Top

Published in:

2020 | OriginalPaper | Chapter

Automating the Communication of Cybersecurity Knowledge: Multi-case Study

Authors : Alireza Shojaifar, Samuel A. Fricker, Martin Gwerder

Published in: Information Security Education. Information Security in Action

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Cybersecurity is essential for the protection of companies against cyber threats. Traditionally, cybersecurity experts assess and improve a company’s capabilities. However, many small and medium-sized businesses (SMBs) consider such services not to be affordable. We explore an alternative do-it-yourself (DIY) approach to bringing cybersecurity to SMBs. Our method and tool, CYSEC, implements the Self-Determination Theory (SDT) to guide and motivate SMBs to adopt good cybersecurity practices. CYSEC uses assessment questions and recommendations to communicate cybersecurity knowledge to the end-user SMBs and encourage self-motivated change. In this paper, the operationalisation of SDT in CYSEC is presented and the results of a multi-case study shown that offer insight into how SMBs adopted cybersecurity practices with CYSEC. Effective automated cybersecurity communication depended on the SMB’s hands-on skills, tools adaptedness, and the users’ willingness to documenting confidential information. The SMBs wanted to learn in simple, incremental steps, allowing them to understand what they do. An SMB’s motivation to improve security depended on the fitness of assessment questions and recommendations with the SMB’s business model and IT infrastructure. The results of this study indicate that automated counselling can help many SMBs in security adoption.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Exploring the Value of a Cyber Threat Intelligence Function in an Organization

next chapter A Serious Game-Based Peer-Instruction Digital Forensics Workshop

Muller, P., et al.: Annual report on European SMEs 2016/2017: Focus on self-employment. European Commission (2017)

Caldwell, T.: Securing small businesses – the weakest link in a supply chain? Comput. Fraud Secur. 2015, 5–10 (2015)

Ntouskas, T., Papanikas, D., Polemi, N.: A collaborative system offering security management services for SMEs/mEs. In: Georgiadis, C.K., Jahankhani, H., Pimenidis, E., Bashroush, R., Al-Nemrat, A. (eds.) e-Democracy/ICGS3 -2011. LNICSSITE, vol. 99, pp. 220–228. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33448-1_30CrossRef

Goucher, W.: Do SMEs have the right attitude to security? Comput. Fraud Secur. 2011, 18–20 (2011)

Gupta, A., Hammond, R.: Information systems security issues and decisions for small businesses: an empirical examination. Inf. Manage. Comput. Secur. 13, 297–310 (2005)CrossRef

Mijnhardt, F., Baars, T., Spruit, M.: Organizational characteristics influencing SME information security maturity. J. Comput. Inf. Syst. 56(11), 106–115 (2016)

Kurpjuhn, T.: The SME security challenge. Comput. Fraud Secur. 2015, 5–7 (2015)CrossRef

Valli, C., Martinus, I.C., Johnstone, M.N.: Small to Medium Enterprise Cyber Security Awareness: an initial survey of Western Australian Business (2014)

Brunner, M., Sillaber, C., Breu, R.: Towards automation in information security management systems. In: 2017 IEEE International Conference on Software Quality, Reliability and Security (QRS), Prague, Czech Republic, pp. 160–167. IEEE (2017)

10.

Furnell, S.M., Gennatou, M., Dowland, P.S.: A prototype tool for information security awareness and training. Logist. Inf. Manage. 15, 352–357 (2002)CrossRef

11.

Dhillon, G., Torkzadeh, G.: Value-focused assessment of information system security in organizations. Inf. Syst. J. 16, 293–314 (2006)CrossRef

12.

Cranor, L.F.: A framework for reasoning about the human in the loop. In: UPSEC 2008 Proceedings of the 1st Conference on Usability, Psychology, Security, Berkeley, USA (2008)

13.

Pahnila, S., Siponen, M., Mahmood, A.: Employees’ behavior towards IS security policy compliance. In: 40th Annual Hawaii International Conference on System Sciences (HICSS 2007), Hawaii, USA, pp. 156–166. IEEE (2007)

14.

Rhee, H.-S., Kim, C., Ryu, Y.U.: Self-efficacy in information security: its influence on end users’ information security practice behavior. Comput. Secur. 28, 816–826 (2009)CrossRef

15.

Shojaifar, A., Fricker, S.A., Gwerder, M.: Elicitation of SME requirements for cybersecurity solutions by studying adherence to recommendations. In: REFSQ Workshops (2018)

16.

Albrechtsen, E., Hovden, J.: The information security digital divide between information security managers and users. Comput. Secur. 28, 476–490 (2009)CrossRef

17.

West, R.: The psychology of security. Commun. ACM 51(4), 34–40 (2008)CrossRef

18.

Hayes, J.: The Theory and Practice of Change Management. Palgrave, New York (2002)

19.

Menard, P., Bott, G.J., Crossler, R.E.: User motivations in protecting information security: protection motivation theory versus self-determination theory. J. Manage. Inf. Syst. 34(4), 1203–1230 (2017)CrossRef

20.

Pham, H.C., Pham, D.D., Brennan, L., Richardson, J.: Information security and people: a conundrum for compliance. AJIS 21, 1–16 (2017)

21.

Ryan, R.M., Deci, E.L.: Self-determination theory and the facilitation of intrinsic motivation, social development, and well-being. Am. Psychol. 55, 68–78 (2000)CrossRef

22.

Deci, E.L., Ryan, R.M.: Self-determination theory: a macrotheory of human motivation, development, and health. Can. Psychol. 49(3), 182–185 (2008)CrossRef

23.

Deci, E.L., Ryan, R.M.: The general causality orientations scale: self-determination in personality. J. Res. Pers. 19(2), 109–134 (1985)CrossRef

24.

Deming, W.E.: Elementary principles of the statistical control of quality. Nippon Kagaku Gigutsu Remmei: Japanese Union of Science and Engineering (JUSE) (1951)

25.

Yigit Ozkan, B., Spruit, M.: A questionnaire model for cybersecurity maturity assessment of critical infrastructures. In: Fournaris, A.P., Lampropoulos, K., Marín Tordera, E. (eds.) IOSec 2018. LNCS, vol. 11398, pp. 49–60. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12085-6_5CrossRef

26.

Gardner, B., Thomas, V.: Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats. Elsevier/Syngress, Amsterdam (2014)

27.

Yin, R.K.: Case Study Research: Design and Methods, 4th edn. Sage, Thousand Oaks (2009)

28.

Bennett, R.J., Robinson, S.L.: Development of a measure of workplace deviance. J. Appl. Psychol. 85(3), 349–360 (2000)CrossRef

29.

Runeson, P., Höst, M., Rainer, A., Regnell, B.: Case Study Research in Software Engineering: Guidelines and Examples. Wiley, Hoboken (2012)CrossRef

Title: Automating the Communication of Cybersecurity Knowledge: Multi-case Study
Authors: Alireza Shojaifar
Samuel A. Fricker
Martin Gwerder
Publisher: Springer International Publishing
Book: Information Security Education. Information Security in Action
Print ISBN: 978-3-030-59290-5

Electronic ISBN: 978-3-030-59291-2

Copyright Year: 2020
DOI: https://doi.org/10.1007/978-3-030-59291-2_8

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner