A Sectoral Study of Cyber Threats and Vulnerability Management in Resource-Constrained Nigerian SMEs’
DOI:
https://doi.org/10.70112/ajeat-2025.14.1.4297Keywords:
Cybersecurity Resilience, Unpatched Vulnerabilities, Small and Medium Enterprises (SMEs), Social Engineering, Human and Technical ConstraintsAbstract
Nigerian SMEs face increasing cyber threats due to unpatched vulnerabilities and limited cybersecurity resources. Human and technical constraints have contributed to weak defences, exposing businesses to malware, ransomware, and social engineering attacks. Understanding these risks is essential to improving cybersecurity resilience. This study investigates the prevalence and severity of unpatched vulnerabilities among 100 Nigerian SMEs, focusing on how human and technical constraints influence their cybersecurity posture. An anonymous web-based survey was used to assess patch management practices, exposure to cyber threats, and security gaps. Responses were analyzed thematically to identify recurring patterns of weakness in human behavior, technical infrastructure, and organizational practices. Findings reveal that 78% of SMEs experienced at least one cybersecurity incident in the past year. The most common threats were social engineering (42%) and unpatched software vulnerabilities (38%). Thematic analysis of 65 qualitative responses identified key challenges such as ineffective security practices (n=25), low cybersecurity awareness (n=22), and resource constraints (n=18). Notably, only 29% of SMEs had a dedicated cybersecurity budget. These findings highlight the urgent need for sector-specific, cost-effective training and affordable security frameworks tailored to SMEs. Practical policy support is essential to bridging the cybersecurity gap in resource- constrained environments.
References
[1]L. Bamidele, L. Benjamin, A. Adegbola, P. Amajuoyi, M. Adegbola,and K. Adeusi, “Digital transformation in SMEs: Identifying cybersecurity risks and developing effective mitigation strategies,” Glob. J. Eng. Technol. Adv., 2024. [Online]. Available:https://doi.org/10.30574/gjeta.2024.19.2.0084
[2]E. Onatuyeh et al., “Cybersecurity and business survival in Nigeria: Building customer's trust,” Afr. J. Appl. Res., vol. 11, no. 1, 2025.[Online]. Available: https://doi.org/10.26437/ajar.v11i1.882
[3]S. Ewuga, Z. Egieya, A. Omotosho, and A. Adegbite, “Comparative review of technology integration in SMEs: A tale of two economies - The United States and Nigeria,” Eng. Sci. Technol. J., vol. 4, no. 6,2023. [Online]. Available: https://doi.org/10.51594/estj.v4i6.680
[4]F. Ikuero, “Preliminary review of cybersecurity coordination in Nigeria,” Niger. J. Technol., vol. 41, no. 3, 2022. [Online]. Available:https://doi.org/10.4314/njt.v41i3.11
[5]C. Jerome, J. Ezinne, and K. Abia, “Cybersecurity challenges in Nigeria: The way forward,” Oforji, 2017.
