The growing number of cyberspace threats highlights the need to evaluate cybersecurity risks and to plan for effective investments. One internationally recognized document for cybersecurity risk management is the Framework for Improving Critical Infrastructure Cybersecurity by the US National Institute of Standards and Technology (NIST). It provides guidelines, best practices and standards for cybersecurity risk management. Nevertheless, like other self-assessment frameworks, it produces a static view of an organization's cyber posture and does not capture the dynamics of organizational changes and cyberattacks. Moreover, small and medium enterprises (SMEs) are currently in a critical position, since they need to manage their cybersecurity while usually not being skilled or equipped enough to internalize this process. Therefore, there is a need for a practical and easily applicable model able to identify a cybersecurity risk profile and its dynamics. This study proposes a system dynamics methodology and tool (SMECRA - SME Cyber Risk Assessment) for supporting cybersecurity investment decisions for SMEs through the evaluation of cyber risk and previous investments. SMECRA addresses dynamic organizational complexity and can be used to assess cyber risks and related dynamics over time. Three case studies demonstrate its capability to assess an SME's cybersecurity status and to evaluate the impact of investments on an organization's risk profile, raising cybersecurity awareness. This study is important for SMEs wishing to manage their own cybersecurity risk and for insurance companies in their economic evaluation of residual risks that SMEs wish to externalize.

A dynamic simulation approach to support the evaluation of cyber risks and security investments in SMEs / Armenia, S.; Angelini, M.; Nonino, F.; Palombi, G.; Schlitzer, M. F.. - In: DECISION SUPPORT SYSTEMS. - ISSN 0167-9236. - 147:(2021), pp. 1-14. [10.1016/j.dss.2021.113580]

A dynamic simulation approach to support the evaluation of cyber risks and security investments in SMEs

Armenia S.; Angelini M.; Nonino F.; Palombi G.
2021

Cybersecurity; Modeling & simulation; Risk assessment; Risk management; SME; System dynamics
01 Journal publication::01a Journal article
Files attached to this record

File: Armenia_A-dynamic_2021.pdf
Access: archive managers only
Type: Publisher's version (published version with the publisher's layout)
License: All rights reserved
Size: 2.87 MB
Format: Adobe PDF


Use this identifier to cite or link to this document: https://hdl.handle.net/11573/1554749
Citations
  • PMC: ND
  • Scopus: 64
  • ISI: 40