Towards Zero Trust Architecture: A Pilot Study on Information Systems Security Readiness amongst Small and Medium Enterprises
Pith reviewed 2026-05-21 08:21 UTC · model grok-4.3
The pith
Survey links Zero Trust familiarity and cloud needs to higher perceived necessity in SMEs
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The study establishes that ZTA familiarity and cloud-computing needs are the strongest positive correlates of perceived necessity for Zero Trust Architecture among SMEs, whereas accumulated barriers show only a weak negative association. Identity and access management complexity and scalability emerge as the main implementation hurdles. Based on these findings, the authors propose a three-stage route for SMEs: strengthening identity governance, segmenting high-value assets, and introducing targeted monitoring in line with operational capacity.
What carries the argument
The survey-based correlation analysis that isolates familiarity and cloud needs as primary positive drivers, combined with the proposed three-stage adoption path that sequences identity governance, asset segmentation, and monitoring.
If this is right
- SMEs that gain more exposure to Zero Trust concepts will tend to view adoption as more necessary.
- Firms with heavier cloud-computing demands will show stronger inclination toward Zero Trust measures.
- Prioritizing fixes for identity and access management complexity should lower the largest reported barrier.
- Following the staged sequence allows SMEs to advance security without exceeding available resources at any step.
Where Pith is reading between the lines
- Training programs aimed at raising ZTA awareness could measurably increase adoption interest in resource-constrained firms.
- Testing whether the three stages produce measurable security improvements would provide direct evidence for the proposed path.
- Support policies that pair cloud migration aid with basic identity governance guidance might accelerate realistic Zero Trust uptake.
Load-bearing premise
The self-reported perceptions from a convenience sample of 64 IT and security professionals in the Asia-Pacific region accurately capture the drivers, barriers, and readiness levels of SMEs more broadly.
What would settle it
A larger survey using random sampling of SMEs across multiple regions that finds no significant positive correlation between ZTA familiarity and perceived necessity would undermine the central claim.
Small and medium enterprises (SMEs) face growing cyber threats but often lack the resources and expertise needed to adopt Zero Trust Architecture (ZTA). This pilot study examines the drivers and barriers shaping SME perceptions of ZTA necessity and proposes an exploratory staged adoption path. Survey data from 64 IT and security professionals in the Asia-Pacific region show that ZTA familiarity and cloud-computing needs are the strongest positive correlates of perceived necessity, whereas accumulated barriers show only a weak negative association. Identity and access management complexity and scalability emerge as the main implementation hurdles. Based on these findings, we propose a three-stage route for SMEs: strengthening identity governance, segmenting high-value assets, and introducing targeted monitoring in line with operational capacity. The study offers early evidence for more realistic Zero Trust transitions in resource-constrained firms.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. This pilot study examines drivers and barriers to Zero Trust Architecture (ZTA) adoption among Small and Medium Enterprises (SMEs) via a survey of 64 IT and security professionals in the Asia-Pacific region. Key findings include ZTA familiarity and cloud-computing needs as the strongest positive correlates of perceived necessity, a weak negative association with accumulated barriers, and identity and access management (IAM) complexity plus scalability as primary implementation hurdles. The authors derive a three-stage exploratory adoption path: strengthening identity governance, segmenting high-value assets, and introducing targeted monitoring aligned with operational capacity.
Significance. If the correlations and staged path hold under broader sampling, the work supplies early, practitioner-oriented evidence on realistic ZTA transitions for resource-limited SMEs. It identifies concrete correlates and hurdles that could guide both future empirical studies and incremental security planning in smaller firms.
major comments (2)
- [Methods / Survey Design] The methods description provides no sampling frame, response rate, recruitment procedure, or statistical controls for the convenience sample of 64 respondents. Because the central claims—ranking ZTA familiarity and cloud needs as strongest correlates, reporting only weak negative association for barriers, and deriving the three-stage adoption route—rest directly on these self-reported associations, the absence of these details prevents assessment of selection bias or generalizability.
- [Results and Proposed Adoption Path] No power analysis, confidence intervals, or robustness checks are reported for the correlational results. With n=64, the identification of specific factors as 'strongest' correlates and the emergence of IAM complexity/scalability as main hurdles could be sensitive to sampling variability, directly affecting the reliability of the proposed adoption path.
minor comments (2)
- [Abstract] The abstract and introduction would benefit from an explicit statement of the study's pilot limitations to calibrate reader expectations.
