Automating the Communication of Cybersecurity Knowledge: Multi-Case Study
Cybersecurity is essential for the protection of companies against cyber
threats. Traditionally, cybersecurity experts assess and improve a company's
capabilities. However, many small and medium-sized businesses (SMBs) consider
such services not to be affordable. We explore an alternative do-it-yourself
(DIY) approach to bringing cybersecurity to SMBs. Our method and tool, CYSEC,
implements the Self-Determination Theory (SDT) to guide and motivate SMBs to
adopt good cybersecurity practices. CYSEC uses assessment questions and
recommendations to communicate cybersecurity knowledge to the end-user SMBs and
encourage self-motivated change. In this paper, the operationalisation of SDT
in CYSEC is presented and the results of a multi-case study are shown that offer
insight into how SMBs adopted cybersecurity practices with CYSEC. Effective
automated cybersecurity communication depended on the SMB's hands-on skills,
tools adaptedness, and the users' willingness to document confidential
information. The SMBs wanted to learn in simple, incremental steps, allowing
them to understand what they do. An SMB's motivation to improve security
depended on the fitness of assessment questions and recommendations with the
SMB's business model and IT infrastructure. The results of this study indicate
that automated counselling can help many SMBs in security adoption. The final
publication is available at Springer via
https://link.springer.com/chapter/10.1007%2F978-3-030-59291-2_8
Comment: 14 pages, 1 figure, 13th World Conference on Information Security
Educatio
SMEs' Confidentiality Concerns for Security Information Sharing
Small and medium-sized enterprises are considered an essential part of the EU
economy; however, they are highly vulnerable to cyberattacks. SMEs have specific
characteristics which separate them from large companies and influence their
adoption of good cybersecurity practices. To mitigate the SMEs' cybersecurity
adoption issues and raise their awareness of cyber threats, we have designed a
self-paced security assessment and capability improvement method, CYSEC. CYSEC
is a security awareness and training method that utilises self-reporting
questionnaires to collect companies' information about cybersecurity awareness,
practices, and vulnerabilities to generate automated recommendations for
counselling. However, confidentiality concerns about cybersecurity information
have an impact on companies' willingness to share their information. Security
information sharing decreases the risk of incidents and increases users'
self-efficacy in security awareness programs. This paper presents the results
of semi-structured interviews with seven chief information security officers of
SMEs to evaluate the impact of online consent communication on motivation for
information sharing. The results were analysed in respect of the Self
Determination Theory. The findings demonstrate that online consent with
multiple options for indicating a suitable level of agreement improved
motivation for information sharing. This allows many SMEs to participate in
security information sharing activities and supports security experts to have a
better overview of common vulnerabilities. The final publication is available
at Springer via https://doi.org/10.1007/978-3-030-57404-8_22
Comment: 10 pages, 2 figures, 14th International Symposium on Human Aspects of
Information Security & Assurance (HAISA 2020