Systematic Approach to Cyber Resilience Operationalization in SMEs

The constantly evolving cyber threat landscape is a latent problem for today’s companies. This is especially true for Small and Medium-sized Enterprises (SMEs), because they have limited resources to face the threats but, as a group, represent an extensive attack surface for cybercriminals to exploit. Moreover, the traditional cybersecurity approach of protecting against known threats cannot withstand the rapidly evolving technologies and threats used by cybercriminals. This study claims that cyber resilience, a more holistic approach to cybersecurity, could help SMEs anticipate, detect, withstand, recover from and evolve after cyber incidents. However, operationalizing cyber resilience is not an easy task, and thus the study presents a framework with a corresponding implementation order that could help SMEs put cyber resilience practices in place. The framework is the result of a variation of Design Science Research in which Grounded Theory was used to induce the most important actions required to implement cyber resilience, followed by an iterative evaluation by experts to validate the actions and place them in a logical order. Therefore, this study proposes that the framework could help SME managers understand cyber resilience, as well as help them start implementing it with concrete actions in an order dictated by the experience of experts. This could potentially ease cyber resilience implementation for SMEs by making them aware of what cyber resilience implies, which dimensions it includes and what actions can be implemented to increase their cyber resilience.