[6]E. Onatuyeh et al., “Cybersecurity and business survival in Nigeria: Building customer's trust,” Afr. J. Appl. Res., vol. 11, no. 1, 2025.[Online]. Available: https://doi.org/10.26437/ajar.v11i1.882
[7]H. Ukwuoma, I. Williams, and I. Choji, “Digital economy and cybersecurity in Nigeria: Policy implications for development,” Int. J. Innov. Digit. Econ., vol. 13, pp. 1–11, 2022. [Online]. Available:https://doi.org/10.4018/ijide.292489
[8]Y. Ibrahim et al., “Cybersecurity and cybercrimes in Nigeria: An overview of challenges and prospects,” in Proc. 2024 Int. Conf. Sci.,Eng. Bus. Driving Sustainable Development Goals (SEB4SDG), 2024, pp. 1–7. [Online]. Available: https://doi.org/10.1109/SEB4SDG60871.2024.10630301
[9]A. Iorliam, “Cybersecurity and mobile device forensic,” in Cybersecurity in Nigeria, Springer, 2019. [Online]. Available:https://doi.org/10.1007/978-3-030-15210-9_4
[10]J. De Arroyabe, M. Arroyabe, I. Fernandez, and C. Arranz,“Cybersecurity resilience in SMEs: A machine learning approach,” J. Comput. Inf. Syst., 2023. [Online]. Available: https://doi.org/10.1080/08874417.2023.2248925
[11]L. Wong, V. Lee, G. Tan, K. Ooi, and A. Sohal, “The role ofcybersecurity and policy awareness in shifting employee complianceattitudes: Building supply chain capabilities,” Int. J. Inf. Manag., vol.66, p. 102520, 2022. [Online]. Available: https://doi.org/10.1016/j.ijin fomgt.2022.102520
[12]M. Neri, F. Niccolini, and L. Martino, “Organizational cybersecurityreadiness in the ICT sector: A quanti-qualitative assessment,” Inf. Comput. Secur., vol. 32, pp. 38–52, 2023. [Online]. Available:https://doi.org/10.1108/ics-05-2023-0084
[13]Q. Aigbefo, Y. Blount, and M. Marrone, “The influence of hardinessand habit on security behaviour intention,” Behav. Inf. Technol., vol.41, pp. 1151–1170, 2020. [Online]. Available: https://doi.org/10.1080/0144929X.2020.1856928
[14]Z. Wang, H. Zhu, and L. Sun, “Social engineering in cybersecurity: Effect mechanisms, human vulnerabilities and attack methods,” IEEE Access, vol. 9, pp. 11895–11910, 2021. [Online]. Available: https://doi.org/10.1109/ACCESS.2021.3051633
[15]J. Olaniyan and A. Ogunola, “Protecting small businesses from socialengineering attacks in the digital era,” World J. Adv. Res. Rev., 2024.[Online]. Available: https://doi.org/10.30574/wjarr.2024.24.3.3745
[16]W. Syafitri, Z. Shukur, U. Mokhtar, R. Sulaiman, and M. Ibrahim, “Social engineering attacks prevention: A systematic literature review,” IEEE Access, 2022, pp. 1–1. [Online]. Available: https://doi.org/10.1109/ACCESS.2022.3162594
[17]G. White, R. Allen, A. Samuel, A. Abdullah, and R. Thomas,“Antecedents of cybersecurity implementation: A study of the cyber-preparedness of U.K. social enterprises,” IEEE Trans. Eng. Manag., pp. 1–12, 2020. [Online]. Available: https://doi.org/10.1109/TEM.2020.2994981
[18]N. Wulandari, M. Adnan, and C. Wicaksono, “Are you a soft target for cyber-attack? Drivers of susceptibility to social engineering-based cyber-attack (SECA): A case study of mobile messaging application,” Hum. Behav. Emerg. Technol., 2022. [Online]. Available:https://doi.org/10.1155/2022/5738969
[19]N. Beu et al., “Falling for phishing attempts: An investigation ofindividual differences that are associated with behavior in a naturalistic phishing simulation,” Comput. Secur., vol. 131, p. 103313, 2023. [Online]. Available: https://doi.org/10.1016/j.cose.2023.103313
[20]M. Chronopoulos, E. Panaousis, and J. Grossklags, “An options approach to cybersecurity investment,” IEEE Access, vol. 6, pp.12175–12186, 2018. [Online]. Available: https://doi.org/10.1109/ACCESS.2017.2773366
