27 research outputs found

    Practical Approaches and Guidance to Small Business Organization Cyber Risk and Threat Assessments

    Cyber-attacks and breaches can occur in any organization type, and small businesses are not exempt from this nefarious activity. This research note and rapid review provide various cybersecurity tools, guidelines, and frameworks that a small business can consider when embarking on an assessment of its cybersecurity hygiene and defensive stance. The content was pulled together in response to the need for an easy-to-digest approach that a small business can utilize to gain the confidence to undertake a self-assessment or third-party review of its cybersecurity plans. Regarding cybersecurity concerns, doing nothing is not an option, and taking an initial step to review computing, information technology, and data systems practices will only be beneficial in attempting to sustain a business and organization.

    Exploring the Sufficiency of Undergraduate Students’ Cybersecurity Knowledge Within Top Universities’ Entrepreneurship Programs

    Small businesses using technology are at risk of cyberattacks and often do not have adequate cybersecurity knowledge, budgets, or dedicated security staff. Attackers know small businesses are accordingly vulnerable. An attack can result in severe losses or the closure of the business, making this knowledge critical. Business ownership can originate with newly graduated entrepreneurship students, so that sample is selected for this study to determine whether cybersecurity knowledge is gained through the undergraduate curriculum. The preliminary findings of the study imply that entrepreneurship education might be enhanced with coursework that would help future small businesses avoid becoming victims of cyberattacks.

    SecBot: a Business-Driven Conversational Agent for Cybersecurity Planning and Management

    Businesses were moving during the past decades toward full digital models, which made companies face new threats and cyberattacks affecting their services and, consequently, their profits. To avoid negative impacts, companies’ investments in cybersecurity are increasing considerably. However, Small and Medium-sized Enterprises (SMEs) operate on small budgets, minimal technical expertise, and few personnel to address cybersecurity threats. In order to address such challenges, it is essential to promote novel approaches that can intuitively present cybersecurity-related technical information. This paper introduces SecBot, a cybersecurity-driven conversational agent (i.e., chatbot) for the support of cybersecurity planning and management. SecBot applies concepts of neural networks and Natural Language Processing (NLP) to interact and extract information from a conversation. SecBot can (a) identify cyberattacks based on related symptoms, (b) indicate solutions and configurations according to business demands, and (c) provide insightful information for the decision on cybersecurity investments and risks. A formal description has been developed to describe states, transitions, a language, and a Proof-of-Concept (PoC) implementation. A case study and a performance evaluation were conducted to provide evidence of the proposed solution’s feasibility and accuracy.

    Organizational cybersecurity readiness in the ICT sector: a quanti-qualitative assessment

    Purpose – Cyberattacks are becoming increasingly widespread, and cybersecurity is therefore increasingly important. Although the technological aspects of cybersecurity are its best-known characteristics, the cybersecurity phenomenon goes beyond the detection of technological impacts and encompasses all the dimensions of an organization. This study thus focusses on an additional set of organizational elements. The key elements of cybersecurity organizational readiness depicted here are cybersecurity awareness, cybersecurity culture and cybersecurity organizational resilience (OR). This study aims to qualitatively assess small and medium enterprises’ (SMEs) overall level of organizational cybersecurity readiness.
    Design/methodology/approach – This study focused on conducting a cybersecurity organizational readiness assessment using a sample of 53 Italian SMEs from the information and communication technology sector. Informed by mixed method research, this study was conducted consistent with the principles of the explanatory sequential mixed method design, adopting a quanti-qualitative methodology. The quantitative data were collected through a questionnaire. Qualitative data were subsequently collected through semi-structured interviews.
    Findings – Although many elements of the technical aspects of cybersecurity OR have yielded very encouraging results, there are still some areas that require improvement. These include those facets that constitute the foundation of cybersecurity awareness and, thus, a cybersecurity culture. This result highlights that the areas in need of improvement are exactly those that are most important in fighting against cyber threats via organizational cybersecurity readiness.
    Originality/value – Although the importance of SMEs is obvious, evidence of such organizations’ attitudes to cybersecurity is still limited. This research is an attempt to depict the organizational issue related to cybersecurity, i.e. overall cybersecurity organizational readiness.

    Evaluation of a Tool to Increase Cybersecurity Awareness Among Non-experts (SME Employees)

    Humans are the weak link in cybersecurity; hence, this paper considers the human factor in cybersecurity and how the customer journey approach can be used to increase cybersecurity awareness. The Customer Journey Modelling Language (CJML) is used to document and visualise a service process. We expand the CJML formalism to encompass cybersecurity and develop an easy-to-use web application as a supporting tool for training and awareness. We present the results from the usability test with ten persons in the target group and report on usability and feasibility. All participants managed to finish the test, and most participants indicated that the tool was easy to use. By using the tool, non-expert users can make user journey diagrams showing basic conformance in a short time without professional training. For the threat diagram, half of the users achieved full conformance. In conclusion, the tool can serve as low-threshold cybersecurity awareness training for SME employees. We discuss the limitations and validity of the results and future work to improve the tool’s usability.

