Risk and the small-scale cyber security decision making dialogue — a UK case study

Journal article

Despite a long-standing understanding that developments in personal and cloud computing practices would change the way we approach security, small-scale IT users (SSITUs) remain ill-served by existing cyber security practices. This paper discusses results from a survey that considered (in part) cyber security decisions made by SSITUs. We determine that: SSITUs are focusing on easy-to-implement technical measures, leading to a disconnect between the security implemented and any risks identified; available resources, knowledge, prioritisation of business processes, reduced system control and a lack of threat intelligence all combine to limit the ability to make cyber security decisions; and assessing risk in SSITUs will not lead to sufficient investment to mitigate risks for risk-holding stakeholders in the supply chain. We conclude that the constraints faced by SSITUs have far greater impact on the decisions they make than either our risk-holding, or security- providing, participants may have anticipated. Any limitations faced by SSITUs as they make their security decisions will have a significant impact on both the measures they are able to apply and the security of the supply chain as a whole.

Authors: Osborn, E; Simpson, A

• Publication status: Published
• Peer review status: Peer reviewed
• Publisher: Oxford University Press
• Journal: Computer Journal
• Volume: 61
• Issue: 4
• Pages: 472–495
• Publication date: 2017-09-28
• Acceptance date: 2017-07-27
• DOI: 10.1093/comjnl/bxx093
• EISSN: 1460-2067
• ISSN: 0010-4620
• Keywords: cyber security; decision making; home users; supply chain; charity; risk management; SME