A hybrid cybersecurity framework for small businesses : integrating NIST CSF, ISO 27001, and CEO engagement
Mdaki, Jacob (2025)
All rights reserved. This publication is copyrighted. You may download, display and print it for your own personal use. Commercial use is prohibited.
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:amk-2025052817430
Abstract
Small businesses face escalating cyber threats but often lack the resources to implement robust defences. This thesis proposes a hybrid cybersecurity framework for small businesses that integrates the NIST Cybersecurity Framework (CSF), ISO 27001 and proactive CEO engagement. Through a literature review, the study identifies and recommends a framework that prioritises cost-effective controls, such as multi-factor authentication and regular audits, together with leadership engagement to foster a proactive security culture. The findings suggest that small businesses can significantly mitigate risk by adopting a phased approach that combines the flexibility of NIST CSF with the structured governance of ISO 27001. The thesis concludes with actionable steps for implementation and continuous improvement, offering a scalable model for small businesses.