- [Throughout] Ensure all acronyms (ZTA, IAM) are defined at first use in the main body and that figure or table captions fully describe the variables and scales used in the correlations.
Simulated Author's Rebuttal
We thank the referee for the constructive and detailed feedback on our pilot study. The comments correctly identify areas where methodological transparency and statistical reporting can be strengthened. We respond to each major comment below and indicate the revisions we will make to the manuscript.
- Referee: [Methods / Survey Design] The methods description provides no sampling frame, response rate, recruitment procedure, or statistical controls for the convenience sample of 64 respondents. Because the central claims—ranking ZTA familiarity and cloud needs as strongest correlates, reporting only weak negative association for barriers, and deriving the three-stage adoption route—rest directly on these self-reported associations, the absence of these details prevents assessment of selection bias or generalizability.
  Authors: We agree that the original Methods section was insufficiently detailed on sampling. The study used convenience sampling via professional networks, industry forums, and direct outreach to IT and security professionals in the Asia-Pacific region; no predefined sampling frame existed and response rate was not recorded because distribution was open rather than targeted to a closed list. In revision we will expand the Methods section to describe the recruitment channels explicitly, state that this was a convenience sample, and add a dedicated Limitations subsection that discusses selection bias, limited generalizability, and the pilot character of the work. These changes will allow readers to evaluate the reported associations more accurately.
  revision: yes
- Referee: [Results and Proposed Adoption Path] No power analysis, confidence intervals, or robustness checks are reported for the correlational results. With n=64, the identification of specific factors as 'strongest' correlates and the emergence of IAM complexity/scalability as main hurdles could be sensitive to sampling variability, directly affecting the reliability of the proposed adoption path.
  Authors: We accept that additional statistical reporting is warranted for a small-sample exploratory study. We will add 95% confidence intervals for the key Pearson and Spearman correlations in the Results section and include a post-hoc power discussion as a limitation. The three-stage adoption path is framed as an exploratory synthesis derived from the quantitative patterns and open-text responses rather than a statistically confirmed model; we will make this exploratory status clearer and add any feasible robustness checks (e.g., partial correlations controlling for respondent role). A formal a-priori power analysis cannot be supplied retrospectively, but we will note this explicitly.
  revision: partial
Circularity Check
No circularity: empirical survey outputs derive directly from collected responses
This is a pilot survey study reporting descriptive statistics and correlations from 64 self-reported responses. No equations, fitted models, or derivations appear in the provided text. The strongest-claim correlates, barrier associations, and proposed three-stage adoption path are presented as direct interpretations of the survey data rather than reductions to prior fitted parameters or self-citations. The analysis is self-contained against external benchmarks with no load-bearing self-referential steps.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption Self-reported perceptions from IT professionals accurately reflect SME organizational readiness and barriers to ZTA adoption.
Reference graph
Works this paper leans on
- [1] Abdelmagid, A., & Diaz, R. (2025). Zero trust architecture as a risk countermeasure in small–medium enterprises and advanced technology systems. Risk Analysis, n/a-n/a. https://doi.org/10.1111/risa.70026 ACSC. (2025). Foundations for modern defensible architecture | cyber.gov.au. https://www.cyber.gov.au/resources-business-and-government/governance-an...
- [2] https://doi.org/10.18535/ijsrm/v10i4.ec11 Junior, C. R., Becker, I., & Johnson, S. (2023). Unaware, unfunded and uneducated: A systematic review of SME cybersecurity (arXiv:2309.17186). arXiv. https://doi.org/10.48550/arXiv.2309.17186 Kanei, F., Hasegawa, A. A., Shioji, E., & Akiyama, M. (2021). A cross-role and bi-national analysis on security efforts ...
- [3] https://doi.org/10.3390/encyclopedia5010018 Likert, R. (1932). A technique for the measurement of attitudes. Archives of Psychology, 22(140),
- [4] Complexity is the worst enemy of security
  Lindemulder, G., & Kosinski, M. (2024, June 20). What is zero trust? | IBM. https://www.ibm.com/think/topics/zero-trust Mittal, C. (2023). Realizing the benefits of zero trust architecture. https://www.secureworld.io/industry-news/benefits-zero-trust-architecture Towards Zero Trust Architecture for SMEs Pacific-Asia Conference on Information Systems, ...
- [5] https://doi.org/10.3390/app11167499 Vocalcom. (2014, July 29). Key differences between the SMB, SME and large enterprise. Vocalcom. https://www.vocalcom.com/blog/key-differences-between-the-smb-sme-and-large-enterprise/