Risk and the Small-Scale Cyber Security Decision Making Dialogue—a UK Case Study

Osborn, Emma; Simpson, Andrew

doi:10.1093/comjnl/bxx093

Cited by 26 publications

(9 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Studies with input from technical experts [17,81,82] identified different concerns compared to general small business owners [83,84,85,86]. A series of interviews from a single study [87] shows that small scale IT users have constraints in security decision making that are not expected by technical security providers. Australian small businesses in information, media and telecommunication, and professional, scientific and technical services categories made up less than 14% of all businesses, by business count, in 2019 [88].…”

Section: Business Versus It Perspectivesmentioning

confidence: 99%

The Good, The Bad and The Missing: A Narrative Review of Cyber-security Implications for Australian Small Businesses

Tam,

Rao,

Hall

2021

Preprint

View full text Add to dashboard Cite

Small businesses (0-19 employees) are becoming attractive targets for cyber-criminals, but struggle to implement cyber-security measures that large businesses routinely deploy. There is an urgent need for effective and suitable cyber-security solutions for small businesses as they employ a significant proportion of the workforce.In this paper, we consider the small business cyber-security challenges not currently addressed by research or products, contextualised via an Australian lens. We also highlight some unique characteristics of small businesses conducive to cyber-security actions.Small business cyber-security discussions to date have been narrow in focus and lack re-usability beyond specific circumstances. Our study uses global evidence from industry, government and research communities across multiple disciplines. We explore the technical and non-technical factors negatively impacting a small business' ability to safeguard itself, such as resource constraints, organisational process maturity, and legal structures. Our research shows that some small business characteristics, such as agility, large cohort size, and piecemeal IT architecture, could allow for increased cyber-security.We conclude that there is a gap in current research in small business cyber-security. In addition, legal and policy work are needed to help small businesses become cyber-resilient.

show abstract

Section: Business Versus It Perspectivesmentioning

confidence: 99%

The Good, The Bad and The Missing: A Narrative Review of Cyber-security Implications for Australian Small Businesses

Tam,

Rao,

Hall

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Smaller businesses may have fewer resources available to invest in automated security solutions, and be less likely to have a dedicated security function to manage threats [76]. For small charities also, this can include relying on volunteers having the necessary expertise [77]. Smaller organisations may also delegate security to an expert IT-security provider company [77].…”

Section: A Vulnerable User Groupsmentioning

confidence: 99%

“…For small charities also, this can include relying on volunteers having the necessary expertise [77]. Smaller organisations may also delegate security to an expert IT-security provider company [77].…”

Section: A Vulnerable User Groupsmentioning

confidence: 99%

Identifying Unintended Harms of Cybersecurity Countermeasures

Chua

Parkin

Edwards

et al. 2019

2019 APWG Symposium on Electronic Crime Research (eCrime)

View full text Add to dashboard Cite

Well-meaning cybersecurity risk owners will deploy countermeasures (technologies or procedures) to manage risks to their services or systems. In some cases, those countermeasures will produce unintended consequences, which must then be addressed. Unintended consequences can potentially induce harm, adversely affecting user behaviour, user inclusion, or the infrastructure itself (including other services or countermeasures). Here we propose a framework for preemptively identifying unintended harms of risk countermeasures in cybersecurity. The framework identifies a series of unintended harms which go beyond technology alone, to consider the cyberphysical and sociotechnical space: displacement, insecure norms, additional costs, misuse, misclassification, amplification, and disruption. We demonstrate our framework through application to the complex, multi-stakeholder challenges associated with the prevention of cyberbullying as an applied example. Our framework aims to illuminate harmful consequences, not to paralyze decisionmaking, but so that potential unintended harms can be more thoroughly considered in risk management strategies. The framework can support identification and preemptive planning to identify vulnerable populations and preemptively insulate them from harm. There are opportunities to use the framework in coordinating risk management strategy across stakeholders in complex cyberphysical environments.

show abstract

“…While there is literature on how practitioners should conduct ISRM, there is little on how they actually perform ISRM [14]. Additionally, there is not much research on ISRM from a security-novice perspective [15]. Previous studies have, however, highlighted, for some time, concerns among organisations with limited security awareness or experience when deciding about or developing their digital services [15], [16].…”

Section: Introductionmentioning

confidence: 99%

“…Additionally, there is not much research on ISRM from a security-novice perspective [15]. Previous studies have, however, highlighted, for some time, concerns among organisations with limited security awareness or experience when deciding about or developing their digital services [15], [16]. Osborn and Simpson [15], for example, found that novice practitioners were uncertain about developing or outsourcing digital services because they felt they lacked the understanding of the consequences and limitations of the developed services or agreed contracts.…”

Section: Introductionmentioning

confidence: 99%

Security-Related Stress: A Perspective on Information Security Risk Management

Lundgren

Bergström

2019

2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security)

View full text Add to dashboard Cite

In this study, the enactment of information security risk management by novice practitioners is studied by applying an analytical lens of security-related stress. Two organisations were targeted in the study using a case study approach to obtain data about their practices. The study identifies stressors and stress inhibitors in the ISRM process and the supporting ISRM tools and discusses the implications for practitioners. For example, a mismatch between security standards and how they are interpreted in practice has been identified. This mismatch was further found to be strengthened by the design of the used ISRM tools. Those design shortcomings hamper agility since they may enforce a specific workflow or may restrict documentation. The study concludes that security-related stress can provide additional insight into security-novice practitioners' ISRM challenges.

show abstract

Risk and the Small-Scale Cyber Security Decision Making Dialogue—a UK Case Study

Cited by 26 publications

References 14 publications

The Good, The Bad and The Missing: A Narrative Review of Cyber-security Implications for Australian Small Businesses

The Good, The Bad and The Missing: A Narrative Review of Cyber-security Implications for Australian Small Businesses

Identifying Unintended Harms of Cybersecurity Countermeasures

Security-Related Stress: A Perspective on Information Security Risk Management

Contact Info

Product

Resources

About