Structuring the Chaos: Enabling Small Business Cyber-Security Risks & Assets Modelling with a UML Class Model

Tracy Tam, Asha Rao, Joanne Hall
2024-03-22
Abstract: Small businesses are increasingly adopting IT and consequently becoming more vulnerable to cyber-incidents. Whilst small businesses are aware of cyber-security risks, many struggle with implementing mitigations. Some of these struggles can be traced to fundamental differences in the characteristics of small businesses versus the large enterprises in which modern cyber-security solutions are widely deployed.
Cryptography and Security
What problem does this paper attempt to address?
This paper focuses on the cyber-security risks faced by small businesses and on the problem of modelling their assets. Existing cyber-security tools and standards often assume technical expertise and available time, which is not practical for small businesses. Small business owners typically wear multiple hats, including janitorial, sales, and IT support, so cyber-security is just one of many competing priorities.

The paper proposes a new Unified Modeling Language (UML) class model, the Small IT Data (SITD) model, intended to help small businesses through the chaotic information-gathering phase they face when engaging with cyber-security for the first time. The SITD model uses generic classes and structures so that it can evolve and remain relevant as technology and the business environment change. It emphasises the relationship between business strategy tasks and IT infrastructure, so that security decisions are aligned with the scale of the enterprise. The paper also formulates a set of design principles for meeting the cyber-security needs of small businesses and validates the model and design principles through empirical case studies. The model components are designed for small businesses by simplifying non-technical terminology and presentation style, encouraging continuous involvement of all stakeholders rather than only technical participants. The SITD model can also be used to display security vulnerability information; the paper demonstrates this with the NotPetya incident.

The paper points out that current cyber-security tools and standards are too complex for small businesses and calls for a more understandable and implementable solution. The SITD model approaches cyber-security analysis from a business perspective, giving more weight to business priorities while accounting for the scale and resource constraints of small businesses.
In this way, the paper aims to reduce the barriers for small businesses to participate in cyber security management and enhance their cyber security capabilities.