Summary: The constantly evolving cyber threat landscape is a persistent problem for today's companies. This is especially true for Small and Medium-sized Enterprises (SMEs): they have limited resources with which to face the threats but, as a group, represent a large and attractive target for cybercriminals. Moreover, the risk of cyber incidents does not stem from cybercriminals alone; incidents can originate from multiple sources, such as human error or system failure. In any case, the costs of these cyber incidents are high and can considerably affect SMEs.
On the other hand, the traditional cybersecurity approach of protecting against known threats cannot keep pace with rapidly evolving technologies and threats. In this sense, this study argues that cyber resilience, a more holistic approach to cybersecurity, could help SMEs anticipate, detect, withstand, recover from and evolve after cyber incidents. However, operationalizing cyber resilience is not an easy task, since its broad scope and holistic, multidimensional nature require both technical and strategic knowledge and experience. Although the current literature on the operationalization of cyber resilience has widely covered the actions and areas of knowledge (often called policies and domains) required to operationalize it, their prioritization and specific implementation strategies are not clear. Moreover, the differences between the actions suggested by different authors require companies to select one approach and then prioritize its actions themselves, which in turn requires the decision-making capability, knowledge and experience to know what is best for the company. In SMEs this knowledge and experience may be absent, since in most cases cybersecurity is not the core of their business. This study therefore aims to facilitate the cyber resilience operationalization process for SMEs.
To achieve the goal of aiding SMEs in cyber resilience operationalization, this study presents an operationalization framework to help them prioritize the required cyber resilience policies and develop effective strategies to implement them. For this, the study presents a classification of the essential cyber resilience domains and policies required to operationalize cyber resilience in SMEs. Once these policies have been established, it also presents an implementation order for an effective cyber resilience operationalization. Moreover, the study presents example progressions for each policy in a progression model, so that companies can plan how to implement and later improve the required policies. These results are combined into a self-assessment tool and simulation models that companies can use in their decision-making process to take the findings of this study into account when operationalizing cyber resilience.