Research Proposal for Admission to MPhil in Information Systems at the University of Professional Studies,

Accra (UPSA)

Title: Assessment of Cybersecurity Maturity in SMEs: A Ghanaian Governance Framework for Sustainable
Adherence

1. Overview
Ghana's economy is significantly dependent on Small and Medium Enterprises (SMEs), which account for over
70% of the nation's GDP and employ approximately 80% of the labour force (Ghana Statistical Service, 2021).
The swift digital change across industries has heightened cybersecurity dangers for SMEs, including
ransomware attacks, data breaches, and phishing schemes (Cyber Security Authority [CSA], 2023).
Notwithstanding the implementation of the Cybersecurity Act (2020), numerous SMEs lack organised
governance frameworks owing to financial limitations, skill deficiencies, and inadequate policy enforcement
(Association of Ghana Industries, 2022).

This study aims to assess the cybersecurity maturity levels of Ghanaian SMEs and to suggest a cost-effective
governance approach customised to their specific requirements. The research will be based on case studies of
three organisations: Express Pay (FinTech), Nyaho Medical Centre (Healthcare), and the KNUST E-Learning
Centre (Education). These stories will offer practical insights into the problems and opportunities associated
with cybersecurity governance in small and medium-sized enterprises (SMEs).

Theoretical Framework: The research incorporates institutional theory, which examines compliance demands,
alongside the resource-based view, which evaluates the cybersecurity capabilities of SMEs. This dual theoretical
framework will enhance comprehension of how SMEs in developing economies reconcile constrained resources
with regulatory requirements.

2. Statement of the Problem

Current cybersecurity frameworks, such the National Institute of Standards and Technology (NIST)
Cybersecurity Framework and ISO 27001, are predominantly tailored for large enterprises. Approximately 92%
of enterprises in Ghana, classified as SMEs, are susceptible to cyber attacks (World Bank, 2022). Moreover,
85% of Ghanaian SMEs do not employ specialised IT security personnel, and 60% are unable to finance
compliance tools (Association of Ghana Industries, 2022; Bank of Ghana, 2022).

This disparity sustains non-compliance with the Cybersecurity Act, subjecting SMEs to considerable financial
losses, reputational harm, and operational interruptions. In the absence of customised solutions, SMEs will
persist in their difficulties to comply with regulatory mandates, obstructing their expansion and impact on the
national economy.

3. Research Aims
The research seeks to accomplish the subsequent objectives:
Evaluate the existing cybersecurity maturity levels within Ghanaian small and medium-sized enterprises
(SMEs).
2. Identify the obstacles to compliance, encompassing financial, technical, and institutional issues.
3. Create a stratified maturity model (Beginner, Intermediate, Advanced) to categorise SMEs according to their
cybersecurity competencies.
4. Propose a governance system that incorporates cost-effective solutions, including open-source software, to
improve compliance.

4. Research Enquiries
This study will examine the subsequent research enquiries:
1. In what ways can awareness deficiencies and resource constraints influence cybersecurity governance in
small and medium-sized enterprises (SMEs)?
2. What functions do regulatory pressures and industry collaborations serve in fostering compliance?
3. How can SMEs implement scalable and economical cybersecurity solutions without incurring substantial
expenses?

5. Review of Literature

5.1 Cybersecurity in African Small and Medium Enterprises

Investigations on cybersecurity within small and medium-sized enterprises (SMEs) have primarily concentrated
on developed economies, resulting in scant data pertaining to Sub-Saharan Africa (World Bank, 2022). In
Ghana, SMEs encounter distinct problems, notably financial constraints, as 78% prioritise operating expenses
over cybersecurity investments (PwC Ghana, 2022), and a deficiency in skills, with merely 12% of SMEs
offering cybersecurity training to employees (CSA, 2023).

5.2 Current Maturity Models

Frameworks like the NIST Cybersecurity Framework (CSF) and the Cybersecurity Capability Maturity Model
(C2M2) are frequently overly intricate and resource-demanding for small and medium-sized enterprises (SMEs)
(NIST, 2021). A notable research deficiency exists in tailoring these frameworks to Ghana's economic and
regulatory environment.

6. Methodology

6.1 Mixed-Methods Approach

The research will utilise a mixed-methods approach, integrating both quantitative and qualitative methodologies.

Quantitative Component: Surveys will be administered to 100 SMEs, chosen via stratified sampling according
to sector and geographic area. Data will be gathered using Google Forms and examined through regression
analysis in SPSS to associate maturity levels with variables such as revenue and staff training.
Qualitative Component: - Case Studies: Comprehensive examination of three organizations—ExpressPay
(FinTech), Nyaho Medical Centre (Healthcare), and KNUST E-Learning Centre (Education)—will yield
practical insights.
Interviews: Semi-structured interviews will be performed with 15 specialists, comprising CSA officials, IT
managers, and cybersecurity consultants.
Data Analysis: Thematic coding will be conducted with NVivo to discern patterns and topics.

6.2 Ethical Considerations -Anonymisation: The identities of SMEs will be substituted with codes (e.g., “SME-
F1” for FinTech) to maintain confidentiality.
- Ethical Approval: Ethical clearance will be obtained from the University of Professional Studies, Accra, and
the Cyber Security Authority (CSA).

7. Importance and Anticipated Contributions

7.1 Theoretical Contributions - This research will enhance institutional theory by correlating regulatory
demands with cybersecurity practices in SMEs. - This will enhance the resource-based view by examining how
SMEs utilise constrained resources to attain compliance.

7.2 Practical Contributions - Tiered Maturity Model: A classification framework for SMEs (Beginner,
Intermediate, Advanced) with customised solutions for each level.
Policy Toolkit: Guidelines for regulators to promote compliance, including tax incentives for SMEs utilising
open-source cybersecurity software.

8. Addressed Research Gaps

1. Contextual Models: Current frameworks fail to consider Ghana's informal SME sector and its budgetary
limitations.
2. Cost-Effective Solutions: The report suggests economical tools, like complimentary vulnerability scanners
like OpenVAS, to mitigate financial obstacles.
3. Regulatory Synergy: The study examines the alignment of Ghana’s Cybersecurity Act with the circumstances
of SMEs.

9. References: Association of Ghana Industries. (2022). SME Sector Report: Cybersecurity Challenges. AGI
Press. Bank of Ghana. 2022. Cybersecurity Risk Management in Financial Institutions. Bank of Ghana Bulletin.
Cyber Security Authority. (2023). State of Cybersecurity in Ghana Report. Cyber Security Authority. Ghana
Statistical Service. (2021). Economic Survey Report. GSS. National Institute of Standards and Technology,
2021. Cybersecurity Framework Version 1.1. National Institute of Standards and Technology. World Bank.
(2022). Digital Economy and SME Development in Sub-Saharan Africa. World Bank Publications.

10. Conclusion
This project addresses a significant deficiency in cybersecurity governance for Ghanaian SMEs by integrating
technical tools, including open-source software, with policy advocacy. The research provides actionable insights
for academia, policymakers, and SMEs by aligning with critical issues in Information Systems: digital
resilience, SME digitisation, and regulatory compliance. The suggested governance approach will enable SMEs
to attain sustained compliance, hence strengthening their resilience and contribution to Ghana's digital economy.