On Small-Scale IT Users' System Architectures and Cyber Security: A UK Case Study

Emma Osborn and Andrew Simpson

Computers & Security

2017 journal article

DOI: 10.1016/j.cose.2017.05.001

Despite long-standing predictions that developments in, for example, personal and cloud computing practices would change the ways in which we approach security, small-scale IT users (SSITUs) remain ill-served by existing cyber security practices. Following an extensive study of the adoption of cyber security in UK-based SSITUs, this paper discusses results pertaining to technologies employed by such organisations, with respect to their ability to apply security measures. We determine: that the system architectures employed by SSITUs are significantly different from those employed by large corporate or government entities; that the architecture of a small organisation's digital footprint has far more impact on their overall security than would be the case for a large organisation; and that SSITUs do not hold sufficient influence within the supply chain to manage cyber security in their interactions with service providers. We show that improving small-scale cyber security architectures is not simply about developing new technology; rather, there are additional needs to consider, including technology use in the context of interactions that occur within a broader ecosystem of a supply chain, users with multiple roles, and the impact of the digital footprint on security.