research-article

Open access

A Threat-Based Cybersecurity Risk Assessment Approach Addressing SME Needs

Authors:

Max van Haastrecht,

Alireza Shojaifar,

Louis Baumgartner,

Wissam Mallouli,

Marco SpruitAuthors Info & Claims

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security

Article No.: 158, Pages 1 - 12

https://doi.org/10.1145/3465481.3469199

Published: 17 August 2021 Publication History

All formats PDF

Abstract

Cybersecurity incidents are commonplace nowadays, and Small- and Medium-Sized Enterprises (SMEs) are exceptionally vulnerable targets. The lack of cybersecurity resources available to SMEs implies that they are less capable of dealing with cyber-attacks. Motivation to improve cybersecurity is often low, as the prerequisite knowledge and awareness to drive motivation is generally absent at SMEs. A solution that aims to help SMEs manage their cybersecurity risks should therefore not only offer a correct assessment but should also motivate SME users. From Self-Determination Theory (SDT), we know that by promoting perceived autonomy, competence, and relatedness, people can be motivated to take action. In this paper, we explain how a threat-based cybersecurity risk assessment approach can help to address the needs outlined in SDT. We propose such an approach for SMEs and outline the data requirements that facilitate automation. We present a practical application covering various user interfaces, showing how our threat-based cybersecurity risk assessment approach turns SME data into prioritised, actionable recommendations.

References

[1]

Christopher J. Alberts, Audrey J. Dorofee, James F. Stevens, and Carol Woody. 2005. OCTAVE-S Implementation Guide, Version 1. Technical Report. Software Engineering Institute, Carnegie Mellon University.

[2]

Tansu Alpcan and Nick Bambos. 2009. Modeling Dependencies in Security Risk Management. In 2009 Fourth International Conference on Risks and Security of Internet and Systems (CRiSIS 2009). 113–116. https://doi.org/10.1109/CRISIS.2009.5411969

[3]

A. W. Atamli and A. Martin. 2014. Threat-Based Security Analysis for the Internet of Things. In 2014 International Workshop on Secure Internet of Things. 35–43. https://doi.org/10.1109/SIoT.2014.10

Digital Library

[4]

Thijs Baars, Frederik Mijnhardt, Kevin Vlaanderen, and Marco Spruit. 2016. An Analytics Approach to Adaptive Maturity Models Using Organizational Characteristics. Decision Analytics 3, 1 (Nov. 2016), 5. https://doi.org/10.1186/s40165-016-0022-1

[5]

Matthew P. Barrett. 2018. Framework for Improving Critical Infrastructure Cybersecurity Version 1.1. Technical Report. NIST.

[6]

Mohamed Slim Ben Mahmoud, Nicolas Larrieu, and Alain Pirovano. 2011. A Risk Propagation Based Quantitative Assessment Methodology for Network Security - Aeronautical Network Case Study. In 2011 Conference on Network and Information Systems Security. 1–9. https://doi.org/10.1109/SAR-SSI.2011.5931372

[7]

Michael Benz and Dave Chatterjee. 2020. Calculated Risk? A Cybersecurity Evaluation Tool for SMEs. Business Horizons 63, 4 (July 2020), 531–540. https://doi.org/10.1016/j.bushor.2020.03.010

[8]

J. F. Carías, M. R. S. Borges, L. Labaka, S. Arrizabalaga, and J. Hernantes. 2020. Systematic Approach to Cyber Resilience Operationalization in SMEs. IEEE Access 8(2020), 174200–174221. https://doi.org/10.1109/ACCESS.2020.3026063

[9]

Valentina Casola, Alessandra De Benedictis, Massimiliano Rak, and Umberto Villano. 2019. Toward the Automation of Threat Modeling and Risk Assessment in IoT Systems. Internet of Things 7 (Sept. 2019), 100056. https://doi.org/10.1016/j.iot.2019.100056

[10]

Valentina Casola, Alessandra De Benedictis, Massimiliano Rak, and Umberto Villano. 2020. A Novel Security-by-Design Methodology: Modeling and Assessing Security by SLAs with a Quantitative Approach. Journal of Systems and Software 163 (May 2020), 110537. https://doi.org/10.1016/j.jss.2020.110537

[11]

Louis Anthony Cox. 2008. Some Limitations of “Risk = Threat × Vulnerability × Consequence” for Risk Analysis of Terrorist Attacks. Risk Analysis 28, 6 (2008), 1749–1761. https://doi.org/10.1111/j.1539-6924.2008.01142.x

