Abstract
The growing sophistication of cyberattacks exposes small- and medium-sized businesses (SMBs) to a widening range of security risks. As these threats evolve in complexity, the need for advanced security measures becomes increasingly pressing and calls for a proactive approach to defending against potential intrusions. Emerging technologies such as blockchain, artificial intelligence, and the Zero Trust security framework offer crucial tools for strengthening the digital infrastructure of SMBs. Zero Trust architecture (ZTA) in particular holds significant promise as a strategy for protecting SMBs. While existing literature explores the implementation of ZTA in various business settings, discussions that specifically address the financial, human-resource, and capability limitations of SMBs remain scarce. Given the vital role of SMBs in the global economy, this research bridges that gap and assists researchers and practitioners in enhancing the cybersecurity of SMBs through ZTA adoption by examining and classifying the risks that may arise during the pre- and post-deployment phases of ZTA implementation within SMBs. The risks, benefits, and challenges of ZTA adoption are introduced from the perspective of SMBs, and practical solutions and mitigation strategies are provided to address the identified ZT risks and streamline the migration process. The findings show that ZTA will bolster the cybersecurity posture and reduce the cyber risk of SMBs only if they address its associated risks effectively. Future research directions underscore the need for further work to help SMBs migrate to ZTA and mitigate the risks it may pose.
Keywords: cyber risk management, small–medium businesses, Zero Trust architecture, Zero Trust residual risk, Zero Trust residual risk remediations
1. INTRODUCTION
Small- and medium-sized businesses (SMBs) play a pivotal role in the global economy, since they provide employment to the vast majority of the workforce. The U.S. Small Business Administration (SBA) reported that SMBs constitute 99.9% of US businesses; there are 33.2 million small businesses, and their workforce of about 61.7 million people represents 46.4% of US employees (U.S. SBA, 2022). These statistics depict the pivotal role SMBs play in the global economy. Cyberattacks can therefore cause severe damage and disruption to valuable assets, critical infrastructures, and industry sectors such as healthcare, energy, banking, stock markets (Rinaldi et al., 2001), and maritime logistics (Abdelmagid et al., 2021, 2022a, 2022b). The financial damage caused by cybercrime rose from $3 trillion in 2015 to $9.5 trillion in 2024 and is expected to reach $10.5 trillion by 2025 (Sausalito, 2024). According to the 2024 IBM Cost of a Data Breach Report, the average cost of a data breach is $4.88 M, a 10% increase over 2023 and the highest figure ever recorded among large organizations (IBM, 2024). SMBs are considered low-hanging fruit for cyber attackers, and 43% of cyber incidents are directed at them (Palatty, 2024). Hence, SMBs must implement adequate cybersecurity practices to keep their digital infrastructure safe. However, Renaud and Weir (2016) pointed out that SMBs lack the cybersecurity measures needed to cope in practice with cyberattacks that are increasing in both frequency and complexity. SMBs are therefore more prone than large organizations to severe consequences such as financial losses, productivity disruptions, and possibly bankruptcy (Chidukwani et al., 2022).
SMB managers usually lack the resources and capabilities needed to adopt adequate cybersecurity measures. Nivarthi and Gatla (2022) noted that for 55% of SMBs in the United States the primary challenge is maintaining a robust cybersecurity scheme, owing to a lack of resources and knowledge. SMBs require a straightforward procedure to handle the rapid and continuous evolution of cyberattacks and information system threats (Njenga & Jordaan, 2016). In addition, the limited budgets of SMBs leave their networks inadequately fortified against cyber threats. Because of these obstacles, SMBs are easy targets for adversaries launching sophisticated attacks such as phishing, malware, and ransomware. The fact that SMBs face the same severe cyberattacks as large organizations while allocating fewer resources and capabilities to cybersecurity amplifies the losses (Sukumar et al., 2023).
Alvarado (2022) and Levy and Gafni (2022) noted that the Defense Industrial Base (DIB) consists of more than 300,000 small businesses that need help to comply with the Department of Defense (DoD) security requirements. A data breach at one of these subcontractors can cascade, exposing DoD Controlled Unclassified Information and consequently affecting national security. In line with this, an executive order issued in 2021 by President Biden (The White House, 2021) urged US agencies and organizations to implement Zero Trust (ZT) security models, as highlighted by Office of Management and Budget Memoranda M-22-09 (Young, 2022) and M-21-31 (Young, 2021) and National Security Memorandum 8 (The White House, 2022), to reduce the attack surface and enhance organizations' security posture. Memorandum M-22-09 (Young, 2022) builds on Executive Order 14028 (The White House, 2021) to highlight the significance of migrating to the ZT paradigm in order to protect critical infrastructures from sophisticated cyberattacks that affect national safety, privacy, and the economy.
In addition, the Department of Homeland Security (DHS) pushed for migration to the ZT security model, since the conventional network-centric techniques adopted within the DHS are expensive, untenable, and inadequate (Department of Homeland Security, 2023). In January 2024, the DHS published a ZT implementation strategy to streamline and prioritize the adoption of its security tools and to encourage business organizations and agencies to follow suit.
The ZT security model is a multistage security approach to organizations' networks that depends on authenticating and verifying every access request from a user or piece of software (Campbell, 2020); in other words, it follows a "never trust, always verify" principle. ZT security tools can effectively enhance the security posture of business organizations against data breaches and malware by preventing the installation of malicious software on users' devices (Adahman et al., 2022). They can also lessen the likelihood of lateral movement by limiting access to the resources that are actually needed and protecting the domain (Adahman et al., 2022). A further threat that ZT architecture (ZTA) can protect against is ransomware, which can wreak havoc and cause severe financial losses (Abdelmagid et al., 2023; Adahman et al., 2022). Figure 1 illustrates the differences between perimeter-based security tools and ZTA when facing different cyberattacks.
FIGURE 1.

A comparison between combating a data breach attack scenario with and without implementing Zero Trust architecture (ZTA) (Adahman et al., 2022).
As shown in Figure 1, ZTA can prevent the disclosure of sensitive information, monetary losses such as ransom payments, and the cost of IT system recovery. This aligns with the attributes of SMBs, which suffer from limited financial and human resources, and represents a strategic move toward enhancing their cybersecurity posture, since it mandates advanced security techniques and systems such as Identity and Access Management (IAM), Multi-Factor Authentication (MFA), and Extended Detection and Response (XDR) (Craven, 2021). Despite the advantages of ZT discussed above, its adoption as a replacement for traditional security solutions is still progressing slowly among business organizations (Buck et al., 2021). Adoption is lower still among smaller organizations: implementation of the ZT paradigm is below 50% among organizations with fewer than 1000 employees (Lillis, 2024).
Traditional security solutions are ineffective against the vulnerabilities introduced by remote work, which increased during the COVID-19 pandemic. The need for regular access to resources and software by external users and devices, together with the emergence of Bring Your Own Device policies, can lead to data breaches, according to the IBM report (IBM, 2024). The IBM report highlighted that the average data breach loss for an organization in which 81%-100% of employees work remotely is $5.54 million (IBM Security, 2021). On top of that, the interactions between organizations and their suppliers, customers, and contractors can introduce cyber threats. By migrating to the ZT model, SMBs can protect each digital entity separately, so the cascading effect is diminished if one entity within the network is compromised (Tam et al., 2021). In addition, every access request is authenticated, authorized, and encrypted before it is granted.
The ZT security paradigm can serve SMBs well and satisfy their security needs precisely because SMB digital infrastructure is inherently less uniform. The IT infrastructure of SMBs comprises a limited number of legacy systems to replace, and their scattered IT activities can align with the ZT model (Javadnejad et al., 2024; Tam et al., 2021). Handling legacy systems is one of the significant constraints for large organizations when investing in ZT security tools (Teerakanok et al., 2021). The situation is different in SMBs, because the majority of them neither operate complex IT systems nor own dedicated security devices; the migration to ZT in SMBs can therefore be less complicated. In practice, however, migration to ZTA faces barriers that include limited resources, integration complexities, and incompatibility with SMBs' characteristics and security needs (Ashfaq et al., 2023).
Despite the fact that safeguarding the digital infrastructure for SMBs is crucial, the research studies and discussions focusing on implementing ZTA within SMBs are still limited. Hence, this paper strives to respond to the following research questions:
- RQ1: What are the pros, cons, and implementation hurdles of ZTA in the context of SMBs?
- RQ2: How can SMBs leverage the benefits, navigate the disadvantages, and manage the implementation risks of ZTA?
To respond to the research questions above, this article provides an overview of ZTA from the SMBs' perspective, including its benefits, challenges, and associated risks, by surveying both the gray and academic literature. In addition, a taxonomy of the risks raised by implementing ZT is developed on the basis of three main risk factors, supply chain, operational, and financial risks, together with further subcategories. Each category and subcategory is then illustrated in the scope of SMBs, followed by practical solutions and mitigation approaches that align with the business and financial nature of SMBs. To the best of the authors' knowledge, a holistic classification of ZT risks, benefits, and criticisms from the perspective of SMBs has not been presented before.
In addition, very few articles discuss the adoption of ZTA in SMBs, and no existing studies explicitly elaborate on its associated risks and how to mitigate them, considering the unique business attributes of SMBs. Some risks are common regardless of the organization size (e.g., the technical risks discussed in Subsection 5.3.1); nonetheless, the mitigation measures suggested are tailored to SMBs. Moreover, this research reveals the role ZTA components can play in enhancing Governance, Risk, and Compliance activities, as well as streamlining the enterprise risk management approach for SMBs.
The remainder of this paper is organized as follows. Section 2 presents the methodological framework that depicts the systematic approach used to arrive at the research findings, while Section 3 discusses the main components of ZTA and their interaction mechanism. Section 4 discusses the advantages and pitfalls of ZTA for SMBs. Section 5 introduces the threats associated with the ZT security paradigm. Section 6 recommends mitigation strategies and relevant actions to mitigate ZT risks. Finally, conclusions and future work are discussed in Section 7.
2. METHODOLOGICAL FRAMEWORK
This research endeavors to comprehensively investigate the benefits and limitations of ZTA within the context of SMBs. Furthermore, it aims to provide an in‐depth discussion of the implementation risks associated with ZTA from various perspectives, including organizational, technical, and supply chain aspects. The methodological framework adopted for this study is illustrated in Figure 2. The method followed to conduct this research is the classical literature review approach. Initially, the background of the problem, the research questions, and the research objectives were identified through an extensive review of both gray and academic literature. The selected resources were meticulously analyzed to extract pertinent information related to the benefits, drawbacks, and implementation risks of ZTA from the perspective of SMBs. The identified risks were then categorized into various subcategories to explore their underlying causes and impacts on SMBs. Finally, remediation strategies were proposed to assist practitioners in mitigating or eliminating these identified risks. Further information on the mechanism executed to collate the relevant academic and gray resources, and the key findings will be introduced in Subsections 2.1 and 2.2. The preliminary findings of surveying both the academic and gray literature (GL) are discussed in Subsection 2.3.
FIGURE 2.

The research approach.
2.1. Academic literature search approach
For the academic literature survey, keywords such as "Zero Trust," OR "zero-trust," OR "software-defined perimeter," OR "BeyondCorp," AND "Small Businesses," OR "SMBs," OR "Small-Medium Businesses," OR "Small-Medium Enterprises" OR "SMEs", AND "Implementation Risks," OR "Benefits," OR "Challenges," OR "Threats," OR "Disadvantages" were combined in search queries run across IEEE Xplore, ScienceDirect, ACM, JSTOR, SpringerLink, ProQuest, and Web of Science to gather relevant academic resources. The academic resources include research articles (journal or conference papers), master's theses, doctoral dissertations, and book chapters. The titles and abstracts of the retrieved resources were screened to decide whether each item was relevant to this research context. This process informed the development of inclusion and exclusion criteria similar to those introduced by Buck et al. (2021), with additional considerations that align with this paper's objectives and refine the literature survey process.
The articles included in this research must (1) have the full text available; (2) be published in peer-reviewed journals or conferences; (3) make a clear contribution to ZTA; (4) discuss at least one of the following aspects: ZTA benefits, downsides, and/or implementation risks; and (5) refer to SMBs in the context of ZTA. Articles were excluded if they (1) did not reflect a clear contribution to ZTA, (2) did not include an in-depth treatment of the ZTA concept, (3) were written in a language other than English, or (4) did not discuss any of the aspects listed in item (4) of the inclusion criteria. After applying these inclusion and exclusion criteria, 30 academic references were identified.
2.2. Grey literature search approach
The gray literature (GL) search used the Google search engine to collect evidence related to the research problem. The advanced search option was used with the keywords specified in the previous subsection to identify relevant information. The resources included governmental reports developed by federal institutions such as the National Institute of Standards and Technology (NIST), Executive Orders, and Memoranda; technical articles written by authors with strong technical backgrounds in cybersecurity and ZTA; industrial reports published by security companies; and white papers. The search followed the stopping rule proposed by Butijn et al. (2020): if the results of three consecutive pages contain less than 25% relevant references, the search is stopped. The inclusion and exclusion criteria are quite similar to their academic literature counterparts. In the end, 19 relevant GL references were found to match the objectives of this research. Table 1 shows a classification of the 49 references found in total and their mapping to the developed ZT risk taxonomy, in addition to differentiating this study from the literature.
TABLE 1.
The found references classification and their mappings to the proposed taxonomy.
| ZTA risks | Mitigations suggested | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Author Name, Year | AL | GL | Document type | ZTA pros | ZTA cons | FR | TR | OR | SCR | FRM | TRM | ORM | SCRM | Refer to SMBs? |
| (The White House, 2021) | ▪ | GR | ▪ | |||||||||||
| (Young, 2022) | ▪ | GR | ▪ | |||||||||||
| (Young, 2021) | ▪ | GR | ▪ | |||||||||||
| (The White House, 2022) | ▪ | GR | ▪ | |||||||||||
| (Department of Homeland Security, 2023) | ▪ | GR | ▪ | |||||||||||
| (Campbell, 2020) | ▪ | RA | ▪ | ▪ | ▪ | |||||||||
| (Adahman et al., 2022) | ▪ | RA | ▪ | ▪ | ▪ | ▪ | ||||||||
| (Craven, 2021) | ▪ | TA | ▪ | ▪ | ▪ | |||||||||
| (Buck et al., 2021) | ▪ | RA | ▪ | ▪ | ▪ | |||||||||
| (Lillis, 2024) | ▪ | TA | ▪ | ▪ | ▪ | ▪ | ▪ | ▪ | ||||||
| (Tam et al., 2021) | ▪ | RA | ▪ | ▪ | ||||||||||
| (Teerakanok et al., 2021) | ▪ | RA | ▪ | ▪ | ▪ | ▪ | ▪ | |||||||
| (Ashfaq et al., 2023) | ▪ | RA | ▪ | ▪ | ▪ | ▪ | ▪ | ▪ | ▪ | |||||
| (Aurelien, 2021) | ▪ | TH/DS | ▪ | ▪ | ||||||||||
| (Stafford, 2020) | ▪ | GR | ▪ | ▪ | ▪ | |||||||||
| (Uwaoma, 2023) | ▪ | RA | ▪ | ▪ | ▪ | |||||||||
| (Syed et al., 2022) | ▪ | RA | ▪ | |||||||||||
| (Dijen, 2023) | ▪ | TH/DS | ▪ | |||||||||||
| (Boxley, 2022) | ▪ | RA | ▪ | |||||||||||
| (Kudrati & Pillai, 2022) | ▪ | BC | ▪ | ▪ | ▪ | ▪ | ▪ | |||||||
| (Heidorn, 2021) | ▪ | GR | ▪ | ▪ | ▪ | |||||||||
| (Moubayed et al., 2019) | ▪ | RA | ▪ | ▪ | ||||||||||
| (Okta, 2023) | ▪ | IR | ▪ | ▪ | ▪ | ▪ | ||||||||
| (Daley, 2022) | ▪ | RA | ▪ | ▪ | ▪ | ▪ | ||||||||
| (Michael et al., 2022) | ▪ | RA | ▪ | |||||||||||
| (Swearingen et al., 2024) | ▪ | RA | ▪ | ▪ | ||||||||||
| (Kramer et al., 2022) | ▪ | IR | ▪ | ▪ | ▪ | ▪ | ||||||||
| (Levine & Tucker, 2023) | ▪ | RA | ▪ | ▪ | ▪ | ▪ | ▪ | |||||||
| (Shea & Turpitka, 2022) | ▪ | TA | ▪ | ▪ | ▪ | ▪ | ▪ | |||||||
| (Tyler & Viana, 2021) | ▪ | RA | ▪ | ▪ | ▪ | |||||||||
| (Mutabazi et al., 2023) | ▪ | RA | ▪ | ▪ | ▪ | ▪ | ▪ | |||||||
| (Qazi, 2022) | ▪ | RA | ▪ | ▪ | ▪ | ▪ | ||||||||
| (Luckett, 2024) | ▪ | TH/DS | ▪ | ▪ | ▪ | ▪ | ▪ | ▪ | ▪ | |||||
| (Itodo, 2024) | ▪ | TH/DS | ▪ | ▪ | ▪ | ▪ | ▪ | ▪ | ||||||
| (Itodo & Ozer, 2024) | ▪ | RA | ▪ | |||||||||||
| (NSTAC, 2024) | ▪ | GR | ▪ | ▪ | ▪ | ▪ | ||||||||
| (Sanders, 2021) | ▪ | RA | ▪ | ▪ | ||||||||||
| (Stelzer, 2021) | ▪ | TA | ▪ | ▪ | ▪ | |||||||||
| (Deloitte, 2023) | ▪ | TA | ▪ | ▪ | ||||||||||
| (Garbis & Chapman, 2021) | ▪ | BC | ▪ | ▪ | ▪ | |||||||||
| (Phiayura & Teerakanok, 2023) | ▪ | RA | ▪ | ▪ | ||||||||||
| (AWS, 2024) | ▪ | TA | ▪ | ▪ | ▪ | |||||||||
| (Zyoud & Lutfi, 2024) | ▪ | RA | ▪ | ▪ | ▪ | |||||||||
| (Collier & Sarkis, 2021) | ▪ | RA | ▪ | ▪ | ▪ | ▪ | ||||||||
| (Yaari, 2023) | ▪ | TA | ▪ | |||||||||||
| (Vukotich & Hurt, 2023) | ▪ | RA | ▪ | ▪ | ||||||||||
| (Collier & Thekdi, 2024) | ▪ | BC | ▪ | ▪ | ▪ | |||||||||
| (Kudrati & Xia, 2022) | ▪ | TA | ▪ | |||||||||||
| (DiMase et al., 2021) | ▪ | WP | ▪ | ▪ | ▪ | ▪ | ||||||||
| This study | ▪ | RA | ▪ | ▪ | ▪ | ▪ | ▪ | ▪ | ▪ | ▪ | ▪ | ▪ | ▪ | |
Abbreviations: AL, academic literature; BC, book chapter; FR, financial risks; FRM, financial risks mitigations; GL, gray literature; GR, governmental report; OR, organizational risks; ORM, organizational risks mitigations; RA, research article; SCR, supply chain risks; SCRM, supply chain risks mitigations; TA, technical article; TH/DS, thesis/dissertation; TR, technical risks; TRM, technical risks mitigations; WP, white paper.
2.3. Preliminary insights
The results of both the academic and gray literature surveys show that considerable and increasing attention is being given to ZTA as a risk countermeasure. As shown in Figures 3 and 4, academic researchers, nonacademic organizations, industrial enterprises, and governmental institutions are investigating the impact of implementing ZTA and how to overcome its disadvantages and navigate its associated hurdles. Regarding its pros and cons, most of the references focused on the advantages of ZTA (33 out of 49 references), while only eight discussed its disadvantages (excluding this study). Moreover, only 15 of the 49 items referred to ZTA in the context of SMBs, as shown in Figure 5; of these, 11 highlighted its advantages and only 2 discussed its disadvantages for SMBs. Regarding ZTA adoption risks, a fair proportion of the articles acknowledged the financial and organizational risks of ZTA in the context of SMBs; however, the technical risks and supply chain risks have never been discussed in the literature, nor have their mitigation measures been provided. The resources found in the literature, especially the academic references, did not provide a comprehensive discussion of the benefits, barriers, and implementation risks from SMBs' point of view.
FIGURE 3.

Gray literature analysis.
FIGURE 4.

Academic literature analysis.
FIGURE 5.

Number of references referred to small‐ and medium‐sized businesses (SMBs) in the context of Zero Trust architecture (ZTA).
Except for Luckett (2024), Aurelien (2021), Adahman et al. (2022), and Kudrati and Pillai (2022), the references mention SMBs only once or twice, without a thorough analysis of how SMBs can leverage the benefits of ZTA to safeguard their digital infrastructure and navigate its downsides, or of the potential migration risks and the corresponding mitigation measures that would streamline the adoption process. Although these four references address some of the aspects studied in this paper, others are missing. For instance, Luckett (2024) responded to the lack of standardized approaches, guidelines, and methods for the adoption of ZT by consumers and small businesses. The author interviewed subject matter experts from federal organizations such as NIST, the DoD, and the Cybersecurity and Infrastructure Security Agency (CISA) and from security providers such as Palo Alto, Cisco, and Zscaler, among others, to identify which ZT pillars, tenets, and components can safeguard consumers and small businesses. The themes that emerged from these expert interviews were used to construct a ZT roadmap for responding to the phishing and identity theft attacks that may arise from the sustained online interactions between customers and small businesses. The author highlighted financial, technical, and organizational risks with appropriate mitigation actions, yet disregarded the supply chain risks associated with ZTA, despite the critical role SMBs play in the worldwide supply chain, and did not explicitly discuss the pros and cons of ZTA or how they can be leveraged and addressed, respectively.
Kudrati and Pillai (2022), in their book, illustrated the benefits of ZTA and its associated financial, technical, and organizational risks from the SMB perspective, yet they considered neither its disadvantages nor the supply chain risk, and provided no mitigation actions for these risks. Adahman et al. (2022) proposed a study to guide organizations in implementing ZTA by analyzing the costs of purchasing ZTA tools and resources according to the capacity and business priorities of SMBs and large organizations. The authors focused on the advantages of ZTA in general and referred to financial risks and possible mitigation actions, without acknowledging the other kinds of risks and downsides ZTA could bring to SMBs. Finally, Aurelien (2021) highlighted ZTA as one of the solutions that could interest SMBs in establishing an effective defensive strategy against cyber threats, noting that limited resources and a lack of technical skills are key factors in adopting proactive cybersecurity measures. The author introduced the ZTA concept and discussed its main elements and potential benefits for enhancing the cybersecurity posture of SMBs, among other measures, without delving deeper into its implementation risks and disadvantages.
Based on the above findings, the literature lacks a study that comprehensively discusses how ZTA concepts can be tailored to SMBs' security needs while navigating its downsides and the potential hurdles that could affect its operational efficiency and effectiveness, through practical and managerial solutions. In general, the migration to the ZTA security paradigm in the context of SMBs needs further investigation, according to the literature survey presented in this study. Thus, this article adds to the body of knowledge by reviewing the GL and AL to help SMBs achieve the full benefits of ZTA, address its challenges, and control its anticipated negative outcomes. Moreover, the literature lacks a holistic and deep discussion of how ZTA can help large enterprises and SMBs alike streamline enterprise risk management as well as Governance, Risk, and Compliance activities. Although Levine and Tucker (2023) recommended programs that organizations can implement, such as OCTAVE FORTE (Tucker, 2020), to aid enterprise risk management in organizations migrating to ZTA, the authors did not show how the ZTA components themselves can support each stage of the risk management process, which this paper covers. A thorough discussion of the identified references and the main findings of the literature survey is presented in the upcoming sections.
3. COMPONENTS OF ZTA
According to the NIST publication on ZTA (Stafford, 2020), ZTA consists of a set of interacting technologies rather than a single technology; together they remove implicit trust from the IT system and create a ZT environment by continuously evaluating submitted access requests in order to protect resources. The ZTA introduced in the NIST publication can be used as a reference to guide the migration process in various sectors, such as governmental agencies, educational organizations, and SMBs (Uwaoma, 2023). The key components that realize ZTA are authentication, access control (Syed et al., 2022), asset management, network segmentation, policies, security mechanisms, and threat intelligence parameters (Adahman et al., 2022). ZTA is a versatile and adaptable security paradigm applicable to all organizations regardless of their size or the complexity of their IT infrastructure (Stafford, 2020). To the best of the authors' knowledge, there is no version of ZTA tailored to SMBs. However, all the ZTA components and the relevant security tools emphasized in this manuscript were underscored and recommended in research studies investigating the adoption of ZTA in the context of SMBs, such as Itodo (2024), Aurelien (2021), and Luckett (2024). Examples of these security tools are MFA, data encryption, Identity and Access Management, and Extended Detection and Response. The core of ZTA is the same in SMBs and large organizations; what differs is the implementation approach.
Each of these technologies plays a crucial role in maintaining the effectiveness of ZTA in protecting organizations’ resources. Adahman et al. (2022) dissected the main components of ZTA and their interactions with each other in the context of SMBs, as shown in Figure 6. The following are ZTA elements in detail:
A subject can be a user or device that requests access to an organization's resources. A device can be mobile phones, tablets, laptops, and smart televisions (Teerakanok et al., 2021), and the access request is sent to the Policy Enforcement Point (PEP). An example is when an on‐premises server transmits data to a printer within the organization's IT perimeter. The server is considered a subject in this case (Dijen, 2023).
The PEP represents an element placed on the server to enforce control policies of administrators and decisions related to policies as a response to the received access requests. It enables, monitors, and denies connections between subjects and organization resources within the data plane. The access request is submitted to the Policy Decision Point (PDP), which is responsible for deciding whether to approve or deny access requests of subjects.
-
The PDP makes decisions on the access requests depending on the software security policy (Teerakanok et al., 2021). Then, a command is sent back to the PEP to either approve or deny the access request between the user or device and the resource. For each access request, a Trust Algorithm (TA) is executed to make the decision as an output. The inputs of TA are the data from supplement components. After the decision is made, the PDP reviews it and identifies the PEPs that are convenient for setting up or terminating a connection (Dijen, 2023).
-
○
Policy Engine (PE) includes the security policies applied to the network.
-
○
Policy Administrators (PAs) manage and control organization policies obtained from the supplement components.
-
○
-
Supplement components (aka logical components (Dijen, 2023)) consist of pillars that help make decisions on access requests submitted from the subject considering the organization's security requirements, such as threat intelligence information, identity credentials, and activity logs (Teerakanok et al., 2021). Examples of supplement components are identity management systems, Security Information and Event Management (SIEM) systems, and continuous diagnostics and mitigations systems (Dijen, 2023).
○ Threat intelligence includes recent information about tactics, techniques, and procedures followed by adversaries to launch cyberattacks and provides mitigation actions to control the consequences (Alagappan et al., 2022; Stafford, 2020).
○ Activity logs describe the activities performed through the organization network to provide instantaneous feedback on the security posture of the IT network. Activity log data include network traffic, resource access actions, and database logs (Dijen, 2023).
○ Continuous monitoring systems dissect the information gained from activity logs and user behaviors to detect anomalies within the network. Continuous monitoring approaches can be applied by adopting Intrusion Detection Systems that analyze network activities and detect anticipated attacks on IT assets using SIEMs. Another technique is deploying Intrusion Prevention Systems, which respond to cyber incidents by detecting and blocking anomalous traffic automatically without the need for Security Operation Center interference (Dijen, 2023).
○ Data Access Policies refer to characteristics, policies, and regulations that manage decision‐making and workflow within the organization. The formation of policies depends on the requirements and threats of the business organization and limits each subject to only the resources it needs (Stafford, 2020; Teerakanok et al., 2021).
○ Organization compliance: policies developed by organizations to maintain compliance with laws and preserve their reputation. Compliance with policies helps avoid fines and profit loss (Alagappan et al., 2022; Stafford, 2020).
○ Network traffic: displays the data capacity of a network within a specific time frame.
○ Geo location: represents the geographic location of users and devices trying to access the organization's network.
○ Mechanisms refer to the tools or methods used to enforce security policies within an organization's network (Adahman et al., 2022).
○ Identity management (credentials): Identity management systems are tasked with developing, saving, and controlling user accounts for organizations (Dijen, 2023). For each user account, characteristics such as role, access requirements, and designated assets are stored (Stafford, 2020). Also, it comprises confidential personal information such as passwords, usernames, and email addresses used to access a resource within an organization's network (Adahman et al., 2022). Identity management systems work in tandem with the Access Control Mechanism, which implements various methods to express and execute access control policies (Syed et al., 2022); methods such as Role‐Based Access Control and Attribute‐Based Access Control show higher operational effectiveness when integrated with ZTA (Dijen, 2023).
○ Inventory management: involves storing a detailed list of digital assets, including software, hardware, and network resources, in addition to the purchases and sales. It keeps organizations aware of the count and status of all assets and manages their budgets.
○ External users and devices: includes information about suppliers, customers, third‐party organizations, and allies that can access organizations’ networks.
○ Resources include organization assets, servers, databases, user accounts, workflows, and sensitive information related to the organization's budget, employees' personal information, and others (Adahman et al., 2022). Dijen (2023) illustrated that continuous diagnostics and mitigation systems contribute to identifying and managing digital assets using Hardware Asset Management (HWAM) tools. The adoption of HWAM approaches streamlines the migration process to ZTA by establishing the required capabilities and detecting vulnerable assets within the network.
○ Public Key Infrastructure is responsible for establishing and logging credentials for all subjects, resources, services, and applications for organizations in addition to authenticating their trustworthiness (Stafford, 2020).
FIGURE 6. The main components and their interactions of Zero Trust architecture (ZTA) in the context of small‐ and medium‐sized businesses (SMBs) (Adahman et al., 2022).
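To make the interaction among these components concrete, the following is an added illustration (not code from this paper, from Adahman et al., or from NIST SP 800‐207) of a minimal policy engine (PE) that consumes the supplemental inputs described above: an identity store, a device inventory, a geolocation lookup, a threat‐intelligence blocklist, and a data access policy. The policy enforcement point (PEP) only applies the PE's verdict. Every identity, device, address, resource, and rule below is constructed for the example; the decision is deny‐by‐default and every failed check is recorded so the verdict is explainable.

```python
"""Minimal Zero Trust policy-engine model (added illustration, constructed data)."""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    device_id: str
    resource: str
    action: str
    source_ip: str
    mfa_verified: bool


# --- constructed supplemental-component inputs (hypothetical values) -------
IDENTITY_STORE = {                       # identity management: role, account state
    "alice": {"role": "finance", "enabled": True},
    "bob": {"role": "sales", "enabled": True},
    "svc-backup": {"role": "backup-agent", "enabled": True},
}
DEVICE_INVENTORY = {                     # inventory management: device posture
    "lap-01": {"owner": "alice", "managed": True, "patched": True},
    "lap-02": {"owner": "bob", "managed": True, "patched": False},
    "byod-9": {"owner": "bob", "managed": False, "patched": True},
}
THREAT_INTEL_IPS = {"203.0.113.50"}      # constructed IoC (TEST-NET-3 address)
GEO_LOOKUP = {                           # geolocation of source addresses
    "198.51.100.7": "US", "192.0.2.10": "US", "203.0.113.50": "XX",
}
# data access policy: per resource, the roles allowed per action plus constraints
DATA_ACCESS_POLICY = {
    "finance-db": {"read": {"finance"}, "write": {"finance"},
                   "allowed_countries": {"US"}, "require_managed_device": True},
    "crm": {"read": {"sales", "finance"}, "write": {"sales"},
            "allowed_countries": {"US"}, "require_managed_device": False},
    "backup-vault": {"read": {"backup-agent"}, "write": {"backup-agent"},
                     "allowed_countries": {"US"}, "require_managed_device": True},
}


def evaluate(req: AccessRequest) -> tuple[str, list[str]]:
    """Policy engine: deny by default; each failed check adds a reason."""
    reasons: list[str] = []
    ident = IDENTITY_STORE.get(req.user)
    if ident is None or not ident["enabled"]:
        return "deny", ["unknown or disabled identity"]
    policy = DATA_ACCESS_POLICY.get(req.resource)
    if policy is None:
        return "deny", ["no policy defined for resource"]
    if not req.mfa_verified:
        reasons.append("mfa not verified")
    if req.source_ip in THREAT_INTEL_IPS:
        reasons.append("source ip on threat-intelligence blocklist")
    if ident["role"] not in policy.get(req.action, set()):
        reasons.append(f"role {ident['role']} not permitted to {req.action}")
    country = GEO_LOOKUP.get(req.source_ip, "unknown")
    if country not in policy["allowed_countries"]:
        reasons.append(f"geolocation {country} not allowed")
    dev = DEVICE_INVENTORY.get(req.device_id)
    if dev is None or dev["owner"] != req.user:
        reasons.append("device not in inventory or not assigned to user")
    elif policy["require_managed_device"] and not (dev["managed"] and dev["patched"]):
        reasons.append("device not managed and patched")
    return ("allow" if not reasons else "deny"), reasons


def enforce(req: AccessRequest) -> bool:
    """Policy enforcement point: applies the PE verdict, makes no decision itself."""
    verdict, _ = evaluate(req)
    return verdict == "allow"


if __name__ == "__main__":
    r = AccessRequest("bob", "byod-9", "finance-db", "write", "203.0.113.50", False)
    print(evaluate(r))
```

The point of returning the reason list rather than a bare boolean is that it gives the activity log and the SIEM the context they need to distinguish a misconfigured policy from an actual attempt at unauthorized access.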
4. ADVANTAGES AND DRAWBACKS OF ZTA FOR SMBS
Generally, cybersecurity resilience and high profitability are the top priorities for business organizations nowadays (Boxley, 2022). The ZT security framework is one of the key enabling technologies that can fulfill these business goals. Boxley (2022) highlighted that one of the key strategies to enhance the security of business databases is the adoption of software‐defined perimeter techniques, along with other software, to ensure data availability. The author highlighted the technical returns of the ZT model as it prevents the lateral movement attacks associated with using VPNs within the network, thus reducing the attack surface and enhancing network security. The economic returns include increasing cost savings and achieving a high return on investment (ROI). Cost savings come from abandoning VPNs, avoiding unnecessary security software license purchases, and using various clustering technologies.
4.1. Advantages of ZTA
Buck et al. (2021) stated that many benefits favor the ZT security model over perimeter‐based security tools. These benefits can be summarized as follows:
Adopting a multistaged authentication process confers adequate security to IT assets and resources against cyberattacks and data breaches.
Dividing the network into small segments deters the lateral movement of adversaries and malware through the IT network.
The ZT security model can minimize the likelihood of a broad range of cyberattacks, such as DDoS attacks, as access requests must pass through the PEP, where they can be rejected immediately.
Implementing complex authentication techniques and well‐defined access policies enables regulating and monitoring access requests compared to conventional security solutions.
The continuous monitoring and logging of the network traffic streamline the detection process of malicious activities. In addition, ZT allows the utilization of lessons gained from previous cyber incidents and facilitates the ability to track and combine events of a cyber incident with forensics.
From the perspective of SMBs, where the majority expand rapidly through hiring new employees and dealing with new vendors and contractors, SMBs' IT networks will be accessed by new users to start up business activities. Although there is a common belief that migrating to ZT models can hinder the business development of SMBs (Kudrati & Pillai, 2022), this may be considered misleading since ZT can safeguard digital infrastructures and intellectual property, save the time consumed to handle security issues, and avoid pricey data breach incidents (Kudrati & Pillai, 2022). Kudrati and Pillai (2022) introduced the security tools that should be implemented within the ZT model for SMBs to mitigate the negative consequences of data breaches and limit the time spent performing security forensics, as follows:
Implement MFA for all users and network entities to reduce the potential of privilege escalation cyberattacks, where adversaries gain higher permissions on networks (MITRE, 2015).
Secure passwords in a shared account and adopt password lockers that encrypt usernames and passwords for various applications (aka password vaults) to limit the privilege escalation attacks. Password vaults are considered a must‐have security measure for businesses, and they include sensitive information that plays a significant role in business development and growth. Password vaults guarantee access to only trusted users. Also, password vaults reduce the attack surfaces of SMBs.
The migration to the ZT model confers secure remote access for users and ensures that the least privilege security measure is in place so entities within the IT network can access the needed digital resources, assets, and data. Because SMBs lack cybersecurity specialists and expertise in handling cybersecurity systems, implementing ZT tools can provide an adequate security level.
Adopting continuous monitoring and auditing is useful for tracking activity on the IT network, especially for high‐level access users. Real‐time auditing and monitoring develop a record of privileged users’ activities within the network, which streamlines the detection of malicious events and proves that they meet mandatory compliance requirements such as Health Insurance Portability and Accountability Act, Federal Information Security Modernization Act, NIST, and other security standards.
Merging the high‐level access credentials to network devices into the ZT security model is significant for SMBs. Due to time constraints, SMBs may ignore changing old passwords set by old users (e.g., manufacturers), which are easy to guess and known within the hacking community, leaving the network vulnerable to cyberattacks. Thus, including privileged access credentials in ZT through password vaults and secured shared accounts will address this issue, enhancing the security posture and limiting the potential risk of unauthorized access to network devices.
Furthermore, Kudrati and Pillai (2022) noted that implementing the ZT model will satisfy SMBs' security needs instead of depending on outsourcing IT services. A “never trust, always verify, enforce the least privilege” approach will guarantee a secure login and least privilege access by verifying the access request attributes before approving the access.
Based on the above understandings, it can be seen that ZTA can confer adequate protections for SMBs by reducing the risks of cyberattacks and helping recover from security breaches promptly. SMBs should utilize the momentum of migrating to ZT principles since 61% of organizations globally have established ZTA security initiatives, indicating an increasing tendency toward robust security measures (Okta, 2023). According to the Okta survey, small organizations (500–900 employees) are 17% less likely to develop a ZT security migration plan than large enterprises (10,000+ employees) (Okta, 2023). Adopting ZTA can also assist SMBs in complying with regulations such as the Federal Information Security Modernization Act and the Health Insurance Portability and Accountability Act by ensuring data protection and access control (Stafford, 2020). Furthermore, Heidorn (2021) outlined the relevance of ZTA to protecting Controlled Unclassified Information within federal agencies and small businesses in the DIB. Despite the implementation complexities of ZTA for small businesses due to a lack of financial and skillful human resources, cloud‐based ZT security measures could streamline the migration process, thus meeting the security requirements of the Cybersecurity Maturity Model Certification (CMMC) (Heidorn, 2021). The DoD mandates all Small Business Defense Contractors to comply with the CMMC security regulations. Hence, the adoption benefits of ZT within Small Business Defense Contractors include enhancing their cybersecurity posture and easing the CMMC compliance process.
4.2. ZTA critiques
Organizations face problems when it comes to migration to ZT because of the ambiguity associated with substantial changes in security infrastructure, associated costs, workflow, and the need for training. These factors hold up the implementation of the ZT security paradigm and may expose business organizations to more sophisticated cyber threats (Moubayed et al., 2019). According to Daley (2022), the primary disadvantages of ZT models are as follows:
Substituting ZT tools for legacy security systems introduces implementation difficulty and could be pricey and laborious.
Establishing an organization's IT network from scratch is necessary instead of using the old system and policies within the new security paradigm.
The diversity of the policies required for each user cohort since organizations may have different user groups such as clients, contractors, and suppliers. In addition, using multiple devices for an individual user may mandate various policies to maintain network security.
Since organizations face challenges in measuring the ROI of cybersecurity tools, migration to the ZT security model remains underrepresented within businesses despite its advantages over conventional security systems.
Making decisions about investing in new security tools is complex, and quantitative assessments of investment worthiness are difficult (Dijen, 2023), especially for small businesses that lack financial resources and expertise.
On top of that, Michael et al. (2022) noted that the ZT concept itself is misinterpreted and not well‐defined. Although distinct materials have been developed and published, such as NIST SP 800‐207, it is still unclear what should be trusted in the digital environment and how to integrate ZT components. The authors believe that the concept of ZT is inconsistent and confusing because, at least to some extent, some elements of any system should be trusted. The concept of ZT may trust entities that are not necessarily trustworthy, such as PEs and administrators, PEPs, and TAs. In addition, the inconsistency emerges from the vagueness, contradiction, and infeasibility of the implementation of principles discussed in the NIST SP 800‐207. ZT security paradigm can be seen as complex and unreliable since it needs continuous updates and adjustments to keep up with the changes in security policies, processes, and users. The need for sustainable updates and monitoring can be an arduous task for enterprises. Furthermore, it violates some of the security design principles developed by Saltzer and Schroeder (1975), such as the “economy of mechanism” due to its complexity (Michael et al., 2022).
Michael et al. (2022) highlighted that based on its publicly available definitions, the ZT concept depends on organizations' selection of security tools that should be adopted, aligning with ZT tenets, which could be any security measure the organization leadership thinks belong to the ZT concept.
Despite the challenges associated with deploying ZT security technologies within SMBs, the ZTA still represents an overarching security paradigm that can potentially withstand sophisticated cyberattacks. A report published in 2022 indicated that ZTA is a key component toward executing a resilient and robust security paradigm for SMBs in the United States to combat cyberattacks threatening national security and the US economy (Kramer et al., 2022). Kramer et al. (2022) suggested that SMBs should utilize the security technologies implied by ZTA that are offered by cybersecurity providers. Federal government funding through transferable cybersecurity investment tax credits can eliminate the burden of financial constraints and allow access to the needed cybersecurity resources and expertise (Kramer et al., 2022).
5. ZTA‐ASSOCIATED RISKS AND REMEDIATIONS
Like any new technology, implementing ZTA could pose many associated risks. While ZTA bolsters the security posture of SMBs by adopting strong access controls and sustainable verification of subjects, its deployment complexities and associated costs can represent a hurdle. Levine and Tucker (2023) highlighted that organizations should be ready to address the residual risks that ZTA may not manage and the newly emerged risks resulting from its implementation. The unique attributes of SMBs, such as limited budgets, lack of human expertise, and operational constraints, can exaggerate migration risks to ZTA. These risks include financial risks, which emerge, for instance, when enterprises allocate too little budget for implementing ZT based on inaccurate ROI calculations; operational risks, which arise when normal activities within enterprises are disrupted by unexpected consequences; and supply chain risks, which depend on the extent to which vendors comply with the security requirements ZTA enforces across the supply chain. Figure 7 displays a comprehensive classification of ZT implementation risks. Levine and Tucker (2023) provided a broad overview of the main risks of migrating to ZTA. Hence, this section reviews and expands on the ZT adoption risks that could affect its operational efficacy from the SMBs’ perspective and introduces the possible mitigation approaches for each type of risk.
FIGURE 7. Classification of Zero Trust (ZT) implementation risk.
5.1. Financial risks
Operational and overhead costs: Implementing ZT security tools requires the replacement of old IT and OT technologies within organizations with the new security capabilities that constitute the ZT concept. Transitioning between the two phases can translate into additional overhead and operational costs required to purchase and operate the new hardware and software security tools (Levine & Tucker, 2023). On top of that, the migration to ZTA enforces sustainable administrative work, including changing policies, setting visibility measures (Levine & Tucker, 2023), and updating access controls that may require hiring new employees (Shea & Turpitka, 2022), which means additional expenses. In addition, maintenance costs should be considered to maintain the throughput and avoid operational disruptions (Shea & Turpitka, 2022).
Inaccurate estimation of required budget: Due to the complex decision‐making process required to determine whether to invest in a new security measure and assess its ROI, organizations are experiencing uncertainty about its feasibility (Weishäupl et al., 2018). One challenge that can hinder the implementation of the ZT security paradigm is the difficulty in making decisions on investing in new security tools and the inability to estimate the returns of such security tools quantitatively (Buck et al., 2021). The migration to ZT architecture requires the substitution of legacy security systems or even their integration into the ZT security model in a complicated way. The resulting financial implications of this change in network structures bring uncertainties about ZT's economic returns (Buck et al., 2021; Tyler & Viana, 2021). Business organizations face complexities in deciding to invest in new security solutions because of the difficulty in conducting security assessments and determining the ROI. Due to the lack of knowledge of what ZT is and the lack of standardization of ZTA that would allow comparing and selecting among security alternatives and providers (Mutabazi et al., 2023), organizations are unable to estimate the budget needed accurately, in addition to facing uncertainty over whether ZTA is profitable or not (Buck et al., 2021). The limited budgets, human and financial resources, and lack of IT expertise could exacerbate this risk for SMBs.
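The quantification difficulty discussed above can be made tangible with the commonly used Return on Security Investment (ROSI) calculation, in which annual loss expectancy (ALE) is the single loss expectancy (SLE) multiplied by the annual rate of occurrence (ARO), and ROSI is the avoided loss net of the control's annual cost, divided by that cost. The following is an added illustration, not a calculation from this paper or from the sources it cites; all monetary figures, occurrence rates, and risk‐reduction percentages are constructed placeholders. What the sensitivity sweep shows is the paper's point: with the same cost figure, a modest change in the assumed risk reduction moves the ROSI from negative to positive, so an SMB that cannot pin that assumption down cannot know whether the investment pays.

```python
"""ROSI sensitivity for a Zero Trust investment (added illustration, constructed figures)."""


def annual_loss_expectancy(single_loss_expectancy: float, annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO: expected yearly loss from the modelled incident type."""
    return single_loss_expectancy * annual_rate_of_occurrence


def rosi(ale_before: float, risk_reduction: float, annual_cost: float) -> float:
    """ROSI = (ALE_before - ALE_after - cost) / cost, where
    ALE_after = ALE_before x (1 - risk_reduction)."""
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    ale_after = ale_before * (1.0 - risk_reduction)
    return (ale_before - ale_after - annual_cost) / annual_cost


def breakeven_risk_reduction(ale_before: float, annual_cost: float) -> float:
    """Risk reduction at which ROSI is exactly zero (cost equals avoided loss)."""
    return annual_cost / ale_before


def sensitivity(sle: float, aro: float, annual_cost: float, reductions) -> dict:
    """ROSI for each assumed risk-reduction fraction, holding SLE, ARO and cost fixed."""
    ale = annual_loss_expectancy(sle, aro)
    return {r: rosi(ale, r, annual_cost) for r in reductions}


if __name__ == "__main__":
    # Constructed placeholders: a $120,000 breach, expected once every two years,
    # against a $20,000/year ZT tooling and administration cost.
    SLE, ARO, COST = 120_000.0, 0.5, 20_000.0
    print("break-even reduction:", round(breakeven_risk_reduction(annual_loss_expectancy(SLE, ARO), COST), 3))
    for reduction, value in sensitivity(SLE, ARO, COST, (0.2, 0.4, 0.6, 0.8)).items():
        print(f"assumed reduction {reduction:.0%} -> ROSI {value:+.2f}")
```

The break‐even function is the number worth carrying into a budget discussion: it states the minimum effectiveness the ZT deployment must achieve before it stops losing money, which is easier to argue about than a single ROI point estimate.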
5.2. Financial risks remediation recommendations
SMBs usually find investments in cybersecurity measures costly, which results in potential vulnerabilities in their security posture. Various alternatives could streamline the migration to ZTA while mitigating its financial implications. One alternative is the utilization of open‐source security solutions and the adoption of free trials of security packages so as not to spend money on license purchases and renewals, leading to cost savings while adopting ZT technologies (Mutabazi et al., 2023). Mutabazi et al. (2023) confirmed that leveraging open‐source security tools can raise awareness by providing step‐by‐step guidance on properly operating these tools, which could be feasible and affordable for SMBs. Qazi (2022) listed the security vendors that offer the top low‐cost ZT security tools for SMBs as follows:
Appaegis
Banyan Security
Cloudflare
GoodAccess
NordLayer
OpenVPN
Perimeter 81
Sentry Sentry
Adahman et al. (2022) discussed how All‐in‐One Zero‐Trust Solutions can be used to develop ZTA policies with lower cost and effort. For instance, Perimeter 81 provides security tools such as activity auditing, cloud network management, web‐based secure access to applications, and network segmentation that directly support the implementation of each ZT component. The authors also highlighted other providers that offer cheap security services linked to ZT, such as Wandera, Okta, and Cloudflare. In line with that, Luckett (2024) affirmed that there are affordable tools that small businesses can utilize to achieve that goal; for example, identity services can be deployed through Okta, Ping, NordLayer, Google Workspace, and Microsoft 365 for $15/month/user. Also, JumpCloud and ManageEngine offer identity and device management services for small businesses, for about $20/month/user for the latter. MFA for small businesses can be obtained from Okta, Duo, JumpCloud, Microsoft, Google, and Beyond Identity. Itodo (2024) proposed a cost‐benefit analysis for ZT security tools from various providers and found that, despite the financial burdens ZTA can bring, an organization with 500 employees can save up to $4,248,854 in response to data breaches by adopting ZT tools.
The enhancement of the cybersecurity posture of SMBs while considering their budget limitations has received significant attention from public authorities and security agencies in the United States. A 2024 report to the President of the United States by the National Security Telecommunications and Advisory Committee (NSTAC) suggested solutions that could help SMBs overcome limited budgets toward enhancing their security posture (NSTAC, 2024). First, the NSTAC report suggested creating new market‐based economic incentives, such as tax deductions or federal grants, that prompt SMBs to invest in cybersecurity measures they cannot otherwise afford in order to meet national security and emergency preparedness requirements. Moreover, the NSTAC report recommended that the President direct the Office of the National Cybersecurity Director to collaborate with federal agencies such as the CISA, the National Security Agency, the DoD, and the NIST to develop a national educational program for SMBs that makes them aware of the free tools offered by these agencies, such as the CISA Cyber Hygiene Service and other programs, with the aim of significantly enhancing their cybersecurity capabilities. Hence, SMBs can utilize these initiatives to implement ZTA while mitigating the potential financial burdens.
5.3. Operational
5.3.1. Technical
As discussed earlier, ZTA can significantly improve the overall security posture and protect against cybersecurity risks. However, some technical threats with specific attributes can emerge when adopting ZTA. Below, we will discuss the technical threats to ZTA within organizations as introduced by the NIST SP 800‐207 (Stafford, 2020), elaborating on each risk and its potential impact.
Subversion of the decision process
Description: It happens when malicious actors manipulate or bypass the PE and PAs, representing valuable ZTA components. PA and PE are responsible for configuring and making decisions on the communications between organization resources.
Impact: In the event of decision‐process subversion, unauthorized access to organization resources might occur, leading to data breaches or compromise of the system.
DoS/network disruption
Description: This risk refers to the launch of intentional cyberattacks that aim to disrupt network services or cause denial of service to legitimate users. When a malicious actor disrupts or gains access to the PE/PA, it can cause network disruptions.
Impact: System disruptions can lead to downtime, loss of operational productivity, and potential monetary losses.
Stolen credentials/insider attacks
Description: It involves the misuse of valid credentials to gain unauthorized access. Attackers could be insiders or external and may launch phishing or social engineering attacks to steal the credentials of valuable accounts.
Impact: Stolen credentials can lead to unauthorized access to confidential information, unauthorized transactions, and other malicious activities.
Lack of network visibility
Description: This risk comprises the inability to monitor some of the traffic on the organization's network and the lack of visibility into network activities. This obscure traffic may come from services that use organization networks to access the internet, leading to problematic detection and response to potential cyberattacks. In addition, lack of network visibility may create blind areas in traffic monitoring, which contradicts the principles highlighted in the NIST SP 800‐207, dictating full control of the network traffic and granular visibility.
Impact: Lack of network traffic monitoring may hinder anomalous activity detection, resulting in delayed incident response and significant negative impacts.
Storage of system and network information
Description: This risk is closely related to the previous one. The information obtained from monitoring network traffic and scans is used to develop policies and conduct forensics. This data could be a potential target for malicious actors; therefore, it should be securely stored and protected. Another valuable piece of information is the data stored in the access policies management tool.
Impact: Unauthorized access to this information can facilitate the attacker's task of finding the crown jewels accounts to compromise and enable access to the targeted assets.
Dependence on proprietary data types or tools
Description: ZTA depends on different data sources for access decisions, such as information about used assets and risk analysis. The absence of straightforward guidance on using and exchanging information stored in assets can lead to vendor lock‐in due to interoperability issues.
Impact: The reliance on proprietary data can hinder shifting to new service providers in case of current provider disruptions due to high costs, which affect the business continuity and cause limited flexibility, as well as inoperable ZTA.
Use of non‐person entities (NPE) in the administration process
Description: The adoption of artificial intelligence and software‐based agents to control security tasks brings complexities to the authentication process in an organization's network. The reason is that these entities interact with the PE and PA of ZTA instead of human administrators.
Impact: The primary risks of adopting automated technology for policy enforcement are false positives (legitimate actions mistaken for attacks) and false negatives (attacks mistaken for regular activity). Misinterpreting actions can lead to security incidents, jeopardizing the organization's security posture and disrupting the workflow. Another impact of AI‐based software is that attackers can manipulate non‐person entities to gain unauthorized access due to lax authentication requirements for such software compared to human users, as they use authentication keys instead of the MFA enforced on human beings (Sanders, 2021). Thus, it opens a backdoor for compromising security, escalating privileges, and performing malicious activities. Sanders (2021) highlighted that this is one of the biggest threats identified in the NIST SP 800‐207 because it paves the way for privilege escalation attacks targeting the ZTA.
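Three of the risks above (stolen credentials/insider attacks, lack of network visibility, and the weaker authentication of NPEs) are addressed in practice by the continuous monitoring and contextual trust mechanisms described in Section 3, which run over activity logs rather than over individual access decisions. The following is an added illustration of such detection logic; it is not code from this paper or from NIST, and the log format, the accounts, the addresses, and the thresholds are all constructed for the example. It flags a human account authenticating from two countries within an hour (a contextual‐trust signal that a credential has been stolen), a privileged account that succeeded without MFA, and a service account (NPE) whose key was used from a source outside its allow‐list.

```python
"""Activity-log anomaly detection for a ZT deployment (added illustration, constructed data)."""
from datetime import datetime, timedelta

# Constructed activity-log sample; the format itself is hypothetical.
CONSTRUCTED_LOG = """\
2024-05-01T09:00:00Z user=alice ip=198.51.100.7 country=US auth=mfa resource=finance-db result=success
2024-05-01T09:20:00Z user=alice ip=203.0.113.50 country=XX auth=mfa resource=finance-db result=success
2024-05-01T10:00:00Z user=bob ip=192.0.2.10 country=US auth=password resource=crm result=success
2024-05-01T02:00:00Z user=svc-backup ip=192.0.2.200 country=US auth=key resource=backup-vault result=success
2024-05-01T04:00:00Z user=svc-backup ip=203.0.113.50 country=XX auth=key resource=backup-vault result=success
2024-05-01T11:00:00Z user=admin ip=192.0.2.10 country=US auth=password resource=pe-console result=success
2024-05-01T11:05:00Z user=admin ip=192.0.2.10 country=US auth=password resource=pe-console result=failure
"""

PRIVILEGED_USERS = {"admin"}                       # accounts that must always use MFA
NPE_ALLOWED_SOURCES = {"svc-backup": {"192.0.2.200"}}  # per-NPE source allow-list
TRAVEL_WINDOW = timedelta(hours=1)                 # two countries inside this window is implausible


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts_text, _, rest = line.strip().partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def analyze(log_text: str) -> list[dict]:
    """Return one alert dict per anomaly found in the successful events."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    successes = [e for e in events if e["result"] == "success"]
    alerts: list[dict] = []

    # 1. Impossible travel: same account, different country, inside the window.
    by_user: dict[str, list[dict]] = {}
    for e in successes:
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])            # logs may arrive out of order
        for prev, cur in zip(evs, evs[1:]):
            if prev["country"] != cur["country"] and cur["ts"] - prev["ts"] < TRAVEL_WINDOW:
                alerts.append({"type": "impossible_travel", "user": user, "ts": cur["ts"]})

    # 2. Privileged human account authenticated without MFA.
    # 3. NPE key used from a source outside its allow-list.
    for e in successes:
        if e["user"] in PRIVILEGED_USERS and e["auth"] != "mfa":
            alerts.append({"type": "privileged_without_mfa", "user": e["user"], "ts": e["ts"]})
        allowed = NPE_ALLOWED_SOURCES.get(e["user"])
        if allowed is not None and e["ip"] not in allowed:
            alerts.append({"type": "npe_unexpected_source", "user": e["user"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in analyze(CONSTRUCTED_LOG):
        print(a)
```

The service‐account check is deliberately source‐based rather than MFA‐based, because an NPE usually cannot complete an MFA prompt; constraining where its key may be used from, and alerting on anything else, is the compensating control an SMB can apply without new tooling.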
5.3.2. Technical risks remediation recommendations
This subsection illustrates the mitigation approaches to address the seven technical risks identified in the NIST SP 800‐207. The recommended risk mitigation action identified from the NIST SP 800‐207 will be outlined below. Table 2 maps each technical risk to the associated targeted ZTA component with the relevant mitigation strategy.
TABLE 2. Zero Trust architecture (ZTA) technical risks, targeted ZT components, and mitigation strategies (Sanders, 2021).
| ZTA technical risk | Targeted components and inputs | Mitigation approach |
|---|---|---|
| Subversion of the decision process | PE; PA | Configuration Management; Monitoring; Detection |
| DoS/network disruption | PEP; PE; PA | Resilience |
| Stolen credentials/insider attacks | ID Management; Data Access Policy | Contextual Trust Algorithm |
| Network visibility | Activity Log; SIEM | Network Traffic Inspection; Network Traffic Logging; Metadata; Machine Learning |
| Storage of system and network information | Activity Logs; CDM System; Industry Compliance; Data Access Policy; PKI; ID Management; SIEM Information; PA; PE | Restrictive Data Access Policies |
| Dependence on proprietary data types or tools | Activity Logs; CDM System; Industry Compliance; Data Access Policy; PKI; ID Management; SIEM Information; PA; PE | Service Provider Evaluation; Vendor Security Controls; Enterprise Switching Costs; Supply Chain Risk Management; Performance Stability |
| Use of non‐person entities (NPE) in the administration process | PE; PA | Regular Returning Analysis |
Subversion of the decision process: To mitigate this risk, SMBs should adopt robust access controls, conduct regular audits, and ensure that restricted ZTA policies are followed. Implementing continuous modeling and threat intelligence can ease the detection of and protect against subversion of the decision process.
DoS/network disruption: SMBs can mitigate this threat by deploying resilient network security measures and DoS protection approaches and ensuring redundancy (one of the pillars of resiliency) of the critical IT infrastructure. In addition, establishing post‐incident guidelines (e.g., incident response plans) and continuous testing can mitigate the impact of service disruptions.
Stolen credentials/insider attacks: This risk can be mitigated through the implementation of strong authentication methods (e.g., MFA), enforcing least privilege access controls, conducting regular training on best security practices, and adopting contextual TA to detect network anomalies, and reject access of the compromised account or insider attackers to valuable resources.
Network visibility: SMBs can address this threat by utilizing metadata analysis, employing machine learning for traffic classification, and implementing advanced monitoring methods that can dissect encrypted or obscure traffic.
Storage of system and network information: Robust protection measures should be employed to limit unauthorized access and access trials to protect valuable organization data. Restrictive data access policies should be developed to restrict access to only the designated administrator accounts.
Dependence on proprietary data types or tools: Organizations should conduct holistic service provider evaluations considering factors including vendor security controls, shifting costs, and supply chain risk management. In addition, the service providers' assessment should include an appraisal of service performance and stability. Adopting open standards, discussing data portability conditions in contracts, and investing in interoperable measures can reduce the dependency on proprietary solutions, increase flexibility, and minimize the likelihood of potential disruptions to their ZTA implementations, respectively.
Use of non‐person entities (NPE) in the administration process: Implementing MFA for NPEs can reduce the risk of unauthorized access. Moreover, conducting returning analysis to rectify faulty decisions and enhance the decision‐making process could mitigate this risk.
5.3.3. Organizational
Substitution of legacy systems: There is a chance that the existing IT systems cannot cope with the new requirements of implementing the ZT model, especially those that depend on Operational Technology to achieve the enterprise's objectives. Mutabazi et al. (2023) highlighted that one of the challenges to migrating to ZTA is the integration with the current security systems, since they do not offer the needed security controls aligning with ZT requirements, which triggers additional replacements and technological complexities. For example, this scenario occurred in practice when the Commercial International Bank in Egypt migrated to ZTA in 2017. The Chief Security Officer highlighted that one of the main challenges was integrating IBM security technologies into the bank's complex IT infrastructure of more than 120 software systems (Stelzer, 2021). The electric power industry is another practical example of a sector where the substitution of legacy systems would be pricey and inapplicable from an organizational perspective.
The complex requirements mandated by adopting the ZT model to achieve satisfactory cybersecurity hygiene, user authentication, and verification may require decisions that exceed software updates. The replacement of legacy IT systems would possibly turn out to be an additional expense, as well as the possibility of disrupting productivity and efficiency (Levine & Tucker, 2023). A recent poll that targeted executives of C‐suite and other organizations deploying ZTA showed that 44.6% of the interviewees referred to the complexity and compatibility with legacy IT systems challenge as the highest threat to the ZTA deployment (Deloitte, 2023). In addition, Andrew Rafla, Deloitte Risk & Financial Advisory's Zero Trust offering leader and principal, Deloitte & Touche LLP, stated that ZT tools can secure both legacy and advanced security systems to combat the ever‐evolving cyberattack landscape despite the associated challenges with legacy systems substitution (Deloitte, 2023). Last, the insufficient vendor support for legacy IT and Operational Technology (OT) systems impedes migrating to ZTA (Swearingen et al., 2024).
Implementing ZTA is highly dependent on identifying and addressing these risks, as their occurrence may lead to the failure of ZT security. Organizations lack a methodical and systematic technique for morphing their traditional security systems into temporary security controls and then migrating to the ZT security paradigm. The substitution of ZT over the current security systems is not easily fulfilled, so practitioners suggested a step‐by‐step transformation (Tufin, 2021).
Because SMBs have simpler IT infrastructure and limited security tools (Tam et al., 2021), the legacy system and software retrofitting threats described above are less applicable to SMBs than to large organizations (Shea & Turpitka, 2022), since SMBs lack complex IT security systems.
Organizational resistance to change: Business organizations that seek to adopt the ZT model may encounter friction because employees are unwilling to change policies, authentication, and identity and access approaches. Migration to ZT is correlated with the organization's culture and employees' resistance to change (Mutabazi et al., 2023). The workforce may reject the shift to robust access controls and sustained monitoring because they consider them unnecessary or disruptive (Mutabazi et al., 2023). For example, replacing traditional access control policies with the principle of least privilege and adopting multifactor authentication for users introduces complexity and may lead to reluctance to accept the new security measures. Migration to the ZT model requires a change management plan, since a sudden transition can adversely affect operational efficiency.
Integration complexity: This risk arises from integrating various bundled security solutions, which can lead to hurdles in configuration and operation. Even when interconnectivity and compatibility issues are addressed, deploying the ZT model through bundled security tools may forfeit the benefits offered by best-of-breed solutions. For instance, next-generation platforms that bundle firewalls, proxies, intrusion detection/prevention, identity management, and anti-malware tools can be difficult to operate. The issues arising from these difficulties may create new risks, although the original intent was to mitigate existing ones. The same scenario emerges with endpoint solutions that bundle detection, response, and security features, which may pose additional threats (Levine & Tucker, 2023).
Analysis paralysis: Analysis paralysis means that an individual is unable to make a decision because of overanalyzing or overthinking a scenario in which many variables are involved, or because of the fear of making a wrong decision (Wikipedia, 2024). Since ZTA is a relatively new technology, decision-makers struggle to start its adoption because they need to deeply grasp and identify its associated risks and requirements (Garbis & Chapman, 2021). A lack of awareness of how to navigate the complexities of ZTA technologies and policies, and of the mechanisms for handling the associated risks, can amplify the migration barriers (Phiayura & Teerakanok, 2023). Given SMBs' attributes, including low cybersecurity awareness and cyber risk perception and the lack of technical expertise needed to implement ZTA, this risk could directly impact the ZTA migration journey.
5.3.4. Organizational risks remediation recommendations
Organizations should raise employees' awareness of the extent to which implementing the new security paradigm could enhance the organization's security posture and protect against cyberattacks. Most SMBs lack foundational cybersecurity measures, and their managers have an IT knowledge deficit. Thus, SMBs should leverage the free resources, presentations, and training sessions provided by the DoD, NIST, CISA, NSF, and other governmental stakeholders to improve cybersecurity skills and awareness before the migration to ZTA begins. The NSTAC recommended that President Biden direct the previously mentioned stakeholders to set up a virtual cyber academy that provides free training in response to the lack of skilled personnel and of resources to hire and retain expert IT specialists (NSTAC, 2024), which are the main issues SMBs suffer from. In addition, the report suggested establishing a cyber corps of expert cybersecurity volunteers who can provide SMBs with expert guidance and help enhance their cybersecurity posture (NSTAC, 2024). Educating personnel on how to use the new security tools and on their responsibilities in maintaining the ZT environment is a pivotal factor in successful ZT migration and implementation (AWS, 2024). Because ZTA comprises new technologies that require deep expertise, Itodo and Ozer (2024) recommended maintaining collaboration between security employees, higher management, and trained individuals within the organization to ensure a successful implementation.
As discussed in Section 5.3.3, one of the challenges organizations could face in transitioning to ZTA is resistance to changing the status quo, meaning that employees refuse to adapt to the new security tools, policies, access controls, and continuous monitoring. Mutabazi et al. (2023) highlighted that a change management plan is significant in addressing this hurdle. Phiayura and Teerakanok (2023) and Levine and Tucker (2023) also specified that forming a change management board is crucial to streamlining the migration to ZTA; the main task of this board is to ease the use of ZT tools in a production environment. The significance of adopting a change management strategy stems from the alteration of the organization's cybersecurity philosophy and culture (Zyoud & Lutfi, 2024). A well-designed change management plan with documented change steps will facilitate the migration process and record the changed IT elements (Teerakanok et al., 2021). Considering how appealing ZT tools are to end users is also significant, since it affects users' willingness to adopt the new tools (Venkatesh et al., 2003).
The substitution of legacy systems risk can be managed by adopting a phased and agile approach to the transformation to ZTA. Phased implementation means introducing a new product or service in steps (DealHub Experts, 2023). Luckett (2024) indicated that one of the success factors of ZT is using a phased approach, meaning that organizations should take small steps to protect the most valuable assets and mitigate the technical and organizational challenges associated with implementing the ZT security paradigm. Migration to ZTA can be a daunting task for SMBs; therefore, a phased approach with gradually increasing maturity can be a practical solution (Uwaoma, 2023). In this sense, a recent report by the cloud computing company Amazon Web Services (AWS) recommended a phased approach to achieve a smooth transition to ZT while minimizing business process disruption (AWS, 2024). The phases of this approach are:
Phase 1: Assessment and planning: In this step, the current security posture is evaluated to identify security gaps. The security objectives are defined, and the ZTA is then designed to fulfill the organization's security objectives.
Phase 2: Piloting and implementation: The next stage is to implement ZT concepts gradually and test them on a small scale to obtain feedback. This phase includes developing a change management plan to ensure a smooth transition to ZT concepts.
Phase 3: Monitoring and sustainable improvement: Once the ZTA is in place, continuous monitoring and improvement are necessary to identify security issues or areas that need further improvement. Continuous improvement maintains the effectiveness and adaptability of the ZTA over time.
Although the impact of this risk is negligible in the context of SMBs because of the absence of complex security systems and software, the phased approach can offer practical solutions that avoid high upfront costs and yield potential long-term savings. The phased approach proved successful in the case of the Commercial International Bank in Egypt on its journey to implement ZTA (Stelzer, 2021). The CSO explained, "We decided to focus on quick wins that generated business values for the departments" (Stelzer, 2021), meaning that they selected the ZT concepts that satisfied the top-priority security objectives.
To address the integration complexity risk of ZTA, SMBs can follow a similar approach that prioritizes best-of-breed solutions. First, this reduces the complexity resulting from integrating multiple security tools. Second, it ensures that the most suitable tools for most SMBs' security needs are obtained, which can be more cost-effective than implementing bundled security solutions that may have weaknesses in specific areas.
Finally, hiring Managed Service Providers (MSPs) is an alternative for SMBs that lack the financial resources and technical expertise to implement ZT themselves. MSPs can navigate the complexity and uncertainty associated with implementing ZT because they have the necessary expertise, making the migration process easier and less complicated and thereby mitigating the analysis paralysis risk discussed earlier. MSPs can support creating asset registers, prioritizing data and assets, and implementing IAM, MFA, and cloud-based security tools. In addition, MSPs can perform assessments, monitor and strengthen networks, secure confidential data and critical assets, and implement adequate observability, analytics, and automation (Luckett, 2024).
5.4. Supply chain risks
SMBs are pivotal in supply chains across developing countries and in many industry sectors. For instance, in the realm of information and communications technology, they make up a considerable portion of companies in the United States, reaching more than 160,000 companies according to CISA (CISA, 2023). Moreover, the DIB of the DoD includes a significant number of third-party small business suppliers that can introduce vulnerabilities into the DoD supply chain, leading to the exposure of sensitive information.
5.4.1. ZT—Third‐party supply chain risks
Malicious supply chain attacks can happen when an attacker gains access to an organization's IT system through a third-party vendor (Collier & Sarkis, 2021). Collier and Sarkis (2021) highlighted that 56% of companies had breach incidents through one of their third parties. The 2024 Verizon data breach report stated that data breaches involving a third party, including software vulnerabilities, reached 15%, a 68% increase compared to the previous year (Verizon, 2024). The effect of these incidents ranges from affecting the partner's infrastructure to directly or indirectly impacting larger organizations through vulnerabilities in third-party software, which ultimately affects the whole supply chain. Organizations can prevent or control these breaches by selecting vendors with adequate cybersecurity track records (Verizon, 2024). Large organizations tend to investigate the security measures adopted by potential SMB third parties or vendors to maintain a secure end-to-end supply chain (Chidukwani et al., 2022).
Implementing ZT can pose risks across the corporation's supply chain. Managing supply chain risks in the context of the ZT security paradigm is challenging and can impact the ZT security model's operational effectiveness. Since the boom in digital and communication technologies has extended to supply chains, many software applications and online platforms rely heavily on cloud computing, especially Software as a Service, as their basis for allowing users to access applications over the internet. This creates a network of interconnected systems that links various interfaces. The complex interplay of these systems requires a high level of trust among the involved entities to ensure the security of the digital products that depend on these services (Yaari, 2023). In digital supply chains, performing the authorization and verification processes enforced by the ZT paradigm for each supply chain entity may not be practical due to the sheer number of involved entities and the dynamic interplay between them (Yaari, 2023).
A recent report published by the Defense Acquisition University emphasized the importance of adopting the ZT security paradigm for SMBs, which represent 23% of the total value of all DoD spending, to protect against cyberattacks. The impact of exploiting vulnerabilities in SMBs that do business with the DoD is amplified by the sensitivity of the information hackers can access. The authors highlighted the importance of keeping SMBs' software up to date to avoid hidden vulnerabilities that could compromise the DoD's whole supply chain. The Target Corporation incident of 2013 is an example of the threat a third party may pose to the whole supply chain: attackers exfiltrated the data of 70 million customers using the login credentials of an HVAC company that had a trusted connection to Target's IT network (Vukotich & Hurt, 2023).
Another scenario arises when certain digital product manufacturers depend on third-party vendors. These vendors have their own suppliers and partners, making compliance with ZT tenets within the supply chain extremely difficult (Shea & Turpitka, 2022). The successful adoption of ZTA is directly related to supply chain risk management because it entails compliance with its tenets. Consequently, some supply chain suppliers may fail to cope with or adhere to ZTA requirements, posing a supply chain resistance risk and leading to incomplete implementation (Levine & Tucker, 2023). For example, a vendor may use a traditional software solution that cannot support the advanced authentication protocols adopted by ZT. Therefore, organizations that adopt the ZT paradigm should quantify and analyze the risks associated with supply chain entities' reluctance in order to avoid the cascading impacts of those risks on the operational efficacy of ZTA.
5.4.2. ZT—Fourth‐party supply chain risks
Organizations should be aware of the risks associated with fourth parties, i.e., the outsourced companies that do business with third parties (Collier & Thekdi, 2024). An organization's security posture can be compromised if a fourth-party supplier is compromised. Fourth-party risks can be considered a consequence of noncompliance with the strong access control policies required by ZTA. If a third party declines to adopt the same security measures as the parent organization, a backdoor is opened for threat actors to launch supply chain attacks through that party's network vulnerabilities (Graham, 2022). This can happen in the following scenarios (Blog, 2024):
A third‐party supplier grants fourth‐party access to its system (which stores the parent organization's data) for normally required activities (e.g., system maintenance and updates).
If a fourth party experiences a security breach, threat actors can access the third party's and the parent organization's information.
When ZTA is implemented within the perimeter of a large organization, it may fail to detect or prevent a compromised fourth party holding legitimate credentials from accessing a third-party vendor's system, resulting in the disclosure of sensitive information and disruption of the whole supply chain. As discussed earlier, SMBs can be either third-party or fourth-party vendors of large organizations (e.g., the DoD). Hence, they must prioritize robust security measures and comply with the security requirements enforced by ZTA to safeguard the IT security of the whole supply chain.
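The two fourth-party scenarios above come down to a visibility problem: the parent organization usually knows its third parties but not who those parties have in turn granted access to. The following is an added example, not code from the paper or from any vendor product, of the kind of supplier-dependency inventory a defender can build from contract and questionnaire data. The supplier names, access-grant edges and attestation records are constructed for illustration; the required controls are an assumed policy.

```python
"""Fourth-party exposure map for a supplier network.

Added example; not code from the paper or from any vendor. The supplier
names, the access-grant edges and the attestation records are constructed.
A real inventory would be fed from contracts and vendor questionnaires.
"""
from collections import deque

# Constructed: who has been granted access to whose systems (and therefore to
# any parent-organization data those systems hold). Grantees of "parent_org"
# are third parties; their own grantees are fourth parties, and so on.
ACCESS_GRANTS = {
    "parent_org": {"hvac_vendor", "payroll_saas"},
    "hvac_vendor": {"remote_support_co"},
    "payroll_saas": {"cloud_host", "backup_provider"},
    "backup_provider": {"offshore_dc"},
    "offshore_dc": {"backup_provider"},   # mutual grant: the walk must not loop
}

# Constructed: controls each supplier has attested to in its questionnaire.
ATTESTATIONS = {
    "hvac_vendor": {"mfa", "annual_assessment"},
    "payroll_saas": {"mfa", "annual_assessment", "soc2"},
    "remote_support_co": set(),
    "cloud_host": {"mfa", "soc2"},
    "backup_provider": {"mfa"},
    # "offshore_dc" never returned a questionnaire: unknown == nothing attested
}

# Assumed policy: controls demanded of anyone who can reach the parent's data.
REQUIRED_CONTROLS = {"mfa", "annual_assessment"}


def reachable_suppliers(grants, root="parent_org"):
    """Breadth-first walk of the access-grant graph.

    Returns {supplier: (tier, path)} where tier 1 is a third party, tier 2 a
    fourth party, and so on; path is the chain of grants from the root.
    The visited set handles cycles such as the mutual grant above.
    """
    found = {}
    queue = deque([(root, 0, [root])])
    seen = {root}
    while queue:
        node, tier, path = queue.popleft()
        for grantee in sorted(grants.get(node, ())):
            if grantee in seen:
                continue
            seen.add(grantee)
            found[grantee] = (tier + 1, path + [grantee])
            queue.append((grantee, tier + 1, path + [grantee]))
    return found


def exposure_report(grants, attestations, required, root="parent_org"):
    """Every supplier with transitive reach that lacks a required control.

    Each entry is (supplier, tier, path, missing controls). A supplier with no
    attestation record is treated as missing everything, the conservative
    reading of "no questionnaire returned". Deepest tiers sort first, since
    those are the parties the parent has the least direct visibility into.
    """
    report = []
    for supplier, (tier, path) in reachable_suppliers(grants, root).items():
        missing = required - attestations.get(supplier, set())
        if missing:
            report.append((supplier, tier, path, sorted(missing)))
    report.sort(key=lambda entry: (-entry[1], entry[0]))
    return report


def fourth_party_disclosure_gaps(grants, root="parent_org"):
    """Third parties that have onboarded grantees of their own.

    These are the contracts that need a fourth-party disclosure clause; the
    value lists the fourth parties each third party has granted access to.
    """
    return {
        third: sorted(grants.get(third, ()))
        for third in sorted(grants.get(root, ()))
        if grants.get(third)
    }


if __name__ == "__main__":
    for supplier, tier, path, missing in exposure_report(
            ACCESS_GRANTS, ATTESTATIONS, REQUIRED_CONTROLS):
        print(f"tier {tier} {supplier:18} via {' -> '.join(path)}; missing {missing}")
    print(fourth_party_disclosure_gaps(ACCESS_GRANTS))
```

On the constructed data the report surfaces a fifth-tier data centre that nobody at the parent organization has a contract with, which is exactly the case the text describes: legitimate credentials granted several hops away from the party that wrote the access policy.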
5.4.3. Supply chain risks remediation recommendations
Implementing ZT tenets within supply chains is complicated and requires considerable effort, as it demands a defined enterprise-wide cybersecurity plan and supply chain policies that determine the interplay between stakeholders, the flows of goods, data, and money, and the access policies (Collier & Sarkis, 2021). Organizations should involve the enterprise risk management process in the early stages of migration to ZTA to understand the potential unintended effects, including new organizational risks. Migration to ZTA changes an organization's IT technologies, policies, and business processes; thus, its implementation risks should be controlled to avoid operational disruptions. NIST SP 800-207, the CISA Zero Trust Maturity Model, and OCTAVE FORTE can provide adequate guidance to organizations by setting up a governance framework and illustrating the interdependencies involved in effectively implementing ZTA tenets (Levine & Tucker, 2023).
Adopting third-party and fourth-party risk management approaches can mitigate the associated supply chain risks, especially in enterprises with wide and complicated supply chains (Collier & Thekdi, 2024). Fourth-party risk management involves assessing the vendors' vendors, whereas third-party risk management addresses direct vendor risks (Beaconer, 2023). Collaboration between businesses and the third and fourth parties in their supply chain can significantly mitigate risks by raising cybersecurity awareness through training sessions, discussing third-party compliance policies, and adopting safe information-sharing approaches such as using hard copies and restricting access to read-only (Collier & Thekdi, 2024). Also, because it is difficult to set up direct, physical communication with fourth-party vendors, deploying attack surface monitoring and supplier risk management techniques is essential to address the lack of visibility that results from these tangled interplays (Beaconer, 2023).
Organizations should review suppliers' contracts and service-level agreements to impose adherence to ZTA measures, in collaboration with vendors. Compulsory ZTA compliance conditions imposed without collaboration can adversely affect vendors' willingness to be involved in the business process; their performance may change, or they may request new contractual terms to achieve ZT compliance (Levine & Tucker, 2023). In the case of third-party SMBs, contractual conditions such as clauses in third-party contracts that address fourth-party risks can be relevant. These clauses require disclosure of the third party's fourth-party interconnections, impose restrictions on the data access granted to SMBs' vendors (i.e., fourth parties to the parent organization), and hold third parties accountable for breaches caused by their fourth-party suppliers. Large organizations should prioritize security when selecting third-party suppliers, choosing those that employ robust risk management programs and implement strong access controls for their own suppliers (fourth parties). For example, the DoD created the CMMC to ensure that the DIB forming its supply chain ecosystem follows the NIST SP 800-171 or SP 800-172 family of requirements to protect the cyber-physical entities related to and involved in its planning and execution activities (Friedman, 2020). Heidorn (2021) discussed how implementing CMMC can be expedited using ZTAs and concluded by suggesting a focus on outcomes. As inconsistencies may be present (e.g., in Configuration Management), as indicated by Sundararajan (2022), further analysis to reconcile incongruities and improve alignment may be required.
6. ZTA AND RISK MANAGEMENT
ZTA can significantly reduce cyber risks and enhance SMBs' security posture. However, the risks that could result from the complex interrelationships between ZTA on one side and the organizational, technical, financial, and supply chain aspects on the other should be identified and controlled by implementing cyber risk management approaches. Subsection 6.1 discusses the need to adopt systemic risk management over traditional approaches to cope with the complex nature of the ZT security paradigm and the emerging implementation risks within SMBs. Subsection 6.2 shows how ZTA can enhance each stage of the risk management cycle and the extent to which its concepts support Governance, Risk, and Compliance tasks.
6.1. Managing ZTA inherent risks
ZTA requires a distributed management environment (multi-enterprise environment) (Sanders, 2021) in which management control is shared among various decision-makers in different enterprises (Alberts & Dorofee, 2009). Distributed environments include networks consisting of highly complex, interconnected components. The risks associated with ZT architecture highlighted by NIST SP 800-207 (Stafford, 2020) are difficult to assess or manage through traditional cyber risk management frameworks, whether quantitative methods such as Factor Analysis of Information Risk (FAIR) or qualitative methods such as NIST SP 800-30 and the NIST RMF. One reason is the complexity of, and the interrelationships between, the various ZT architecture elements. While ZTA is increasingly significant in multi-enterprise environments with many external services and third-party vendors, it can also be implemented in single-enterprise environments regardless of the organization's size or digital network complexity. ZTA is versatile and adaptable to both simple enterprises and multi-enterprise scenarios (Stafford, 2020).
The previously mentioned methods presume a linear cause-and-effect relationship between risk events and their consequences (Sanders, 2021). Traditional risk management techniques adopt a bottom-up approach and serve the tactical level of risk control. Tactical, bottom-up risk management comprises two techniques. The first is a Pareto analysis that prioritizes risks with high risk measures (e.g., impact, likelihood, and risk exposure). Risk managers then concentrate on mitigating the top 10%–20% of the prioritized risks and disregard the rest. Continuous changes in the market, technologies, and higher management objectives can turn low-priority risks into high-priority risks and vice versa; risks with low priority may turn out to be serious risks that bring severe losses. Therefore, with this approach, the program's continuity may be jeopardized.
The second technique is grouping risks into clusters and developing a risk statement for each cluster; the risk measures of each cluster are then evaluated. This technique is called affinity grouping. Its disadvantage is that it can be time-consuming because of the diverse and large number of risks to be clustered. Moreover, clusters may be defined inconsistently by different partners in a distributed management environment (i.e., a multi-enterprise program) (Alberts & Dorofee, 2009).
In contrast, systemic risk management approaches can control the risks associated with distributed environments by adopting a top-down risk analysis approach. The first step determines the success parameters of the systems or programs being analyzed, that is, the key factors that significantly impact the final outcome of the system. The second step identifies a group of control factors that affect the achievement of the key factors. These two steps are crucial in dissecting the systems' strengths and weaknesses and pave the way for subsequent risk analysis (Alberts & Dorofee, 2009). The systemic risk concept originally emerged in the 2008 financial crisis and was adopted in cyberspace because cyberspace, like the financial industry, consists of interconnected networks (Welburn & Strong, 2022). Welburn and Strong (2022) indicated that, unlike traditional risk management approaches, the systemic risk management notion considers the interconnectedness of entities within a network, the aggregate impact of risks, and contagion effects, where the failure of one entity can lead to failures in others. These three concepts align with the nature of ZTA and can strengthen the adoption of a systemic risk management approach: interconnectedness, by recognizing how vulnerabilities propagate within the network; aggregate impact, by informing ZTA strategies that evaluate how security breaches affect the entire organization rather than isolated components; and contagion, by ensuring that security measures are in place to prevent the cascading effect of a breach, which aligns with the ZTA principle of least privilege. Finally, the authors argued that the systemic cyber risk concept hinges on cybersecurity, finance, economics, and risk analysis; thus, adequate knowledge of these fields is required to address systemic cyber risks.
In summary, tactical risk management methods require adopting many mitigation measures to control each specific risk. Implementing such approaches in large programs adds complexity to the risk management process, in addition to unnecessary use of resources and futile management of risks (Alberts & Dorofee, 2009). The ZT security model consists of multiple, complex, and linked elements that require a systemic and adaptive technique to manage the implied operational risks (Sanders, 2021).
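The contrast drawn in this subsection, a Pareto cut of the risk register versus a top-down view of how failures propagate between linked ZT components, can be made concrete with a small computation. The following is an added example, not code from the paper or from the cited authors: the risk register, the component dependency graph and every weight are constructed, and the propagation rule is an FDNA-style operability model (a strength-of-dependency and criticality-of-dependency weight per edge, baseline operability 100), which is an assumption about the form of that method rather than a reproduction of any published formulation. It shows a low-exposure risk at the identity provider falling outside the top 20% under Pareto ranking while causing the largest cascaded loss at the business-critical component.

```python
"""Tactical Pareto prioritisation versus a systemic dependency view.

Added example; not code from the paper. The risk register, the component
dependency graph and all weights are constructed. The propagation rule is an
FDNA-style operability model (assumed form, baseline operability 100).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    node: str          # component whose operability drops if the risk materialises
    impact: float      # 1..5
    likelihood: float  # 0..1
    degraded: float    # operability (0..100) of `node` if the risk materialises

    @property
    def exposure(self) -> float:
        return self.impact * self.likelihood


# Constructed risk register. R5 looks minor on exposure alone.
RISKS = [
    Risk("R1", "vendor_vpn", 5, 0.6, 30),
    Risk("R2", "vendor_portal", 4, 0.5, 50),
    Risk("R3", "order_fulfilment", 3, 0.5, 70),
    Risk("R4", "policy_engine", 3, 0.3, 60),
    Risk("R5", "identity_provider", 2, 0.2, 40),
]

# Constructed dependency graph: receiver -> {feeder: (alpha, beta)}.
# alpha in [0,1]: share of the receiver's operability that comes from the feeder.
# beta in [0,100]: the receiver can never be more than beta points above the feeder.
DEPENDENCIES = {
    "policy_engine": {"identity_provider": (0.9, 20)},
    "vendor_portal": {"policy_engine": (0.8, 30), "vendor_vpn": (0.5, 60)},
    "order_fulfilment": {"vendor_portal": (0.7, 40), "policy_engine": (0.9, 10)},
}
CRITICAL = "order_fulfilment"   # the key factor in the top-down analysis


def pareto_top(risks, fraction=0.2):
    """Tactical, bottom-up view: keep the top `fraction` of risks by exposure."""
    ranked = sorted(risks, key=lambda r: r.exposure, reverse=True)
    return [r.risk_id for r in ranked[: max(1, round(len(ranked) * fraction))]]


def operability(node, degraded, deps=DEPENDENCIES, memo=None):
    """Operability of `node` (0..100) given the directly degraded nodes.

    A leaf keeps its own level (100 unless degraded). A receiver takes
    min(SOD, COD, own level): SOD averages alpha-weighted feeder operability,
    COD is the tightest "feeder + beta" cap. Memoised, so shared feeders are
    evaluated once per scenario.
    """
    memo = {} if memo is None else memo
    if node in memo:
        return memo[node]
    own = degraded.get(node, 100.0)
    if node not in deps:
        memo[node] = own
        return own
    feeders = deps[node]
    sod = sum(a * operability(f, degraded, deps, memo) + 100.0 * (1.0 - a)
              for f, (a, _) in feeders.items()) / len(feeders)
    cod = min(operability(f, degraded, deps, memo) + b for f, (_, b) in feeders.items())
    memo[node] = min(sod, cod, own)
    return memo[node]


def cascade_loss(risk, critical=CRITICAL):
    """Operability points the critical node loses if `risk` materialises alone."""
    return 100.0 - operability(critical, {risk.node: risk.degraded})


def systemic_ranking(risks, critical=CRITICAL):
    """Top-down view: rank risks by their cascaded effect on the critical node."""
    return [r.risk_id for r in
            sorted(risks, key=lambda r: cascade_loss(r, critical), reverse=True)]


if __name__ == "__main__":
    print("Pareto top 20%:", pareto_top(RISKS))
    for r in RISKS:
        print(r.risk_id, f"exposure={r.exposure:.1f}", f"cascade_loss={cascade_loss(r):.1f}")
    print("systemic ranking:", systemic_ranking(RISKS))
```

With these numbers the Pareto cut keeps only R1 (the VPN risk, exposure 3.0), whereas R5 at the identity provider (exposure 0.4) drags order fulfilment down to 56 because every access decision on the path depends on it. That is the contagion effect the subsection describes, and the reason a single shared control like the PDP's identity source deserves a systemic rather than a tactical assessment.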
6.2. ZTA as a risk countermeasure
ZTA can be an enabler of a holistic and proactive risk countermeasure for SMBs that face limited resources, increasing pressures, and an evolving regulatory environment. Governance, in the context of Governance, Risk, and Compliance, means the process of ensuring that enterprise policies are executed at scale. Risk management quantifies and prioritizes cyber risks in light of the organization's operations. Compliance refers to the rules imposed by the government, the industry, or the market in which an organization conducts business (Kudrati & Pillai, 2022). Kudrati and Pillai (2022) highlighted, "Compliance is all about risk management and lessening risk, and the same is true of Zero Trust." From the risk management perspective, ZTA redefines the risk identification and mitigation process through verification and authentication of every access request, whether internal or external. Specifically, ZTA can facilitate the risk management process throughout its four main steps as follows (Kudrati & Xia, 2022):
6.2.1. Risk identification
The primary step in the risk management process is to discover and prioritize the system components and the data being handled in order to perform an impact assessment and identify vulnerabilities. ZTA ensures that organizational assets across the whole digital infrastructure are secured through compliance with the security requirements of the six pillars: identity, endpoint, network, data, application, and infrastructure.
6.2.2. Risk assessment
ZTA supports sustained risk assessment in several ways. First, each access request is authenticated and verified through the PDP and PEP, and real-time monitoring and analytics are used to detect and respond promptly to anomalies, thus enabling effective risk management. Second, the security tools that serve each ZTA pillar support the risk assessment processes at both the system and organizational scales. For example, MFA supports the identity pillar and verifies each subject's identity to reduce the probability of unauthorized access. The device pillar ensures that only updated and secure devices can access the organization's resources. Network segmentation reduces lateral movement, while data encryption tools diminish the consequences of data breach incidents. These tools allow SMBs to mitigate risks proactively and address vulnerabilities in critical assets, thereby maintaining the confidentiality of sensitive information.
6.2.3. Response to risks
The concepts of ZTA align with the four risk response approaches: tolerate, operate, monitor, and improve. Through the design phase, ZTA enables feeding risk assessments into the ZT PDP and PEP for immediate threat response. Evaluating risks in real time permits granting, denying, limiting, or further authenticating access requests, which confers prompt risk management across the entire access request lifecycle.
6.2.4. Risk monitoring and reporting
As risk monitoring and reporting is a key process for maintaining risk governance, ZTA serves this process because it requires complete visibility at all levels, evaluating, logging, and reporting risks together with each user's identity. The integrated security tools can obtain data breach indicators and share this information with the security team for further analysis. The accumulated data improves the quality of risk reporting to higher management and auditors. The insights gained from monitoring enable continuous review and improvement of risk management strategies and policies.
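Sections 6.2.2 through 6.2.4 describe one loop: pillar signals feed a per-request risk assessment, the PDP turns that assessment into grant, deny, limit or step-up, the PEP enforces it, and the resulting log is the raw material for risk reporting. The following is an added example of that loop, not code from the paper or from any product. The request attributes, the per-pillar weights and the sensitivity thresholds are constructed; in a deployment the identity provider, device management and analytics tooling would supply these attributes for each request.

```python
"""Per-request risk scoring by a Zero Trust policy decision point (PDP),
enforcement and audit logging by a policy enforcement point (PEP).

Added example; not code from the paper or from any product. Attributes,
weights and thresholds are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # further authentication before access
    LIMIT = "limit"       # e.g., read-only, no download
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str
    sensitivity: int          # data pillar: 1 public .. 4 restricted
    mfa_verified: bool        # identity pillar
    device_compliant: bool    # endpoint pillar: patched, encrypted, agent running
    device_managed: bool      # endpoint pillar: enrolled in device management
    network_zone: str         # network pillar: "corp", "vpn" or "internet"
    anomaly_score: float      # 0..1 from real-time analytics


ZONE_RISK = {"corp": 0, "vpn": 10, "internet": 20}          # constructed weights
LIMIT_THRESHOLD = {1: 80, 2: 60, 3: 40, 4: 25}              # score at which ALLOW ends
DENY_MARGIN = 30                                            # DENY starts this far above


def risk_score(req: AccessRequest) -> int:
    """Additive risk score; each pillar contributes independently."""
    score = 0
    if not req.mfa_verified:
        score += 30
    if not req.device_compliant:
        score += 25
    if not req.device_managed:
        score += 15
    score += ZONE_RISK.get(req.network_zone, ZONE_RISK["internet"])
    score += int(req.anomaly_score * 30)
    return score


def decide(req: AccessRequest):
    """PDP: map the score to allow / step-up / limit / deny.

    A non-compliant device never reaches restricted data, whatever the score.
    Step-up is offered only when the missing control is one the user can
    remediate on the spot (MFA); otherwise the session is limited.
    """
    score = risk_score(req)
    if req.sensitivity >= 4 and not req.device_compliant:
        return Decision.DENY, score
    threshold = LIMIT_THRESHOLD[req.sensitivity]
    if score >= threshold + DENY_MARGIN:
        return Decision.DENY, score
    if score >= threshold:
        return (Decision.STEP_UP if not req.mfa_verified else Decision.LIMIT), score
    return Decision.ALLOW, score


class PolicyEnforcementPoint:
    """PEP: consults the PDP per request and keeps the log used for reporting."""

    def __init__(self):
        self.log = []

    def handle(self, req: AccessRequest) -> Decision:
        decision, score = decide(req)
        self.log.append({"subject": req.subject, "resource": req.resource,
                         "score": score, "decision": decision.value})
        return decision

    def report(self) -> dict:
        """Risk monitoring view: decision counts, subjects to review, worst score."""
        denied = sorted({e["subject"] for e in self.log if e["decision"] == "deny"})
        return {"by_decision": dict(Counter(e["decision"] for e in self.log)),
                "subjects_denied": denied,
                "max_score": max((e["score"] for e in self.log), default=0)}


# Constructed sample requests, one per outcome plus the hard-rule deny.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "hr-db", 3, True, True, True, "corp", 0.0),
    AccessRequest("bob", "hr-db", 3, False, True, True, "vpn", 0.1),
    AccessRequest("vendor-svc", "inventory", 3, True, True, False, "internet", 0.4),
    AccessRequest("mallory", "payroll", 4, True, False, True, "internet", 0.9),
    AccessRequest("eve", "wiki", 2, False, False, False, "internet", 0.5),
]


def run_samples():
    """Push the samples through one PEP; return decisions and the report."""
    pep = PolicyEnforcementPoint()
    decisions = {r.subject: pep.handle(r).value for r in SAMPLE_REQUESTS}
    return decisions, pep.report()


if __name__ == "__main__":
    decisions, report = run_samples()
    print(decisions)
    print(report)
```

The two denies illustrate the difference between a score-driven response and a hard rule: eve is denied because the accumulated score crosses the deny margin, while mallory is denied regardless of score because restricted data from a non-compliant device is a policy line the PDP does not weigh. The report dictionary is the piece 6.2.4 cares about; it is what an SMB without a compliance team would hand to management or an auditor.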
From the compliance perspective, complying with regulatory standards and regulations is a challenging task for SMBs because those requirements grow ever more complex. ZTA simplifies the compliance process by embedding continuous verification, strict access controls, and real-time risk monitoring in organizational operations. Each access request can be automatically verified for security and for compliance with the organization's security policies, reducing the risk of non-compliance due to human error, which matters in SMBs where specialized compliance teams are rarely found. On top of that, ZTA could pave the way for SMBs to maintain effective governance by enforcing policies at each access point and continuously aligning these policies with industry norms and regulatory requirements, reducing the cost and administrative work needed to ensure compliance.
7. CONCLUSIONS AND FUTURE RESEARCH DIRECTIONS
This article provides a comprehensive overview of ZTA through the lens of SMBs, focusing on its advantages, disadvantages, and the residual risks that emerge after its implementation. The risks associated with the ZT security paradigm are identified and classified into three main categories: supply chain, financial, and operational. Each risk category is divided into subcategories of risks that should be addressed to avoid adverse impacts on the operational effectiveness of ZTA. Moreover, the relevant risk management approaches that can be implemented to address ZTA's residual risks are discussed. In addition, practical actions are suggested as solutions for SMBs' managers and decision-makers to control the discussed risk factors (e.g., financial, technical, organizational, and supply chain).
The GL and academic literature were surveyed to review these aspects through the lens of SMBs. The findings of the literature survey revealed many research gaps. Research articles that review the implementation success and failure factors and the risks associated with ZTA, considering the unique business attributes of SMBs, are rarely found. Hence, this paper sheds light on the importance of guiding SMBs through the migration to ZTA while addressing its disadvantages (e.g., technical complexity and high costs) so that they can satisfy their security objectives. The unanswered questions related to the disadvantages of ZT hinder its deployment across organizations, and practical solutions should be provided to ease the migration process. In addition, this research revealed how ZTA can be utilized as an enabler of a comprehensive and proactive risk management strategy and how it contributes to streamlining governance, risk, and compliance activities for SMBs. In the meantime, the systemic risk management technique is found to be effective in managing the implied risks that may emerge from the complex interactions between ZTA elements, organizations, and business processes.
Given the paramount importance of safeguarding SMBs' IT networks, and in light of the recently announced Executive Orders, initiatives, and demands that promote the adoption of ZT models, it is crucial to enhance the decision-making process for adopting ZT tools within SMBs. There is hesitation in deciding whether migrating to the ZT security paradigm is worthwhile because decision-makers are uncertain about its long-run benefits. A future research direction is developing a cost–benefit analysis and estimating the potential ROI to eliminate the vagueness surrounding ZTA's economic returns and facilitate decision-making.
Moreover, assessing the downsides of the ZT security concept against conventional security approaches, specifically the ability of ZT to combat current and potential sophisticated cyberattacks compared to traditional tools, can be another direction of research. The literature lacks frameworks and tools that enable testing and validating ZTA through practical scenarios at various organizational scales to ensure its operational effectiveness and scalability (Itodo & Ozer, 2024). In addition, the impact of implementing ZT tenets across supply chains, especially through the lens of SMBs, represents a significant research gap. The lack of a straightforward mapping between IT networks and supply chains generally leads to ambiguity in that context, and a faulty mapping of IT security concepts onto supply chains can make things worse than having no mapping at all (DiMase et al., 2021). Thus, more research is needed to fill this gap (Collier & Thekdi, 2024). The findings of the literature survey underscore the lack of research studies that investigate how to manage third- and fourth-party supply chain risks in the context of ZTA, given the role SMBs play in the United States and in global supply chains.
Last, the need for a systemic risk management approach to address the inherent risks of ZTA for SMBs raises a research gap. Because of the distributed, interrelated, complex nature of ZT components, tactical risk management approaches could not effectively address the residual risks for organizations. One of the systemic risk management approaches that can deal with complex systems is the Functional Dependency Network Analysis (Garvey & Pinto, 2009) and its extensions (e.g., SODA (Guariniello & DeLaurentis, 2017), ARNDA (Diaz et al., 2021; Smith et al., 2022, 2024), which can be utilized to quantify and predict the cascading effect of risks before their occurrence.
ACKNOWLEDGMENTS
This project has been partially funded by the State of Virginia Commonwealth Cyber Initiative (CCI) under project #300864‐010, Machine‐learning‐enabled Dependency Network Analysis for Quantifying Risks and Ripple Effects Stemming from Cybersecurity Non‐Compliance Issues to CMMC.
Abdelmagid, A. M., & Diaz, R. (2025). Zero Trust architecture as a risk countermeasure in small–medium enterprises and advanced technology systems. Risk Analysis, 45, 2390–2414. 10.1111/risa.70026
REFERENCES
- Abdelmagid, A. M., Gheith, M. S., & Eltawil, A. B. (2021). A binary integer programming formulation and solution for truck appointment scheduling and reducing truck turnaround time in container terminals. In Proceedings of the 2021 8th international conference on industrial engineering and applications (Europe) (pp. 126–131).
- Abdelmagid, A. M., Gheith, M. S., & Eltawil, A. B. (2022a). A comprehensive review of the truck appointment scheduling models and directions for future research. Transport Reviews, 42(1), 102–126.
- Abdelmagid, A. M., Gheith, M. S., & Eltawil, A. B. (2022b). Scheduling external trucks appointments in container terminals to minimize cost and truck turnaround times. Logistics, 6(3), 45. https://www.mdpi.com/2305-6290/6/3/45
- Abdelmagid, A. M., Javadnejad, F., Pinto, C. A., McShane, M. K., Diaz, R., & Gartell, E. (2023). Assessing the frequency and severity of malware attacks: An exploratory analysis of the Advisen cyber loss dataset. In Modeling, simulation and visualization student capstone conference, Suffolk, Virginia.
- Adahman, Z., Malik, A. W., & Anwar, Z. (2022). An analysis of zero‐trust architecture and its cost‐effectiveness for organizational security. Computers & Security, 122, 102911.
- Alagappan, A., Venkatachary, S. K., & Andrews, L. J. B. (2022). Augmenting zero trust network architecture to enhance security in virtual power plants. Energy Reports, 8, 1309–1320.
- Alberts, C. J., & Dorofee, A. J. (2009). A framework for categorizing key drivers of risk (Technical Report CMU/SEI‐2009‐TR‐007 ESC‐TR‐2009‐007). Software Engineering Institute. https://insights.sei.cmu.edu/documents/811/2009_005_001_15104.pdf
- Alvarado, S. F. (2022). Department of Defense Cybersecurity Maturity Model Certification compliance: The impact on Small Business Defense Contractors [Doctoral dissertation, Colorado Technical University].
- Ashfaq, S., Patil, S. A., Borde, S., Chandre, P., Shafi, P. M., & Jadhav, A. (2023). Zero trust security paradigm: A comprehensive survey and research analysis. Journal of Electrical Systems, 19(2), 28–37.
- Aurelien, J. (2021). Exploring effective defensive cybersecurity strategies for small businesses. Colorado Technical University.
- AWS. (2024). Embracing Zero Trust: A strategy for secure and agile business transformation. https://docs.aws.amazon.com/pdfs/prescriptive-guidance/latest/strategy-zero-trust-architecture/strategy-zero-trust-architecture.pdf
- Beaconer. (2023). Fourth party risk management—A comprehensive guide. https://beaconer.io/fourth-party-risk-management-a-comprehensive-guide/#Significance
- Boxley, D. (2022). How to partner cyber‐resilience with business functions. Database Trends and Applications, 36(1), 26–27.
- Buck, C., Olenberger, C., Schweizer, A., Völter, F., & Eymann, T. (2021). Never trust, always verify: A multivocal literature review on current knowledge and research gaps of zero‐trust. Computers & Security, 110, 102436.
- Butijn, B.‐J., Tamburri, D. A., & van den Heuvel, W.‐J. (2020). Blockchains: A systematic multivocal literature review. ACM Computing Surveys, 53(3), 1–37. 10.1145/3369052
- Campbell, M. (2020). Beyond zero trust: Trust is a vulnerability. Computer, 53(10), 110–113.
- Chidukwani, A., Zander, S., & Koutsakis, P. (2022). A survey on the cyber security of small‐to‐medium businesses: Challenges, research focus and recommendations. IEEE Access, 10, 85701–85719. 10.1109/ACCESS.2022.3197899
- CISA. (2023). Securing small and medium‐sized business (SMB) supply chains: A resource handbook to reduce information and communication technology risks. https://www.cisa.gov/resources-tools/resources/securing-smb-supply-chains-resource-handbook
- Collier, Z. A., & Sarkis, J. (2021). The zero trust supply chain: Managing supply chain risk in the absence of trust. International Journal of Production Research, 59(11), 3430–3445.
- Collier, Z. A., & Thekdi, S. A. (2024). Supply chain security. In J. Sarkis (Ed.), The Palgrave handbook of supply chain management (pp. 561–584). Springer.
- Craven, C. (2021). What are zero‐trust benefits and challenges? https://www.sdxcentral.com/security/zero-trust/definitions/what-are-zero-trust-benefits-and-challenges/
- Daley, S. (2022). Evaluation of Zero Trust framework for remote working environments. Department of Science and Technology, Bournemouth University.
- DealHub Experts. (2023). Phased implementation. https://dealhub.io/glossary/phased-implementation/
- Deloitte. (2023). Legacy tech poses a challenge to zero trust adoption, while risk management needs continue to drive its advancement. https://www.prnewswire.com/news-releases/legacy-tech-poses-a-challenge-to-zero-trust-adoption-while-risk-management-needs-continue-to-drive-its-advancement-301801737.html
- Department of Homeland Security. (2023). Zero trust implementation strategy. https://www.dhs.gov/sites/default/files/2024-02/24_0129_cio_zero_trust_implementation_strategy_october.pdf
- Diaz, R., Smith, K., Acero, B., Longo, F., & Padovano, A. (2021). Developing an artificial intelligence framework to assess shipbuilding and repair sub‐tier supply chains risk. Procedia Computer Science, 180, 996–1002.
- van Dijen, B. (2023). The ZEro Trust DECision Making (ZEDEC) method: Selecting relevant zero trust concepts to mitigate high‐priority risks [Master's thesis, Utrecht University].
- DiMase, D., Collier, Z., Muldavin, J., Chandy, J., Davidson, D., Doran, D., Guin, U., Hallman, J., Heebink, J., & Hall, E. (2021). Zero trust for hardware supply chains: Challenges in application of zero trust principles to hardware [White paper]. NDIA.
- Friedman, S. (2020). DOD rule establishes compliance regime ahead of CMMC implementation. Inside the Pentagon, 36(45), 7–8.
- Garbis, J., & Chapman, J. W. (2021). Zero trust security: An enterprise guide. Springer.
- Garvey, P. R., & Pinto, C. A. (2009). Introduction to functional dependency network analysis. In Second international symposium on engineering systems, MIT, Cambridge, MA. The MITRE Corporation and Old Dominion University.
- Graham, K. (2022). What is fourth‐party risk vs third‐party risk? (How to manage both). https://www.bitsight.com/blog/what-third-party-vs-fourth-party-risk-and-how-manage-both
- Guariniello, C., & DeLaurentis, D. (2017). Supporting design via the system operational dependency analysis methodology. Research in Engineering Design, 28(1), 53–69.
- Heidorn, R. (2021). Hasten CMMC compliance through zero‐trust. National Defense, 106(813), 16–17.
- IBM. (2024). Cost of a data breach report. https://www.ibm.com/account/reg/signup?formid=urx-52913
- IBM Security. (2021). Cost of a data breach report 2021. Risk Quantification, 73, 54–59.
- Itodo, C. A. (2024). A novel framework for the adoption of zero trust security for small, medium and large‐scale organizations [Doctoral dissertation, University of Cincinnati].
- Itodo, C., & Ozer, M. (2024). Multivocal literature review on zero‐trust security implementation. Computers & Security, 141, 103827.
- Javadnejad, F., Abdelmagid, A. M., Pinto, C. A., McShane, M., & Diaz, R. (2024). An exploratory data analysis of malware/ransomware cyberattacks: Insights from an extensive cyber loss dataset. Enterprise Information Systems, 18, 2369952. 10.1080/17517575.2024.2369952
- Kramer, F. D., Teplinsky, M. J., & Butler, R. J. (2022). Cybersecurity for innovative small and medium enterprises and academia. Atlantic Council, Scowcroft Center for Strategy and Security.
- Kudrati, A., & Pillai, B. A. (2022). Zero trust journey across the digital estate. CRC Press.
- Kudrati, A., & Xia, J. (2022). How to improve risk management using Zero Trust architecture. Microsoft. https://www.microsoft.com/en-us/security/blog/2022/05/23/how-to-improve-risk-management-using-zero-trust-architecture/
- Levine, A., & Tucker, B. A. (2023). Zero trust architecture: Risk discussion. Digital Threats, 4(1), 1–6. 10.1145/3573892
- Levy, Y., & Gafni, R. (2022). Towards the quantification of cybersecurity footprint for SMBs using the CMMC 2.0. Online Journal of Applied Knowledge Management, 10(1), 43–61.
- Lillis, N. (2024). Why zero‐trust security is the best defense for small businesses. https://biztechmagazine.com/article/2024/03/why-zero-trust-security-best-defense-small-businesses
- Luckett, J. (2024). A zero trust roadmap for consumers and small businesses [Doctoral dissertation, Marymount University].
- Michael, J. B., Dinolt, G. C., Cohen, F. B., & Wijesekera, D. (2022). Can you trust zero trust? Computer, 55(8), 103–105.
- MITRE. (2015). ATT&CK. https://attack.mitre.org/
- Moubayed, A., Refaey, A., & Shami, A. (2019). Software‐defined perimeter (SDP): State of the art secure solution for modern networks. IEEE Network, 33(5), 226–233. 10.1109/MNET.2019.1800324
- MPG Blog. (2024). Understand the role fourth‐party vendors play in your risk profile. Retrieved May 24 from https://www.mindpointgroup.com/blog/understand-the-role-fourth-party-vendors-play-in-your-risk-profile
- Mutabazi, P., Ndashimye, E., & Ndibwile, J. D. (2023). Investigating the challenges companies in Rwanda face when implementing zero‐trust network. In 2023 10th international conference on future internet of things and cloud (FiCloud) (pp. 382–392). IEEE.
- Nivarthi, K. S. P., & Gatla, G. (2022). Fighting cybercrime with zero trust. American Scientific Research Journal for Engineering, Technology, and Sciences, 90(1), 371–381.
- Njenga, K., & Jordaan, P. (2016). We want to do it our way: The neutralisation approach to managing information systems security by small businesses. The African Journal of Information Systems, 8(1), 3.
- NSTAC. (2024). NSTAC report to the president on measuring and incentivizing the adoption of cybersecurity best practices. https://www.cisa.gov/sites/default/files/2024-04/2024.03.07_NSTAC_M&I_Report.pdf
- Okta. (2023). The state of zero trust security 2023. https://okta.com/resources/whitepaper-the-state-of-zero-trust-security-2023/
- Palatty, N. J. (2024). 51 small business cyber attack statistics 2024 (and what you can do about them). https://www.getastra.com/blog/security-audit/small-business-cyber-attack-statistics/
- Phiayura, P., & Teerakanok, S. (2023). A comprehensive framework for migrating to zero trust architecture. IEEE Access, 11, 19487–19511.
- Qazi, F. A. (2022). Study of zero trust architecture for applications and network security. In 2022 IEEE 19th international conference on smart communities: Improving quality of life using ICT, IoT and AI (HONET). IEEE.
- Renaud, K., & Weir, G. R. S. (2016). Cybersecurity and the unbearability of uncertainty. In 2016 Cybersecurity and Cyberforensics Conference (CCC) (pp. 137–143). 10.1109/ccc.2016.29
- Rinaldi, S. M., Peerenboom, J. P., & Kelly, T. K. (2001). Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Systems Magazine, 21(6), 11–25.
- Saltzer, J. H., & Schroeder, M. D. (1975). The protection of information in computer systems. Proceedings of the IEEE, 63(9), 1278–1308.
- Sanders, G. (2021, March 8). Zero trust adoption: Managing risk with cybersecurity engineering and adaptive risk assessment. Retrieved March 21, 2025, from https://insights.sei.cmu.edu/blog/zero-trust-adoption-managing-risk-with-cybersecurity-engineering-and-adaptive-risk-assessment/
- Sausalito, C. (2024). 2024 cybersecurity almanac: 100 facts, figures, predictions and statistics. https://cybersecurityventures.com/cybersecurity-almanac-2024/
- Shea, S., & Turpitka, D. (2022). Top 6 challenges of a zero‐trust security model. https://www.techtarget.com/searchsecurity/tip/Top-risks-of-deploying-zero-trust-cybersecurity-model
- Smith, K., Diaz, R., & Shen, Y. (2022). Development of a framework to support informed shipbuilding based on supply chain disruptions. Procedia Computer Science, 200, 1093–1102. 10.1016/j.procs.2022.01.309
- Smith, K., Diaz, R., & Shen, Y. (2024). A quantified hypervulnerability approach for assessing resilience in supply chain networks. International Journal of Simulation and Process Modelling, 21(3), 166–178.
- Stafford, V. (2020). Zero trust architecture. NIST Special Publication 800‐207.
- Stelzer, K. (2021). Bank's digital strategy surmounts security obstacles. https://www.ibm.com/downloads/cas/NGLBBLMZ
- Sukumar, A., Mahdiraji, H. A., & Jafari‐Sadeghi, V. (2023). Cyber risk assessment in small and medium‐sized enterprises: A multilevel decision‐making approach for small e‐tailors. Risk Analysis, 43(10), 2082–2098.
- Sundararajan, V. (2022). Assessing common control deficiencies in CMMC non‐compliant DoD contractors [Master's thesis, Purdue University].
- Swearingen, M. T., Michael, J. B., Weiss, J., & Radvanovsky, R. (2024). Resilient without zero trust. Computer, 57(1), 120–122.
- Syed, N. F., Shah, S. W., Shaghaghi, A., Anwar, A., Baig, Z., & Doss, R. (2022). Zero trust architecture (ZTA): A comprehensive survey. IEEE Access, 10, 57143–57179.
- Tam, T., Rao, A., & Hall, J. (2021). The good, the bad and the missing: A narrative review of cyber‐security implications for Australian small businesses. Computers & Security, 109, 102385. 10.1016/j.cose.2021.102385
- Teerakanok, S., Uehara, T., & Inomata, A. (2021). Migrating to zero trust architecture: Reviews and challenges. Security and Communication Networks, 2021, 1–10.
- The White House. (2021). Executive order on improving the nation's cybersecurity. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
- The White House. (2022). Memorandum on improving the cybersecurity of national security, Department of Defense, and intelligence community systems. https://www.whitehouse.gov/briefing-room/presidential-actions/2022/01/19/memorandum-on-improving-the-cybersecurity-of-national-security-department-of-defense-and-intelligence-community-systems/
- Tucker, B. (2020). Advancing risk management capability using the OCTAVE FORTE process (Technical Note). Software Engineering Institute, Carnegie Mellon University.
- Tufin. (2021). Achieving a Zero Trust Network Security Model with Tufin. Retrieved March 19 from https://lp.tufin.com/rs/769-ICF-145/images/zero-trust-security-model.pdf
- Tyler, D., & Viana, T. (2021). Trust no one? A framework for assisting healthcare organisations in transitioning to a zero‐trust network architecture. Applied Sciences, 11(16), 7499.
- U.S. SBA. (2022). Small businesses profile. Office of Advocacy. https://advocacy.sba.gov/wp-content/uploads/2022/08/State_Profiles_2022.pdf
- Uwaoma, C. (2023). The challenges and processes of achieving optimal implementation of zero trust architecture in workplace. In SIGMIS‐CPR '23: Proceedings of the 2023 computers and people research conference.
- Venkatesh, V., Morris, M. G., Davis, G. B., & Davis, F. D. (2003). User acceptance of information technology: Toward a unified view. MIS Quarterly, 27, 425–478.
- Verizon. (2024). 2024 data breach investigations report. https://www.verizon.com/business/resources/T600/reports/2024-dbir-data-breach-investigations-report.pdf
- Vukotich, G., & Hurt, T. (2023). Small businesses and DoD cybersecurity: The zero trust approach. Defense Acquisition, 52(3), 29–33.
- Weishäupl, E., Yasasin, E., & Schryen, G. (2018). Information security investments: An exploratory multiple case study on decision‐making, evaluation and learning. Computers & Security, 77, 807–823.
- Welburn, J. W., & Strong, A. M. (2022). Systemic cyber risk and aggregate impacts. Risk Analysis, 42(8), 1606–1622.
- Wikipedia. (2024). Analysis paralysis. https://en.wikipedia.org/wiki/Analysis_paralysis
- Yaari, L. (2023). The top five challenges of zero‐trust security. https://www.forbes.com/sites/forbestechcouncil/2023/04/11/the-top-five-challenges-of-zero-trust-security/?sh=2aca9a4d4e25
- Young, S. D. (2021). Improving the Federal Government's investigative and remediation capabilities related to cybersecurity incidents (Memorandum M‐21‐31). https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf
- Young, S. D. (2022). Moving the US government toward zero trust cybersecurity principles (Memorandum M‐22‐09).
- Zyoud, B., & Lutfi, S. L. (2024). The role of information security culture in zero trust adoption: Insights from UAE organizations. IEEE Access, 12, 72420–72444.
