind one of the first reference frameworks for quality assurance and auditing: the DEMING model.



The DEMING Model

Source: Deming, W.E., 1950. Elementary Principles of the Statistical Control of Quality, JUSE.


Over time, the DEMING model has undergone a very large number of revisions promoted by other authors following E. Deming’s trail; Kaizen is in fact one of them.

As of today, the original DEMING model has inspired ISO 9001 for quality management principles.

Out of all the readaptations of the DEMING model, we would like to propose the one presented in an “evolutionary” perspective.

The “advanced” DEMING model

The DEMING model – remarks

The real strength of the DEMING model, which has allowed it to stand the test of time, is that:

• It is simple to understand
• It can be applied by any organisation – regardless of the occupied market/industry
• It can be applied to any process/business function – including cybersecurity

From ISO 31000, we saw that a comprehensive risk management model takes into consideration a transversal and ongoing monitoring and evaluation process.

The DEMING cycle covers both priorities as it allows users to:

1. Strategize on the most suitable cybersecurity solutions in consideration of the mapped risks and organisational settings
2. Implement the aforementioned
3. Evaluate and validate their adequacy
4. React accordingly.

Formative VS Summative evaluation

It might be recommended to split the evaluation process (i.e., the “check” phase) into two separate parts, depending on the actual timing of the evaluation.


Formative Evaluation: step-by-step evaluation of processes and day-by-day assessment of your activities.

Summative Evaluation: upon conclusion of any major result, look back at what has been done and try to compare it with your foreseen standards / expectations.


Key takeaways

• Risk management transitioning from a horizontal function to a key internal resource for competitive success
• Risk management as a mind-set, rather than an operational approach
• Awareness → Readiness → Resilience
• Risk mitigation and countermeasures: identification, analysis and evaluation
• Evaluation of the risk: Likelihood VS Impact
• Quality Assurance: constant & continuous improvement


Quality Assurance, DEMING cycle, risk identification, risk assessment, monitoring, evaluation, management


The objective of this module is to nurture in readers a renewed awareness of the strategic role of (cyber) risk management for micro and small-medium enterprises operating within an interconnected digital ecosystem.


new agenda for risk management as a business function that transversely permeates all tasks and activities while responding to the new urgent need of safeguarding businesses from cyber threats.

We will do that by sharing trustworthy, robust and reliable managerial frameworks that traditionally apply to all business functions.

The European Commission's support for the production of this publication does not constitute an endorsement of the contents, which reflect the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.
Legal description – Creative Commons licensing:
The materials published on the CyberMSME project website are classified as Open Educational Resources (OER) and can be freely (without permission of their creators) downloaded, used, reused, copied, adapted, and shared by users, with information about the source of their origin.