[12]

Matthew C. Davis, Rose Challenger, Dharshana N. W. Jayewardene, and Chris W. Clegg. 2014. Advancing Socio-Technical Systems Thinking: A Call for Bravery. Applied Ergonomics 45, 2, Part A (March 2014), 171–180. https://doi.org/10.1016/j.apergo.2013.02.009

[13]

Edward L. Deci and Richard M. Ryan. 1985. The General Causality Orientations Scale: Self-Determination in Personality. Journal of Research in Personality 19, 2 (June 1985), 109–134. https://doi.org/10.1016/0092-6566(85)90023-6

[14]

Mina Deng, Kim Wuyts, Riccardo Scandariato, Bart Preneel, and Wouter Joosen. 2011. A Privacy Threat Analysis Framework: Supporting the Elicitation and Fulfillment of Privacy Requirements. Requirements Engineering 16, 1 (March 2011), 3–32. https://doi.org/10.1007/s00766-010-0115-7

Digital Library

[15]

ENISA. 2007. A Simplified Approach to Risk Management for SMEs. Report. ENISA.

[16]

ENISA. 2016. ENISA Threat Taxonomy. https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy.

[17]

ENISA. 2019. ENISA Threat Landscape Report 2018. Report. ENISA.

[18]

ENISA. 2020. ENISA Threat Landscape 2020 - List of Top 15 Threats. Report. ENISA.

[19]

European Commission. 2016. SME Definition. https://ec.europa.eu/growth/smes/sme-definition.

[20]

European DIGITAL SME Alliance. 2020. The EU Cybersecurity Act and the Role of Standards for SMEs - Position Paper. Technical Report. Brussels.

[21]

GEIGER Consortium. 2020. GEIGER Project Website. https://project.cyber-geiger.eu/.

[22]

D. Gollmann, C. Herley, V. Koenig, W. Pieters, and M. A. Sasse. 2015. Socio-Technical Security Metrics. Dagstuhl Reports, 4, 2015(2015). https://doi.org/10.4230/DagRep.4.12.1

[23]

Bartlomiej Hanus and Yu “Andy” Wu. 2016. Impact of Users’ Security Awareness on Desktop Security Behavior: A Protection Motivation Theory Perspective. Information Systems Management 33, 1 (Jan. 2016), 2–16. https://doi.org/10.1080/10580530.2015.1117842

Digital Library

[24]

Margareta Heidt, Jin P. Gerlach, and Peter Buxmann. 2019. Investigating the Security Divide between SME and Large Companies: How SME Characteristics Influence Organizational IT Security Investments. Information Systems Frontiers 21, 6 (Dec. 2019), 1285–1305. https://doi.org/10.1007/s10796-019-09959-1

Digital Library

[25]

International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC). 2012. ISO/IEC 27032:2012 Information Technology — Security Techniques — Guidelines for Cybersecurity. Technical Report. ISO/IEC.

[26]

International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC). 2013. ISO/IEC 27002:2013 Information Technology — Security Techniques — Code of Practice for Information Security Controls. Technical Report. ISO/IEC.

[27]

Urpo Kaila and Linus Nyman. 2018. Information Security Best Practices: First Steps for Startups and SMEs. Technology Innovation Management Review 8, 11 (2018), 32–42. https://doi.org/10.22215/timreview/1198

[28]

Younghwa Lee and Kai R. Larsen. 2009. Threat or Coping Appraisal: Determinants of SMB Executives’ Decision to Adopt Anti-Malware Software. European Journal of Information Systems 18, 2 (April 2009), 177–187. https://doi.org/10.1057/ejis.2009.11

[29]

Yang Liu, Armin Sarabi, Jing Zhang, Parinaz Naghizadeh, Manish Karir, Michael Bailey, and Mingyan Liu. 2015. Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents. In 24th {USENIX} Security Symposium ({USENIX} Security 15). 1009–1024.

[30]

Louis Marinos and Andreas Sfakianakis. 2013. ENISA Threat Landscape 2012. Report. ENISA.

