A dynamic simulation approach to support the evaluation of cyber risks and security investments in SMEs
Decision Support Systems (IF 7.5), Pub Date: 2021-04-29, DOI: 10.1016/j.dss.2021.113580
Stefano Armenia, Marco Angelini, Fabio Nonino, Giulia Palombi, Mario Francesco Schlitzer

The growing amount of cyberspace threats highlights the need to evaluate cybersecurity risks and to plan for effective investments. One internationally recognized document for cybersecurity risk management is the Framework for Improving Critical Infrastructure Cybersecurity by the US National Institute of Standards and Technology (NIST). It provides guidelines, best practices and standards for cybersecurity risk management. Nevertheless, like other self-assessment frameworks, it produces a static view of an organization's cyber posture and does not capture the dynamics of organizational changes and cyberattacks. Moreover, the current situation places small and medium enterprises (SMEs) in a critical position, since they need to manage their cybersecurity while usually not being skilled or equipped enough to internalize this process. Therefore, there is a need for a practical and easily applicable model able to identify a cybersecurity risk profile and its dynamics. This study proposes a system dynamics methodology and tool (SMECRA - SME Cyber Risk Assessment) for supporting cybersecurity investment decisions in SMEs through the evaluation of cyber risk and previous investments. SMECRA addresses dynamic organizational complexity and can be used to assess cyber risks and related dynamics over time. Three case studies demonstrate its capability to assess an SME's cybersecurity status and to evaluate the impact of investments on an organization's risk profile, raising cybersecurity awareness. This study is important for SMEs wishing to manage their own cybersecurity risk and for insurance companies in their economic evaluation of the residual risks that SMEs wish to externalize.




Updated: 2021-06-14