A framework for the planning and management of cybersecurity projects in small and medium-sized enterprises

Authors

DOI:

https://doi.org/10.5585/gep.v13i3.23083

Keywords:

Cybersecurity, Risk management, Cost management, Project management.

Abstract

Cybersecurity remains one of the key investments for companies that want to protect their business in a digital era. Therefore, it is essential to understand the different steps required to implement an adequate cybersecurity strategy, which can be viewed as a cybersecurity project to be developed, implemented, and operated. This article proposes SECProject, a practical framework that defines and organizes the technical and economics steps required for the planning and implementation of a cost-effective cybersecurity strategy in Small and Medium-sized Enterprises (SME). As novelty, the SECProject framework allows for a guided and organized cybersecurity planning that considers both technical and economical elements needed for an adequate protection. This helps even companies without technical expertise to optimize their cybersecurity investments while reducing their business risks due to cyberattacks. In order to show the feasibility of the proposed framework, a case study was conducted within a Swiss SME from the pharma sector, highlighting the information and artifacts required for the planning and deployment of cybersecurity strategies. The results show the benefits and effectiveness of risk and cost management as a key element during the planning of cybersecurity projects using the SECProject as a guideline.

Author Biography

Muriel Figueredo Franco, University of Zurich – UZH – Communication Systems Group.

Muriel Franco is a Junior Researcher and PhD student in Computer Science at University of Zuririch UZH, Switzerland, within the Communication Systems Group CSG of the Department of Informatics IfI. Since September 2018 Muriel is working in Zurich on cybersecurity, economics, blockchains, Software-defined Networking (SDN), and Network Function Virtualization (NFV), participating and driving the work of the CONCORDIA project within a team of networking, security, and economic researchers. Besides that, from 2017 to 2020, Muriel developed jointly a federated ecosystem for offering, distributing, and execution of Virtual Network Functions (FENDE project). Muriel holds an MSc from 2017 in Computer Science from the Federal University of the Rio Grande do Sul UFRGS, Brazil, and obtained a BSc from 2014 in Computer Science from the Federal University of Pelotas UFPEL, Brazil.

References

Behnia, A.; Rashid, R.; Chaudhry, J. (2012). A Survey of Information Security Risk Analysis Methods. Smart Computing Review, Vol. 2, No. 1: 79-94.

Cairns-Lee, H.; Lawley, J.; Tosey, P. (2022). Enhancing Researcher Reflexivity About the Influence of Leading Questions in Interviews. The Journal of Applied Behavioral Science, 58(1): 164–188.

CONCORDIA Consortium. (2022). Deliverable D4.3: 3rd Year Report on Cybersecurity Threats. Available at https://www.concordia-h2020.eu/wp-content/uploads/2022/07/CONCORDIA-D4.3.pdf. Accessed on: October 14 2022.

Cybersecurity Ventures. (2020). Cybercrime to Cost The World $10.5 Trillion Annually By 2025. Available at https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021. Accessed on: 18 April 2022.

Cynet. (2021). Survey of CISOs with Small Cyber Security Teams. Available at https://hubs.ly/H0FrnJ40.Accessed on: 18 April 2022.

European Digital Alliance. (2020). Skills for SMEs: Cybersecurity, Internet of things and Big Data for Small and Medium-sized Enterprise. European Commission, Brussels, Belgium.

European Watch on Cybersecurity & Privacy. (2021). Cybersecurity Label. Available at https://label.cyberwatching.eu/. Accessed on: October 24, 2022.

ENISA - European Union Agency for Cybersecurity. (2021). Cybersecurity for SMEs: Challenges and Recommendations. Available at https://www.enisa.europa.eu/publications/enisa-report-cybersecurity-for-smes. Accessed on: October 12 2022.

Fielder, A.; König, S.; Panaousis, E; Schauer, S; Rass, S. (2018). Risk Assessment Uncertainties in Cybersecurity Investments. MDPI Games, Vol. 9, No. 2: 1-14.

Franco, M.; Rodrigues, B.; Stiller, B. (2019). MENTOR: The Design and Evaluation of a Protection Services Recommender System. In:15th International Conference on Network and Service Management (CNSM 2019), Halifax, Canada, October 2019, p. 1-8.

Franco, M.; Sula, E.; Rodrigues, B.; Scheid, E.; Stiller, B. (2020). ProtectDDoS: A Platform for Trustworthy Offering and Recommendation of Protections. In: International Conference on Economics of Grids, Clouds, Software and Services (GECON 2020), Izola, Slovenia, September 2020, p. 1–12.

Franco, M.; Lacerda, F. M. (2021). SECProject: A Framework for the Assessment and Management of Cybersecurity Projects in Small and Medium-Sized Enterprises. MBA Report, University of São Paulo, ESALQ/PECEGE, Piracicaba, São Paulo, Brazil. Available at https://figueredofranco.com/static/files/MBA-M-Franco.pdf. Accessed on: November 10 2022.

Franco, M. F.; Sula, E.; Scheid, E.; Granville, L. Z.; Stiller, B. (2022). SecRiskAI: a Machine Learning-based Approach for Cybersecurity Risk Prediction in Businesses, In: 24th IEEE International Conference on Business Informatics, Amsterdam, Netherlands, June 2022, p. 1-10.

Franco, M. (2023). CyberTEA: a Technical and Economic Approach for Cybersecurity Planning and Investment, PhD Thesis, University of Zurich, Zurich, Switzerland, February 2023.

