Campus Access Only
All rights reserved. This publication is intended for use solely by faculty, students, and staff of Nova Southeastern University. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, now known or later developed, including but not limited to photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the author or the publisher.
Date of Award
Doctor of Philosophy (PhD)
College of Computing and Engineering
A cyber-attack can become costly if small businesses are not prepared to protect their information systems or lack the ability to recover from a cybersecurity incident. Small businesses that are not ready to deal with cyber threats are risking significant disruption and loss. In many cases the small business decision makers, owners or managers, do not have a strategy to improve their cybersecurity posture despite the known risk to their business. This research study focused on the relationship between two constructs that are associated with readiness and resilience of small businesses based on their cybersecurity planning, implementation, as well as response and recovery activities. An empirical assessment was conducted on small businesses’ level preparedness relative to their decision makers’ perceived risk of cyber-attack (perceived likelihood x perceived impact).
Subject matter experts (SMEs) were used to validate a set of cybersecurity preparedness activities for the construct of cybersecurity preparedness. The SMEs approved 70 cybersecurity preparedness activities among the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework to assess the level of cybersecurity preparedness of small businesses. The SMEs then assigned weights to the validated preparedness activities to enable an aggregated benchmark cybersecurity preparedness score (CPS). The construct the decision maker’s perceived risk of cyberattack (DMPRCA) was updated with a set of common cyber threat vectors and using simple definitions from the SMEs.
A Cybersecurity Preparedness-Risk Taxonomy (CyPRisT) was then developed using the theoretical foundation of prospect theory and status quo bias. The four quadrants of cybersecurity risk postures were defined as indifference, susceptible, aversive, and strategic. The aggregated scores of CPSs and DMPRCA were positioned on the CyPRisT for each of the 216 small businesses who participated in this study. Statistical differences were found in the CPSs and DMPRCA by demographics industry, size (number of employees), and Information Technology (IT) budget (%). The findings of the quantitative analysis are presented along with the position on the CyPRisT for each demographic indicator of the businesses.
The Cybersecurity Assessment of Risk Management to optimize Readiness and Resilience (cyberARMoRR) program for small businesses was developed as a cybersecurity strategy planning guide and collection of resources. The cyberARMoRR program was administered to 50 small business decision makers. The CPSs and DMPRCA were evaluated before and after participation in cyberARMoRR program and positioned on the CyPRisT to assess differences in the small businesses’ cybersecurity posture. The results of the paired sample t-test showed no significant differences between the pretest and posttest groups. However, there was an observed increase in both the CPSs and DMPRCA that moved the position toward the risk-aversive quadrant of the CyPRisT.
An analysis of the empirical data was conducted on the cybersecurity preparedness activities that participants identified as most challenging to implement and their explanations of why. Data were collected from 15 semi-structured interviews and 50 surveys with five open-ended questions, one per each function of the NIST Cybersecurity Framework. A two-cycle thematic analysis was performed using the responses that described the challenges of cybersecurity preparedness activities. The results of the qualitative analysis suggest that small business decision makers are more likely to improve their ability to mitigate cyber threats when the applicable technologies are uncomplicated, technical expertise is accessible, and cybersecurity educational material is easy to understand. The small business owners and managers also indicated that the cybersecurity preparedness activities are more attainable when the demand of their time did not change their focus away from business operations. Conversely, the small businesses that were able to improve their cybersecurity posture had committed to incorporating many of the cybersecurity preparedness activities into their routine business processes, such as allocating a budget for cybersecurity and performing vulnerability assessments. The effects of prospect theory and status quo bias are discussed in the context of the CyPRisT positions for the small businesses.
Darrell Eilts. 2020. An Empirical Assessment of Cybersecurity Readiness and Resilience in Small Businesses. Master's thesis. Nova Southeastern University. Retrieved from NSUWorks, College of Computing and Engineering. (1106)