7 research outputs found

    Impact of technological processes on system security: focus on micro, small and medium-sized enterprises

    This work analysed the impact of technological processes on increasing system security guarantees at 180 micro, small and medium-sized companies located in southern Brazil. To this end, a quantitative analysis of the process maturity levels of the COBIT model was used. The main versions of COBIT and system security were reviewed theoretically, and the statistical techniques of Pearson's simple linear correlation, Spearman's non-parametric correlation, and simple and multiple linear regression were used methodologically. The findings in management relate the technological process of compliance with external requirements to an increase in system guarantees, among other related processes that were of secondary importance to the decision-making process.

    Explaining small business InfoSec posture using social theories


    An Examination of the Role of vCISO in SMBs: An Information Security Governance Exploration

    Information security threats and their associated breaches are growing exponentially, with millions of records containing personally identifiable information released to the public each year. Cyber incidents targeting businesses nearly doubled in the US over the past 6 years, with more than 130 large-scale targeted breaches per year in the U.S. In the first half of 2020, 36 billion records were exfiltrated by external hackers, with the average cost to recover from a cyber-attack at $21.00 per record. While Small and Mid-sized Businesses (SMBs) attempt to stay ahead of this growing trend and protect organizational data, they exhibit specific behaviors that do not affect larger organizations. The four behaviors (non-strategic executive-level sponsorship, apathetic risk management procedures, constrained resources, and non-existent technical skills) are identified in the literature and recognized within the small to mid-sized industry. If not correctly identified and remediated, these behaviors may impede businesses from protecting information assets and achieving a mature level of information security governance. To assist organizations in achieving information security governance, the literature identifies five domains that all organizations should possess for organizational alignment and governance maturity. These governance domains are Strategic Alignment, Value Delivery, Risk Management, Performance Measurement, and Resource Management. However, extant literature does not align the five governance domains with the small to mid-sized business behaviors, nor provide a solution to assist SMBs in achieving information security governance. The literature review focused on four main aspects that are relevant to the study: SMB Characteristics, Virtual Leadership, Information Security Governance, and Information Security Programs.
    Previous research identified how similar organizations utilized virtual leadership positions to overcome SMB behaviors and attain organizational business requirements, but did not identify virtual positions that can assist SMBs with information security governance. To bridge this gap, this study explored a recent phenomenon, the virtual Chief Information Security Officer (vCISO), that can align the SMB behaviors with the five governance domains and provide a viable solution for SMBs to achieve Information Security Governance within the identified behaviors. Specifically, this qualitative exploratory study interviewed six vCISOs and 14 companies to examine the role the vCISO played in bridging SMBs' organizational behaviors with the five Information Security Governance domains.

    Flashlight in a Dark Room: A Grounded Theory Study on Information Security Management at Small Healthcare Provider Organizations

    Healthcare providers have a responsibility to protect patients' privacy and a business motivation to properly secure their assets. These providers encounter barriers to achieving these objectives, and limited academic research has been conducted to examine the causes and the strategies to overcome them. A subset of this demographic, businesses with fewer than 10 providers, makes up a majority (57%) of provider organizations in the United States. This grounded theory study provides exploratory findings, discovering that these small healthcare provider organizations (SHPOs) have limited knowledge of information technology (IT) and information security, which results in assumptions and misappropriations regarding how information security is implemented, who is responsible for security, and what the scope of security is to address organizational cyber risk. A theory conveying the interrelationship among concepts, illustrating these barriers, is communicated visually. This research can be leveraged by researchers to further understand the dimensions of the identified barriers and by practitioners to develop strategies to improve organizational information security for this demographic. The study's findings may apply to SHPOs in other states, as the criterion of South Carolina-based SHPOs did not seem to influence the findings. Intensive interviewing was conducted with nine SHPOs in the state of South Carolina to elicit their thoughts and perspectives on information security at their business, how decisions are made regarding information security, how threats and risks to their business are perceived, and to understand the financial activities associated with providing information security at their organization. The concepts and categories, and how they interrelate, compose the "flashlight in a dark room" theory.
    This theory claims that the current IT and information security knowledge of the staff responsible for information security at these SHPOs produces a narrow scope of what is required for proper information security and informs their perceived cyber risk exposure. These personnel are only "seeing" what the flashlight illuminates in a dark room full of cyber risk. They are committed to securing their organization appropriately and are confident in their current cyber security posture. This causes a misalignment between organizational cyber risk reality and perception, resulting in unknown, accepted risk exposure. SHPOs support information security and are motivated to be "as secure as possible", with a strong emphasis on protecting their patients' protected health information. This suggests that if the "overhead light in the dark room" could be turned on to illuminate the scope of cyber risk, these organizations would begin to work toward implementing security controls that align with their actual cyber risk.