[31]

Marijn Martens, Ralf De Wolf, and Lieven De Marez. 2019. Investigating and Comparing the Predictors of the Intention towards Taking Security Measures against Malware, Scams and Cybercrime in General. Computers in Human Behavior 92 (March 2019), 139–150. https://doi.org/10.1016/j.chb.2018.11.002

Digital Library

[32]

Philip Menard, Gregory J. Bott, and Robert E. Crossler. 2017. User Motivations in Protecting Information Security: Protection Motivation Theory Versus Self-Determination Theory. Journal of Management Information Systems 34, 4 (Oct. 2017), 1203–1230. https://doi.org/10.1080/07421222.2017.1394083

[33]

Frederik Mijnhardt, Thijs Baars, and Marco Spruit. 2016. Organizational Characteristics Influencing SME Information Security Maturity. Journal of Computer Information Systems 56, 2 (April 2016), 106–115. https://doi.org/10.1080/08874417.2016.1117369

[34]

Michael Muckin and Scott C Fitch. 2019. A Threat-Driven Approach to Cyber Security. Technical Report. Lockheed Martin Corporation. 45 pages.

[35]

NCSC UK. 2014. Cyber Essentials. https://www.ncsc.gov.uk/cyberessentials/overview.

[36]

Keshnee Padayachee. 2012. Taxonomy of Compliant Information Security Behavior. Computers & Security 31, 5 (July 2012), 673–680. https://doi.org/10.1016/j.cose.2012.04.004

Digital Library

[37]

Charles P. Pfleeger and Shari Lawrence Pfleeger. 2012. Analyzing Computer Security: A Threat/Vulnerability/Countermeasure Approach. Prentice Hall Professional.

[38]

Atle Refsdal, Bjørnar Solhaug, and Ketil Stolen. 2015. Cyber-Risk Management. Springer International Publishing.

[39]

James Riordan and R. P. Lippmann. 2016. Threat-Based Risk Assessment for Enterprise Networks.

[40]

Richard M. Ryan and Edward L. Deci. 2000. Self-Determination Theory and the Facilitation of Intrinsic Motivation, Social Development, and Well-Being. American Psychologist 55, 1 (2000), 68–78. https://doi.org/10.1037/0003-066X.55.1.68

[41]

Armin Sarabi, Parinaz Naghizadeh, Yang Liu, and Mingyan Liu. 2016. Risky Business: Fine-Grained Data Breach Prediction Using Business Profiles. Journal of Cybersecurity 2, 1 (Dec. 2016), 15–28. https://doi.org/10.1093/cybsec/tyw004

[42]

Riccardo Scandariato, Kim Wuyts, and Wouter Joosen. 2015. A Descriptive Study of Microsoft’s Threat Modeling Technique. Requirements Engineering 20, 2 (June 2015), 163–180. https://doi.org/10.1007/s00766-013-0195-2

Digital Library

[43]

Stephan Schmidt and Sahin Albayrak. 2010. A Quantitative Framework for Dependency-Aware Organizational IT Risk Management. In 2010 10th International Conference on Intelligent Systems Design and Applications. 1207–1212. https://doi.org/10.1109/ISDA.2010.5687022

[44]

Alireza Shameli-Sendi, Rouzbeh Aghababaei-Barzegar, and Mohamed Cheriet. 2016. Taxonomy of Information Security Risk Assessment (ISRA). Computers & Security 57 (March 2016), 14–30. https://doi.org/10.1016/j.cose.2015.11.001

Digital Library

[45]

Alireza Shojaifar and Samuel A. Fricker. 2020. SMEs’ Confidentiality Concerns for Security Information Sharing. In Human Aspects of Information Security and Assurance(IFIP Advances in Information and Communication Technology), Nathan Clarke and Steven Furnell (Eds.). Springer International Publishing, Cham, 289–299. https://doi.org/10.1007/978-3-030-57404-8_22

[46]

Alireza Shojaifar, Samuel A. Fricker, and Martin Gwerder. 2020. Automating the Communication of Cybersecurity Knowledge: Multi-Case Study. In Information Security Education. Information Security in Action(IFIP Advances in Information and Communication Technology), Lynette Drevin, Suné Von Solms, and Marianthi Theocharidou (Eds.). Springer International Publishing, Cham, 110–124. https://doi.org/10.1007/978-3-030-59291-2_8

[47]

Marco Spruit and Martijn Roeling. 2014. ISFAM: The Information Security Focus Area Maturity Model. ECIS 2014 Proceedings (June 2014).

[48]

G. Stergiopoulos, D. Gritzalis, and V. Kouktzoglou. 2018. Using Formal Distributions for Threat Likelihood Estimation in Cloud-Enabled IT Risk Assessment. Computer Networks 134 (April 2018), 23–45. https://doi.org/10.1016/j.comnet.2018.01.033

Digital Library

[49]

Swiss NCSC. 2021. Cyberthreats. https://www.ncsc.admin.ch/ncsc/en/home.html.

