5 research outputs found

    Systematic approach to cyber resilience operationalization in SMEs

    Get PDF
    The constantly evolving cyber threat landscape is a latent problem for today’s companies. This is especially true for the Small and Medium-sized Enterprises (SMEs) because they have limited resources to face the threats but, as a group, represent an extensive payload for cybercriminals to exploit. Moreover, the traditional cybersecurity approach of protecting against known threats cannot withstand the rapidly evolving technologies and threats used by cybercriminals. This study claims that cyber resilience, a more holistic approach to cybersecurity, could help SMEs anticipate, detect, withstand, recover from and evolve after cyber incidents. However, operationalizing cyber resilience is not an easy task, and thus the study presents a framework with a corresponding implementation order for SMEs that could help them implement cyber resilience practices. The framework is the result of using a variation of Design Science Research in which Grounded Theory was used to induce the most important actions required to implement cyber resilience and an iterative evaluation from experts to validate the actions and put them in a logical order. Therefore, this study proposes that the framework could help SME managers understand cyber resilience, as well as help them start implementing it with concrete actions and an order dictated by the experience of experts. This could potentially ease cyber resilience implementation for SMEs by making them aware of what cyber resilience implies, which dimensions it includes and what actions can be implemented to increase their cyber resilience.

    Cyber Resilience Operationalization Framework (CR-OF) for SMEs

    Get PDF
    The constantly evolving cyber threat landscape is a latent problem for today’s companies. This is especially true for the Small and Medium-sized Enterprises (SMEs) because they have limited resources to face the threats but, as a group, represent an extensive payload for cybercriminals to exploit. Moreover, the risk of cyber incidents is not only due to cybercriminals but can arise from multiple sources such as human error, system failure, etc. In any case, the costs of these cyber incidents are high and can considerably affect SMEs. On the other hand, the traditional cybersecurity approach of protecting against known threats cannot withstand the rapidly evolving technologies and threats. In this sense, this study claims that cyber resilience, a more holistic approach to cybersecurity, could help SMEs anticipate, detect, withstand, recover from and evolve after cyber incidents. However, operationalizing cyber resilience is not an easy task since its broad scope and holistic, multidimensional nature require technical and strategic knowledge and experience. Although the current literature regarding the operationalization of cyber resilience has widely covered the actions and areas of knowledge (often called policies and domains) required to operationalize cyber resilience, their prioritization and specific implementation strategies are not clear. Moreover, the differences between the actions suggested by different authors require companies to select one approach and later prioritize these actions. Therefore, it requires decision capabilities, knowledge and experience to know what is best for the company. In SMEs, this knowledge and experience might not be present since in most cases cybersecurity is not the core of their business. Therefore, this study tries to facilitate the cyber resilience operationalization process for SMEs.
To achieve the goal of aiding SMEs in cyber resilience operationalization, this study presents an operationalization framework to help them prioritize the required cyber resilience policies and develop effective strategies to implement them. For this, the study presents a classification with the essential cyber resilience domains and policies required to operationalize cyber resilience in SMEs. Once these policies have been established, it also presents an implementation order for an effective cyber resilience operationalization. Moreover, the study presents example progressions for each policy in a progression model so that companies can strategize how to implement and later improve the required policies. These results are combined into a self-assessment tool and simulation models that could be used by companies in their decision-making process in order to take into account the findings of this study when operationalizing cyber resilience.

    Cyber Resilience Operationalization Framework (CR-OF) for SMEs

    No full text
    The constantly evolving cyber threat landscape is a latent problem for today’s companies. This is especially true for the Small and Medium-sized Enterprises (SMEs) because they have limited resources to face the threats but, as a group, represent an extensive payload for cybercriminals to exploit. Moreover, the risk of cyber incidents is not only due to cybercriminals but can arise from multiple sources such as human error, system failure, etc. In any case, the costs of these cyber incidents are high and can considerably affect SMEs. On the other hand, the traditional cybersecurity approach of protecting against known threats cannot withstand the rapidly evolving technologies and threats. In this sense, this study claims that cyber resilience, a more holistic approach to cybersecurity, could help SMEs anticipate, detect, withstand, recover from and evolve after cyber incidents. However, operationalizing cyber resilience is not an easy task since its broad scope and holistic, multidimensional nature require technical and strategic knowledge and experience. Although the current literature regarding the operationalization of cyber resilience has widely covered the actions and areas of knowledge (often called policies and domains) required to operationalize cyber resilience, their prioritization and specific implementation strategies are not clear. Moreover, the differences between the actions suggested by different authors require companies to select one approach and later prioritize these actions. Therefore, it requires decision capabilities, knowledge and experience to know what is best for the company. In SMEs, this knowledge and experience might not be present since in most cases cybersecurity is not the core of their business. Therefore, this study tries to facilitate the cyber resilience operationalization process for SMEs.
To achieve the goal of aiding SMEs in cyber resilience operationalization, this study presents an operationalization framework to help them prioritize the required cyber resilience policies and develop effective strategies to implement them. For this, the study presents a classification with the essential cyber resilience domains and policies required to operationalize cyber resilience in SMEs. Once these policies have been established, it also presents an implementation order for an effective cyber resilience operationalization. Moreover, the study presents example progressions for each policy in a progression model so that companies can strategize how to implement and later improve the required policies. These results are combined into a self-assessment tool and simulation models that could be used by companies in their decision-making process in order to take into account the findings of this study when operationalizing cyber resilience.

    Cyber Resilience Progression Model

    Get PDF
    Due to the hazardous current cyber environment, cyber resilience is more necessary than ever. Companies are exposed to an often-ignored risk of suffering a cyber incident, which has placed cyber incidents among the main risks for companies in the past few years. On the other hand, the literature meant to aid in the operationalization of cyber resilience is mostly focused on listing the policies required to operationalize it, but often lacks guidance on how to prioritize these actions and how to strategize their implementation. Therefore, the current literature in this state is not optimal for companies to use. Thus, this study proposes a progression model to help companies strategize and prioritize cyber resilience policies by proposing the natural evolution of the policies over time. To develop the model, this study used semi-structured interviews and an analysis of the data obtained from the interviews. Through this methodology, this study found the starting points for each cyber resilience policy and their natural progression over time. These results can help companies in their cyber resilience building process by giving them insights on how to strategize the implementation of the cyber resilience policies.

    Systematic approach to cyber resilience operationalization in SMEs

    No full text
    The constantly evolving cyber threat landscape is a latent problem for today’s companies. This is especially true for the Small and Medium-sized Enterprises (SMEs) because they have limited resources to face the threats but, as a group, represent an extensive payload for cybercriminals to exploit. Moreover, the traditional cybersecurity approach of protecting against known threats cannot withstand the rapidly evolving technologies and threats used by cybercriminals. This study claims that cyber resilience, a more holistic approach to cybersecurity, could help SMEs anticipate, detect, withstand, recover from and evolve after cyber incidents. However, operationalizing cyber resilience is not an easy task, and thus the study presents a framework with a corresponding implementation order for SMEs that could help them implement cyber resilience practices. The framework is the result of using a variation of Design Science Research in which Grounded Theory was used to induce the most important actions required to implement cyber resilience and an iterative evaluation from experts to validate the actions and put them in a logical order. Therefore, this study proposes that the framework could help SME managers understand cyber resilience, as well as help them start implementing it with concrete actions and an order dictated by the experience of experts. This could potentially ease cyber resilience implementation for SMEs by making them aware of what cyber resilience implies, which dimensions it includes and what actions can be implemented to increase their cyber resilience.