Abstract

The growing amount of cyberspace threats highlights the need to evaluate cybersecurity risks and to plan for effective investments. One internationally recognized document for cybersecurity risk management is the framework for Improving Critical Infrastructure Cybersecurity by the US National Institute of Standards and Technology (NIST). It provides guidelines, best practices and standards for cybersecurity risk management. Nevertheless, as other self-assessment frameworks, it produces a static view of an organization's cyber posture and does not capture the dynamics of organizational changes and cyberattacks. Moreover, the current situation sees small and medium enterprises (SMEs) in a critical position since they need to manage their cybersecurity while usually not being skilled or equipped enough to internalize this process. Therefore, there is a need for a practical and easily applicable model able to identify a cybersecurity risk profile and its dynamics. This study proposes a system dynamics methodology and tool (SMECRA - SME Cyber Risk Assessment) for supporting cybersecurity investment decisions for SMEs through the evaluation of cyber risk and previous investments. SMECRA addresses dynamic organizational complexity and can be used to assess cyber risks and related dynamics over time. Three case studies demonstrate its capability to assess a SME's cybersecurity status and to evaluate investments impacts on an organization's risk profile, raising cybersecurity awareness. This study is important for SMEs wishing to manage their own cybersecurity risk and for insurance companies in their economic evaluation of residual risks that SMEs wish to externalize.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.