A Threat-Based Cybersecurity Risk Assessment Approach Addressing SME Needs

Cybersecurity incidents are commonplace nowadays, and Small- and Medium-Sized Enterprises (SMEs) are exceptionally vulnerable targets. The lack of cybersecurity resources available to SMEs implies that they are less capable of dealing with cyber-attacks. Motivation to improve cybersecurity is often low, as the prerequisite knowledge and awareness that drive motivation are generally absent at SMEs. A solution that aims to help SMEs manage their cybersecurity risks should therefore not only offer a correct assessment but should also motivate SME users. From Self-Determination Theory (SDT), we know that by promoting perceived autonomy, competence, and relatedness, people can be motivated to take action. In this paper, we explain how a threat-based cybersecurity risk assessment approach can help to address the needs outlined in SDT. We propose such an approach for SMEs and outline the data requirements that facilitate automation. We present a practical application covering various user interfaces, showing how our threat-based cybersecurity risk assessment approach turns SME data into prioritised, actionable recommendations.
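The abstract describes an approach that starts from threats rather than from assets or controls and turns SME data into prioritised, actionable recommendations. The following Python sketch is an added illustration of what such a threat-based assessment looks like in code; it is not the paper's method or tooling, and the threat catalogue, the SME profile, the likelihood/impact scores and the mitigation effectiveness values are all constructed, hypothetical numbers. The two inputs it expects from the SME (which asset types it runs, which controls it already has) stand in for the "data requirements that facilitate automation" the abstract mentions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One catalogue entry: what it targets and which controls reduce it."""
    name: str
    likelihood: int          # 1 (rare) .. 5 (frequent), hypothetical scale
    impact: int              # 1 (negligible) .. 5 (severe), hypothetical scale
    applies_to: frozenset    # asset types this threat targets
    mitigations: tuple       # (control_id, fraction of risk removed) pairs


# Constructed, hypothetical threat catalogue with made-up scores; not the paper's data.
THREATS = (
    Threat("phishing", 5, 4, frozenset({"email"}),
           (("mfa", 0.6), ("awareness_training", 0.3))),
    Threat("ransomware", 4, 5, frozenset({"workstation", "file_server"}),
           (("offline_backups", 0.7), ("endpoint_protection", 0.4))),
    Threat("web_app_compromise", 3, 4, frozenset({"web_server"}),
           (("patching", 0.5), ("waf", 0.3))),
    Threat("lost_laptop", 3, 3, frozenset({"workstation"}),
           (("disk_encryption", 0.9),)),
)

# Constructed SME profile: the two pieces of data an automated assessment needs.
SME_ASSETS = frozenset({"email", "workstation", "web_server"})
SME_CONTROLS = frozenset({"endpoint_protection"})


def residual_risk(threat, controls):
    """Likelihood x impact, reduced by each mitigation the SME already has in place."""
    score = threat.likelihood * threat.impact
    for control, effectiveness in threat.mitigations:
        if control in controls:
            score *= 1 - effectiveness
    return round(score, 2)


def assess(assets, controls):
    """Score every threat that applies to the SME's assets; highest residual risk first.

    Returns (threat name, residual score, controls still missing) tuples.
    """
    results = []
    for threat in THREATS:
        if not threat.applies_to & assets:
            continue  # threat targets nothing this SME runs, so it is not reported
        missing = [c for c, _ in threat.mitigations if c not in controls]
        results.append((threat.name, residual_risk(threat, controls), missing))
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


def recommendations(assets, controls):
    """Rank missing controls by the total residual risk each would remove across all threats."""
    gain = {}
    for threat in THREATS:
        if not threat.applies_to & assets:
            continue
        current = residual_risk(threat, controls)
        for control, effectiveness in threat.mitigations:
            if control not in controls:
                gain[control] = gain.get(control, 0.0) + current * effectiveness
    ranked = sorted(gain.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(control, round(value, 2)) for control, value in ranked]


if __name__ == "__main__":
    for name, score, missing in assess(SME_ASSETS, SME_CONTROLS):
        print(f"{name:20s} residual risk {score:5}  missing: {', '.join(missing) or '-'}")
    print("Do first:")
    for control, value in recommendations(SME_ASSETS, SME_CONTROLS):
        print(f"  {control:20s} removes {value}")
```

The ordering is the point: because the catalogue is keyed on threats, a control that mitigates a high-likelihood, high-impact threat (here, MFA against phishing) ranks above one that mitigates a rarer or less damaging threat, and a control the SME already has is credited rather than recommended again. A real tool would replace the constructed catalogue with a maintained threat base and collect the asset and control inventory through the user interfaces the abstract refers to.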
