Towards an Empirical Assessment of Cybersecurity Readiness and Resilience in Small Businesses

Towards an Empirical Assessment of Cybersecurity Readiness and Resilience in Small Businesses

KC 462

Many small businesses struggle to improve their cybersecurity posture despite the risk to their business. Small businesses lacking adequate protection from cyber threats, or a business continuity strategy to recover from disruptions, have a very high risk of loss due to a cyberattack. These cyberattacks, either deliberate or unintentional, can become costly when a small business is not prepared. This developmental research is focused on the relationship between two constructs that are associated with readiness and resilience of small businesses based on their cybersecurity planning, implementation, as well as response activities. A Cybersecurity Preparedness-Risk Taxonomy (CyPRisT) is proposed using the constructs of cybersecurity preparedness and small businesses decision maker’s perceived risk of cyberattack. This work-in-progress study will provide an empirical assessment of small businesses’ level of cybersecurity preparedness relative to their decision maker’s perceived risk of cyberattack. Subject matter experts (SMEs) will be used to validate a set of cybersecurity preparedness activities for small businesses in efforts to develop a benchmark scoring for the measure of cybersecurity preparedness. The SMEs will also identify weights for preparedness activities to enable benchmark scoring of cybersecurity preparedness that mitigate common cyber threats among small businesses. The construct of the decision maker’s perceived risk of cyberattack is based on prior research. Additionally, this work-in-progress study will develop and validate the Cybersecurity Assessment of Risk Management to optimize Readiness and Resilience (cyberARMoRR) program for small businesses. The CyPRisT scores will be used to evaluate significant differences before and after participation in cyberARMoRR program.