Systematic Approach to Cyber Resilience Operationalization in SMEs

Carias, Juan Francisco; Borges, Marcos R. S.; Labaka, Leire; Arrizabalaga, Saioa; Hernantes, Josune

doi:10.1109/access.2020.3026063

Cited by 25 publications

(49 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Information security management is a crucial challenge for the companies, as they aim to prevent the exposure to security and privacy threats to information systems and networking infrastructure. Although many of SMEs may have a minimal IT infrastructure to fight cyberattacks [13,14], they can act on a preliminary phase in order to gradually improve their security level. Therefore, organisations must ensure that their businesses processes, policies, and workforce behaviour allow them to minimize and mitigate some of the risks that are involved in their information systems and IT infrastructures [15,16].…”

Section: Information Security Management and Cybersecuritymentioning

confidence: 99%

Information Security and Cybersecurity Management: A Case Study with SMEs in Portugal

Antunes

Maximiano

Gomes

et al. 2021

JCP

View full text Add to dashboard Cite

Information security plays a key role in enterprises management, as it deals with the confidentiality, privacy, integrity, and availability of one of their most valuable resources: data and information. Small and Medium-sized enterprises (SME) are seen as a blind spot in information security and cybersecurity management, which is mainly due to their size, regional and familiar scope, and financial resources. This paper presents an information security and cybersecurity management project, in which a methodology based on the well-known ISO-27001:2013 standard was designed and implemented in fifty SMEs that were located in the center region of Portugal. The project was conducted by a business association located at the center of Portugal and mainly participated by SMEs. The Polytechnic of Leiria and an IT auditing/consulting team were the other two entities that participated on the project. The characterisation of the participating enterprises, the ISO-27001:2013 based methodology developed and implemented in SMEs, as well as the results obtained in this case study, are depicted and analysed in the paper. The attained results show a clear benefit to the audited and intervened SMEs, being mainly attested by the increasing of their information security management robustness and collaborators’ cyberawareness.

show abstract

Section: Information Security Management and Cybersecuritymentioning

confidence: 99%

Information Security and Cybersecurity Management: A Case Study with SMEs in Portugal

Antunes

Maximiano

Gomes

et al. 2021

JCP

View full text Add to dashboard Cite

show abstract

“…For instance, there are several frameworks that often include domains and policies to guide companies on what is needed in order to operationalize cyber resilience [8], [12]- [15]. Although these frameworks are sometimes comparable, they are often not completely equivalent to each other and offer nuances that can be important for certain companies, but might be too advanced for others, such as SMEs [7]. Similarly, standards can help companies in their cyber resilience operationalization.…”

Section: State Of the Artmentioning

confidence: 99%

“…To compare these documents and their ability to aid SMEs in the cyber resilience operationalization, they needed to be compared on their ability to help companies determine their current cyber resilience state, define improvement actions and prioritize them. These documents were all selected based on the criterion of defining a set of policies to operationalize cyber resilience [7], and therefore they all are able to aid companies in the definition of improvement actions. Thus, the comparison in this article focused on these tools' abilities to aid companies in the assessment of their current state and on the prioritization of the improvement actions they defined.…”

Section: State Of the Artmentioning

confidence: 99%

“…These simple representations of the progression or scaling of cyber resilience policies could help SMEs easily identify with one of the maturity states and easily be able to define improvement actions based on their current state. • Finally, the tool should have a way to prioritize these actions so that the company is able to effectively operationalize cyber resilience [7], [21]. As shown in the table, there are no tools or documents specifically targeted for SMEs.…”

Section: State Of the Artmentioning

confidence: 99%

“…However, the apparently slight change of perspective from cybersecurity to cyber resilience brings several consequences for companies trying to operationalize it. Recent research has defined the dimensions (or domains) and actions (or policies) that need to be understood and implemented for an SME to be cyber resilient [7]. These dimensions and policies include technical solutions, but also governance, risk management, personnel training and awareness, etc.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Cyber Resilience Self-Assessment Tool (CR-SAT) for SMEs

et al. 2021

Self Cite

View full text Add to dashboard Cite

On the current environment, companies face risks and threats to the systems they need to operate often known as cyber threats. Most of these companies are small and medium-sized enterprises (SMEs) and they are exposed to these cyber threats. To mitigate the risks and be able to thrive with as little disruption as possible, SMEs require cyber resilience capabilities. However, due to their limited resources, SMEs usually have no dedicated personnel for cyber resilience operationalization and thus lack the experience this discipline requires to implement. To aid SMEs in their cyber resilience operationalization, the current literature offers several kinds of solutions, but these solutions are usually targeted for companies with more resources than SMEs and do not aid in the complete process of assessing their current cyber resilience, deciding actions to improve it and prioritizing these actions. To aid companies in this systematic process to operationalize or implement cyber resilience, this article develops and tests an operational webbased tool in which companies can follow the complete process described before. To achieve this, a cyber resilience framework with the essential policies for SMEs, descriptions of their natural progressions in a progression model and a prioritization of these policies have been developed. In this article, this framework, progression model and prioritization are later transformed into one cyber resilience self-assessment tool (CR-SAT) and are tested in three case studies to qualitatively evaluate the tool by trying to ascertain its usefulness and completeness as well as improving it with the feedback from the end-users.

show abstract