In the current context of digital transformation, Micro-, Small-, and Medium-Sized Enterprises (MSMEs) are increasingly exposed to cybersecurity risks. This exposure is intensified by the limited adoption of international standards for identifying impacts, low budgets, and a shortage of trained personnel, which together leave these organizations without structured control plans for mitigating cyber risks. (1) This study proposes a mechanism for selecting a cybersecurity risk analysis and management methodology suited to Colombian MSMEs by applying the multi-criteria Analytic Hierarchy Process (AHP) method. (2) The approach is qualitative and follows the AHP procedure to select the most suitable option for cybersecurity risk management. The selection process evaluated different criteria across five standards: ISO/IEC 27005:2022, NIST SP 800-30, OCTAVE-S, MAGERIT, and EBIOS-RM. (3) The AHP method enabled, in a practical manner, the selection of OCTAVE-S as the primary methodology, complemented with elements from the other standards. Finally, the proposed methodology was implemented in a cloud-based web application called the Risk Analysis Module, integrated into the Keru IT security platform. It is concluded that the multi-criteria AHP method is effective and allows organizations to select the standards most appropriate to their needs, with potential applicability to other types of decisions.
Blandón et al. studied this question.
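The abstract names AHP as the selection mechanism but does not show its arithmetic. The following is an added example, not code or data from the paper, that carries the AHP procedure through for the five standards it lists: pairwise judgments are expanded into reciprocal matrices, priority vectors are derived, each matrix is checked with Saaty's consistency ratio, and criterion weights are combined with local priorities into a global ranking. The three criteria and every judgment value are constructed for illustration, so the resulting order is not the paper's finding.

```python
# Added example, not code or data from the paper: the core AHP arithmetic used to
# rank candidate risk-analysis standards. All pairwise judgments are constructed.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32}
STANDARDS = ["ISO/IEC 27005:2022", "NIST SP 800-30", "OCTAVE-S", "MAGERIT", "EBIOS-RM"]

def reciprocal_matrix(n, judgments):
    """Expand upper-triangle judgments {(i, j): a_ij} into a full reciprocal matrix."""
    m = [[1.0] * n for _ in range(n)]
    for (i, j), v in judgments.items():
        m[i][j], m[j][i] = float(v), 1.0 / v
    return m

def priority_vector(m):
    """Approximate the principal eigenvector: normalise each column, average the rows."""
    n = len(m)
    col = [sum(m[i][j] for i in range(n)) for j in range(n)]
    return [sum(m[i][j] / col[j] for j in range(n)) / n for i in range(n)]

def consistency_ratio(m):
    """Saaty's CR = CI / RI; a CR above 0.10 means the judgments should be revisited."""
    n, w = len(m), priority_vector(m)
    if n <= 2:
        return 0.0
    lam = sum(sum(m[i][j] * w[j] for j in range(n)) / w[i] for i in range(n)) / n
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]

def rank_alternatives(criteria_m, per_criterion_m, names=STANDARDS):
    """Global score of each alternative = sum over criteria of weight_k x local priority."""
    weights = priority_vector(criteria_m)
    scores = dict.fromkeys(names, 0.0)
    for w_k, m in zip(weights, per_criterion_m):
        for name, p in zip(names, priority_vector(m)):
            scores[name] += w_k * p
    return scores

# Constructed judgments for three hypothetical criteria (implementation cost, staff
# expertise required, breadth of coverage); these are not the paper's values.
CRITERIA = reciprocal_matrix(3, {(0, 1): 2, (0, 2): 4, (1, 2): 2})
ALTERNATIVES = [
    reciprocal_matrix(5, {(0, 1): 1, (0, 2): 1/4, (0, 3): 1/2, (0, 4): 1, (1, 2): 1/4,
                          (1, 3): 1/2, (1, 4): 1, (2, 3): 2, (2, 4): 3, (3, 4): 2}),
    reciprocal_matrix(5, {(0, 1): 1/2, (0, 2): 1, (0, 3): 1/4, (0, 4): 1/2, (1, 2): 2,
                          (1, 3): 1/2, (1, 4): 1, (2, 3): 1/4, (2, 4): 1/2, (3, 4): 2}),
    reciprocal_matrix(5, {(0, 1): 1, (0, 2): 3, (0, 3): 1, (0, 4): 1, (1, 2): 3,
                          (1, 3): 1, (1, 4): 1, (2, 3): 1/3, (2, 4): 1/3, (3, 4): 1}),
]

if __name__ == "__main__":
    print([round(consistency_ratio(m), 3) for m in [CRITERIA, *ALTERNATIVES]])
    print(sorted(rank_alternatives(CRITERIA, ALTERNATIVES).items(), key=lambda kv: -kv[1]))
```

The consistency check is the part worth keeping in any AHP-based selection: a judgment set such as "A beats B, B beats C, C beats A" passes no syntactic validation but produces a CR well above 0.10 and should be sent back to the assessors.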