Small Firms, Big Threats: Cybersecurity Research and the Role of Public Policy in the SME Sector

Small-sized and medium-sized enterprises (SMEs) are vital to global economies but remain highly vulnerable to cyber threats due to limited resources, technical capacity, and awareness. This bibliometric study analyzes 245 peer-reviewed documents on SME cybersecurity published between 2005 and 2025, mapping the field through keyword co-occurrence, author productivity, citation patterns, and collaboration networks. Results show steady growth, with research output increasing at 16.7% annually. Core themes include awareness, governance, risk management, digital adoption, and Industry 4.0 integration, with a clear shift from technical toward strategic and human-centered approaches. Lotka's Law indicates fragmentation, as most authors contribute only once, underscoring the need for academic continuity. The United States, the United Kingdom, and South Africa dominate in volume, while France and Australia stand out for international collaboration. Influential contributors such as Spruit M and De Arroyabe JCF emphasize regulatory compliance and resilience. The literature highlights persistent challenges for SMEs in adopting standards like ISO 27001 and emerging technologies such as machine learning. Promising interventions include gamified training tools like CySecEscape 2.0 to strengthen awareness. This study advances understanding of SME cybersecurity research and calls for tailored, interdisciplinary strategies to enhance resilience, offering insights for policy, scholarship, and practice. The bibliometric evidence also reveals a growing recognition of the role of public policy and regulation in shaping SME cybersecurity practices. Highly cited works such as Kabanda et al. (2018), Heidt et al. (2019), Kljucnikov et al. (2019), and Tamvada et al. (2022) emphasize that national and European regulatory frameworks, including the NIS2 Directive and the Cyber Resilience Act, significantly influence SMEs' readiness, compliance behavior, and investment in security. These findings underline that effective cybersecurity strategies for SMEs require not only technological and organizational measures but also coherent public policy support and accessible institutional mechanisms.