- Related item:
- On small-scale IT users' system architectures and cyber security: A UK case study
- Description:
Despite long-standing predictions that developments in, for example, personal and cloud computing practices would change the ways in which we approach security, small-scale IT users (SSITUs) remain ill-served by existing cyber security practices. Following an extensive study of the adoption of cyber security in UK-based SSITUs, this paper discusses results pertaining to technologies employed by such organisations, with respect to their ability to apply security measures. We determine: that the system architectures employed by SSITUs are significantly different from those employed by large corporate or government entities; that the architecture of a small organisation's digital footprint has far more impact on their overall security than would be the case for a large organisation; and that SSITUs do not hold sufficient influence within the supply chain to manage cyber security in their interactions with service providers. We show that improving small-scale cyber security architectures is not simply about developing new technology; rather, there are additional needs to consider, including technology use in the context of interactions that occur within a broader ecosystem of a supply chain, users with multiple roles, and the impact of the digital footprint on security.
- Related item:
- Small-Scale Cyber Security
- Description:
The nature of cyberspace continues to evolve, and so do the associated threats. The focus of the cyber security industry is typically (and understandably) on high-value assets. However, there is a large user group intersecting with corporate and government IT users, which lacks the resources -- in terms of finance, time and/or knowledge -- to deal with the threats that they face. We argue that greater attention needs to be given to this user group, differentiating these small-scale IT users when thinking about cyber security. Going further, we argue that it is essential that the research community starts to give consideration to what we term Small-Scale Cyber Security. To this end, we describe the results of an initial feasibility study, as well as a research agenda for tackling this cross-disciplinary problem.
- Related item:
- Business versus technology: Sources of the perceived lack of cyber security in SMEs
- Description:
There is increasing concern about the standard of cyber security in SMEs, voiced by governments and the large companies who interface with them, yet many past initiatives seem to have failed to have a significant impact on the sector. In this paper, we report upon a study in which Small and Medium Enterprises (SMEs) were surveyed to establish what barriers they might face in terms of cyber security. The results were combined with publicly available information to identify how stakeholders in the SME cyber security ecosystem interact, and establish whether the perceived lack of uptake of cyber security measures in SMEs was accurate. The paper concludes by discussing how the refined understanding of the barriers faced by SMEs might influence development of future SME security solutions.
- Related item:
- Risk and the Small-Scale Cyber Security Decision Making Dialogue—a UK Case Study
- Description:
Despite a long-standing understanding that developments in personal and cloud computing practices would change the way we approach security, small-scale IT users (SSITUs) remain ill-served by existing cyber security practices. This paper discusses results from a survey that considered (in part) cyber security decisions made by SSITUs. We determine that SSITUs are focusing on easy-to-implement technical measures, leading to a disconnect between the security implemented and any risks identified; available resources, knowledge, prioritization of business processes, reduced system control and a lack of threat intelligence all combine to limit the ability to make cyber security decisions; and assessing risk in SSITUs will not lead to sufficient investment to mitigate risks for risk-holding stakeholders in the supply chain. We conclude that the constraints faced by SSITUs have far greater impact on the decisions they make than either our risk-holding, or security-providing, participants may have anticipated. Any limitations faced by SSITUs as they make their security decisions will have a significant impact on both the measures they are able to apply and the security of the supply chain as a whole.