An InfoSec GRC Maturity Model Proposal for a Secure Information Systems Usage on Brazilian Small Organizations
Abstract
On the one hand, small organizations are highly dependent on Information Systems. On the other hand, they have limited resources, including a lack of specialized professionals and insufficient budgets to invest in Information Security (InfoSec). The objective of this paper is to propose a preliminary Maturity Model focused on Governance, Risk Management, and Compliance (GRC) for the usage of Information Systems in small organizations. The model's levels are designed to enable small organizations to implement several security mechanisms without requiring an expert on the team in the initial stages. This research aims to support small organizations in developing InfoSec practices for the use of information systems.
Published: 25/05/2026
How to Cite
STEGLICH, Caio; RODRIGUES, Ildevana Poltronieri; ZORZO, Avelino Francisco; BERTOGLIO, Daniel Dalalana. An InfoSec GRC Maturity Model Proposal for a Secure Information Systems Usage on Brazilian Small Organizations. In: TRILHA DE NOVAS IDEIAS E RESULTADOS EMERGENTES EM SI - POSICIONAMENTO DE IDEIAS - SIMPÓSIO BRASILEIRO DE SISTEMAS DE INFORMAÇÃO (SBSI), 22., 2026, Vitória/ES. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2026. p. 320-333. DOI: https://doi.org/10.5753/sbsi_estendido.2026.249104.