Cybersecurity Standards in Critical Infrastructure Protection: A Maturity Model for Finnish SMEs

Open Access
Article
Conference Proceedings
Authors: Kim Rejman, Markus Sihvonen

Abstract: The protection of critical infrastructure such as energy grids, water supply systems, and transportation networks has become a central concern in national and organizational security strategies. These systems form the backbone of societal functionality, and disruptions can lead to severe economic losses, safety risks, and societal instability. As digitalization accelerates, their vulnerability to cyber threats increases, making cybersecurity standards essential for both operational resilience and strategic preparedness. This study investigates whether Finnish companies utilize cybersecurity standards such as ISO/IEC 27001 and the NIST Cybersecurity Framework to safeguard critical infrastructure, and how their adoption influences strategic decision-making, operational practices, competence development, and stakeholder collaboration. These standards support regulatory compliance and unify practices across sectors, but their effective implementation requires leadership commitment, resources, and continuous development, especially in environments where regulation may lag technological change. The findings show that standards are widely adopted, but the extent and effectiveness vary significantly depending on organizational size, industry, and cybersecurity maturity. Larger organizations tend to integrate standards into strategic decision-making and risk management, whereas smaller firms often apply them reactively. The effectiveness of standards is highest when combined with continuous improvement, maturity assessments, and targeted training. Cybersecurity standards are not merely technical guidelines but strategic tools for leadership, planning, and culture-building. To enhance their impact, companies should integrate standards into business strategy and governance, invest in staff training and competence development, leverage expert networks and collaborative partnerships, and actively engage stakeholders, especially in sectors where cybersecurity directly affects operational continuity. This research provides actionable insights for companies, policymakers, and security professionals aiming to improve national resilience through standardized and proactive cybersecurity practices.

Keywords: Security standards, critical infrastructure, risk management, cybersecurity culture, cyber readiness, cyber strategy, strategic decision-making

DOI: 10.54941/ahfe1007043