    Developing cybersecurity education and awareness programmes for small- and medium-sized enterprises (SMEs)

    Purpose – The purpose of this study is to focus on an organisation’s cybersecurity strategy and propose a high-level programme for cybersecurity education and awareness to be used when targeting small- and medium-sized enterprises/businesses (SMEs/SMBs) at a city level. An essential component of an organisation’s cybersecurity strategy is building awareness and education of online threats and how to protect corporate data and services. This programme is based on existing research and provides a unique insight into an ongoing city-based project with similar aims.
    Design/methodology/approach – To structure this work, a scoping review was conducted of the literature in cybersecurity education and awareness, particularly for SMEs/SMBs. This theoretical analysis was complemented using a case study and reflecting on an ongoing, innovative programme that seeks to work with these businesses to significantly enhance their security posture. From these analyses, best practices and important lessons/recommendations to produce a high-level programme for cybersecurity education and awareness were recommended.
    Findings – While the literature can be informative at guiding education and awareness programmes, it may not always reach real-world programmes. However, existing programmes, such as the one explored in this study, have great potential, but there can be room for improvement. Knowledge from each of these areas can, and should, be combined to the benefit of the academic and practitioner communities.
    Originality/value – The study contributes to current research through the outline of a high-level programme for cybersecurity education and awareness targeting SMEs/SMBs. Through this research, literature in this space was examined and insights into the advances and challenges faced by an ongoing programme were presented. These analyses allow us to craft a proposal for a core programme that can assist in improving the security education, awareness and training that targets SMEs/SMBs.

    Assessing SMEs’ cybersecurity organizational readiness: Findings from an Italian survey

    The Small and Medium-sized Enterprises’ (SMEs) level of organizational cybersecurity readiness has been poorly investigated to date. Currently, all SMEs need to maintain an adequate level of cybersecurity to run their businesses, not only those wishing to fully exploit digitalization’s benefits. Unfortunately, due to their lack of resources, skills, and their low level of cyber awareness, SMEs often seem unprepared. It is essential that they address the digital threats that they face by using technology and complementary (and not alternative) factors, such as guidelines, formal policies, and training. All these elements trigger development processes regarding skills, awareness, the organizational cybersecurity culture, and the organizational resilience. This paper describes Italy’s first multidisciplinary attempt to assess its SMEs’ overall cybersecurity readiness level. We used a survey as its initial quantitative assessment approach, although SMEs can also use it as a cyber self-assessment tool, which prepares them better to navigate the digital ecosystem. Thereafter, we held semi-structured interviews to explore the critical points that had emerged from the study’s first phase. The overall results show that SMEs have not yet achieved high levels of organizational readiness. SMEs are currently starting to set the stage for their organizational cyber readiness and will, therefore, have to take many more proactive steps to address their cyber challenges

    A survey on the cyber security of Small-to-Medium businesses: Challenges, research focus and recommendations

    Small-to-medium sized businesses (SMBs) constitute a large fraction of many countries’ economies but according to the literature SMBs are not adequately implementing cyber security which leaves them susceptible to cyber-attacks. Furthermore, research in cyber security is rarely focused on SMBs, despite them representing a large proportion of businesses. In this paper we review recent research on the cyber security of SMBs, with a focus on the alignment of this research to the popular NIST Cyber Security Framework (CSF). From the literature we also summarise the key challenges SMBs face in implementing good cyber security and conclude with key recommendations on how to implement good cyber security. We find that research in SMB cyber security is mainly qualitative analysis and narrowly focused on the Identify and Protect functions of the NIST CSF with very little work on the other existing functions. SMBs should have the ability to detect, respond and recover from cyber-attacks, and if research lacks in those areas, then SMBs may have little guidance on how to act. Future research in SMB cyber security should be more balanced and researchers should adopt well-established powerful quantitative research approaches to refine and test research whilst governments and academia are urged to invest in incentivising researchers to expand their research focus

    The HORM Diagramming Tool: A Domain-Specific Modelling Tool for SME Cybersecurity Awareness

    Improving security posture while addressing human errors made by employees is among the most challenging tasks for SMEs concerning cybersecurity risk management. To facilitate these measures, a domain-specific modelling tool for visualising cybersecurity-related user journeys, called the HORM Diagramming Tool (HORM-DT), is introduced. By visualising SMEs’ cybersecurity practices, HORM-DT aims to raise their cybersecurity awareness by highlighting the related gaps, thereby ultimately informing new or updated cyber-risk strategies. HORM-DT’s target group consists of SMEs’ employees with various areas of technical expertise and different backgrounds. The tool was developed as part of the Human and Organisational Risk Modelling (HORM) framework, and the underlying formalism is based on the Customer Journey Modelling Language (CJML) as extended by elements of the CORAS language to cover cybersecurity-related user journeys. HORM-DT is a fork of the open-source Diagrams.net software, which was modified to facilitate the creation of cybersecurity-related diagrams. To evaluate the tool, a usability study following a within-subject design was conducted with 29 participants. HORM-DT achieved a satisfactory System Usability Scale score of 80.69, and no statistically significant differences were found between participants with diverse diagramming tool experience. The tool’s usability was also praised by participants, although there were negative comments regarding its functionality for connecting elements with lines.

    Cybersecurity Architectural Analysis for Complex Cyber-Physical Systems

    In the modern military’s highly interconnected and technology-reliant operational environment, cybersecurity is rapidly growing in importance. Moreover, as a number of highly publicized attacks have occurred against complex cyber-physical systems such as automobiles and airplanes, cybersecurity is no longer limited to traditional computer systems and IT networks. While architectural analysis approaches are critical to improving cybersecurity, these approaches are often poorly understood and applied in ad hoc fashion. This work addresses these gaps by answering the questions: 1. “What is cybersecurity architectural analysis?” and 2. “How can architectural analysis be used to more effectively support cybersecurity decision making for complex cyber-physical systems?” First, a readily understandable description of key architectural concepts and definitions is provided which culminates in a working definition of “cybersecurity architectural analysis,” since none is available in the literature. Next, we survey several architectural analysis approaches to provide the reader with an understanding of the various approaches being used across government and industry. Based on our proposed definition, the previously introduced key concepts, and our survey results, we establish desirable characteristics for evaluating cybersecurity architectural analysis approaches. Lastly, each of the surveyed approaches is assessed against the characteristics and areas of future work are identified