[50]

Brett Tucker. 2020. Advancing Risk Management Capability Using the OCTAVE FORTE Process. (Dec. 2020). https://doi.org/10.1184/R1/13014266.v1

[51]

Robert J. Vallerand. 1997. Toward A Hierarchical Model of Intrinsic and Extrinsic Motivation. In Advances in Experimental Social Psychology, Mark P. Zanna (Ed.). Vol. 29. Academic Press, 271–360. https://doi.org/10.1016/S0065-2601(08)60019-2

[52]

René van Bavel, Nuria Rodríguez-Priego, José Vila, and Pam Briggs. 2019. Using Protection Motivation Theory in the Design of Nudges to Improve Online Security Behavior. International Journal of Human-Computer Studies 123 (March 2019), 29–39. https://doi.org/10.1016/j.ijhcs.2018.11.003

[53]

Kim Wuyts, Riccardo Scandariato, and Wouter Joosen. 2014. Empirical Evaluation of a Privacy-Focused Threat Modeling Methodology. Journal of Systems and Software 96 (Oct. 2014), 122–138. https://doi.org/10.1016/j.jss.2014.05.075

[54]

Wenjun Xiong and Robert Lagerström. 2019. Threat Modeling – A Systematic Literature Review. Computers & Security 84 (July 2019), 53–69. https://doi.org/10.1016/j.cose.2019.03.010

Digital Library

[55]

Bilge Yigit Ozkan and Marco Spruit. 2020. Addressing SME Characteristics for Designing Information Security Maturity Models. In Human Aspects of Information Security and Assurance(IFIP Advances in Information and Communication Technology), Nathan Clarke and Steven Furnell (Eds.). Springer International Publishing, Cham, 161–174. https://doi.org/10.1007/978-3-030-57404-8_13

[56]

Bilge Yigit Ozkan, Marco Spruit, Roland Wondolleck, and Verónica Burriel Coll. 2019. Modelling Adaptive Information Security for SMEs in a Cluster. Journal of Intellectual Capital 21, 2 (Jan. 2019), 235–256. https://doi.org/10.1108/JIC-05-2019-0128

[57]

Bilge Yigit Ozkan, Sonny van Lingen, and Marco Spruit. 2021. The Cybersecurity Focus Area Maturity (CYSFAM) Model. Journal of Cybersecurity and Privacy 1, 1 (March 2021), 119–139. https://doi.org/10.3390/jcp1010007

Cited By

Ali AAyyasamy RAkbar RJebna AAdnan K(2025)Cybersecurity Infrastructure Compliance Key Factors to Detect and Mitigate Malware Attacks in SMEs: A Systematic Literature ReviewSage Open10.1177/2158244025131467115:1Online publication date: 31-Jan-2025
https://doi.org/10.1177/21582440251314671
El-Hajj MMirza Z(2024)ProtectingSmall and Medium Enterprises: A Specialized Cybersecurity Risk Assessment Framework and ToolElectronics10.3390/electronics1319391013:19(3910)Online publication date: 2-Oct-2024
https://doi.org/10.3390/electronics13193910
Saeedi KHassan MAlarifi SAlmagwashi H(2024)An intuitive approach to cybersecurity risk assessment for non-governmental organizationsTransforming Government: People, Process and Policy10.1108/TG-08-2024-020119:1(159-182)Online publication date: 17-Oct-2024
https://doi.org/10.1108/TG-08-2024-0201
Show More Cited By

Index terms have been assigned to the content through auto-classification.

Recommendations

Classifying SMEs for Approaching Cybersecurity Competence and Awareness
ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security

Cybersecurity is increasingly a concern for small and medium-sized enterprises (SMEs), and there exist many awareness training programs and tools for them. The literature mainly studies SMEs as a unitary type of company and provides one-size-fits-all ...
A state of the art survey - Impact of cyber attacks on SME's
ICFNDS '17: Proceedings of the International Conference on Future Networks and Distributed Systems

Corporations and end users are finding it hard to keep their devices safe from the ever evolving and complicated threat of cyber attacks. Currently, with the widespread adoption of the Internet of Things (IoT), cyber threat is becoming an even greater ...
Cyber Security & Ethical Hacking For SMEs
KMO '16: Proceedings of the The 11th International Knowledge Management in Organizations Conference on The changing face of Knowledge Management Impacting Society