[21]A. Fedele and C. Roner, “Dangerous games: A literature review oncybersecurity investments,” J. Econ. Surv., 2021. [Online]. Available: https://doi.org/10.1111/joes.12456
[22]J. Simon and A. Omar, “Cybersecurity investments in the supply chain: Coordination and a strategic attacker,” Eur. J. Oper. Res., vol. 282, pp. 161–171, 2020. [Online]. Available: https://doi.org/10.1016/j.ejor.2019.09.017
[23]S. Armenia, M. Angelini, F. Nonino, G. Palombi, and M. Schlitzer, “A dynamic simulation approach to support the evaluation of cyber risksand security investments in SMEs,” Decis. Support Syst., vol. 147, p.113580, 2021. [Online]. Available: https://doi.org/10.1016/J.DSS.20 21.113580
[24]M. Arroyabe, C. Arranz, I. De Arroyabe, and J. De Arroyabe,“Exploring the economic role of cybersecurity in SMEs: A case studyof the UK,” Technol. Soc., 2024. [Online]. Available: https://doi.org/10.1016/j.techsoc.2024.102670
[25]A. Alahmari and R. Duncan, “Investigating potential barriers tocybersecurity risk management investment in SMEs,” in Proc. 202113th Int. Conf. Electron., Comput. Artif. Intell. (ECAI), 2021, pp. 1–6. [Online]. Available: https://doi.org/10.1109/ECAI52376.2021.9515166
[26]I. De Arroyabe, C. Arranz, M. Arroyabe, and J. De Arroyabe,“Cybersecurity capabilities and cyber-attacks as drivers of investmentin cybersecurity systems: A UK survey for 2018 and 2019,” Comput. Secur., vol. 124, p. 102954, 2022. [Online]. Available:https://doi.org/10.1016/j.cose.2022.102954
[27]S. Kabanda, M. Tanner, and C. Kent, “Exploring SME cybersecuritypractices in developing countries,” J. Organ. Comput. Electron.Commer., vol. 28, pp. 269–282, 2018. [Online]. Available:https://doi.org/10.1080/10919392.2018.1484598
[28]T. Boonen, Y. Feng, and Z. Tong, “Cybersecurity investments andcyber insurance purchases in a non-cooperative game,” ASTIN Bull., 2025. [Online]. Available: https://doi.org/10.1017/asb.2024.40
[29]M. Marican, S. Razak, A. Selamat, and S. Othman, “Cybersecurity maturity assessment framework for technology startups: A systematicliterature review,” IEEE Access, vol. 11, pp. 5442–5452, 2023.[Online]. Available: https://doi.org/10.1109/ACCESS.2022.3229766
[30]O. O. Blaise, I. Aaron, U. Alfred, and A. Amusa, “Evaluating theethical frameworks of information security professionals: Acomparative analysis,” Asian J. Comput. Sci. Technol., vol. 13, no. 2,pp. 61–66, Nov. 2024. [Online]. Available: https://doi.org/10.70112/ajcst-2024.13.2.4289
[31]M. S. Islam, M. Sajjad, M. M. Hasan, and M. S. I. Mazumder,“Phishing attack detecting system using DNS and IP filtering,” Asian J.Comput. Sci. Technol., vol. 12, no. 1, pp. 16–20, 2023. [Online]. Available: https://doi.org/10.51983/ajcst-2023.12.1.3552
[32]S. Ravichandran and K. L. N. Rao, “Design and development of anadvancing web information stockpiling for engraved ontology in usercontours,” Asian J. Comput. Sci. Technol., vol. 11, no. 2, pp. 11–15, 2022. [Online]. Available: https://doi.org/10.51983/ajcst-2022.11.2.3379
[33]K. A. Y. Yaseen, “Importance of cybersecurity in the higher education sector,” Asian J. Comput. Sci. Technol., vol. 11, no. 2, pp. 20–24, 2022. [Online]. Available: https://doi.org/10.51983/ajcst-2022.11.2.3448
[34]A. M. Auwal and S. Lazarus, “Sociological and criminological research of victimization issues: Preliminary stage and new sphere of cybercrime categorization,” J. Digit. Technol. Law, vol. 2, no. 4, pp.915–942, 2024. [Online]. Available: https://doi.org/10.21202/jdtl. 2024.44.
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2025 Centre for Research and Innovation
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
