DOI: 10.1145/3465481.3469199
ARES Conference Proceedings, research article, open access

A Threat-Based Cybersecurity Risk Assessment Approach Addressing SME Needs

Published: 17 August 2021

Abstract

Cybersecurity incidents are commonplace nowadays, and Small- and Medium-Sized Enterprises (SMEs) are exceptionally vulnerable targets. The lack of cybersecurity resources available to SMEs implies that they are less capable of dealing with cyber-attacks. Motivation to improve cybersecurity is often low, as the prerequisite knowledge and awareness to drive motivation is generally absent at SMEs. A solution that aims to help SMEs manage their cybersecurity risks should therefore not only offer a correct assessment but should also motivate SME users. From Self-Determination Theory (SDT), we know that by promoting perceived autonomy, competence, and relatedness, people can be motivated to take action. In this paper, we explain how a threat-based cybersecurity risk assessment approach can help to address the needs outlined in SDT. We propose such an approach for SMEs and outline the data requirements that facilitate automation. We present a practical application covering various user interfaces, showing how our threat-based cybersecurity risk assessment approach turns SME data into prioritised, actionable recommendations.



    Published In

    ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security
    August 2021
    1447 pages
    ISBN:9781450390514
    DOI:10.1145/3465481
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 17 August 2021


    Author Tags

    1. SDT
    2. SME
    3. cybersecurity
    4. motivation
    5. risk assessment
    6. threat

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    ARES 2021

    Acceptance Rates

    Overall Acceptance Rate 228 of 451 submissions, 51%

    Article Metrics

    • Downloads (last 12 months): 1,508
    • Downloads (last 6 weeks): 129
    Reflects downloads up to 09 Nov 2024

    Cited By

    • Protecting Small and Medium Enterprises: A Specialized Cybersecurity Risk Assessment Framework and Tool. Electronics 13, 19 (2024), 3910. https://doi.org/10.3390/electronics13193910. Online publication date: 2 Oct 2024.
    • An intuitive approach to cybersecurity risk assessment for non-governmental organizations. Transforming Government: People, Process and Policy (2024). https://doi.org/10.1108/TG-08-2024-0201. Online publication date: 17 Oct 2024.
    • Operation and Productivity Monitoring from Sound Signal of Legacy Pipe Bending Machine via Convolutional Neural Network (CNN). International Journal of Precision Engineering and Manufacturing 25, 7 (2024), 1437–1456. https://doi.org/10.1007/s12541-024-01018-3. Online publication date: 15 Apr 2024.
    • Telemedicine Cybersecurity Protection in Reproductive Healthcare. HOLISTICA – Journal of Business and Public Administration 14, 2 (2023), 1–14. https://doi.org/10.2478/hjbpa-2023-0012. Online publication date: 14 Dec 2023.
    • “Real Attackers Don't Compute Gradients”: Bridging the Gap Between Adversarial ML Research and Practice. In 2023 IEEE Conference on Secure and Trustworthy Machine Learning (SaTML), 339–364. https://doi.org/10.1109/SaTML54575.2023.00031. Online publication date: Feb 2023.
    • Secure Mobile Application for Uniform Resource Locator (URL) Phising Detection based on Deep Learning. In 2023 1st International Conference on Advanced Engineering and Technologies (ICONNIC), 231–236. https://doi.org/10.1109/ICONNIC59854.2023.10467246. Online publication date: 14 Oct 2023.
    • VAST: a practical validation framework for e-assessment solutions. Information Systems and e-Business Management 21, 3 (2023), 603–627. https://doi.org/10.1007/s10257-023-00641-3. Online publication date: 11 Jul 2023.
    • Risk Assessments Considering Safety, Security, and Their Interdependencies in OT Environments. In Proceedings of the 17th International Conference on Availability, Reliability and Security (2022), 1–8. https://doi.org/10.1145/3538969.3543814. Online publication date: 23 Aug 2022.
    • Cybersecurity Infrastructure adoption Model for Malware Mitigation in Small Medium Enterprises (SME). In 2022 IEEE 5th International Symposium in Robotics and Manufacturing Automation (ROMA), 1–6. https://doi.org/10.1109/ROMA55875.2022.9915696. Online publication date: 6 Aug 2022.
    • Impact of Additive Manufacturing in SMEs. In Industry 4.0 and Advanced Manufacturing (2022), 103–111. https://doi.org/10.1007/978-981-19-0561-2_10. Online publication date: 24 Jul 2022.
