Abstract:
"The constantly evolving threat landscape has made it mandatory for any organization that relies on information technology for its operations to implement security controls. However, an organization cannot assume that implementing a subset of these controls makes it secure against all information security threats. Hence, most enterprise and financial organizations use security posture assessment mechanisms to evaluate their network infrastructure. For SME organizations, however, conducting a security assessment is a great challenge because of financial and knowledge constraints. As a result, SMEs simply assume that the security controls and solutions they have implemented provide the intended protection for their network infrastructure, which is an alarming practice from an information security perspective.

This study addresses this problem by conducting a set of interviews with the personnel responsible for security in SME organizations in Sri Lanka. The data gathered from the interviews is analyzed with a qualitative approach using the thematic analysis method; this methodology was selected in order to understand the subjects' perspective and so address the problem accurately. As the final outcome, the study introduces a self-evaluation framework. The framework is built around tools that are freely available and well known for information security assessment, and it provides a holistic approach to evaluating the network infrastructure security posture of an SME organization by combining risk-based assessment with security testing-based assessment."