    An Empirical Assessment of Cybersecurity Readiness and Resilience in Small Businesses

    A cyber-attack can become costly if small businesses are not prepared to protect their information systems or lack the ability to recover from a cybersecurity incident. Small businesses that are not ready to deal with cyber threats risk significant disruption and loss. In many cases the small business decision makers, owners or managers, do not have a strategy to improve their cybersecurity posture despite the known risk to their business. This research study focused on the relationship between two constructs associated with the readiness and resilience of small businesses, based on their cybersecurity planning and implementation as well as their response and recovery activities. An empirical assessment was conducted of small businesses' level of preparedness relative to their decision makers' perceived risk of cyber-attack (perceived likelihood x perceived impact). Subject matter experts (SMEs) were used to validate a set of cybersecurity preparedness activities for the construct of cybersecurity preparedness. The SMEs approved 70 cybersecurity preparedness activities across the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework to assess the level of cybersecurity preparedness of small businesses. The SMEs then assigned weights to the validated preparedness activities to enable an aggregated benchmark cybersecurity preparedness score (CPS). The construct of the decision maker's perceived risk of cyberattack (DMPRCA) was updated with a set of common cyber threat vectors and simple definitions provided by the SMEs. A Cybersecurity Preparedness-Risk Taxonomy (CyPRisT) was then developed using the theoretical foundation of prospect theory and status quo bias. The four quadrants of cybersecurity risk postures were defined as indifference, susceptible, aversive, and strategic. The aggregated CPS and DMPRCA scores were positioned on the CyPRisT for each of the 216 small businesses that participated in this study.
    Statistical differences were found in the CPSs and DMPRCA by demographic: industry, size (number of employees), and Information Technology (IT) budget (%). The findings of the quantitative analysis are presented along with the position on the CyPRisT for each demographic indicator of the businesses. The Cybersecurity Assessment of Risk Management to optimize Readiness and Resilience (cyberARMoRR) program for small businesses was developed as a cybersecurity strategy planning guide and collection of resources. The cyberARMoRR program was administered to 50 small business decision makers. The CPSs and DMPRCA were evaluated before and after participation in the cyberARMoRR program and positioned on the CyPRisT to assess differences in the small businesses' cybersecurity posture. The results of the paired sample t-test showed no significant differences between the pretest and posttest groups. However, there was an observed increase in both the CPSs and DMPRCA that moved the position toward the risk-aversive quadrant of the CyPRisT. An analysis of the empirical data was conducted on the cybersecurity preparedness activities that participants identified as most challenging to implement and their explanations of why. Data were collected from 15 semi-structured interviews and 50 surveys with five open-ended questions, one for each function of the NIST Cybersecurity Framework. A two-cycle thematic analysis was performed on the responses that described the challenges of cybersecurity preparedness activities. The results of the qualitative analysis suggest that small business decision makers are more likely to improve their ability to mitigate cyber threats when the applicable technologies are uncomplicated, technical expertise is accessible, and cybersecurity educational material is easy to understand.
    The small business owners and managers also indicated that the cybersecurity preparedness activities are more attainable when the demands on their time did not shift their focus away from business operations. Conversely, the small businesses that were able to improve their cybersecurity posture had committed to incorporating many of the cybersecurity preparedness activities into their routine business processes, such as allocating a budget for cybersecurity and performing vulnerability assessments. The effects of prospect theory and status quo bias are discussed in the context of the CyPRisT positions of the small businesses.

    Strategies to Reduce Small Business Data Security Breaches

    Organizations affected by data security breaches may experience reputational damage and remediation costs. Understanding the data security strategies needed to protect small businesses is vital to safeguarding company data and protecting consumers' personal information. Grounded in systems theory, the purpose of this qualitative multiple case study was to explore the strategies small business owners use to reduce data security breaches. The participants were 4 small business owners located in the southern region of the United States: 2 franchise small business owners and 2 nonfranchise small business owners. Data were collected from semistructured interviews and organizational documents. Yin's 5-step data analysis was used to analyze the data. Two themes emerged: information assurance and third-party dependencies. A key recommendation is that small business owners implement a contingency plan to manage a data security breach. The implications for positive social change include the potential for small business owners to develop data security strategies that protect their organizations from experiencing a data breach. Protection from data breaches can, in turn, rebuild trust in small businesses and increase spending, growing the local community's tax base, which may be used to improve social services in the local community.

    Factors Influencing Small Construction Businesses from Implementing Information Security: A Case Study

    This qualitative study described how small businesses' failure to properly implement information security technologies results in the loss of sensitive and proprietary business information. A collective case study approach was used as the most effective way to gain a holistic picture of how small construction businesses make security technology implementation decisions to support their workforce. The theory guiding this study was the Unified Theory of Acceptance and Use of Technology (UTAUT) model, which is related to the Theory of Planned Behavior and the Technology Acceptance Model and which helped explain the intentions of individuals to use information systems. Security policies and threats (insider and cyber) were also examined during this study. Data collection methods included questionnaires, interviews, document reviews, journaling, and webpage scans to provide insight into the use of security information technology. The results of this study indicated that small construction businesses rely heavily on third-party information technology vendors to perform security functions. This security model has led to several of the businesses experiencing cyber security incidents and to the businesses being more reactive in responding to cyber-attacks. Deficiencies in planning for system implementations also affected how employees thought about and used the businesses' security information systems. The study's results indicated that employees' behavioral intention and use behavior were highly affected by the age moderator, with older employees more likely to display lower behavioral intention and use behavior for using systems.