Freiburg School of Management. (2019). Swiss International Entrepreneurship Survey: Results of the Study on the Internationalization of Swiss SMEs. Available at https://www.heg-fr.ch/media/mgkmsc4s/sies-report-2019_en.pdf. Accessed on: October 10 2022.

Flyvbjerg, B. (2006). Five Misunderstandings About Case-Study Research. Qualitative Inquiry, Vol. 12, No. 2: p. 1-27.

Gordon, L.; Loeb, M. (2002). The Economics of Information Security Investment. ACM Transactions on Information and System Security: 438-457.

Gordon, L.; Loeb, M.; Zhou, L. (2021). Investing in Cybersecurity: Insights from the Gordon-Loeb Model. Journal of Information Security: 49-59.

Harrison, H.; Birks, M.; Franklin, B.; Mills, J. (2017). Case Study Research: Foundations and Methodological Orientations. Qualitative Social Research, Vol. 18, No. 1: 1-17.

Hofmann, A. (2019). Security Analysis of the Blockchain Agnostic Framework Prototype. Independent Study, University of Zurich, Communication Systems Group, Department of Informatics, Zurich, Switzerland.

IBM Security, Ponemon Institute. (2020). Cyber Resilient Organization Report. Available at https://www.ibm.com/security/digital-assets/soar/cyber-resilient-organization-report/. Accessed on: August 2, 2022.

Kaspersky. (2020). Investment Adjustment: Aligning IT Budgets with Changing Security Priorities. Available at https://media.kaspersky.com/en/business-security/Kaspersky_IT%20Security%20Economics%202020_Executive%20Summary.pdf. Accessed on: June 14 2021.

Lee, I. (2021). Cybersecurity: Risk Management Framework and Investment Cost Analysis. Business Horizons: 1-34.

Lima, M. C. R.; Goussi, S. G.; Costa Borba, M.; Marinho, M. L. M. (2022). Management of Uncertainty in Projects and Its Strategies, Revista Visão: Gestão Organizacional: 48-61.

Liu, L.; De Vel, O.; Han, Q.; Zhangm, J.; Xiang, Y. (2018). Detecting and Preventing Cyber Insider Threats: A Survey. IEEE Communications Surveys & Tutorials: 1390-1417.

Matejka, V.; Soto, J.; Franco, M. (2021). A Framework for the Definition and Analysis of Cyber Insurance Requirements. Master Project, University of Zurich, Communication Systems Group, Department of Informatics, Zurich, Switzerland.

National Institute of Standards and Technology (NIST). (2018). Framework for Improving Critical Infrastructure Cybersecurity. Available at https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf. Accessed on: October 24 2022.

Qu, S. Q.; Dumay, J. (2011). The Qualitative Research Interview. Qualitative Research in Accounting & Management, 8(3): 238-264.

Presley, S.; Landry, J. (2016). A Process Framework for Managing Cybersecurity Risks in Projects. In: 19th Southern Association for Information Systems (SAIS 2016), Florida, USA, p. 1-4.

Project Management Institute. (2017). A Guide to the Project Management Body of Knowledge (PMBOK guide). 6th edition, Project Management Institute, Pennsylvania, USA.

Rodrigues, B.; Franco, M.; Parangi, G.; Stiller, B. (2019). SEConomy: A Framework for the Economic Assessment of Cybersecurity. In: 16th Conference on the Economics of Grids, Clouds, Systems, and Services (GECON 2019). Springer LNCS, Leeds, UK, p. 1-13.

Ross, A. (2001). Why Information Security is Hard - An Economic Perspective. In: 17th Annual Computer Security Applications Conference, New Orleans, USA, p. 358-365.

Ross, A.; Moore, T. (2006). The Economics of Information Security. Journal of Science, Vol. 314, Issue 5799: 610-613.

Sato, H.; Tanimoto, S.; Kanai, A. (2020). Risk Breakdown Structure and Security Space for Security Management. In: IEEE International Conference on Service Oriented Systems Engineering (SOSE), Oxford, UK, p. 7-16.

Sonnenreich, W.; Albanese, J.; Stout, B. (2005). Return On Security Investment (ROSI): A Practical Quantitative Model. Journal of Research and Practice in Information Technology: 239-252.

Swiss SME Portal. (2021). Figures on SMEs: Companies and Jobs. Available at https://www.kmu.admin.ch/kmu/en/home/facts-and-trends/facts-and-figures/figures-smes/companies-and-jobs.html. Accessed on: October 12 2022.

Teufel, S.; Teufel, B.; Aldabbas, M.; Nguyen, M. (2020). Cyber Security Canvas for SMEs. In: 19th Internacional Information Security Conference (ISSA 2020), Springer, Pretoria, South Africa, p. 20-33.

Von der Assen, J.; Franco, M. F.; Killer, C.; Scheid, E. J.; Stiller, B. (2022). CoReTM: An Approach Enabling Cross-Functional Collaborative Threat Modeling. In: IEEE International Conference on Cyber Security and Resilience, Rhodes, Greece, July 2022, p. 1-8.

Xiong, W.; and Lagerstrom, R. (2019). Threat Modeling - A Systematic Literature Review. Journal of Computers & Security, Vol. 84: 53-69.

Downloads

Published

2022-12-09

How to Cite

Figueredo Franco, M., Martins Lacerda, F., & Stiller, B. (2022). A framework for the planning and management of cybersecurity projects in small and medium-sized enterprises. Revista De Gestão E Projetos, 13(3), 10–37. https://doi.org/10.5585/gep.v13i3.23083