Automating the Communication of Cybersecurity Knowledge: Multi-case Study
2020 (English)In: IFIP Advances in Information and Communication Technology / [ed] Drevin L.,Von Solms S.,Theocharidou M., Springer Science and Business Media Deutschland GmbH , 2020, Vol. 579, p. 110-124Conference paper, Published paper (Refereed)
Abstract [en]
Cybersecurity is essential for the protection of companies against cyber threats. Traditionally, cybersecurity experts assess and improve a company’s capabilities. However, many small and medium-sized businesses (SMBs) consider such services not to be affordable. We explore an alternative do-it-yourself (DIY) approach to bringing cybersecurity to SMBs. Our method and tool, CYSEC, implements the Self-Determination Theory (SDT) to guide and motivate SMBs to adopt good cybersecurity practices. CYSEC uses assessment questions and recommendations to communicate cybersecurity knowledge to the end-user SMBs and encourage self-motivated change. In this paper, the operationalisation of SDT in CYSEC is presented and the results of a multi-case study shown that offer insight into how SMBs adopted cybersecurity practices with CYSEC. Effective automated cybersecurity communication depended on the SMB’s hands-on skills, tools adaptedness, and the users’ willingness to documenting confidential information. The SMBs wanted to learn in simple, incremental steps, allowing them to understand what they do. An SMB’s motivation to improve security depended on the fitness of assessment questions and recommendations with the SMB’s business model and IT infrastructure. The results of this study indicate that automated counselling can help many SMBs in security adoption. © 2020, IFIP International Federation for Information Processing.
Place, publisher, year, edition, pages
Springer Science and Business Media Deutschland GmbH , 2020. Vol. 579, p. 110-124
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238
Keywords [en]
Capability assessment and improvement, Cybersecurity, Do-it-yourself, Multi-case study, Small and medium-sized businesses, Information technology, Business modeling, Confidential information, Cyber security, Cyber threats, Do it yourself, IT infrastructures, Self-determination theories, Small and medium sized business, Security of data
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:bth-20561DOI: 10.1007/978-3-030-59291-2_8Scopus ID: 2-s2.0-85092115002ISBN: 9783030592905 (print)OAI: oai:DiVA.org:bth-20561DiVA, id: diva2:1477548
Conference
13th IFIP WG 11.8 World Conference on Information Security Education, WISE 2020, Maribor, Slovenia, 21 September 2020 through 23 September 2020;
Funder
EU, Horizon 2020, 740787
Note
open access
2020-10-192020-10-192022-05-04Bibliographically approved