toplogo
サインイン

A Dissertation Exploring Threat Modeling Frameworks and Developing a Web-Based Tool for Micro Businesses


核心概念
Micro businesses (MBs) face unique challenges in implementing cybersecurity due to limited resources and technical expertise, necessitating a non-technical, asset-centric threat modeling framework and an accompanying web-based tool to bridge this gap.
要約

Research Paper Summary

Bibliographic Information: Getir, E. (2024). Development of a threat modelling framework and a web-based threat modelling tool for micro businesses. [Master's Dissertation, University of Essex Online].

Research Objective: This dissertation investigates the challenges micro businesses face in threat modeling and aims to develop a non-technical threat modeling framework and a web-based tool to address these challenges. The research seeks to answer three key questions:

  1. Are existing threat modeling frameworks applicable to micro businesses?
  2. Are there relevant aspects of existing frameworks applicable to micro businesses?
  3. Is it possible to design a non-technical framework and tool for micro business owners to model cybersecurity threats without prior expertise?

Methodology: The study employs a seven-step qualitative methodology:

  1. Literature review on cybersecurity in micro businesses.
  2. Initial qualitative survey of micro business owners/managers on their cybersecurity practices and challenges.
  3. Analysis of survey results to identify problem areas in threat modeling.
  4. Identification of relevant aspects of existing threat modeling frameworks for micro businesses.
  5. Design of a non-technical, asset-centric threat modeling framework.
  6. Development of a web-based threat modeling tool based on the framework.
  7. Follow-up survey to assess the perception and impact of the new tool on micro businesses.

Key Findings:

  • Existing threat modeling frameworks are generally too technical for micro business owners.
  • An asset-centric, inside-out approach is more suitable for micro businesses.
  • A mnemonic framework can aid in raising awareness and creating a cybersecurity mindset.

Main Conclusions:

  • A non-technical, asset-centric threat modeling framework (SEANCE) is proposed, focusing on six hierarchical layers: Self, Employees, Assets, Network, Customers, and Environment.
  • A web-based tool based on the SEANCE framework is developed to facilitate its implementation and provide actionable recommendations.

Significance: This research contributes to the field by addressing the gap in threat modeling solutions specifically designed for micro businesses, empowering them to improve their cybersecurity posture.

Limitations and Future Research: The study is limited by the small sample size of the initial survey. Future research could focus on validating the framework and tool with a larger and more diverse sample of micro businesses. Additionally, exploring the integration of the tool with existing government-led cybersecurity initiatives could enhance its impact.

edit_icon

要約をカスタマイズ

edit_icon

AI でリライト

edit_icon

引用を生成

translate_icon

原文を翻訳

visual_icon

マインドマップを作成

visit_icon

原文を表示

統計
In 2023, 10% of MBs experienced a cyber-crime and 31% of the MBs have identified attacks or breaches. In 2024, 47% of MBs identified attacks or breaches. 95% of all businesses in the UK in 2022 were MBs. These businesses were also responsible for 19% of total turnover and 32% of total employment in the country in 2022. In the EU, MBs made up 94.1% of all businesses in 2023, generating 16.6% of total turnover and employing 30.1% of the total workforce.
引用

深掘り質問

How can government agencies and industry bodies collaborate to effectively promote the adoption of cybersecurity best practices among micro businesses?

Government agencies and industry bodies can play a crucial role in promoting cybersecurity best practices among micro businesses through a multi-pronged approach: 1. Develop Tailored Resources and Training: Simplified Guidance: Create easy-to-understand guides, checklists, and templates specifically designed for micro businesses with limited technical expertise. Utilize clear language, avoid jargon, and focus on practical steps. Industry-Specific Resources: Develop sector-specific cybersecurity resources that address the unique threats and vulnerabilities faced by businesses in different industries (e.g., retail, hospitality, professional services). Accessible Training Programs: Offer affordable or subsidized cybersecurity awareness training programs tailored for micro business owners and employees. These programs should cover basic concepts, common threats, and practical mitigation strategies. 2. Provide Incentives and Support: Financial Assistance: Offer grants, subsidies, or tax breaks to micro businesses for implementing cybersecurity measures, such as purchasing security software, conducting vulnerability assessments, or obtaining cybersecurity certifications. Cybersecurity Insurance Guidance: Provide clear and concise information about cybersecurity insurance options tailored for micro businesses, including coverage details, costs, and benefits. Mentorship and Support Networks: Establish mentorship programs or peer-to-peer networks that connect micro business owners with cybersecurity experts or experienced business leaders who can provide guidance and support. 3. Raise Awareness and Build a Security Culture: Targeted Awareness Campaigns: Launch public awareness campaigns specifically targeting micro businesses, highlighting the importance of cybersecurity and the potential consequences of cyberattacks. Success Stories and Case Studies: Share real-life examples of micro businesses that have successfully implemented cybersecurity measures and the positive impact it has had on their operations. Collaboration with Business Associations: Partner with industry associations and chambers of commerce to disseminate cybersecurity information and resources to their micro business members. 4. Foster Collaboration and Information Sharing: Cybersecurity Threat Information Sharing Platforms: Establish platforms or forums where micro businesses can share information about cyber threats, vulnerabilities, and best practices. Joint Exercises and Simulations: Conduct tabletop exercises or simulations involving government agencies, industry experts, and micro businesses to test incident response plans and improve cyber resilience. By working together, government agencies and industry bodies can create a supportive ecosystem that empowers micro businesses to prioritize and implement effective cybersecurity measures.

