The Cybersecurity Focus Area Maturity (CYSFAM) Model

Özkan, Bilge Yiğit; Lingen, Sonny van; Spruit, Marco

doi:10.3390/jcp1010007

Cited by 13 publications

(11 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In line with [3,18], this study demonstrates that classification helps enrich the understanding of SME types to communicate and keep them engaged effectively. The classification approach is in contrast with the idea of CYSFAM [43] that proposes a maturity model for generic organisations. Moreover, compared to [3,18] (which identify four and two types of SMEs, respectively), this study indicates five types of SMEs with no counterpart for the cybersecurity capable SMEs.…”

Section: Discussionmentioning

confidence: 99%

Classifying SMEs for Approaching Cybersecurity Competence and Awareness

Shojaifar

Järvinen²

2021

Proceedings of the 16th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Cybersecurity is increasingly a concern for small and medium-sized enterprises (SMEs), and there exist many awareness training programs and tools for them. The literature mainly studies SMEs as a unitary type of company and provides one-size-fits-all recommendations and solutions. However, SMEs are not homogeneous. They are diverse with different vulnerabilities, cybersecurity needs, and competencies. Few studies considered such differences in standards and certificates for security tools adoption and cybersecurity tailoring for these SMEs. This study proposes a classification framework with an outline of cybersecurity improvement needs for each class. The framework suggests five SME types based on their characteristics and specific security needs: cybersecurity abandoned SME, unskilled SME, expert-connected SME, capable SME, and cybersecurity provider SME. In addition to describing the five classes, the study explains the framework's usage in sampled SMEs. The framework proposes solutions for each class to approach cybersecurity awareness and competence more consistent with SME needs.

show abstract

Section: Discussionmentioning

confidence: 99%

Classifying SMEs for Approaching Cybersecurity Competence and Awareness

Shojaifar

Järvinen²

2021

Proceedings of the 16th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

show abstract

“…Their outcomes allowed for reporting some findings regarding how to set up the overall organisational structures, basic management processes, and some supporting tools for SMEs. In [11,39,40], Ozkan et al describe several information security and maturity models that can be applied to SMEs characteristics, in which ISO-27001:2013 is one of the available frameworks.…”

Section: Case Studies and Related Workmentioning

confidence: 99%

Information Security and Cybersecurity Management: A Case Study with SMEs in Portugal

Antunes

Maximiano

Gomes

et al. 2021

JCP

View full text Add to dashboard Cite

Information security plays a key role in enterprises management, as it deals with the confidentiality, privacy, integrity, and availability of one of their most valuable resources: data and information. Small and Medium-sized enterprises (SME) are seen as a blind spot in information security and cybersecurity management, which is mainly due to their size, regional and familiar scope, and financial resources. This paper presents an information security and cybersecurity management project, in which a methodology based on the well-known ISO-27001:2013 standard was designed and implemented in fifty SMEs that were located in the center region of Portugal. The project was conducted by a business association located at the center of Portugal and mainly participated by SMEs. The Polytechnic of Leiria and an IT auditing/consulting team were the other two entities that participated on the project. The characterisation of the participating enterprises, the ISO-27001:2013 based methodology developed and implemented in SMEs, as well as the results obtained in this case study, are depicted and analysed in the paper. The attained results show a clear benefit to the audited and intervened SMEs, being mainly attested by the increasing of their information security management robustness and collaborators’ cyberawareness.

show abstract

“…Besides improving metric values, SMEs can also implement countermeasures (or controls) to counter vulnerabilities. Common countermeasures can be sourced from a variety of parties, from National Cyber Security Centres (NCSCs) and CERTs [35,49], to standards organisations [25,26], to peer-reviewed research [57]. In our SME context, we should be able to argue that the countermeasures included in our solution are both necessary and sufficient.…”

Section: Data Requirementsmentioning

confidence: 99%

“…Cybersecurity incidents are commonplace nowadays and can have a devastating impact on businesses [57]. Small-and Medium-Sized Enterprises (SMEs, [19]) are especially vulnerable since they have limited resources to deal with cyber-attacks [24].…”

Section: Introductionmentioning

confidence: 99%

A Threat-Based Cybersecurity Risk Assessment Approach Addressing SME Needs

Haastrecht

Sarhan

Shojaifar

et al. 2021

Proceedings of the 16th International Conference on Availability, Reliability and Security

Self Cite

View full text Add to dashboard Cite

Cybersecurity incidents are commonplace nowadays, and Smalland Medium-Sized Enterprises (SMEs) are exceptionally vulnerable targets. The lack of cybersecurity resources available to SMEs implies that they are less capable of dealing with cyber-attacks. Motivation to improve cybersecurity is often low, as the prerequisite knowledge and awareness to drive motivation is generally absent at SMEs. A solution that aims to help SMEs manage their cybersecurity risks should therefore not only offer a correct assessment but should also motivate SME users. From Self-Determination Theory (SDT), we know that by promoting perceived autonomy, competence, and relatedness, people can be motivated to take action. In this paper, we explain how a threat-based cybersecurity risk assessment approach can help to address the needs outlined in SDT. We propose such an approach for SMEs and outline the data requirements that facilitate automation. We present a practical application covering various user interfaces, showing how our threat-based cybersecurity risk assessment approach turns SME data into prioritised, actionable recommendations. CCS CONCEPTS• Security and privacy → Systems security; Human and societal aspects of security and privacy.

show abstract

The Cybersecurity Focus Area Maturity (CYSFAM) Model

Cited by 13 publications

References 29 publications

Classifying SMEs for Approaching Cybersecurity Competence and Awareness

Classifying SMEs for Approaching Cybersecurity Competence and Awareness

Information Security and Cybersecurity Management: A Case Study with SMEs in Portugal

A Threat-Based Cybersecurity Risk Assessment Approach Addressing SME Needs

Contact Info

Product

Resources

About