CRF

Question 1

when more is less

Answer 1

• “more is better” mentality for defending it systems - (multiple anti virus malware software conflict each other)
• often insufficient consideration of how different components in the overall system interact in complex ways
• new security controls may impact operation and functionality of existing defenses and mitigate their effect (use simplier passwords to remember them)
• Large organizations use an average of 47 different cybersecurity tools, and source them from an average of 10 different vendors this can create interoperability problems and can affect the products efficiency

Question 2

violation of information security policies

Answer 2

• many security breaches are a consequence of accidental employee policy violation (lack of awareness)
• policy design can impair behavior if policies are incompatible with or reduce efficiency of existing work practices and people prioritize work over security (group violates policy to work more efficiently)
• policies need to be practical and employee oriented tools

Question 3

sanctions and neutralization

Answer 3

• sanctions alone may be ineffective due to neutralization (formal (fine), informal (disapproval), shame) no effect in intention to violate
• Neutralization: finding reasons for justifying deviant behaviors (justifying why: believe they didn’t do harm)

Question 4

fatigue and habituation

Answer 4

neuroscientific perspective on security warning

• repetition of security warnings results in repetition suppression and ‘warning fatigue’ -> habituation (warnings ignoring)
• hence effectiveness of traditional security warnings is questionable
• polymorphic design (warning changes appearance attention rises)
• (changing security warnings) to reduce habituation

Question 5

are users more than just the weakest link

Answer 5

• users may be an important resource to information security by providing needed business knowledge that contributes to more effective security measures
• user participation in risk management also engages more protective actions
• buy-in: users begin to view the subject as personally important and relevant
• improved awareness: participation in risk management can lead to greater awareness
• business-alignment: security controls have greater alignment with business objectives/needs instead of being based on uninformed assumptions

Question 6

SMEs and IT security Investments

Answer 6

• Small and Medium sized companies make up over 90% of all companies globally
• > as the backbone of a country’s economy, sees are structurally different from large enterprises (they are not just ‘little big companies’
• > increasing investments in security: “In 2019, 23% of it budget within smbs was allocated to security, compared to 26% in 200”

decreasing it investments:

1. All over budget cuts
2. companies feel secure enough Unrealistic optimism (50 % say better than average with respect to skills)

Question 7

security between sees and large companies

Answer 7

problematic assumptions in information security research:

• > large enterprises can usually afford the ideas discussed in this course (dedicated security unit, CISO)
• > however these assumptions do not represent the reality of most smes

AIM: identify relevant sme constraints in an organizational it sec context and examine how these constraint influence it security investment decisions in smes

Question 8

Qualitative Study

Answer 8

interviews were recorded and transcribed

topics:
company profile: please provide you company and role

it security status quo: How would you rate it sec. awareness in your company

processes (How do you decide upon it sec investments)

stakeholder perspective: (which kind of external support do you consider regarding it security investments and implementation?

need for action: What need for action do you see in the are of it sec. especially for sees

Question 9

results: limited ressources

Answer 9

• limited budget: it security investments were seen as a strong cut
• limited time: dealing with it security was seen as an additional task that can only be performed by neglecting other important organizational duties
• limited knowhow: SMES do not employ and specialized it personnel with enough knowhow regarding it security

Question 10

Results: Low formalization level

Answer 10

-budget planing (lack thereof): no structured budget planning process in general or for it spending in particular

-multiple roles or responsibilities:
understaffing as a common feature in smes, so managing directors are additionally responsible for it and it security

-undocumented processes: non existent, undefinded or undocumented processes

Question 11

geographical insularity

Answer 11

• sourcing personnel; SMEs with more rural locations experienced difficulties to attract it personnel
• sourcing service providers: few expert in rural areas are often fully booked and cannot assist SME regarding IT security decisions

Question 12

strategic outlook

Answer 12

• Desicion makers in smes rather focused on short term success and neglected long term risks for their organizational it security
• Desicion makers might rely on their gut feeling due to the lack of information, knowhow, and time for decisions

Question 13

conslusion

Answer 13

non generaliazable assumptions and findings in the information security literature

• findings question assumptions commonly made by studies that implicitly consider smes as little big firms
• overlooked sme constraints in information security research such as limited resources low formalization, insularity, and others

practical implications

• resource constraint such as limited bought as an excuse to delay it security measures?
• documentation and formalization of processes ease the processes of decision making and lead to business sustaining investments in the long run