Could focusing solely on an asset-centric approach limit the identification of potential threats originating from less tangible aspects of a micro business, such as its online presence or social media activity?

Yes, relying solely on an asset-centric approach to threat modeling can create blind spots and limit the identification of potential threats stemming from less tangible aspects of a micro business, such as: Online Presence: An asset-centric approach might overlook threats related to the business's website, e-commerce platform, or online payment processing systems. These could include website vulnerabilities, DDoS attacks, phishing campaigns targeting customers, or data breaches affecting customer data stored online. Social Media Activity: Threats related to social media accounts, such as impersonation, social engineering scams, or brand reputation damage through negative reviews or comments, might be missed. Third-Party Risks: An asset-centric focus might not adequately address risks associated with third-party vendors or service providers that handle sensitive business or customer data. Data Flow and Storage: While identifying physical assets is important, understanding how data flows within the organization, including online interactions and data storage practices (cloud vs. local), is crucial for identifying data breach risks. To mitigate these limitations, a more holistic threat modeling approach is recommended, incorporating elements of: Attacker-Centric Thinking: Consider the motivations, tactics, and techniques of potential attackers targeting micro businesses in your industry. Data-Centric Security: Prioritize the protection of sensitive data, regardless of its location (physical or digital) or format. Threat Intelligence: Stay informed about emerging threats and vulnerabilities relevant to your industry and online activities. By combining asset-centric thinking with these broader perspectives, micro businesses can develop a more comprehensive understanding of their threat landscape and implement appropriate security controls.

How can the principles of this threat modeling framework be adapted and applied to promote a security-conscious mindset in other aspects of a micro business owner's life, beyond cybersecurity?

The SEANCE framework's principles, designed for cybersecurity, can be adapted to cultivate a security-conscious mindset in other areas of a micro business owner's life: 1. Self (Personal Security): Awareness: Just as in cybersecurity, personal security starts with awareness. Be mindful of surroundings, potential risks (theft, scams), and online safety practices. Physical Security: Implement basic physical security measures at home and while traveling, such as strong locks, alarm systems, and being cautious about sharing personal information. Digital Hygiene: Practice good digital hygiene by using strong passwords, being wary of phishing attempts, and limiting the personal information shared online. 2. Employees (Workplace Safety): Safety Culture: Foster a safety-conscious culture at the workplace by implementing clear safety protocols, providing regular training, and encouraging employees to report potential hazards. Ergonomics and Well-being: Prioritize employee well-being by ensuring ergonomic workstations, promoting mental health awareness, and addressing workplace stress. Emergency Preparedness: Develop and practice emergency response plans for various scenarios, such as fire, natural disasters, or medical emergencies. 3. Assets (Financial and Physical): Financial Planning: Just as you protect digital assets, safeguard financial well-being through budgeting, saving, and investing wisely. Insurance Coverage: Ensure adequate insurance coverage for personal and business assets, including health, property, and liability insurance. Physical Asset Protection: Implement measures to protect physical assets, such as inventory management systems, security cameras, and access control systems. 4. Network (Personal and Professional Relationships): Trust and Boundaries: Be mindful of building trust in personal and professional relationships, setting healthy boundaries, and being cautious about sharing sensitive information. Reputation Management: Cultivate a positive online and offline reputation by being mindful of your actions and interactions. Support System: Build a strong support network of family, friends, and mentors who can provide guidance and support during challenging times. 5. Customers (Client and Customer Relationships): Data Privacy: Extend the principle of data privacy beyond cybersecurity to all customer interactions, handling personal information responsibly and transparently. Ethical Business Practices: Operate with integrity and transparency, building trust and loyalty with customers. Customer Service: Prioritize excellent customer service, addressing concerns promptly and professionally. 6. Environment (Community and Sustainability): Social Responsibility: Promote social responsibility by supporting local initiatives, minimizing environmental impact, and operating ethically. Sustainability Practices: Implement sustainable business practices, such as reducing waste, conserving energy, and promoting recycling. Community Engagement: Engage with the local community, supporting local businesses and contributing to the well-being of the community. By adapting the SEANCE framework's principles to these broader aspects of life, micro business owners can develop a proactive and security-conscious mindset that extends beyond cybersecurity, contributing to their overall well-being and success.
0
star