37 research outputs found

    What Attitude Changes Are Needed to Cause SMEs to Take a Strategic Approach to Information Security?

    Spending on security in an SME usually has to compete with demands for hardware, infrastructure, and strategic applications. In this paper, the authors seek to explore the reasons why smaller SMEs in particular have consistently failed to see securing information as strategic year-on-year spending, and just regard it as part of an overall tight IT budget. The authors scrutinise the typical SME's reasoning for choosing to see non-spending on security as an acceptable strategic risk. They look particularly at possible reasons why SMEs tend not to take much notice of "scare stories" in the media based on research showing they are increasingly at risk, whilst larger businesses are taking greater precautions and become more difficult to penetrate. The results and their analysis provide useful pointers towards broader business environment changes that would cause SMEs to be more risk-averse and ethical in their approach to securing their own and their clients’ information

    Balancing Risk Appetite and Risk Attitude in Requirements: a Framework for User Liberation

    The tendency to throw controls at perceived and real system vulnerabilities, coupled with the likelihood of these controls being technical in nature, has the propensity to favour security over usability. However there is little evidence of increased assurance and it could encourage work stoppages or deviations that keep honest users from engaging with the system. The conflicting balance of trust and controls, and the challenge of turning that balance into clear requirements, creates an environment that alienates users and feeds the paranoia of actors who assume more ownership of the system than necessary. Security therefore becomes an inhibitor rather than an enabler for the community. This paper looks at measuring the balance of an organisation’s or a community’s risk appetite with the risk attitudes of its members in the early stages of IS development. It suggests how the dials of assurance can be influenced by the levers of good systems practice to create a cultural shift to trusting the users

    Linking Research and Teaching: an Applied Soft Systems Methodology Case Study

    This paper links research and teaching through an applied Soft Systems Methodology case study. The case study focuses on the redevelopment of a Research and Professional Skills module to provide support for international postgraduate students through the use of formative feedback with the aim of increasing academic research skills and confidence. The stages of the Soft Systems Methodology were used as a structure for the redevelopment of module content and assessment. It proved to be a valuable tool for identifying complex issues, a basis for discussion and debate from which an enhanced understanding was gained and a successful solution implemented together with a case study that could be utilised for teaching Soft Systems Methodology concepts. Changes to the module were very successful and resulted in significantly higher grades and a higher pass rate

    SMEs Attitudes to “Information Assurance” and Consequences for the Digital Single Market

    It is now generally accepted that cyber crime represents a big threat to organisations, and that they need to take appropriate action to protect their valuable information assets. However, current research shows that, although small businesses understand that they are potentially vulnerable, many are still not taking sufficient action to counteract the threat. Last year, the authors sought, through a more generalised but categorised attitudinal study, to explore the reasons why smaller SMEs in particular were reluctant to engage with accepted principles for protecting their data. The results showed that SMEs understood many of the issues. They were prepared to spend more but were particularly suspicious about spending on information assurance. The authors’ current research again focuses on SME attitudes but this time the survey asks only questions directly relating to information assurance and the standards available, in an attempt to try to understand exactly what is causing them to shy away from getting the badge or certificate that would demonstrate to customers and business partners that they take cyber security seriously. As with last year’s study, the results and analysis provide useful pointers towards the broader business environment changes that might cause SMEs to be more interested in working towards an appropriate cyber security standard

    Facilitating Requirements Negotiating: Modeling Alternatives and Arguments

    Co-development aims to ensure the alignment of business processes and support technical systems. During co-development stakeholders need an early understanding of the potential impact of different requirement choices on the enterprise. An early impact analysis understanding is more likely to actively engage stakeholders, highlight strategic options and deliver useful and sustainable systems. However, when multiple stakeholders are involved with differing backgrounds, experiences and frequently competing goals it is inevitable that conflicts occur during the early phases when requirements tend to be opaque. This paper puts forward a conceptual framework for co-development to support collaborative reasoning and decision-making through the modelling of requirements alternatives and arguments, promoting critical reflection, negotiation and discussion

    ATINER's Conference Paper Series SME2015-1749: What Attitude Changes Are Needed to Cause SMEs to Take a Strategic Approach to Information Security?

    Spending on security in an SME usually has to compete with demands for hardware, infrastructure, and strategic applications. In this paper, the authors seek to explore the reasons why smaller SMEs in particular have consistently failed to see securing information as strategic year-on-year spending, and just regard it as part of an overall tight IT budget. The authors scrutinise the typical SME's reasoning for choosing to see non-spending on security as an acceptable strategic risk. They look particularly at possible reasons why SMEs tend not to take much notice of "scare stories" in the media based on research showing they are increasingly at risk, whilst larger businesses are taking greater precautions and become more difficult to penetrate. The results and their analysis provide useful pointers towards broader business environment changes that would cause SMEs to be more risk-averse and ethical in their approach to securing their own and their clients’ information

    Facilitating Requirements Negotiation: Modelling Alternatives and Arguments

    Co-development aims to ensure the alignment of business processes and support technical systems. During co-development stakeholders need an early understanding of the potential impact of different requirement choices on the enterprise. An early impact analysis understanding is more likely to actively engage stakeholders, highlight strategic options and deliver useful and sustainable systems. However, when multiple stakeholders are involved with differing backgrounds, experiences and frequently competing goals it is inevitable that conflicts occur during the early phases when requirements tend to be opaque. This paper puts forward a conceptual framework for co-development to support collaborative reasoning and decision-making through the modelling of requirements alternatives and arguments, promoting critical reflection, negotiation and discussion

    A Scaffolded Approach To Teaching Research Skills To Postgraduate Students

    A recent re-validation of Postgraduate Awards and a move from fifteen to twenty credit modules provided an opportunity to re-think and restructure modules. This research looks at one specific module titled Research and Professional Skills which was restructured to implement a scaffolded approach to delivering the module aimed at increasing the students’ confidence as well as their academic research skills. This research has shown that postgraduate students may have had little research experience during their undergraduate studies and that appropriate scaffolding is needed to support them developing research skills and has resulted in the formulation of a six step framework for developing postgraduate research skills

    Requirements and Risk: Singing From the Same Hymn-Sheet

    Failing to elicit requirements is as much of a risk in the traditional, negative sense as successfully defining requirements is a positive step towards successful systems development. The discipline of risk management has long since had to deal with the spectre of emergent risk and its inherent lack of predictability. Just as risk management considers how any number of vulnerabilities in a system may be exploited by accident or by malicious intent that preys upon exposure to otherwise independent factors, so successful requirements elicitation is beholden to the ability to recognise the need for, and define, derived requirements. In this paper we suggest that risk assessment and requirements elicitation are two manifestations of the same activity: creating trustworthy software. We propose the research and development of a methodology where the two disciplines converge

    J'Accuse! ATTRIBUTION OF BLAME WHEN SOFTWARE IS AN ACTOR (11)

    The desire for closure after an accident may be hastened by the attribution of blame. This is particularly attractive in situations where complex factors may distance the understanding of attribution from those who may not be familiar with all vectors towards the failure causing the accident. The keyword here is ‘accident’ suggesting that deliberate action/s have not been the cause. It is pertinent to establish systems – such as those responsible for process control where it may be argued that the risk of remote, malicious intervention was not readily foreseeable at the time of their realization. The paper puts forward a framework for the elaboration of requirements with a focus on organizational factors as a way of teasing out problems in early development. The objective is to achieve a sense of assurance that due diligence is both done and seen to be done in an increasingly non-deterministic operational environment