Small-Scale Cyber Security

Mapping security requirements for IT users at home and in small organisations

Emma Osborn

University of Oxford

November 2018 Thesis

Despite a long-standing assumption that developments in personal and cloud computing models would change the way we approach security, small-scale IT users (SSITUs) remain underserviced by existent cyber security models. This dissertation discusses survey results relating to the technology employed by SSITUs and their engagement with cyber security.

We determine that: SSITUs are focusing on easy-to-implement technical measures, leading to a disconnect between the security implemented and any risks identified; few SSITUs face more than basic threats or employ more than basic security measures; available resources, knowledge, prioritisation of business processes, reduced system control and a lack of threat intelligence all combine to limit the ability to make cyber security decisions; and assessing risk in SSITUs will not lead to sufficient investment to mitigate risks for risk-holding stakeholders in the supply chain.

We also found that: the system architectures employed by SSITUs are significantly different to those employed by large corporate or government entities; the architecture of a small organisation’s digital footprint has far more impact on their overall security than would be the case for a large organisation; and SSITUs do not hold sufficient influence within the supply chain to manage cyber security in their interactions with service providers.

We show that improving small-scale cyber security architectures is not simply about developing new technology — there is a need to consider technology use in context of interactions within a broader ecosystem of a supply chain, users with multiple roles and conflicts of interest, as well as the increased importance of SSITUs’ digital footprints on their security.

In order to improve the cyber security posture of the smallest organisations, security providers need a better understanding of their requirements and the role of larger stakeholders within the supply chain. They also need a business case for investing in products for this marketplace. To this end we have developed a framework of global requirements and constraints for small-scale cyber security, which should have the potential to assist in the development of products adapted for this user group.

For contrast we have provided a requirements framework developed from the perspective of the risk-holding stakeholders in the supply chain, to illustrate the differing expectations of the best-resourced stakeholders in their interactions with SSITUs. This highlights the difficulties posed by incumbent best practices, where many security measures are beyond the grasp of SSITUs and the risks some stakeholders expect to be reduced far exceed the means of the smaller organisations.

We conclude that, with a better understanding of the context within which SSITUs operate, combined with a suitable expectation of how much risk can be transferred to them within the supply chain, it is possible to improve small-scale cyber security.

Access the full thesis on Oxford Research Archive