Strategic Cybersecurity Risk Management Practices for Information in Small and Medium Enterprises

Abstract

Over the past decade, the number of cyberattacks affecting United States small- and medium-sized enterprises (SMEs) has increased substantially; with an average per-breach loss of $500,000 USD. Cyber-breaches most often result in business closure within 6 months of the breach. A modified Delphi technique used with a 20-member panel of cybersecurity experts was conducted to discover ways SMEs could prevent these breaches. Using four sequential survey rounds sent using confidential SurveyMonkey links, information and cybersecurity experts shared their ideas about forward-looking practices for strategic cybersecurity risk management for SMEs and then, after data analysis reduction occurred, provided expert opinions regarding their level of agreement with and consensus regarding strategic, cybersecurity, risk-management practices for SMEs. The experts were located through the UserInterviews platform, and their credentials were validated using LinkedIn data. Both qualitative and quantitative analyses led to a final list of 20 practices that could protect and secure business information, organized among three previously identified categories: security culture, strategic alignment, and value. After acquiring the list of practices, the final survey round asked the experts to rate the practices for desirability and feasibility. Comments from experts regarding their reasons for their choices and ratings were also documented, analyzed thoroughly, themed and discussed. The identified practices led to a new framework: the Ashley Information Protection Framework (AIPF). SME information professionals could use the AIPF to improve the overall security posture of their businesses and protect business intelligence from cyberattack. Other cybersecurity researchers could use the AIPF for future research on specific practices identified by this study.