Computer Standards & Interfaces 97 (2026) 104099

Integrating IoT security practices into a risk-based framework for small and medium enterprises (SMEs)

Samer Aoudi *, Hussain Al-Aqrabi
Department of Computer Information Science, Higher Colleges of Technology, Sharjah, UAE

Keywords: IoT security; Risk assessment; SME cybersecurity; Threat modeling; STRIDE; CVSS; Bayesian inference

Abstract

The growing integration of Internet of Things (IoT) technologies within Small and Medium Enterprises (SMEs) has introduced new operational efficiencies while simultaneously expanding the cybersecurity threat landscape. However, most SMEs lack the resources, technical expertise, and institutional maturity required to adopt existing security frameworks, which are often designed with large enterprises in mind. This paper proposes a risk-based framework specifically developed to help SMEs identify, assess, and mitigate IoT-related security risks in a structured and scalable manner. The framework integrates key components such as asset classification, STRIDE-based threat modeling, CVSS-driven vulnerability assessment, and dynamic risk prioritization through Bayesian inference. Emphasis is placed on cost-effective mitigation strategies that are feasible within SME resource constraints and aligned with regulatory requirements. The framework was validated through a real-world case study involving a digitally enabled retail SME. Results demonstrate tangible improvements in vulnerability management, security control implementation, and organizational readiness. Additionally, qualitative feedback from stakeholders highlights the framework’s usability, adaptability, and minimal disruption to operations.
This research bridges a critical gap in the current literature by contextualizing established cybersecurity methodologies for the SME sector and providing a practical toolset for managing IoT risks. The proposed framework offers SMEs a viable path toward improving cybersecurity resilience in increasingly connected business environments.

* Corresponding author. E-mail address: samer_aoudi@hotmail.com (S. Aoudi).
https://doi.org/10.1016/j.csi.2025.104099
Received 10 June 2025; Received in revised form 3 November 2025; Accepted 21 November 2025; Available online 26 November 2025
0920-5489/© 2025 Elsevier B.V.

1. Introduction

The Internet of Things (IoT) is reshaping the digital landscape, driving innovation across industries by interconnecting billions of devices. From smart sensors and industrial controllers to home automation systems and connected medical equipment, IoT enables continuous data exchange, automation, and real-time analytics. Its widespread integration is transforming sectors such as healthcare, manufacturing, transportation, and retail. Projections indicate that IoT device adoption will exceed 39.9 billion units by 2033, outpacing traditional computing platforms such as laptops and smartphones [1].

In the business domain, IoT technologies are instrumental in boosting operational efficiency, reducing costs, and enabling agile service models. For instance, in logistics, IoT-enabled tracking systems improve supply chain visibility and inventory accuracy, minimizing losses and enhancing responsiveness [2]. In healthcare, connected medical devices allow for real-time patient monitoring and timely clinical interventions, elevating care standards [3]. SMEs, in particular, are increasingly adopting IoT solutions to streamline operations and remain competitive. However, this rapid adoption has introduced heightened cybersecurity concerns. SMEs often lack dedicated cybersecurity personnel and operate with limited financial and technical resources, leaving them especially vulnerable to IoT-specific threats and system misconfigurations.

The growth trajectory of IoT is further accelerated by advancements in artificial intelligence (AI) [4], edge computing [5–7], and 5G networks [8]. AI-integrated IoT systems enhance threat detection and support autonomous decision-making. Edge computing enables low-latency data processing at the device level, and 5G introduces ultra-high bandwidth and reliable communication, powering real-time industrial and smart city applications. Together, these technologies signal an era of unprecedented connectivity, in which SMEs must navigate both operational transformation and an increasingly complex cybersecurity threat landscape.

1.1. Problem statement

While the Internet of Things (IoT) offers significant operational advantages, it also exposes organizations, particularly SMEs, to increasingly complex and evolving cyber threats [9–11]. The diverse and heterogeneous nature of IoT devices introduces system-level challenges such as default credentials, outdated firmware, insecure communication protocols, and insufficient access controls [12–15]. These technical shortcomings, combined with limited in-house expertise and constrained budgets, hinder SMEs from effectively securing their IoT infrastructures [16]. Moreover, compliance with emerging regulations such as the European Union’s General Data Protection Regulation (GDPR) and the UAE’s Federal Personal Data Protection Law (PDPL) further complicates security governance for SMEs.

Several well-known cybersecurity frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) [17], NIST SP 800-183 [18], ISO/IEC 27005 [19], European Union Agency for Cybersecurity (ENISA) IoT security guidelines [20,21], and the Open Web Application Security Project (OWASP) IoT Project [22], offer valuable guidance for addressing IoT risks. However, these frameworks are often too complex, resource-intensive, or abstract for SMEs to adopt without significant adaptation. Many lack actionable, SME-friendly methodologies or assume levels of organizational maturity not representative of typical small businesses [23,24].

A critical gap exists in the cybersecurity literature: the absence of a risk-based, scalable, and accessible framework that effectively addresses the specific limitations and operational realities of SMEs operating IoT environments. While numerous frameworks exist, most are designed for large enterprises and are ill-suited for small businesses with constrained resources. This study focuses specifically on SMEs that deploy IoT-enabled infrastructure, aiming to support them in managing the growing complexity of IoT-related cybersecurity risks through tailored, resource-aware risk assessment practices.

1.2. Research objectives

This research aims to develop a structured, risk-based framework tailored to the cybersecurity needs of Small and Medium Enterprises (SMEs) operating Internet of Things (IoT) environments. The proposed approach is designed to help SMEs systematically identify, assess, and mitigate IoT-related threats while accounting for their limited technical expertise and financial constraints. Rather than introducing entirely new tools, the framework repurposes and integrates well-established methodologies into a coherent, resource-aware process that SMEs can realistically adopt and sustain.

Rather than introducing novel technical tools, the framework repurposes and streamlines established methods to create a workflow accessible to SMEs with minimal cybersecurity maturity. In doing so, it contributes to the IoT security literature by addressing persistent gaps in the applicability, scalability, and adaptability of existing frameworks for SMEs. This study advances the field in three key dimensions.

First, it emphasizes SME-centricity by grounding the proposed framework in the operational realities of a real-world case study. Unlike enterprise-focused research, this study captures the practical limitations SMEs face, including limited staffing, budget constraints, and fragmented infrastructure. Second, the framework offers a multi-layered integration of essential cybersecurity practices. It links asset classification with STRIDE-based threat modeling, CVSS-informed vulnerability assessment, and Bayesian-driven dynamic risk updates into a coherent, stepwise model. While these components are well-documented individually, their consolidation for SME contexts is novel. Third, the inclusion of Bayesian post-mitigation risk reassessment enables continuous recalibration of threat likelihoods, a feature often absent from SME-targeted frameworks.

This contribution bridges the gap between complex enterprise models and the lightweight, accessible solutions SMEs need, while extending the utility of standards such as ENISA’s guidelines [21] and ISO/IEC 27005 [19] by contextualizing them for low-resource environments. Moreover, the value of this research lies in its practical orientation: the proposed framework was tested in a real-world SME, yielding tangible improvements in vulnerability reduction, risk mitigation efficiency, and staff security awareness. In doing so, this study provides a pragmatic and empirically validated model that bridges the gap between complex security theory and implementable practice for SMEs [23,24].

The remainder of this paper is structured as follows. Section 2 reviews existing literature on IoT security and related frameworks, with a focus on challenges specific to SMEs. Section 3 outlines the research methodology, including the case study design and evaluation approach. Section 4 presents the proposed five-step risk-based framework. Section 5 applies the framework to a real-world SME and reports both quantitative results and qualitative feedback. Section 6 discusses the framework’s effectiveness, compares it with existing standards, addresses regulatory compliance, and reflects on cost and SME applicability. Section 7 concludes the paper and outlines directions for future work.

2. Literature review

This section reviews the academic and industry literature related to IoT security, with a particular emphasis on the unique challenges faced by SMEs. It also evaluates existing cybersecurity frameworks and their limitations in SME contexts.

2.1. Foundations of IoT security challenges

The cybersecurity implications of IoT adoption have been widely discussed across academic and industry literature, yet challenges specific to SMEs remain underexplored. This section reviews the foundational security concerns of IoT environments and critically examines existing frameworks and their limitations in SME contexts.

The rapid proliferation of Internet of Things (IoT) technologies has ushered in unprecedented levels of interconnectivity, automation, and operational efficiency across a wide range of sectors, including healthcare, manufacturing, logistics, and retail [3]. While this technological advancement offers substantial benefits, it also significantly enlarges the cybersecurity threat surface, introducing complex risks that are both systemic and persistent. As noted by Tawalbeh et al. [9], the decentralized architecture, device-level resource constraints, and protocol heterogeneity inherent in IoT environments collectively give rise to a multi-dimensional security landscape that defies traditional protection models. These concerns are amplified in 5G-enabled IoT deployments, which, as highlighted by Wazid et al. [8], are vulnerable to a combination of legacy threats and emerging attack vectors enabled by increased bandwidth and connectivity.

Fundamental to the cybersecurity discourse surrounding IoT is the difficulty of enforcing the foundational triad of information security: confidentiality, integrity, and availability (CIA). Prior research has shown that IoT ecosystems struggle to uphold these principles uniformly due to the diversity of hardware and software platforms and the often-limited computational capacity of devices [12,25]. Compounding this issue are persistent security misconfigurations, such as the widespread use of default credentials, outdated firmware, and unencrypted communication channels, vulnerabilities that remain common despite increased awareness and guidance from sources such as the OWASP IoT Project [22].

The evolution toward Industry 4.0, characterized by the convergence of IoT, cyber-physical systems, and autonomous control, has further accelerated IoT adoption across business domains [26]. However, this shift has also intensified security concerns, particularly for SMEs that lack the organizational maturity, infrastructure, and expertise required to manage these complex systems effectively. Empirical studies consistently emphasize the resulting security and privacy implications, including data leakage, unauthorized system access, and operational disruption [27]. These risks are especially pronounced in SME environments, where cybersecurity preparedness often lags behind technological adoption [28].

2.2. Existing IoT risk assessment frameworks

Multiple frameworks have attempted to codify IoT security risk management, drawing from well-established standards such as ISO/IEC 27005 [19] and NIST’s Cybersecurity Framework [18]. While these frameworks provide generic guidance for identifying, assessing, and mitigating risks, their practical applicability to SMEs with limited cybersecurity maturity remains questionable [24].

ENISA [20,21] provides IoT-specific guidance by recommending baseline security controls and governance practices for critical infrastructure. However, its approach tends to be prescriptive and often assumes high organizational maturity and resourcing. Similarly, the NIST SP 800-183 report [17] conceptualizes the "Network of Things," offering terminologies and abstraction layers for risk management but stops short of operationalizing a dynamic risk response model.

Zheng et al. [29] and Queiroz et al. [30] have explored digital transformation frameworks for supply chains and smart manufacturing, respectively, but their emphasis is primarily on strategic alignment and technological enablement rather than actionable risk quantification.

This subsection reviews key frameworks that inform our approach:

• NIST Cybersecurity Framework (CSF) and NIST Special Publication 800-183: The NIST CSF is one of the most widely adopted frameworks for managing cybersecurity risks. It provides a flexible and scalable approach organized into five core functions: Identify, Protect, Detect, Respond, and Recover [17]. While the NIST CSF is comprehensive, its implementation often requires significant resources and expertise, which may be beyond the capacity of many SMEs [23].
• ISO/IEC 27005: ISO/IEC 27005 provides guidelines for information security risk management, emphasizing the importance of risk assessment and treatment [19]. Although it is highly detailed, its complexity and resource-intensive nature make it less accessible for SMEs, particularly those with limited cybersecurity expertise [24].
• OWASP IoT Project: The Open Web Application Security Project (OWASP) IoT Project focuses on identifying and mitigating common vulnerabilities in IoT devices and applications [15,22]. While it offers practical guidance, it lacks a structured risk assessment process, making it difficult for SMEs to prioritize and address risks systematically.
• ENISA IoT Security Guidelines: The European Union Agency for Cybersecurity (ENISA) has developed guidelines for securing IoT ecosystems, covering areas such as device hardening, secure communication, and lifecycle management [21]. However, these guidelines are often too generic and do not provide actionable steps for SMEs with limited technical capabilities.

2.3. Shortcomings in current approaches

Despite the availability of numerous frameworks and guidelines designed to enhance the security of IoT ecosystems [31], a persistent gap remains in their applicability to SMEs. Many of these frameworks were developed with large organizations in mind, requiring considerable technical expertise, financial investment, and operational maturity. As Chidukwani et al. [23] emphasize, most SMEs lack the resources necessary to implement comprehensive cybersecurity programs, making the adoption of existing frameworks impractical without significant adaptation. This challenge is compounded by the complexity and prescriptive nature of these models, which often overwhelm smaller organizations seeking feasible entry points into IoT security.

In addition to resource constraints, SMEs face methodological limitations in the tools commonly used for risk assessment. Czekster et al. [32] point to the rigidity of static risk models, which struggle to accommodate evolving threat landscapes or adjust post-control risk levels based on new evidence. Traditional risk matrices, while widely adopted for their simplicity, have drawn criticism for their reliance on subjective assessments and oversimplified likelihood-impact scoring systems [33]. These models frequently fail to incorporate real-time threat intelligence or context-aware decision-making, which are critical for dynamic and heterogeneous IoT environments.

Emerging approaches involving artificial intelligence (AI) and machine learning (ML) show promise in areas such as anomaly detection and automated vulnerability discovery [4,11,34]. However, such solutions are often opaque, computationally intensive, and dependent on advanced technical skills, barriers that place them out of reach for many SMEs. Research by Kong et al. [35] and Aoudi et al. [36] has advanced intelligent IoT frameworks, yet these too generally assume the availability of enterprise-grade infrastructure and cybersecurity expertise.

Moreover, the fragmented nature of IoT security standards further complicates adoption. Brass et al. [37] and Webb & Hume [38] highlight the lack of harmonized, SME-centric guidance, which results in implementation ambiguities and regulatory compliance challenges. To contextualize these issues, Table 1 summarizes the major limitations of current frameworks when applied to SMEs, including their complexity, scalability issues, and lack of actionable guidance tailored to smaller organizational contexts.

Table 1
Gaps in existing frameworks for SMEs.

Gap | Description
Resource intensity | Frameworks such as NIST CSF and ISO/IEC 27005 require significant financial and technical resources, which are often unavailable to SMEs [24,19].
Complexity | The technical complexity of ISO/IEC 27005 and related standards can be overwhelming for SMEs lacking dedicated cybersecurity teams [23,24].
Lack of IoT-specific focus | Frameworks like the OWASP IoT Project address IoT vulnerabilities but do not integrate end-to-end risk assessment and mitigation [15,39].
Scalability issues | Many existing frameworks assume organizational maturity that SMEs typically do not possess, hindering their applicability [21,24].
Limited practical guidance | Most frameworks offer general recommendations but lack detailed, step-by-step guidance tailored to SME operational contexts [23,32,33].

The framework proposed in this study seeks to overcome these challenges by distilling best practices from established standards such as NIST and ISO, and restructuring them into a pragmatic, lightweight, and accessible model. In doing so, it provides SMEs with a pathway to improved IoT security posture that aligns with their operational realities and capacity constraints.

2.4. Theoretical foundation

The formulation of a risk-based framework for securing Internet of Things (IoT) environments in SMEs is anchored in three foundational cybersecurity concepts: risk assessment, threat modeling, and vulnerability analysis. Together, these pillars provide the conceptual structure necessary for systematically identifying, evaluating, and mitigating the unique security challenges that arise in SME-operated IoT ecosystems. This section articulates the theoretical basis for the proposed framework, establishing its relevance and rigor in addressing real-world SME constraints.

Risk assessment is a critical process that enables organizations to identify, analyze, and evaluate risks to their digital assets, operations, and stakeholders [19]. Within the IoT domain, risk assessment facilitates the mapping of potential security threats to specific devices and services, supporting informed decision-making about risk mitigation and resource allocation. The NIST Cybersecurity Framework [18] highlights risk assessment as a central component of a proactive cybersecurity strategy. For SMEs, whose resources are often severely constrained, a well-structured risk assessment process becomes indispensable for prioritizing security efforts and ensuring that the most pressing vulnerabilities are addressed efficiently.

Threat modeling offers a complementary lens by systematically identifying potential threats based on a system’s architecture, interfaces, and usage patterns [40]. Among the most recognized methodologies are STRIDE [41] and PASTA [42]. STRIDE categorizes threats into six archetypes, Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege, enabling structured analysis of attack surfaces. In contrast, PASTA adopts a business-aligned, process-driven perspective, aiming to connect technical threats with organizational impact. Both methodologies provide a rigorous basis for uncovering and preemptively addressing IoT-specific threats, including unauthorized access, device manipulation, and data exfiltration.

Vulnerability analysis completes the triad by identifying exploitable weaknesses across the IoT stack, from hardware and firmware to communication protocols and cloud services [43]. Given the diversity and scale of IoT deployments, SMEs often struggle to conduct vulnerability assessments systematically. Tools such as Nessus and OpenVAS offer automated scanning capabilities that facilitate the identification and classification of vulnerabilities, often using metrics like CVSS scores to guide remediation priorities [44]. Nevertheless, the effective use of these tools still requires a framework that contextualizes findings within the operational realities of SMEs.

The integration of these three theoretical domains, risk assessment, threat modeling, and vulnerability analysis, forms the analytical core of the proposed framework. Their synergy enables a comprehensive, end-to-end approach that is both methodologically rigorous and practically adaptable. For instance, asset classification, an essential element of risk assessment, provides the input for targeted threat modeling, which, in turn, informs vulnerability scanning strategies. This layered methodology supports SMEs in navigating complex IoT security landscapes with limited expertise and resources, offering a structured yet flexible model for scalable, cost-effective cybersecurity risk management.

2.5. Probabilistic and Bayesian approaches

The incorporation of probabilistic reasoning into cybersecurity decision-making has gained traction in recent years, particularly in the context of dynamic risk estimation and adaptive threat modeling. Among these approaches, Bayesian inference stands out for its ability to systematically update risk assessments based on new evidence, offering a mathematically grounded mechanism for recalibrating threat likelihoods over time [45]. Despite its demonstrated value in broader cybersecurity contexts, the application of Bayesian methods within IoT-specific risk frameworks remains underexplored, particularly in environments characterized by constrained resources and operational variability, such as SMEs.

Existing literature acknowledges the need for dynamic models capable of responding to the fluidity of IoT threat landscapes. Czekster et al. [32] advocate for adaptive risk models but fall short of articulating concrete implementation pathways that are feasible for SMEs. Similarly, Lee [46] underscores the promise of probabilistic techniques in IoT cybersecurity but highlights their limited uptake in practice, citing challenges such as computational overhead, model complexity, and the lack of accessible tooling to support real-time updates.

A critical shortfall in current frameworks is the absence of structured post-control risk reassessment. Once security controls, such as patch deployment or network segmentation, are implemented, most models fail to revise the underlying threat likelihoods accordingly. This omission can lead to persistent overestimation or underestimation of risk, resulting in inefficient allocation of limited security resources. ENISA [21] and empirical investigations such as Younis et al. [2] reinforce the importance of continuous reassessment to maintain alignment between perceived and actual risk postures.

Bayesian models offer a theoretically robust solution to this problem by enabling the integration of prior risk estimates with real-time evidence (e.g., vulnerability scan results, threat intelligence, or behavioral anomalies). This capacity for ongoing refinement makes Bayesian inference especially relevant in IoT ecosystems, where device configurations, exposure profiles, and threat landscapes are in constant flux. However, despite its suitability, Bayesian modeling remains largely absent in SME-oriented IoT security literature, underscoring a significant and timely gap that this study seeks to address through its proposed framework.

2.6. Integrating threat modeling and vulnerability scanning

Structured threat modeling and automated vulnerability assessment represent two foundational components of modern cybersecurity practices. Among threat modeling methodologies, the STRIDE framework has emerged as a widely accepted standard due to its systematic taxonomy, encompassing Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege, and its alignment with system-level architectural analysis [40–42]. Despite its conceptual strengths, the operational deployment of STRIDE remains largely limited to organizations with mature secure development lifecycles, rendering it inaccessible to many SMEs that lack formalized security engineering practices.

Parallel to threat modeling, vulnerability scanning tools such as Nessus [43] and OpenVAS [44] provide powerful means for identifying known security flaws, misconfigurations, and software weaknesses. These tools generate Common Vulnerability Scoring System (CVSS)-based severity ratings, offering actionable insights for technical remediation. However, as Neshenko et al. [39] observe, these tools are frequently underutilized in SME contexts, not due to a lack of relevance, but because their outputs are rarely integrated into broader, dynamic risk evaluation frameworks. In SMEs, where security decisions must often be made with minimal human oversight and limited technical capacity, such disconnection diminishes the practical value of vulnerability data.

Case-specific studies by Fernandes et al. [14] and Cherian and Varma [13] illustrate isolated applications of threat analysis in environments such as smart homes and SDN-based IoT networks. While valuable in highlighting device-specific risks, these contributions remain narrowly focused and lack generalizable, system-level integration. More critically, they do not account for the potential of combining threat modeling and vulnerability data with probabilistic risk updating, such as Bayesian inference, to inform risk prioritization and post-control reassessment.

There remains, therefore, a notable gap in current literature and practice: the absence of a unified, SME-oriented framework that systematically links structured threat modeling (e.g., STRIDE), automated vulnerability scanning (e.g., Nessus, OpenVAS), and dynamic risk quantification. This study addresses that gap by proposing an integrated methodology that operationalizes these elements into a cohesive workflow tailored to the constraints and capabilities of SME environments.

3. Methodology

This section outlines the research design used to develop and validate the proposed framework. A sequential mixed-methods approach is adopted, combining theoretical integration with case-based evaluation.

3.1. Research design

The goal of this study is to develop and validate a cybersecurity risk management framework tailored to the needs and constraints of SMEs adopting IoT technologies. To ensure methodological rigor and practical relevance, a sequential mixed-methods design was adopted. This approach combines qualitative and quantitative data collection and analysis in a phased sequence, where the qualitative phase informs the quantitative one, an established design in applied security research [47,48].

As illustrated in Fig. 1, the study follows a two-phase structure grounded in pragmatic philosophy and a deductive research strategy. The pragmatic stance prioritizes actionable, real-world solutions over rigid adherence to a single philosophical paradigm, allowing for methodological flexibility and contextual adaptation [49]. The deductive approach supports theory-driven framework development, followed by empirical validation.

Phase 1 centers on framework development, which forms the primary contribution of this study. Drawing from ISO/IEC 27005 [19], the NIST Cybersecurity Framework [17], and threat modeling strategies such as STRIDE and PASTA [41,42], this phase involved synthesizing best practices into a lightweight, five-step process appropriate for resource-constrained SMEs. This structured integration offers a novel contribution by operationalizing concepts such as CVSS-based vulnerability scoring and Bayesian risk updating within an accessible, implementation-ready format. The uniqueness of this integration lies in its combination of STRIDE-based threat modeling, CVSS-driven vulnerability scoring, and Bayesian updating into a cohesive workflow that enables SMEs to perform dynamic risk prioritization using lightweight, resource-aware processes.

Phase 2 focuses on framework validation, conducted through a single-case study in a real-world SME. This phase triangulates data from stakeholder interviews, vulnerability scans, and document analysis to assess the framework’s usability, scalability, and effectiveness in improving cybersecurity posture. This design ensures that the framework is not only theoretically grounded but also contextually feasible and adaptable for small business environments.

Together, these phases are underpinned by a unified research design grounded in three foundational elements: pragmatism, deductive logic, and a sequential mixed-methods strategy. Pragmatism emphasizes practical, real-world outcomes over strict epistemological adherence, an essential stance when addressing the operational constraints of SMEs. The deductive approach enables theory-driven framework construction, which is then empirically validated through real-world application. Finally, the sequential mixed-methods strategy allows qualitative insights to shape the development of the framework in Phase 1, while quantitative evaluation in Phase 2 ensures measurable impact. These guiding principles shaped both the structure and execution of the study, as illustrated in Fig. 1.

3.1.1. Phase 1: framework development

The initial phase of this research focuses on the design of a structured, risk-based cybersecurity framework tailored to the specific constraints and operational realities of SMEs. To inform this development, a systematic review was conducted encompassing existing IoT security frameworks, risk assessment methodologies, and documented SME-specific security challenges [50]. This review served not only to map the current state of practice but also to identify key gaps in applicability, usability, and scalability that constrain existing solutions in SME environments.

The proposed framework does not introduce novel security mechanisms. Instead, it synthesizes established methodologies into an integrated, coherent structure optimized for resource-limited organizations. It draws from recognized standards such as the NIST Cybersecurity Framework (CSF) [17] and ISO/IEC 27005 [19] for risk assessment, while employing threat modeling techniques like STRIDE [40] and PASTA [41] to systematically identify and categorize threats. These components are combined to form a pragmatic, stepwise process that lowers the entry barrier for SMEs seeking to enhance their cybersecurity posture.

Fig. 1. Research Design.

The resulting framework consists of five interlinked components:

1. Asset Classification: Systematic identification and categorization of IoT assets based on business criticality and functional dependencies.
2. Threat Modeling: Application of STRIDE and PASTA to analyze potential attack vectors and system vulnerabilities.
3. Vulnerability Assessment: Technical analysis of system weaknesses using industry-standard tools such as Nessus and OpenVAS.
4. Risk Prioritization: Development of a context-aware risk matrix that accounts for both likelihood and business impact, tailored to SME constraints.
5. Mitigation Strategies: Selection of cost-effective and scalable security controls, including technical (e.g., encryption, access control) and procedural (e.g., regular patching) safeguards.

3.1.2. Phase 2: framework validation

The second phase involves empirical validation of the proposed framework through a single-case study conducted in a real-world SME setting. This qualitative-quantitative design enables the evaluation of the framework’s practical relevance, scalability, and impact under authentic operational constraints. The case study subject, Lilac Studio, is a Dubai-based SME operating in the retail sector. It was selected using purposive sampling based on three criteria: (1) active use of IoT technologies, (2) resource limitations typical of SMEs, and (3) willingness to participate in comprehensive evaluation procedures [51].

Data collection in this phase employed triangulated methods to enhance reliability and capture multidimensional insights:

• Semi-structured interviews were conducted with six SME stakeholders, including two business owners, two IT personnel, and two operational staff, all based in the United Arab Emirates. While the sample size is small, it reflects key functional roles commonly found in SMEs and provides a representative cross-section of perspectives within the organization. The findings are contextually relevant for other SMEs operating in sectors such as retail, logistics, and hospitality, which share similar IoT adoption patterns and cybersecurity constraints.
• Vulnerability scanning was performed using Nessus and OpenVAS before and after framework implementation, providing objective metrics on system-level improvements.

To protect the integrity and privacy of sensitive organizational data, all collected information was anonymized and securely stored on encrypted systems, with access restricted to the research team.

Despite its contributions, the study is subject to several methodological limitations that warrant consideration. First, the use of a single-case study design, although well-suited to in-depth, context-specific exploration, may limit the generalizability of the findings to other SME contexts or industry sectors. While the selected case is representative of many SME characteristics, broader validation across diverse organizational settings is necessary to strengthen external validity.

Second, a portion of the data collected, particularly through stakeholder interviews, is self-reported, and thus potentially subject to biases such as recall error or social desirability. However, these limitations were mitigated through methodological triangulation, including the integration of quantitative vulnerability scan data and document analysis. This multi-source validation strategy enhances the credibility of the findings and supports a more holistic understanding of the framework’s effectiveness.

Overall, while recognizing its constraints, the study is designed with sufficient methodological rigor to ensure reliability and relevance. These limitations also offer pathways for future research, particularly in extending validation efforts to additional SMEs and industry domains.

4. Proposed framework

This section introduces the five-step IoT risk-based framework developed specifically for SMEs. Each component of the framework is discussed in detail, emphasizing practical implementation and scalability.

4.1. Overview

This section introduces the proposed risk-based IoT security framework, which builds on insights from prior research and established industry practices. Designed specifically for SMEs, the framework systematically addresses the unique cybersecurity challenges that arise in managing IoT environments. SMEs are particularly susceptible to IoT-related threats due to constrained budgets, fragmented infrastructure, and limited in-house expertise. To address these realities, the framework
provides a structured yet accessible approach that strengthens security • Document analysis of internal security policies and historical inci­ without introducing unnecessary complexity or financial burden. dent reports was conducted to establish a baseline and track proce­ The framework comprises five sequential steps, asset classification, dural enhancements. threat modeling, vulnerability assessment, risk prioritization, and miti­ gation planning. Each step builds on the preceding one, ensuring a This multi-source approach ensures that the framework’s effective­ logical and scalable progression toward comprehensive risk manage­ ness is evaluated both technically and operationally, supporting its ment. These components are elaborated in detail in Section 4.2, with practical relevance and broader applicability to similarly structured emphasis on real-world applicability, cost-effectiveness, and compati­ SMEs. bility with SME operational models. While the single-case design enables deep contextual analysis, it By consolidating established cybersecurity practices, such as those inherently limits the generalizability of the findings to other SME set­ found in the NIST Cybersecurity Framework and ISO/IEC 27005, into a tings or industry domains. The selected case represents a typical streamlined and integrated process, the framework combines theoretical example of a digitally enabled SME in a resource-constrained environ­ rigor with practical usability. It enables SMEs to identify critical assets, ment, but further validation across multiple organizations and sectors is assess threats, quantify risks, and implement appropriate mitigation needed to confirm the framework’s broader applicability. This limita­ strategies, all while remaining within realistic operational and resource tion is acknowledged as a trade-off for depth and realism in early-phase boundaries. Unlike traditional frameworks that treat these components framework evaluation. 
in isolation, this framework uniquely fuses STRIDE, CVSS, and Bayesian inference into a continuous cycle, supporting iterative risk reassessment 3.2. Ethical considerations and limitations as new evidence emerges. This study was conducted in strict accordance with established 4.2. Process ethical research protocols, with particular attention to the principles of informed consent, participant confidentiality, and data anonymization The operational logic of the proposed framework is realized through [47]. All participants involved in interviews and data collection activ­ five interlinked stages that guide SMEs through the identification, ities were fully briefed on the study’s objectives, procedures, and their evaluation, and mitigation of IoT security risks. Each step balances rights, including the right to withdraw at any point without conse­ methodological precision with operational feasibility, allowing imple­ quence. Written informed consent was obtained prior to participation. mentation by teams with limited cybersecurity expertise. 6 S. Aoudi and H. Al-Aqrabi Computer Standards & Interfaces 97 (2026) 104099 Fig. 2 illustrates the five-step IoT security risk framework, presenting lightweight algorithm that computes a risk score for each threat using each component in a sequential, SME-friendly format. This visual rep­ impact and likelihood metrics. Where available, Bayesian scoring re­ resentation supports structured implementation by mapping the flow places subjective estimations to enhance accuracy. The algorithm filters from asset identification to final mitigation. threats through a resource constraint lens, selecting only those for which Risk prioritization within the framework is further operationalized mitigation is feasible within the SME’s available capacity. 
through Algorithm 1, which presents a lightweight, resource-aware This algorithm enables SMEs to focus their limited resources on approach for ranking threats based on likelihood, impact, and feasi­ mitigating the highest-priority threats. The incorporation of Bayesian bility of mitigation. The algorithm integrates static scoring and, where inference allows for dynamic recalibration of risk scores as new data applicable, Bayesian inference to support dynamic risk recalibration. becomes available, ensuring that the framework remains both adaptive and aligned with the evolving threat landscape. 1. Asset Classification: The process begins with the identification and categorization of IoT assets based on their criticality to core business operations. This step creates a foundational asset inventory and es­ 4.3. Scalability and adaptability tablishes dependencies, which are essential for contextualizing sub­ sequent risk assessments. The asset classification process follows a A key strength of the proposed framework lies in its adaptability structured algorithm designed specifically for SMEs, which accounts across a wide range of SME IoT contexts. Recognizing that IoT imple­ for device criticality, functional dependencies, and data sensitivity. mentations vary in scale, complexity, and purpose even within the SME The steps are detailed in Algorithm 2 in Appendix A. segment, the framework is designed to be modular and context-aware. It 2. Threat Modeling: Leveraging established methodologies such as enables SMEs to tailor adoption based on their existing infrastructure, STRIDE, organizations systematically map threat categories to technical maturity, and regulatory requirements, while maintaining identified assets. This process uncovers potential attack vectors and alignment with core risk management principles. anticipates their business impacts. 
The application of STRIDE for Rather than attempting to generalize across all industry sectors, the threat modeling is guided by a structured procedure adapted for SME framework is explicitly focused on IoT-enabled SMEs, particularly those environments. The detailed steps are outlined in Algorithm 3 in deploying connected devices for operational monitoring, automation, or Appendix A. service delivery. These include SMEs in retail, logistics, and light in­ 3. Vulnerability Assessment: Automated scanning tools such as dustrial settings, domains where IoT adoption is growing and where Nessus and OpenVAS are employed to detect known vulnerabilities SMEs remain key stakeholders. across device, network, and software layers. The results are The framework also supports adaptation along two practical augmented by CVSS-based exploitability scores, yielding actionable dimensions: insights for remediation. The vulnerability assessment process is carried out using a three-stage procedure that includes automated • Maturity-Based Adaptations: SMEs with limited technical capacity scanning and optional penetration testing, tailored to SME capacity. can adopt a lightweight implementation by prioritizing essential This process is described in Algorithm 4 in Appendix A, while tool- steps such as asset classification and risk assessment using default specific configurations are detailed in Appendix B. STRIDE and CVSS templates. More mature SMEs can integrate 4. Risk Prioritization: Identified threats and vulnerabilities are eval­ advanced tools, including Bayesian updating and automated uated using a custom risk matrix that considers likelihood, business vulnerability scanning, for deeper security insights. impact, and resource constraints. For SMEs with access to advanced • Regulatory Adaptability: The framework is compatible with data, Bayesian inference can be used to dynamically update risk jurisdiction-specific compliance mandates. 
For example, SMEs levels based on new evidence, providing a more accurate and operating in the European Union can incorporate GDPR-aligned responsive prioritization model. safeguards, while those in the UAE can tailor their implementation 5. Mitigation Planning: Based on the prioritized risks, SMEs imple­ to meet the requirements of the Federal Personal Data Protection ment cost-effective and scalable controls such as firmware updates, Law (PDPL). network segmentation, access control mechanisms, or employee training. These mitigation actions are aligned with organizational By focusing on IoT-reliant SMEs and enabling scaling based on capacity and regulatory requirements (e.g., GDPR Article 32 and the operational maturity and legal context, the framework offers a propor­ UAE PDPL), ensuring both compliance and operational fit. Associ­ tionate and sustainable approach to risk management without over­ ated cost and effort estimates are provided in Appendix C. extending its intended scope. The framework is further supported by a practical and reusable A core strength of the framework lies in its resource-aware risk pri­ toolset tailored to the constraints of IoT-enabled SMEs. It incorporates oritization mechanism, which enables SMEs to direct limited efforts widely recognized methodologies and tools, including STRIDE for threat toward the most critical risks. This process is operationalized through a modeling, Nessus Essentials and OpenVAS for vulnerability assessment, CVSS v3.1 calculators for risk quantification, and optional Bayesian Fig. 2. Five-Step IoT Security Risk Framework for SMEs. 7 S. Aoudi and H. Al-Aqrabi Computer Standards & Interfaces 97 (2026) 104099 Algorithm 1 Risk Prioritization for IoT Systems in SMEs. Require: Threat list T, Vulnerability set V, Asset inventory A, Resource constraints R. 
Optional: Bayesian posterior probabilities P (t |E) Ensure: Prioritized threat list P 1: P ←∅ 2: for all threat t ∈T do 3: Retrieve associated asset a ∈A 4: if Bayesian scoring available then 5: L(t) ← P(t∣E) 6: else 7: Assign likelihood L(t) ∈{1, 2, 3} ▹ Low, Medium, High 8: end if 9: Assign impact I(t) ∈{1, 2, 3}from asset criticality 10: Compute risk score R(t) ←L(t) × I(t) 11: end for 12: Sort T in descending order of R(t) 13: for all threat t ∈T do 14: Estimate mitigation effort E(t) (cost or hours) 15: if E(t) ≤R then 16: Add t to P 17: R ←R− E(t) 18: end if 19: end for 20: return P inference scripts for post-mitigation risk updating. All components are In sum, the framework offers a cost-effective, scalable, and techni­ either open-source or available under free/community licenses, making cally feasible solution for SMEs seeking to secure their IoT ecosystems. them accessible and cost-effective for resource-constrained organiza­ By integrating essential components, asset classification, threat tions while ensuring methodological rigor. modeling, vulnerability assessment, risk prioritization, and mitigation planning, it provides a structured and context-sensitive approach that accommodates the diverse capabilities and constraints of SME envi­ 4.4. Cost effectiveness ronments. Its emphasis on affordability, adaptability, and operational clarity makes it especially valuable in an era of rapidly expanding IoT The proposed framework has been intentionally designed with cost adoption among smaller organizations. efficiency as a core principle, acknowledging the significant financial and technical constraints that characterize many SMEs. In contrast to 5. Case study enterprise-grade security models that often require substantial in­ vestments in personnel, infrastructure, and proprietary technologies, To evaluate the proposed framework, a case study was conducted in this framework offers a practical and economically viable pathway for a real-world SME environment. 
This section details the application enhancing IoT cybersecurity in resource-constrained environments. process, observed results, and validation methodology. Several interrelated features contribute to its cost-effectiveness: 5.1. SME profile • Use of Readily Available and Open-Source Tools: The framework emphasizes reliance on established, freely accessible resources, such Lilac Studio is a Dubai-based SME operating in the retail sector, as Nessus Essentials, OpenVAS, and CVSS calculators, thereby elim­ specializing in curated lifestyle products such as celebration robes, inating the need for costly commercial solutions or vendor lock-in. personalized accessories, and gift boxes. The company employs a hybrid This approach significantly reduces implementation costs while operational model, combining a physical storefront located in a com­ maintaining analytical rigor. mercial retail complex with an e-commerce platform that serves regional • Scalability and Incremental Adoption: The framework supports customers across the United Arab Emirates. To streamline operations modular deployment, allowing SMEs to implement core components, and enhance the customer experience, Lilac Studio has adopted several such as asset classification and basic threat modeling, before grad­ Internet of Things (IoT) technologies, including smart inventory sensors, ually expanding to include more sophisticated elements like Wi-Fi-enabled point-of-sale (PoS) systems, and mobile-connected sur­ Bayesian-based risk updating. This progressive rollout aligns with veillance cameras. variable budget cycles and evolving security maturity. 
These IoT-enabled systems support real-time inventory tracking, • Risk-Based Prioritization: By incorporating a customized risk prior­ efficient transaction processing, and continuous physical security itization algorithm, the framework ensures that security investments monitoring, illustrating the increasing digitalization of operational are directed toward the most critical threats and vulnerabilities. This workflows even within small retail environments. However, despite its targeted approach enhances return on investment by aligning miti­ growing technological footprint, Lilac Studio operates with minimal gation efforts with business-critical assets and realistic threat internal IT staffing and a modest cybersecurity budget, consistent with likelihoods. the broader profile of resource-constrained SMEs. • Operational Simplicity: The framework is designed to be intuitive This juxtaposition of digital dependency and limited cybersecurity and accessible, requiring minimal cybersecurity expertise to deploy. maturity renders Lilac Studio an ideal testbed for evaluating the pro­ SMEs can follow structured processes and algorithmic guidance posed IoT risk management framework. The case study captures the without needing to hire specialized security consultants or establish typical challenges faced by SMEs attempting to secure complex, inter­ dedicated SOC teams. connected systems in the absence of dedicated security personnel or • Structured Methodology: Its clear, step-by-step architecture reduces advanced infrastructure. As such, it provides a realistic and relevant ambiguity and streamlines implementation. This structure helps context for assessing the framework’s applicability, usability, and SMEs avoid ad hoc security practices and fosters consistent risk effectiveness in achieving measurable improvements in cybersecurity management practices over time. posture. 8 S. Aoudi and H. Al-Aqrabi Computer Standards & Interfaces 97 (2026) 104099 5.2. 
5.2. Application of the framework

The proposed risk-based framework was applied to Lilac Studio's IoT environment to evaluate its practicality and impact in a real-world SME context. The implementation followed the framework's five core components: asset classification, threat modeling, vulnerability assessment, risk prioritization, and mitigation planning.

5.2.1. Asset classification

The first step involved identifying and categorizing the organization's IoT assets based on their criticality to business operations, the sensitivity of data processed, and integration with other digital systems. Asset value scores, ranging from 1 (low importance) to 10 (critical), were determined through consultations with the operations manager, sales personnel, and a brief technical audit. These scores provide the foundation for subsequent threat analysis and risk prioritization. The identified IoT assets were categorized based on their business criticality, functional roles, and interdependencies, as shown in Table 2.

Table 2
IoT Asset Classification.

| IoT Asset | Description | Value Score |
|---|---|---|
| Smart Inventory Sensors | Tracks stock levels and updates in real-time | 8 |
| Cloud-Connected PoS | Handles transactions and customer payments | 9 |
| Surveillance Cameras | Monitors physical store remotely | 6 |
| E-Commerce Platform | Customer ordering | 10 |
| IoT Gateway/Router | Connects all devices to central network | 9 |

5.2.2. Threat modeling

Using the STRIDE methodology, each asset was evaluated to identify potential threat types, enabling a structured assessment of the organization's attack surface. STRIDE threats were mapped to each asset to anticipate likely exploitation scenarios and their associated business impacts. The results of this mapping are presented in Table 3, which aligns each asset with its corresponding threat categories based on architectural vulnerabilities and exposure vectors.

Table 3
Threat Modeling (STRIDE).

| Asset | Threats Identified |
|---|---|
| Smart Inventory Sensors | Spoofing, Information Disclosure |
| PoS Terminal | Elevation of Privilege, Tampering, Repudiation |
| Surveillance Cameras | Information Disclosure, Denial of Service |
| E-Commerce Platform | Spoofing, Tampering, Information Disclosure |
| IoT Gateway | Denial of Service, Elevation of Privilege |

5.2.3. Vulnerability assessment

Comprehensive vulnerability scans were conducted using OpenVAS and Nessus Essentials across all five IoT-enabled assets. The assessment uncovered 19 vulnerabilities, categorized using CVSS v3.1 severity ratings. These included 5 critical vulnerabilities, such as remote code execution flaws in surveillance firmware and exposed default credentials on the IoT gateway, along with additional high, medium, and low severity issues. The distribution and examples of identified vulnerabilities across severity levels are summarized in Table 4.

See Appendix B for the scan setup, plugin families used, and representative CVSS vectors.

Table 4
Severity Distribution.

| CVSS Severity | Vulnerability Examples | Count |
|---|---|---|
| Critical | IoT Gateway default credentials, firmware RCE | 5 |
| High | SQLi on PoS, weak TLS/SSL ciphers | 8 |
| Medium | Input validation flaws | 4 |
| Low | Weak password policy, missing headers | 2 |

5.2.4. Risk prioritization

To determine which threats warranted immediate mitigation, a structured risk scoring model was applied. Each asset's value score was multiplied by the CVSS-based likelihood estimate of exploitation, producing a static risk score. The resulting calculations and classifications are presented in Table 5, which shows the risk levels for the most business-critical assets based on static risk scoring.

$\text{Static Risk Score}_{i,j} = V(a_j) \times L(t_i)$ (1)

Where:

• $V(a_j)$: Asset value score for asset $a_j$
• $L(t_i)$: Likelihood of threat $t_i$, derived from CVSS or other metrics

Table 5
Static Risk Scores.

| Asset | Value Score | Likelihood | Static Risk Score |
|---|---|---|---|
| Surveillance Cameras | 6 | 8.5 | 51.0 |
| PoS Terminal | 9 | 7.2 | 64.8 |
| IoT Gateway | 9 | 9.0 | 81.0 |

Note: The likelihood is CVSS-derived.

Each threat is evaluated using a standard risk scoring formula:

$R = L \times I$ (2)

where R represents the overall risk score, L denotes the likelihood of threat occurrence (rated as 1 = low, 2 = medium, 3 = high), and I represents the potential business impact (1 = minor, 2 = significant, 3 = critical). This simple but effective method allows SMEs to rank threats based on operational severity, forming the foundation for prioritized mitigation planning.

Risks were then categorized using a simple 3-tier model:

• Low (0–15)
• Medium (16–40)
• High (41–100)

The risk categorization thresholds were defined using expert judgment and SME-specific resource constraints. This approach is consistent with ISO/IEC 27005 guidance [19] and ENISA recommendations [21], both of which support context-aware, non-uniform risk boundaries based on operational impact, resource availability, and business risk tolerance. In resource-constrained environments like SMEs, risk prioritization emphasizes operational feasibility over statistical uniformity, allowing high-impact threats to be surfaced more aggressively even if scoring intervals are uneven.

This prioritization ensured that mitigation strategies targeted the most business-critical vulnerabilities, particularly those impacting customer data and payment infrastructure. Lower-risk assets were incorporated into a secondary mitigation schedule based on resource availability.

5.2.5. Mitigation strategies

Based on the risk assessment results, tailored mitigation strategies were developed for each high-risk asset class. These controls address both hardware and software vulnerabilities, including application-level issues such as unpatched content management systems (CMS) and insecure APIs. The mitigation efforts prioritize technical feasibility, cost-efficiency, and regulatory alignment with data protection requirements such as the GDPR and UAE PDPL.

Table 6 below summarizes the selected mitigation actions, grouped by asset:

Table 6
Asset-Specific Mitigation Strategies Addressing Hardware and Software Threats.

| Asset | Identified Threats/Vulnerabilities | Mitigation Strategies |
|---|---|---|
| Surveillance Cameras | Remote code execution (RCE), default credentials, unencrypted streams | Apply latest firmware updates to patch RCE flaws; disable remote admin access; enable TLS for video feeds |
| PoS Terminal | SQL injection, lack of input validation, insecure API connections | Implement server-side input validation and sanitization; deploy a Web Application Firewall (WAF); enforce HTTPS and secure API keys |
| IoT Gateway | Default login credentials, open ports, weak authentication | Replace default credentials with unique strong passwords; enable multi-factor authentication (MFA); implement network segmentation |
| E-Commerce Platform | Unpatched CMS, exposed admin panel, insecure session management | Regularly update CMS plugins and core; restrict admin access by IP and enforce MFA; implement secure cookie settings and session timeout |
| Smart Inventory Sensors | Lack of authentication, spoofing risk, insecure data transmission | Enforce mutual authentication between sensors and gateway; encrypt data in transit (TLS); configure MAC address whitelisting |

These mitigation controls were selected to balance impact severity with implementation complexity, ensuring that the organization could address the most critical vulnerabilities within its operational capacity. Where possible, open-source tools and existing infrastructure were leveraged to minimize cost. All actions were documented to support audit readiness and regulatory compliance.

5.3. Probabilistic risk modeling using probability

To overcome the rigidity of static risk matrices, the framework incorporates Bayesian inference to revise likelihood estimates based on post-control conditions. For example, after firmware updates were applied to the surveillance cameras, the likelihood of successful exploitation dropped significantly. Bayes' Theorem for Posterior Likelihood:

$P(t_i \mid E) = \dfrac{P(E \mid t_i)\, P(t_i)}{P(E)}$ (3)

Bayesian-adjusted risk score:

$\text{Bayesian Risk Score}_{i,j} = V(a_j) \times P(t_i \mid E)$ (4)

Where:

• $P(t_i)$: Prior probability of threat $t_i$
• $P(E \mid t_i)$: Likelihood of observing evidence E given $t_i$
• $P(t_i \mid E)$: Updated probability after evidence is collected
• $V(a_j)$: Asset value, same as before

The results of applying Bayesian inference to adjust threat likelihoods based on post-control evidence are presented in Table 7, which illustrates the resulting risk score reductions across key IoT assets. Full scoring examples and base vector configurations are included in Appendix B.

Table 7
Bayesian-Adjusted Risk Scores.

| Asset | Value Score | Posterior Likelihood | Bayesian Risk Score |
|---|---|---|---|
| Surveillance Cameras | 6 | 2.0 | 12.0 |
| PoS Terminal | 9 | 4.0 | 36.0 |
| IoT Gateway | 9 | 3.0 | 27.0 |

5.3.1. Integration with the framework

The Bayesian risk model is integrated into the proposed framework as a second-stage enhancement, augmenting the initial static risk matrix with dynamic, evidence-driven recalibration. While the qualitative matrix offers an accessible entry point for SMEs, particularly during early-stage assessments, its static nature limits responsiveness to real-time changes in threat conditions. The Bayesian component addresses this limitation by introducing probabilistic updating, enabling SMEs to refine risk estimates as new evidence becomes available (e.g., via scanner logs, incident reports, or patch records).

Recommended Implementation Flow:

1. Initial Risk Matrix: Risk scores are calculated based on static likelihood-impact assessments, typically using CVSS data and asset value scores.
2. Evidence Collection: SMEs gather new data from system logs, vulnerability scanners, and update records that inform post-control conditions.
3. Bayesian Update: Posterior threat probabilities are computed using Bayes' Theorem, allowing likelihood scores to reflect real-world changes.
4. Reprioritized Mitigation: Updated risk scores guide resource reallocation, shifting focus to residual or emerging risks.

This probabilistic integration enhances cost efficiency, as SMEs avoid overspending on already mitigated threats. It also improves agility, enabling organizations to shift posture without complex reengineering or external consultation. From a usability perspective, the model is designed to function with basic spreadsheet tools or lightweight scripts, making it feasible for SMEs with limited technical resources. Together, the static matrix and Bayesian model offer a scalable, hybrid approach, starting with simplicity and evolving into adaptive precision as operational maturity improves.

5.3.2. Deriving Bayesian parameters in practice

Applying Bayesian inference in the context of an SME, such as Lilac Studio, involves translating observable operational indicators and domain knowledge into probability estimates. The key components of Bayes' Theorem (prior probability, evidence, likelihood, and marginal probability) are derived as follows:

• Prior Probability $P(t_i)$: Represents the baseline likelihood of a specific threat. In this case, Lilac Studio assigns a prior probability of 0.3 to a Denial-of-Service (DoS) attack on its IoT gateway, based on historical latency issues and sector-specific threat intelligence.
• Evidence E: The new observation that may indicate an active threat. Lilac Studio identifies increased traffic volume and repeated port scanning attempts from untrusted IP addresses during business hours.
• Likelihood $P(E \mid t_i)$: The probability of observing this evidence if the threat is actually occurring. Drawing from industry reports, 80 % of confirmed DoS attacks are preceded by similar traffic anomalies, giving $P(E \mid t_i) = 0.80$.
• Marginal Probability $P(E)$: The overall chance of seeing the observed anomaly, regardless of whether a DoS attack is underway. Historical logs suggest such events occur approximately 40 % of the time, resulting in $P(E) = 0.40$.

Applying Bayes' Theorem:

$P(t_i \mid E) = \dfrac{P(E \mid t_i)\, P(t_i)}{P(E)} = \dfrac{0.8 \times 0.3}{0.4} = 0.6$ (5)

• Interpretation: After incorporating real-time evidence, the probability of an active DoS attack increases from 0.30 (prior) to 0.60 (posterior). This represents a substantial escalation in risk perception.
• Use in Framework: The updated posterior probability (0.60) replaces the static likelihood score in the risk calculation formula. For instance, for the IoT gateway, with an asset value of 9:

$\text{Bayesian Risk Score}_{i,j} = V(a_j) \times P(t_i \mid E) = 9 \times 0.6 = 5.4$ (6)

This revised score, compared to a pre-mitigation score of 81.0 (static risk based on likelihood 9.0), demonstrates a quantifiable reduction in perceived risk due to implemented controls and new contextual evidence. The use of historical cases such as the Mirai botnet [52] further validates the approach, as they illustrate the real-world plausibility of IoT devices being exploited in DoS attacks. Such precedents justify assigning elevated prior probabilities in similar contexts.

5.4. Quantitative and qualitative results

To empirically evaluate the effectiveness of the proposed risk-based framework, two full-spectrum vulnerability scans were conducted, one prior to the implementation of mitigation strategies and another after the controls were applied. Scanning was performed using both Nessus Essentials and OpenVAS, covering the same five IoT-enabled assets. All results were analyzed and categorized in accordance with the Common Vulnerability Scoring System (CVSS) v3.1, ensuring consistency and comparability.

5.4.1. Pre-implementation vulnerability scan

The initial vulnerability scan identified 19 total vulnerabilities across critical IoT assets, with severity levels ranging from low to critical. Notable weaknesses included default administrative credentials, outdated firmware, and SQL injection flaws. These findings are quantified by severity level and summarized in Table 7, which highlights the scope of exposure prior to the implementation of mitigation strategies.

Table 8
Vulnerability Comparison by Severity.

| Severity | Pre-Mitigation | Post-Mitigation | % Change |
|---|---|---|---|
| Critical | 5 | 1 | −80 % |
| High | 8 | 2 | −75 % |
| Medium | 4 | 5 | +25 % (reclassified) |
| Low | 2 | 3 | +50 % |
| Total | 19 | 11 | −42.1 % |

Note: Certain vulnerabilities were reclassified based on reduced exploitability following partial remediation.

• Pre-Implementation: Mean = 8.1, SD = 1.23
• Post-Implementation: Mean = 5.6, SD = 1.91

This corresponds to a 30.9 % reduction in average vulnerability severity, indicating a substantial improvement in the organization's security posture. The increase in standard deviation is expected, as the remaining vulnerabilities were more dispersed across lower severity categories following mitigation efforts. These quantitative results validate the framework's effectiveness in reducing exposure to critical and high-risk threats in a real-world SME environment. The outcomes also support the suitability of the framework's structured approach for incremental, cost-efficient risk reduction.

5.4.4. Qualitative feedback

In addition to the quantitative findings, qualitative feedback was gathered to assess the perceived usability, effectiveness, and organizational impact of the proposed framework. Informal interviews were conducted with four key stakeholders at Lilac Studio: the business owner, store manager, inventory manager, and a frontline employee. The feedback was analyzed using thematic analysis, following the six-phase methodology outlined by Braun and Clarke [53]. These phases included familiarization with the data, generation of initial codes, identification and refinement of themes, and narrative synthesis.

Three dominant themes emerged from the analysis, reflecting the framework's practical influence across different organizational levels:

• Practicality and Accessibility: Stakeholders consistently emphasized the ease of implementation. The business owner stated, "The framework provided a clear roadmap for securing our IoT systems without overwhelming our small team." Both technical and non-technical staff described the framework's step-by-step structure as intuitive and scalable, suggesting its accessibility even in low-resource environments.
• Operational Continuity: The store manager noted that "the security improvements were seamless and didn't disrupt daily operations." This observation was echoed by the inventory manager, who reported increased system reliability and fewer discrepancies in stock management, suggesting that the framework enhanced security without compromising efficiency.
• Awareness and Confidence: A frontline employee remarked, "The
training was really helpful; I understand the risks better now.” This feedback reflects a broader organizational shift toward increased 5.4.2. Post-implementation vulnerability scan security awareness and procedural clarity. Staff members expressed Following the mitigation efforts, a second vulnerability scan greater confidence in managing and responding to cyber risks. revealed a marked reduction in total and high-severity vulnerabilities. The comparative results between pre- and post-mitigation periods, These insights corroborate the quantitative results presented earlier. including percent change in each category, are detailed in Table 8, Stakeholders reported improved trust in the security of their systems and illustrating the framework’s measurable impact on reducing cyberse­ expressed confidence in the organization’s preparedness to address curity risk across the SME’s IoT environment. future threats. The framework’s non-disruptive and user-centric design appears to have contributed to both technical readiness and organiza­ 5.4.3. Statistical impact analysis tional alignment. To further quantify the reduction in overall risk, the mean CVSS Overall, the qualitative findings affirm that the framework is not only score for detected vulnerabilities was calculated for both assessment functionally effective but also culturally adoptable, making it well- periods: suited for replication in similarly structured SMEs. Its ability to foster 11 S. Aoudi and H. Al-Aqrabi Computer Standards & Interfaces 97 (2026) 104099 staff engagement, procedural clarity, and operational continuity high­ methodology, spanning asset classification, threat modeling, vulnera­ lights its value as a pragmatic cybersecurity solution for resource- bility assessment, risk prioritization, and mitigation planning, enabled constrained environments. the organization to identify and remediate critical risks in a systematic, resource-aware manner. 5.4.5. 
Key performance indicators (KPIs) By categorizing IoT assets based on business impact and integrating To objectively evaluate the impact of the proposed framework, a set these classifications into a multi-layered risk evaluation process, the of Key Performance Indicators (KPIs) was defined and tracked before organization was able to focus its limited cybersecurity resources on the and after implementation. These indicators were selected to reflect most pressing threats. The application of targeted mitigation strategies, critical dimensions of cybersecurity maturity, including technical risk including firmware updates, credential hardening, network segmenta­ reduction, procedural readiness, and organizational awareness. tion, and the deployment of a Web Application Firewall (WAF), resulted Together, they provide a holistic view of the framework’s effectiveness in a substantial reduction in the number and severity of vulnerabilities. in a real-world SME setting. Quantitative improvements included a 42.1 % reduction in total vul­ The following five KPIs were used: nerabilities and a 30.9 % decrease in average CVSS scores, demon­ strating the framework’s capacity to drive measurable security • %Critical Vulnerabilities: The proportion of total vulnerabilities outcomes. classified as Critical as CVSS ≥9.0 indicating exposure to the most Equally important were the organizational benefits. The inclusion of severe threats. structured security awareness training increased employee engagement • Mean CVSS Score: The average severity of all detected vulnerabil­ and contributed to a culture of proactive security management, as re­ ities, serving as a composite indicator of overall system risk. flected in the 90 % training participation rate. 
Positive stakeholder • Time to Mitigation (TtM): The average time (in days) required to feedback further validated the framework’s accessibility, scalability, remediate high and critical vulnerabilities, reflecting operational and minimal disruption to day-to-day operations. responsiveness. Overall, the Lilac Studio case study illustrates how a cost-effective, • Incident Response Preparedness: The presence or absence of docu­ modular, and methodologically rigorous framework can empower mented and tested incident response (IR) procedures. SMEs to improve their cybersecurity posture without exceeding their • Employee Security Awareness: The percentage of staff who operational or financial limits. The results support the framework’s completed foundational security awareness training, reflecting broader applicability across similarly structured SMEs, positioning it as organizational readiness and cultural alignment. a scalable solution for enhancing cybersecurity resilience in the rapidly expanding IoT landscape. The impact of the framework across key cybersecurity performance dimensions is summarized in Table 9, which tracks changes in technical, 6.2. Framework effectiveness procedural, and organizational metrics before and after implementation. These results demonstrate substantial improvements across all five The effectiveness of the proposed framework is demonstrated not by indicators. The percentage of critical vulnerabilities was reduced by the invention of new cybersecurity mechanisms, but by its strategic over 65 %, while the average CVSS score declined by 30.9 %. The Time realignment of established practices toward the unique needs of SMEs. to Mitigation improved significantly, dropping from an unstructured 30- At Lilac Studio, the framework enabled a comprehensive and systematic day cycle to a more agile 10-day process. Moreover, the organization assessment of the organization’s IoT ecosystem. 
By categorizing assets moved from having no formal incident response plan to one that was based on business criticality and aligning these with structured risk both documented and tested. Perhaps most notably, employee security assessment techniques, the company was able to prioritize its limited awareness increased from 0 % to 90 %, indicating a strong cultural shift cybersecurity resources efficiently. toward proactive cyber hygiene. Collectively, these KPI trends affirm the One of the most impactful elements was the framework’s tailored framework’s capacity to produce measurable, multidimensional im­ risk prioritization process, which directed attention to the most critical provements in SME cybersecurity posture, spanning technical risk, vulnerabilities. This approach ensured that mitigation efforts were not operational agility, and human factors. diluted across all identified issues but instead focused on those posing the greatest business risk. The application of controls, such as firmware 6. Discussion updates, web application firewalls, and network segmentation, resulted in measurable improvements in vulnerability reduction, operational This section discusses the effectiveness of the proposed framework, continuity, and staff awareness. These interventions were specifically synthesizing both the quantitative and qualitative results. It also com­ selected for their low cost, ease of implementation, and regulatory pares the framework against established models and reflects on broader alignment with standards like the GDPR and UAE PDPL. implications for SME cybersecurity practice. Another strength of the framework lies in its accessibility. Its step-by- step design, supported by practical tools and algorithms, allowed non- specialist staff to participate in the security improvement process 6.1. Application of the framework without requiring advanced expertise. 
The use of scalable controls and guidance documents made the implementation feasible for an organi­ The implementation of the proposed risk-based framework at Lilac zation with minimal internal IT capacity. Studio offers compelling evidence of its practical value in addressing IoT Importantly, the framework enabled Lilac Studio to shift from a security challenges within a real-world SME context. The structured reactive to a proactive security posture. Instead of responding to in­ cidents ad hoc, the company began adopting preventive measures based Table 9 on formalized asset risk profiles and updated threat intelligence. This Key Performance Indicators (KPIs). cultural shift was reinforced by a 90 % employee participation rate in KPI Pre-Implementation Post-Implementation security training and by the introduction of documented incident % Critical Vulnerabilities 26.3 % 9.1 % response protocols, both of which were absent prior to framework Mean CVSS Score 8.1 5.6 adoption. Time to Mitigation (TtM) 30 days (ad hoc) 10 days (structured) The inclusion of Bayesian risk scoring in the framework further IR Preparedness None Documented + tested enhanced its analytical depth and responsiveness. However, to maintain Employee Security Awareness 0% 90 % focus in the discussion section, the Bayesian scoring formula and 12 S. Aoudi and H. Al-Aqrabi Computer Standards & Interfaces 97 (2026) 104099 numerical example have been relocated to Section 5.3.2, where quan­ mechanisms. titative risk adjustments are explained in detail. This separation pre­ In contrast, the proposed framework explicitly incorporates serves the clarity of the narrative while ensuring methodological measurable KPIs such as CVSS severity reduction, time to mitigation, transparency. and employee readiness, offering a practical, scalable, and data-driven Quantitative outcomes further validate the framework’s utility. Over approach tailored to the operational realities of SMEs. 
a six-week implementation period, Lilac Studio experienced a 42.1 % reduction in total vulnerabilities and a 30.9 % decrease in mean CVSS scores. These metrics highlight the framework’s capacity to deliver both 6.4. Threat modeling results and documentation immediate and sustainable security improvements in an SME environ­ ment. Collectively, the results confirm that when security strategies are This section presents the results of the threat modeling process, aligned with operational constraints, even small organizations can which employed the STRIDE methodology to identify, categorize, and achieve significant cybersecurity gains. evaluate potential threats to Lilac Studio’s IoT infrastructure. The methodology was implemented following the structured workflow out­ lined in Algorithm 3 (Appendix A), which systematically maps threats to 6.3. Comparison of existing frameworks asset attributes and system configurations. This approach ensures comprehensive coverage and operational relevance in the SME context. Existing frameworks for IoT security, such as the NIST Cybersecurity Using the classified asset inventory developed during the initial Framework (CSF), ISO/IEC 27005, and OWASP IoT Project, provide assessment phase, each IoT asset was evaluated against the six STRIDE valuable guidance but often fall short in addressing the unique needs of threat categories: Spoofing, Tampering, Repudiation, Information SMEs. The NIST CSF, while comprehensive, requires significant re­ Disclosure, Denial of Service, and Elevation of Privilege. Specific vul­ sources and expertise, making it challenging for SMEs with limited nerabilities were identified based on configuration weaknesses, expo­ budgets and technical capabilities to implement effectively. Similarly, sure to external interfaces, and known exploit vectors. 
These were then ISO/IEC 27005 offers detailed guidelines for risk management but is linked to corresponding business impacts, ensuring that the threat often too complex and resource-intensive for smaller organizations. The analysis remained both technically rigorous and business centric. OWASP IoT Project, though practical, lacks a structured risk assessment To improve traceability and practical usability, the threat docu­ process, leaving SMEs without clear prioritization of risks. These mentation process recorded the affected asset, observed vulnerability, frameworks also tend to be generic, lacking tailored guidance for the likely exploitation vector, and anticipated operational consequence. specific challenges SMEs face, such as limited IT infrastructure and This mapping, carried out in accordance with Steps 2–8 of Algorithm 3, cybersecurity expertise. While recent frameworks target industrial supports both technical remediation and decision-making by non- control systems specifically [54], they often assume PLC-centric archi­ tectures, limiting applicability to general-purpose IoT infrastructures found in SMEs. Table 11 Validation of Threats Based on STRIDE Utilizing Asset Inventory. The proposed framework addresses these gaps by offering a cost- effective, scalable, and SME-focused approach to IoT security. It sim­ Threat Description Asset Identified Impact Category Vulnerability plifies complex methodologies like risk assessment and threat modeling, making them accessible to non-technical stakeholders. By integrating Spoofing Potential for Sensors Lack of False asset classification, vulnerability analysis, and risk prioritization, the unauthorized authentication inventory devices to data framework provides a structured yet flexible process that SMEs can inject false adapt to their specific contexts. 
Additionally, it emphasizes practical, inventory data actionable steps and leverages readily available tools, reducing the need Tampering Risk of data Inventory Insecure data Corrupted for specialized expertise or significant financial investment. This manipulation Server, PoS handling records, System financial tailored approach ensures that SMEs can enhance their IoT security loss posture without overburdening their resources, bridging the gap left by Repudiation Lack of audit PoS System Absence of Dispute existing frameworks. trails for logging resolution The comparative strengths and limitations of the proposed frame­ transactions mechanisms failure work relative to established alternatives such as NIST CSF, ISO/IEC Information Exposure of Network Unencrypted Privacy Disclosure customer data Infrastructure traffic breach, 27005, ENISA, and the OWASP IoT Project are summarized in Table 10, through legal using a set of measurable KPIs to highlight practical applicability for unsecured penalties SMEs. networks While ISO/IEC 27005 provides a comprehensive methodology for Denial of Overloading Sensors, Lack of traffic Downtime, Service the IoT Network filtering or operational information security risk management, it assumes a level of maturity network Infrastructure rate limits loss and resourcing that many SMEs lack. Its abstract treatment of likelihood, causing impact, and risk response mechanisms often requires consulting exper­ service tise to operationalize. OWASP’s IoT Top 10 is valuable for threat iden­ disruptions tification but lacks integrated risk assessment or prioritization Table 10 KPI-Based Comparative Framework Assessment. 
Feature NIST CSF ENISA ISO 270005 OWASP IoT Proposed Framework KPI-Driven Evaluation Not explicit Limited Not defined No Yes CVSS Integration Indirect No Indirect No Native Dynamic Risk Scoring No Partial No No Bayesian updating Risk Prioritization Guidance High-level Prespective Detailed No Structured, contextual Resource Constraint Awareness Low Medium Low Low High Usability for SMEs Low Medium Low Medium High Time to Mitigation (TtM) No No No No Embedded metric Employee Readiness Optional No No No Yes 13 S. Aoudi and H. Al-Aqrabi Computer Standards & Interfaces 97 (2026) 104099 technical stakeholders. In the UAE context, the framework aligns with provisions of the Table 11 summarizes the threat-to-asset mapping. It illustrates how Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data identified vulnerabilities, such as lack of authentication on sensors or (PDPL) [58], which similarly requires entities to adopt appropriate unencrypted traffic on the network infrastructure, correspond to STRIDE cybersecurity measures to protect data confidentiality, integrity, and threat categories and lead to concrete business risks such as data availability. The inclusion of employee training, incident response integrity failures or service disruption. This actionable mapping pro­ readiness, and periodic risk reassessment in the framework addresses vides SMEs with a prioritized and contextualized understanding of IoT Article 5 of the PDPL, which emphasizes both technical and organiza­ security threats, allowing them to implement targeted mitigation stra­ tional security measures [58]. tegies without overextending limited resources. 
Recent case studies have shown that mapping ISO 27005, NIST CSF, Threat assessment is based on predefined likelihood and impact and SP 800–53 to enterprise contexts remains complex [59]; this scores, which are detailed in Section 5.2.4 as part of the risk prioriti­ framework simplifies that mapping by focusing on risk outputs action­ zation methodology. able for SMEs. By embedding these legal principles into its structure, the framework not only enhances operational security but also serves as a 6.5. Implications for SMEs pragmatic tool to support ongoing regulatory compliance. This is espe­ cially beneficial for SMEs that often lack dedicated legal or compliance The proposed framework offers significant practical benefits for teams and must rely on integrated approaches to meet both security and SMEs, addressing their unique challenges and resource constraints while legal expectations. enhancing their IoT security posture. By providing a structured yet flexible approach, the framework enables SMEs to systematically iden­ 6.7. Limitations tify, assess, and mitigate IoT security risks without requiring extensive technical expertise or financial investment (See Appendix C for guidance While the proposed framework demonstrates significant potential for on resource allocation and cost minimization strategies.). Its emphasis enhancing IoT security in SMEs, it is important to acknowledge its on asset classification and risk prioritization ensures that limited re­ limitations. First, the framework’s effectiveness is highly dependent on sources are allocated efficiently, focusing on the most critical vulnera­ the accuracy of the initial asset classification and risk assessment, which bilities and threats. may be challenging for SMEs with limited technical expertise or The framework’s scalability allows SMEs to start small and expand incomplete knowledge of their IoT ecosystems. 
Second, the framework’s their efforts as needed, making it adaptable to businesses of varying sizes reliance on vulnerability scanning tools and penetration testing may not and industries. Additionally, the inclusion of cost-effective security uncover all potential risks, particularly those related to zero-day vul­ controls and practical, actionable steps empowers SMEs to implement nerabilities or sophisticated attack vectors. Third, the case study’s focus robust security measures without overburdening their operations. By on a single SME, Lilac Studio, limits the generalizability of the findings, integrating staff training and clear guidance, the framework also builds as the results may not fully represent the diverse challenges faced by internal capacity, fostering a culture of cybersecurity awareness. SMEs in different industries or regions. Additionally, the framework’s Moreover, SME-specific frameworks in smart manufacturing success in other contexts may vary based on factors such as the emphasize the importance of operational continuity, real-time moni­ complexity of the IoT ecosystem, the level of stakeholder engagement, toring, and layered security [55], all of which align with the goals of this and the availability of resources. framework. Overall, the framework equips SMEs with the tools and Finally, while the framework emphasizes cost-effectiveness, some knowledge needed to secure their IoT ecosystems, reducing the risk of SMEs may still face financial or logistical barriers to implementing disruptions, data breaches, and financial losses, while supporting busi­ certain security controls. These limitations highlight the need for further ness continuity and growth. research and validation across a broader range of SMEs to refine the framework and ensure its applicability in diverse settings. 6.6. Regulatory alignment and compliance implications 7. 
Conclusion and future work While the primary goal of this framework is to enhance IoT cyber­ security posture within SMEs, it also supports alignment with key legal In an era of rapid digital transformation, SMEs face a growing need to and regulatory obligations. For example, the European General Data adopt Internet of Things (IoT) technologies to enhance operational ef­ Protection Regulation (GDPR), particularly Article 32, mandates data ficiency, customer engagement, and competitive advantage. However, controllers and processors to implement appropriate technical and this shift has significantly expanded their cybersecurity risk surface, organizational measures to ensure the security of personal data [56]. exposing them to increasingly sophisticated threats while they remain The proposed framework operationalizes this requirement through its constrained by limited budgets, technical capacity, and regulatory risk-based approach, which drives the adoption of proportional controls burdens. such as data encryption, network segmentation, and access restriction In summary, this study contributes a practical, cost-conscious IoT mechanisms [21]. Additionally, recent approaches have demonstrated security framework specifically tailored to the operational constraints of the feasibility of aligning threat modeling with ISO/IEC 27005 and SMEs. Drawing upon well-established methodologies, such as STRIDE GDPR Article 32 through structured risk management methods [57]. for threat modeling [41], CVSS for vulnerability scoring [44], and The proposed framework reflects this alignment by integrating threat Bayesian inference for dynamic risk reassessment [45], the framework identification, CVSS scoring, and mitigation planning within a distills complex processes into a five-step model comprising asset clas­ GDPR-compliant process. 
sification, threat modeling, vulnerability assessment, risk prioritization, Specifically, the asset classification and threat modeling stages of the and mitigation planning. This structured yet adaptable approach em­ framework allow organizations to identify where personal or sensitive powers SMEs to identify and address critical IoT vulnerabilities in a data is processed, thus supporting data flow mapping and risk docu­ scalable and resource-aware manner. mentation required under Articles 30 and 35 of the GDPR [26]. Simi­ The framework’s value was validated through a real-world case larly, the use of vulnerability scanners and CVSS-based scoring directly study involving a digitally enabled retail SME, where implementation supports the principle of “security by design and by default”. These led to a 42.1 % reduction in total vulnerabilities, a 65 % drop in critical technical safeguards help SMEs demonstrate that personal data is issues, and measurable improvements in response time and employee adequately protected against unauthorized access or loss, core expec­ security awareness. These outcomes underscore the framework’s prac­ tations under GDPR’s security provisions. tical effectiveness and its ability to enhance cybersecurity posture 14 S. Aoudi and H. Al-Aqrabi Computer Standards & Interfaces 97 (2026) 104099 without imposing prohibitive costs or disruption to operations. By parameter calibration and facilitate continuous, autonomous risk embedding regulatory considerations from GDPR [56] and the UAE’s management. PDPL [58], the framework also supports SMEs in fulfilling legal obli­ Overall, this study bridges the gap between enterprise-scale cyber­ gations while improving their security maturity. security models and SME feasibility, offering a robust, implementable While the case study provides strong evidence of real-world appli­ pathway for improving IoT security resilience in resource-constrained cability, it represents a single organizational context. 
As such, the environments. findings may not fully generalize to SMEs in other sectors or regions. Future work should therefore focus on broadening the generalizability CRediT authorship contribution statement of this approach through multi-case studies across diverse industries and geographical settings. Sector-specific adaptations, for example, in Samer Aoudi: Writing – original draft, Validation, Supervision, healthcare, manufacturing, and agriculture, may further refine the Methodology, Investigation, Formal analysis, Data curation, Conceptu­ framework’s utility by aligning with domain-specific threat landscapes alization. Hussain Al-Aqrabi: Writing – review & editing, Visualization, and regulatory contexts. Additionally, integrating artificial intelligence Methodology, Investigation, Formal analysis, Conceptualization. (AI) and machine learning (ML) for anomaly detection and predictive risk modeling offers promising avenues for enhancing responsiveness Declaration of competing interest and precision in SME cybersecurity. Further research could also explore embedding this framework within modular testbed environments or The authors declare that they have no known competing financial extending its reach through integration with SIEM tools and automated interests or personal relationships that could have appeared to influence log parsers. These enhancements would support real-time Bayesian the work reported in this paper. Appendix A. Framework Algorithms Algorithm 2 provides a structured approach to classifying IoT assets within SME environments. Accurate asset classification is essential for un­ derstanding business-critical dependencies and for ensuring that security resources are focused where they matter most. This algorithm supports SMEs in developing a comprehensive asset inventory, capturing key metadata such as location, function, ownership, and criticality. 
It serves as the foundational input for subsequent threat modeling and risk prioritization processes within the proposed framework.

Algorithm 2 IoT Asset Classification for SMEs.
Require: IoT environment E with devices, networks, and applications
Ensure: Structured asset inventory I with criticality levels
1: I ← ∅
2: for all asset a ∈ E do
3:   Identify asset type: device, network, or software
4:   Record metadata: location, function, dependencies, owner
5:   Assign criticality level C(a) based on:
6:     Impact on core operations
7:     Data sensitivity
8:     Service continuity dependencies
9:   Add entry {a, type, metadata, C(a)} to I
10: end for
11: return I

Algorithm 3 outlines a systematic method for applying the STRIDE threat modeling framework to classified IoT assets. By assessing each asset against the six STRIDE categories, Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege, the algorithm helps identify specific threat sc
enarios that are relevant in the context of SME operations. This targeted threat mapping ensures that the risk assessment process is grounded in the actual exposure and function of each asset, rather than relying on generic threat assumptions.

Algorithm 3 STRIDE-Based Threat Modeling for IoT Assets.
Require: Asset inventory I with criticality scores and configurations
Ensure: Threat list T mapped to assets and threat categories
1: T ← ∅
2: for all asset a ∈ I do
3:   Retrieve asset characteristics: access interfaces, communication protocols
4:   for all STRIDE category s ∈ {Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service,
5:       Elevation of Privilege} do
6:     Assess applicability of s to a using:
7:       Known vulnerabilities
8:       Exposure to external actors
9:       Past incidents or threat intelligence
10:    if s applicable then
11:      Record threat t ← {a, s, impact level, justification}
12:      Add t to T
13:    end if
14:  end for
15: end for
16: return T
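The following is an added worked example, not the authors' code: a small Python model of Algorithms 2 and 3 above, joined to the static and Bayesian-adjusted risk scores of Section 5.3.2 (Eqs. (5) and (6)) using the paper's gateway figures (asset value 9, prior 0.3, likelihood 0.8, marginal 0.4). The weakness-to-STRIDE rule table, the sensor and network asset values, and the sequential-update helper (which chains several evidence updates, one step beyond the single update the text shows) are constructed assumptions.

```python
from dataclasses import dataclass

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")

# Algorithm 3, steps 6-7: which STRIDE categories a recorded weakness makes
# applicable. Constructed rule table (an assumption), not taken from the paper.
WEAKNESS_TO_STRIDE = {
    "default credentials": ("Spoofing", "Elevation of Privilege"),
    "weak authentication": ("Spoofing", "Elevation of Privilege"),
    "no authentication":   ("Spoofing", "Tampering"),
    "unencrypted traffic": ("Information Disclosure", "Tampering"),
    "no logging":          ("Repudiation",),
    "no rate limiting":    ("Denial of Service",),
    "open ports":          ("Denial of Service", "Information Disclosure"),
    "sql injection":       ("Tampering", "Information Disclosure"),
}

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str              # device | network | software     (Algorithm 2, step 3)
    weaknesses: tuple      # known configuration weaknesses   (Algorithm 3, step 7)
    internet_facing: bool  # exposure to external actors      (Algorithm 3, step 8)
    value: int             # asset value V(a) on a 1-10 scale

# Constructed inventory modelled on the five case-study assets. Values for the
# gateway, PoS terminal and cameras are those of Table 7; the others are assumed.
INVENTORY = (
    Asset("IoT Gateway", "device",
          ("default credentials", "open ports", "weak authentication"), True, 9),
    Asset("PoS Terminal", "device", ("sql injection", "no logging"), True, 9),
    Asset("Surveillance Cameras", "device",
          ("default credentials", "unencrypted traffic"), True, 6),
    Asset("Smart Inventory Sensors", "device",
          ("no authentication", "unencrypted traffic"), False, 5),
    Asset("Network Infrastructure", "network",
          ("unencrypted traffic", "no rate limiting"), False, 7),
)

def criticality(asset):
    """Algorithm 2, steps 5-8, collapsed to one ordinal level derived from V(a)."""
    if asset.value >= 9:
        return "Critical"
    if asset.value >= 7:
        return "High"
    return "Medium" if asset.value >= 4 else "Low"

def classify_assets(environment):
    """Algorithm 2: inventory I, one entry per asset with its criticality."""
    return [{"asset": a, "type": a.kind, "criticality": criticality(a)}
            for a in environment]

def stride_threats(inventory):
    """Algorithm 3: assess every STRIDE category s against every asset a."""
    threats = []
    for entry in inventory:
        a = entry["asset"]
        for s in STRIDE:
            why = [w for w in a.weaknesses if s in WEAKNESS_TO_STRIDE.get(w, ())]
            if s == "Denial of Service" and a.internet_facing:
                why.append("internet-facing")   # step 8: exposure to external actors
            if why:                             # step 10: s is applicable to a
                impact = "High" if entry["criticality"] in ("Critical", "High") else "Medium"
                threats.append({"asset": a.name, "category": s, "impact": impact,
                                "justification": ", ".join(why)})
    return threats

def posterior(prior, likelihood, evidence):
    """Eq. (5): P(t|E) = P(E|t) P(t) / P(E), with consistency checks."""
    if not (0 <= prior <= 1 and 0 <= likelihood <= 1 and 0 < evidence <= 1):
        raise ValueError("probabilities must lie in [0, 1] and P(E) must be > 0")
    p = likelihood * prior / evidence
    if p > 1:  # P(E) can never be below P(E|t) P(t); the estimates conflict
        raise ValueError("inconsistent estimates: P(E) < P(E|t) P(t)")
    return round(p, 4)

def static_risk(value, likelihood_score):
    """Static matrix score: V(a) x likelihood on the 1-10 scale (81.0 for the gateway)."""
    return round(value * likelihood_score, 1)

def bayesian_risk(value, prior, likelihood, evidence):
    """Eq. (6): Bayesian Risk Score = V(a) x P(t|E)."""
    return round(value * posterior(prior, likelihood, evidence), 2)

def sequential_posterior(prior, observations):
    """Assumed extension of the paper's single update: apply successive
    (P(E|t), P(E)) pairs, each time using the previous posterior as the prior."""
    p = prior
    for likelihood, evidence in observations:
        p = posterior(p, likelihood, evidence)
    return p

def main():
    for t in stride_threats(classify_assets(INVENTORY)):
        print(f"{t['asset']:<24} {t['category']:<23} {t['impact']:<7} {t['justification']}")
    # The paper's DoS-on-gateway example: prior 0.3, likelihood 0.8, marginal 0.4.
    print("static risk:", static_risk(9, 9.0))                 # 81.0
    print("posterior:", posterior(0.3, 0.8, 0.4))              # 0.6
    print("bayesian risk:", bayesian_risk(9, 0.3, 0.8, 0.4))   # 5.4

if __name__ == "__main__":
    main()
```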
Algorithm 4 describes a three-stage vulnerability assessment process suitable for SMEs. It combines automated scanning using tools like Nessus or OpenVAS with optional penetration testing for high-value or high-risk assets. The algorithm also supports structured documentation and categorization of vulnerabilities based on CVSS scores and exploitability levels. This ensures that the vulnerability data feeding into the risk prioritization step is both comprehensive and context-sensitive, enabling more informed and defensible security decisions.

Algorithm 4 Vulnerability Assessment for IoT Systems.
Require: IoT assets E, security tools (e.g., Nessus, OpenVAS)
Ensure: Consolidated vulnerability report V with CVSS scores
1: V ← ∅
2: for all asset a ∈ E do
3:   Perform vulnerability scan using automated tools
4:   Extract raw findings: CVE identifiers, descriptions, CVSS base scores
5:   if critical service or internet-facing then
6:     Conduct targeted penetration testing for a
7:   end if
8:   for all vulnerability v found on a do
9:     Classify v by:
10:      Severity: CVSS ∈ {Low, Medium, High, Critical}
11:      Exploitability: ∈ {Low, Medium, High}
12:    Add {a, v, CVSS, exploitability, description} to V
13:  end for
14: end for
15: return V

Appendix B. Vulnerability Scanning Configuration and Use Case Details

To enhance reproducibility and provide implementation-level detail, this appendix outlines the configuration parameters and specific use cases employed during the vulnerability assessment phase described in Sections 4.2 and 5.2.3.

B.1 Tools Used
• Nessus Essentials v10.5.1
• OpenVAS via Greenbone Security Assistant v22.4

B.2 Target Scope
• Devices scanned included IoT gateways, IP surveillance cameras, PoS terminals, and connected web-based interfaces.
• Internal scans were conducted over a segmented test VLAN with static IPs assigned for each IoT node.
B.3 Key Nessus Configuration
• Scan Template: “Advanced Scan”
• Plugin Families Enabled:
  ○ IoT Protocol Detection
  ○ Web Servers
  ○ General Plugins
  ○ SCADA
• Port Scanning:
  ○ TCP Full Connect Scan: Enabled
  ○ UDP Scan: Enabled (restricted to ports 53, 123, 161)
• Authentication: SSH credential-based scanning on PoS terminal
• Performance Settings:
  ○ Max simultaneous checks: 4
  ○ Max hosts per scan: 5

B.4 Key OpenVAS Configuration
• Scan Profile: “Full and fast”
• Timeouts: Increased to 120 s for embedded camera systems
• Log Level: Verbose
• Credentialed checks: Disabled (due to vendor restrictions on camera firmware)

B.5 CVSS Use Cases
Vulnerabilities were scored using CVSS v3.1 base scores from scan outputs. Example vectors:
• CVE-2022-22954 (PoS terminal input validation flaw):
  ○ Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  ○ CVSS Score: 9.8 (Critical)
• CVE-2021-36260 (Surveillance camera RCE):
  ○ Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  ○ CVSS Score: 10.0 (Critical)
• Default credentials on IoT Gateway:
  ○ Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  ○ CVSS Estimate: 7.4 (High), no CVE assigned; based on vendor advisory

These scores were directly used in the risk prioritization algorithm (Section 4.2) and in calculating static and Bayesian-adjusted risk scores (Section 5.3).

Appendix C. Estimated Effort and Budget for Framework Implementation in SMEs

This appendix outlines the estimated resource requirements for implementing the proposed IoT risk-based security framework in a typical SME environment. Estimates are based on a single-site deployment with fewer than 50 IoT-enabled assets and no dedicated cybersecurity team. Figures assume internal staff carry out most tasks, with optional external support for tool configuration or training.
C.1 Effort Estimate by Framework Component
• Asset Classification: 6–10 staff hours (IT administrator or operations manager maps devices and dependencies)
• Threat Modeling (STRIDE): 8–12 hours (Basic STRIDE mapping across 3–5 asset categories using checklists or templates)
• Vulnerability Assessment: 10–15 hours (Tool setup, scan execution, review of Nessus/OpenVAS output; includes re-scanning)
• Risk Prioritization: 6–8 hours (Matrix creation, CVSS lookup, optional Bayesian update for top 3 risks)
• Mitigation Planning and Implementation: 15–25 hours (Patch application, credential changes, segmentation, training delivery, testing)
Total Staff Effort Estimate: 45–70 hours

C.2 Budget Estimate by Activity Category
• Open-Source Tools (OpenVAS, CVSS calculators): $0
• Commercial Tool (Optional: Nessus Pro license): $2990/year
• Training Resources (Basic awareness kit): $200–$500
• External Consultant Support (Optional): $1500–$3000 for tailored threat modeling or scan review
Estimated Budget Range: $200–$6500 depending on tool/license choices and external assistance.

C.3 SME Cost Optimization Notes
Most SMEs can minimize costs by:
• Using free versions of scanning tools (e.g., Nessus Essentials)
• Relying on publicly available STRIDE and CVSS documentation
• Delivering internal security awareness training using open resources (e.g., OWASP guides)
• Prioritizing mitigation actions with minimal operational disruption (e.g., disabling unused ports)

These estimates provide a practical benchmark to help SMEs plan framework adoption incrementally while staying within budget.

Data availability
The data that has been used is confidential.