Abstract-- This paper evaluates the possible vulnerabilities of ICT assets disposal policies and the associated impact that can affect the SMEs. A poorly implemented policy or unenforced policy is “potentially the weakest link ” in the cyber-security chain. Do SMEs have an idea of vulnerabilities or threats due to assets disposal? In the event of breaches, the SMEs pay for the cost of notifying the concerned stakeholders, compensate affected parties, invest in improved mitigation technologies and also may be subjected to unwarranted public scrutiny. ICT assets at the end-of-useful life span usually have data left on the hard disk drives or storage media, which is a source of data confidentiality vulnerability. SMEs were surveyed in developing economies on their assets disposal policies. The perceived correlations were analyzed using fuzzy cognitive maps (FCMs) to ascertain if any cyber-security vulnerabilities inherent in a particular policy have implications on others. The study endeavored to show that, SMEs ought to have appropriate assets disposal policies in place. Then, these policies ought to be signed off by all stakeholders as a matter of responsibility. By employing the FCM approach with fuzzy matrix operations, the results indicate positive correlations exist amongst the policy constructs. Thus, vulnerabilities with one policy have implications on others