Literature posits that 30,000 SME websites are hacked daily. Thus it is acknowledged that web-based tools are essential to prevent cyber criminals hacking into online networks to comprise their services and gain access to confidential data for improper ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security

August 2021

1447 pages

ISBN:9781450390514

DOI:10.1145/3465481

Copyright © 2021 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 17 August 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

Horizon 2020 Framework Programme

Conference

ARES 2021

ARES 2021: The 16th International Conference on Availability, Reliability and Security

August 17 - 20, 2021

Vienna, Austria

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

12
Total Citations
View Citations
4,590
Total Downloads

Downloads (Last 12 months)1,271
Downloads (Last 6 weeks)147

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Ali AAyyasamy RAkbar RJebna AAdnan K(2025)Cybersecurity Infrastructure Compliance Key Factors to Detect and Mitigate Malware Attacks in SMEs: A Systematic Literature ReviewSage Open10.1177/2158244025131467115:1Online publication date: 31-Jan-2025
https://doi.org/10.1177/21582440251314671
El-Hajj MMirza Z(2024)ProtectingSmall and Medium Enterprises: A Specialized Cybersecurity Risk Assessment Framework and ToolElectronics10.3390/electronics1319391013:19(3910)Online publication date: 2-Oct-2024
https://doi.org/10.3390/electronics13193910
Saeedi KHassan MAlarifi SAlmagwashi H(2024)An intuitive approach to cybersecurity risk assessment for non-governmental organizationsTransforming Government: People, Process and Policy10.1108/TG-08-2024-020119:1(159-182)Online publication date: 17-Oct-2024
https://doi.org/10.1108/TG-08-2024-0201
Kim EMun DJun MYun H(2024)Operation and Productivity Monitoring from Sound Signal of Legacy Pipe Bending Machine via Convolutional Neural Network (CNN)International Journal of Precision Engineering and Manufacturing10.1007/s12541-024-01018-325:7(1437-1456)Online publication date: 15-Apr-2024
https://doi.org/10.1007/s12541-024-01018-3
Wright JBurrell D(2023)Telemedicine Cybersecurity Protection in Reproductive HealthcareHOLISTICA – Journal of Business and Public Administration10.2478/hjbpa-2023-001214:2(1-14)Online publication date: 14-Dec-2023
https://doi.org/10.2478/hjbpa-2023-0012
Apruzzese GAnderson HDambra SFreeman DPierazzi FRoundy K(2023)“Real Attackers Don't Compute Gradients”: Bridging the Gap Between Adversarial ML Research and Practice2023 IEEE Conference on Secure and Trustworthy Machine Learning (SaTML)10.1109/SaTML54575.2023.00031(339-364)Online publication date: Feb-2023
https://doi.org/10.1109/SaTML54575.2023.00031
Tampati IBuana ISetiawan H(2023)Secure Mobile Application for Uniform Resource Locator (URL) Phising Detection based on Deep Learning2023 1st International Conference on Advanced Engineering and Technologies (ICONNIC)10.1109/ICONNIC59854.2023.10467246(231-236)Online publication date: 14-Oct-2023
https://doi.org/10.1109/ICONNIC59854.2023.10467246
van Haastrecht MBrinkhuis MWools SSpruit M(2023)VAST: a practical validation framework for e-assessment solutionsInformation Systems and e-Business Management10.1007/s10257-023-00641-321:3(603-627)Online publication date: 11-Jul-2023
https://dl.acm.org/doi/10.1007/s10257-023-00641-3
Hollerer SSauter TKastner W(2022)Risk Assessments Considering Safety, Security, and Their Interdependencies in OT EnvironmentsProceedings of the 17th International Conference on Availability, Reliability and Security10.1145/3538969.3543814(1-8)Online publication date: 23-Aug-2022
https://dl.acm.org/doi/10.1145/3538969.3543814
Ali AAyyasamy RAkbar RPonnusamy VHeng L(2022)Cybersecurity Infrastructure adoption Model for Malware Mitigation in Small Medium Enterprises (SME)2022 IEEE 5th International Symposium in Robotics and Manufacturing Automation (ROMA)10.1109/ROMA55875.2022.9915696(1-6)Online publication date: 6-Aug-2022
https://doi.org/10.1109/ROMA55875.2022.9915696
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Figures

Tables

Media

View Table of Conten