Cyber Security Management

Cyber Security Management in UK SMEs – Investigation on Cybercrime and Risks

Table of Contents

Chapter 1: Introduction

1.1 Introduction

1.2 Research Background

1.3 Research Rationale

1.4 Research Aims and Objectives

1.5 Research Questions

1.6 Research Methodology

Chapter 2: Literature Review

2.1 Introduction

2.2 Cyber Security and its Significance in Business

2.3 Risks and Threats Related to Cyber Security

2.4 Challenges of the Cyber Security

2.5 Countermeasures towards Addressing the Risks and Threats in the Cyber World

2.5.1 Security by Design

2.5.2 Security Architecture

2.5.3 Security Measures

2.5.4 Vulnerability Management

2.5.5 Reducing Vulnerabilities

2.5.6 Mechanisms of Hardware Protection

2.5.7 Secure Operating Systems and Secure Coding

2.6 Protections from Cyber Security Risks and Threats for Ecommerce Business Models

2.6.1 Ecommerce Security Standards

2.6.2 Security Policies

2.6.3 Physical Security

2.6.4 Access Control

2.6.5 Monitoring

2.6.6 Authentication

2.6.7 Biometrics

2.6.8 Cryptography

2.6.9 Wireless Security

2.6.10 Smartcards

2.7 Summary

Chapter 3: Research Methodology

3.1 Introduction

3.2 Research Philosophy

3.3 Research Approach

3.4 Research Design

3.5 Sampling

3.6 Data Collection

3.7 Data Analysis

3.8 Accessibility Issues

3.9 Ethical Considerations

3.10 Gantt Chart

Chapter 4: Data Analysis

4.0 Introduction

4.1 Quantitative Data Analysis

Descriptive Statistics

Multivariate analysis

4.2 Qualitative Data Analysis

4.3 Discussion

4.4 Summary

Chapter 5: Conclusion

5.1 Conclusion

5.2 Linking Objective with Conclusion

References

 

Chapter 1: Introduction

1.1 Introduction

Cyber security is defined as the body of practices, processes and technologies designed to protect data, programs, devices and networks from damage, attack or unauthorized access. Cyber security management refers to the initiatives an organization undertakes to protect its information systems and computer networks from malware, intrusions, cyber-attacks and several types of data breaches (Meszaros and Buchalcevova, 2017). Organizations all over the globe are reassessing their information security measures and relying increasingly on cyber security management expertise, while cyber criminals develop new approaches for finding and exploiting vulnerabilities within computer systems. Proper cyber security management accomplishes its responsibilities by planning and implementing security measures across all networks and information systems. In this context, this research demonstrates the importance of cyber security management within SMEs in the United Kingdom by conducting a thorough investigation of cybercrime and its risks.

1.2 Research Background

The rise in the use of IoT devices and internet systems has increased the threats and risks associated with cybercrime from the perspective of users. Cyber security threats and issues exist for enterprise-level users, online retail buyers and personal users of Small and Medium Sized Enterprises. A gap in the focus on cyber security can be greatly damaging to a business. Such attacks carry a direct economic cost for businesses, such as disruption to trading or having to repair impacted systems, all resulting in financial loss (Van Schaik et al., 2017). Technical controls for protecting information systems have failed to mitigate the problems associated with cyber security. This research therefore adopts a social science approach to explore the strategies of small and medium enterprises in the United Kingdom for tackling the risks and threats of cybercrime. It investigates changes in decision-making processes, culture, communication, leadership and managerial roles in managing cyber security risks. All government agencies and business organizations are vulnerable to cyber-attacks, which are rising in number and in sophistication. Keeping networks running smoothly and flexibly while protecting the sensitive data transferred over them takes continuous monitoring and appropriate management of cyber security.

1.3 Research Rationale

There are three major targets of cyber security threats: individuals, businesses and government bodies. According to data on cybercrime published by the government of the United Kingdom, about one third of internet users have faced a security threat or a negative online incident. The cost associated with cybercrime has risen to GBP 27 billion per annum, and businesses bear about 78% of this expense each year. The average global cost of cybercrime for each organization was about $8.7 million over the period 2013 – 2017 (HM Government, 2016). Businesses have thus become the main target of cybercrime, which justifies action by the country's governing body to secure business interests. They have to deal with two important threats on a regular basis: financial fraud and cyber terrorism in online spaces. This study is therefore significant in light of the current cyber security issues facing Small and Medium Sized Enterprises in the United Kingdom. In addition, the pandemic caused by the COVID-19 outbreak may require these enterprises to deal with more consumers online and with more ecommerce transactions in the near future (Newhouse et al., 2017). Small and Medium Sized Enterprises need to focus on developing their businesses through online platforms, and in this context the threats associated with cyber security will rise in the future. The UK government should therefore take proper protective measures for SMEs and their online transactions, which makes this research paper a crucial and timely investigation.

1.4 Research Aims and Objectives

The goal of this study is to explore the current cyber security management status in SMEs in the UK. The objectives of this research are as follows:

  • To identify the risks and threats related to cyber security against SMEs in the UK
  • To investigate the preparation of SMEs for addressing and containing those risks and threats in cyber world
  • To recommend the framework, which would effectively protect SMEs from cyber security risks and threats for their e-commerce business models

1.5 Research Questions

There are four research questions related to this study, which are as follows:

  1. How exposed are UK SMEs to cyber security risks and threats?
  2. How prepared are UK SMEs to counter the cyber security threats and risks to their e-commerce business models?
  3. Why should the government take measures to protect SME businesses from cyber security threats and risks?
  4. What framework should be proposed, through changes in government policy, to protect the interests of SMEs' e-commerce models?

1.6 Research Methodology

The research is grounded, at its initial stage, in the positivist philosophy. The implementation of the recommendations for the framework, in turn, depends on the interpretivist philosophy. The literature review on cyber security management within SMEs is also conducted on the basis of the positivist nature of the research findings. In addition, documentary studies of the previous literature are performed to find the real risks and threats relating to cyber security. A mixed-method research design is used in this paper because it allows the researcher to carry out the investigation comprehensively and to compare the outcomes of the qualitative and quantitative studies. This method also provides ample support for the empirical investigation based on the qualitative findings from interviews with SME managers.

The literature review provides the primary information for the study and helps to identify the research gap in this field. The documentary research allows the researcher to build the empirical model for the analysis. The research therefore obtains secondary data from previous studies to construct its hypothesis. In this dissertation, the quantitative research is performed to obtain answers to the research questions. To that end, the researcher conducts an online survey among the officers and managers of SMEs based in the United Kingdom. The study sends the survey questionnaires to the intended SMEs and to existing ecommerce organizations that run their retail business operations through online transactions. Questionnaires have not been sent to service provider or manufacturer SMEs based in the United Kingdom. Furthermore, semi-structured questions have also been sent to IT professionals from SMEs that work on IT systems and build security systems for other SMEs based in the United Kingdom.

Chapter 2: Literature Review

2.1 Introduction

The key purpose of this chapter is to gain an in-depth understanding of the existing debates and research relevant to the area of study and to present that knowledge in the form of a written report. In the context of this research, a proper literature review helps to build deeper knowledge of cyber security management in SMEs in the United Kingdom.

2.2 Cyber Security and its Significance in Business

According to Sun, Hahn and Liu (2018), computer security or cyber security refers to the protection of computer systems and networks from damage to or theft of their electronic data, software or hardware, and from the misdirection or disruption of the services they provide. The field has become more important as a result of increased reliance on computer systems, wireless networks and internet standards such as Wi-Fi and Bluetooth, along with the growth of televisions, smartphones and the other devices that constitute the Internet of Things (IoT) (Newhouse et al., 2017). Owing to its complexity, cyber security has become one of the major challenges of the modern world in terms of both technology and politics.

Today, cyber security is essential because medical, financial, corporate, military and government organizations collect, process and store unprecedented amounts of data on computers and other devices. As Berman et al. (2019) note, a key portion of that data can be sensitive, whether personal information, financial data, intellectual property or other types of data for which exposure or unauthorized access can have negative consequences. Bada, Sasse and Nurse (2019) also mention that organizations transmit sensitive data across networks and to other devices in the course of doing business, and that cyber security describes the disciplines dedicated to protecting that information and the systems used to process or store it. As the sophistication and volume of cyber-attacks grow, organizations tasked with safeguarding information relating to national security, financial or health records should take steps to protect their sensitive personnel and business information. According to El Mrabet et al. (2018), top intelligence officials of nations all over the world have cautioned that digital spying and cyber-attacks are a top threat to national security, eclipsing even terrorism. In the business world, cyber security is very important because it encompasses everything that pertains to protecting sensitive business data, protected health information, personally identifiable information, personal information and so on (Gupta, 2018). It should be seamless and thorough regardless of an organization's standing or size. Computer networks will always be a target for criminals, and it can be argued that the danger from cyber security breaches will only increase as networks continue to expand (Husák et al., 2018).

2.3 Risks and Threats Related to Cyber Security

The rise in the use of IoT devices and the internet has increased the threat of cybercrime from the perspective of users. Cyber security threats and risks are present for online retail purchasers, personal users and the enterprise-level users of Small and Medium Sized Enterprises (SMEs). According to Bada, Sasse and Nurse (2019), various enterprises have encountered cyber-attacks against their operations technology at some point.

Data Breach – Storing data in the cloud is becoming increasingly popular all over the world. According to Sun et al. (2018), a data breach generally results from a cyber-attack that allows cybercriminals to gain unauthorized access to a computer system or network and steal the confidential, sensitive or private financial and personal data of the users or consumers it contains.

Insecure Application Programming Interface (API) – API keys are generally used by cloud and web services to identify third-party applications using the services. If service providers are not careful, an attacker with access to the key can cause a denial of service or rack up fees on behalf of the victim. Tsirtsis et al. (2018) state that the security of this interface lies primarily in the hands of the service providers. Breaches through APIs generally result from a lack of tight security, from authentication through to encryption.

Cloud Abuse – Cloud storage is unfortunately susceptible to abuse. A major risk factor is that Infrastructure as a Service (IaaS), which is responsible for functionality, does not have a secure registration process (Weerakkody and Sinopoli, 2019). The simplicity of this system can in turn make the entire cloud system very vulnerable to criminals, spam mail and other malicious attacks. In this context, Meszaros and Buchalcevova (2017) advise that cloud service providers should develop registration and authentication processes. They should also monitor credit card transactions. Thorough evaluation of network traffic is also important in eliminating cyber abuse.

Malware Attack – Malware attacks are another consequence of breaches that organizations need to watch out for in the future. Aldawood and Skinner (2018) describe this kind of attack as the activity of malicious software that the system owner is not aware of. Malware attacks have several causes, including the use of bundled free software programs, file sharing such as BitTorrent, removable media and not having an internet security software program in place (Batten, Moonsamy and Alazab, 2016). The important solution to this cyber security risk is the implementation of strict security compliance and mechanisms.

Loss of Data – Important data can be lost for several reasons. Deletion, alteration and the use of an unreliable storage medium are among them. This type of breach can have serious implications for a business. As mentioned by Berry and Berry (2018), the loss of data can spoil a business's reputation and can thus also cause a loss of consumers and drain its finances.

Hacking – Hacking has long been a huge concern all around the globe. As the Internet of Things takes over, more weak points can easily be created in computer systems. Kumar and Agarwal (2018) identify that it is important not to share credentials, as hacking is generally caused by sharing access and password credentials. Hacking can be defined as the process of gaining unauthorized access to a single computer system or a group of computer systems. Sun, Hahn and Liu (2018) also specify that this is mostly done by cracking the codes and passwords that give access to the systems. Computer networks are consequently highly exposed to hackers and hacking from the outside world.

Single Factor Passwords – The rapidly growing use of single-factor passwords has become a large security risk. Such passwords give easy access to data. Companies need to take passwords much more seriously to reverse the situation.

Insider Threat – Companies will continue to face the insider threat as a key form of cyber security breach (Tsirtsis et al., 2018). The weak link is the group of users within the organization, and ex-staff are also a key threat to cyber security. This is not to mention the significance of monitoring staff, measuring their activity and training them in how weak points can be patched easily. Thomas (2018) identifies the key antidote to this issue as educating staff on cyber security, and testing and monitoring their activities.

Internet of Things – Devices connected through the Internet of Things create weak points. According to Batten, Moonsamy and Alazab (2016), the deployment of IoT devices has brought security concerns with it. IoT also has architectural flaws, such as inadequate security measures, from which the weak points stem. Appropriate deployment of awareness and security systems would go a long way towards ensuring that the threat is under control.

Shadow IT Systems – Shadow IT refers to software that is used within a company but is not supported by the organization's central IT system. The breach risk in shadow IT systems is that the risk of data loss does not receive much attention when it comes to data backups (Van Schaik et al., 2017). Moreover, nobody monitors the backup and recovery processes. As a result of these inefficiencies, the system becomes vulnerable to hackers. Awareness should be spread to mitigate the security threats brought by shadow IT systems.

2.4 Challenges of the Cyber Security

Weerakkody and Sinopoli (2019) point out that, for cyber security to be efficient, an enterprise has to coordinate its efforts effectively throughout its entire information system. The elements of cyber security encompass several aspects, which are as follows:

Application Security – Applications need continuous testing and updates to ensure that these programs are secure from attacks.

Network Security – Rantos et al. (2020) define network security as the process of protecting the network from unwanted intrusions, attacks and users.

Endpoint Security – Kimani, Oduol and Langat (2019) note that remote access is widely considered an essential part of business, but it can also be a weak point for the data transmitted over the network. El Mrabet et al. (2018) describe endpoint security as the process of protecting remote access to an organization's network.

Identity Management – Alnasser, Sun and Jiang (2019) describe identity management essentially as the process of properly understanding the access that every individual has in the organization.

Database and Infrastructure Security – Everything in a network involves databases and physical equipment. Protecting this equipment is equally important.

Data Security – Data is the core of networks and applications. Baig et al. (2017) specify that protecting consumer information and company information is a separate layer of security.

Mobile Security – Tablets and cell phones involve virtually every type of security challenge in and of themselves.

Business Continuity Planning or Disaster Recovery – According to Sundararajan et al. (2019), in the event of a breach, natural disaster or other event, data must be protected and business must go on. To this end, organizations need to prepare a proper plan on the basis of end-user education. The users may be employees accessing the network or consumers logging on to an organizational application (Batten, Moonsamy and Alazab, 2016). Educating users in good habits such as two-factor authentication and password changes is a key part of cyber security.

Patel and Doshi (2019) explain that the most difficult challenge in cyber security is the ever-evolving nature of the security risks themselves. Governments and organizations have traditionally focused most of their cyber security resources on perimeter security, protecting only their most important system components and defending against known threats. Today this approach is insufficient, because the threats change and advance more quickly than companies can keep up with. Advisory organizations therefore promote more adaptive and proactive approaches to cyber security.

2.5 Countermeasures towards Addressing the Risks and Threats in the Cyber World

Organizations, whether SMEs, MSMEs or large multinational corporations, are focusing increasingly on investigating and implementing countermeasures to address the threats and risks associated with cyber security. According to Bendovschi and Al-Nemrat (2016), a countermeasure in computer security is an action, procedure, technique or device that reduces an attack, a vulnerability or a threat by preventing or eliminating it. Moreover, Mawgoud et al. (2019) specify that corrective actions can also be implemented to minimize the harm caused by cyber security threats or risks. Some common and important countermeasures for eliminating threats are as follows:

2.5.1 Security by Design

Samaila et al. (2018) define security by design as software that is designed from the ground up to be secure. Security is considered the key feature in this case. This countermeasure is appropriate for SMEs because it involves important techniques including the principle of least privilege, automated theorem proving, defense in depth, code reviews and unit testing, secure default settings, audit trails and full disclosure.

2.5.2 Security Architecture

According to Zerzri (2017), security architecture in cyber security can be defined as the design artifacts that describe how the security controls or countermeasures are positioned and how they relate to the overall Information Technology architecture. The purpose of these controls or countermeasures is to maintain the system's quality attributes, such as accountability, availability, integrity, confidentiality and assurance services. According to Johansson (2019), it is a unified security design that addresses the necessities and potential risks involved in a specific scenario or environment. By adopting this countermeasure, SMEs can be more specific about when and where to apply security controls. The design process is generally reproducible. The important attributes of this countermeasure are the relationship of the different components and how they depend on each other; the determination of controls based on risk assessment, good practices, finances and legal matters; and the standardization of controls.

2.5.3 Security Measures

Conteh and Schmick (2016) describe computer security as a conceptual ideal that is attained through three processes: threat prevention, detection and response. These processes are implemented through various policies and system components, which include cryptography, intrusion detection systems, firewalls and user account access controls. According to Malik et al. (2020), cryptography and user account access controls can protect files and data. Firewalls, on the other hand, are the most common prevention systems from a network security perspective because they can shield access to internal network services and can block specific types of attacks through packet filtering. Firewalls can be either software-based or hardware-based. Intrusion Detection Systems are designed to detect network attacks in progress and to assist post-attack forensics, while logs and audit trails serve the same function for individual systems (Alnasser, Sun and Jiang, 2019). Recently, a few SMEs have also been turning to big data platforms such as Apache Hadoop and SAP to extend data accessibility and to use machine learning for detecting advanced persistent threats.

2.5.4 Vulnerability Management

Vulnerability management is defined as the cycle of recognizing, remediating and mitigating vulnerabilities, particularly in software and firmware. Kimani, Oduol and Langat (2019) describe vulnerability management as integral to network security and computer security. Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities such as insecure software configuration, open ports and susceptibility to malware. To remain effective, these tools must be kept up to date with every new update released by the vendors (Baig et al., 2017). Beyond vulnerability scanning, many SMEs also contract outside security auditors to run regular penetration tests against their systems to identify vulnerabilities.

2.5.5 Reducing Vulnerabilities

Alnasser, Sun and Jiang (2019) identify two-factor authentication as an important method for mitigating unauthorized access to a system or to sensitive information. It enhances security in that an unauthorized person requires both factors to gain access. According to Sun, Hahn and Liu (2018), social engineering and direct computer access attacks can only be prevented by non-computer means, which can be difficult to enforce relative to the sensitivity of the information.
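As an added illustration (not part of the original dissertation), the following Python sketch shows why a login protected by two factors resists a stolen password: access requires both the password and a time-based one-time code (TOTP, RFC 6238), and a captured code cannot be reused. The account data, password and function names are constructed for the example; the secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

STEP = 30  # seconds per TOTP time step (RFC 6238 default)
RFC_SECRET = b"12345678901234567890"  # RFC 6238 test key, not a real secret
DEMO_PASSWORD = "correct horse battery staple"  # constructed sample value


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = int(at // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked database does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    last_counter: int = -1  # highest time step already accepted


def make_demo_account() -> Account:
    # Fixed salt keeps the demo deterministic; use os.urandom(16) in practice.
    salt = b"constructed-salt"
    return Account(salt, hash_password(DEMO_PASSWORD, salt), RFC_SECRET)


def verify_login(acct: Account, password: str, code: str, now: float) -> str:
    """Return 'ok' only when BOTH factors check out.

    The returned reason is meant for the audit log; the user should see one
    generic failure message so the response does not reveal which factor failed.
    """
    # Factor 1: something the user knows. Evaluated even if the code is wrong.
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt),
                                acct.password_hash)

    # Factor 2: something the user has. Accept the previous, current and next
    # time step to tolerate clock drift between server and authenticator.
    current = int(now // STEP)
    matched = None
    for counter in (current - 1, current, current + 1):
        if counter < 0:
            continue
        expected = totp(acct.totp_secret, counter * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched = counter

    if not pw_ok:
        return "bad_password"
    if matched is None:
        return "bad_code"
    if matched <= acct.last_counter:
        return "replayed_code"  # a captured code cannot be used a second time
    acct.last_counter = matched
    return "ok"


if __name__ == "__main__":
    acct = make_demo_account()
    t = 59  # constructed timestamp (seconds since the epoch)
    print(verify_login(acct, DEMO_PASSWORD, "000000", t))        # password alone
    print(verify_login(acct, "guess", totp(RFC_SECRET, t), t))   # code alone
    print(verify_login(acct, DEMO_PASSWORD, totp(RFC_SECRET, t), t))
    print(verify_login(acct, DEMO_PASSWORD, totp(RFC_SECRET, t), t))
```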

2.5.6 Mechanisms of Hardware Protection

Hardware-based or hardware-assisted computer security offers an efficient alternative to software-only security in computer systems. Mobile-enabled access, disabling USB ports, drive locks, intrusion-aware cases, trusted platform modules, dongles and so on may be considered more secure because of the physical access needed to compromise them.

2.5.7 Secure Operating Systems and Secure Coding

One effective use of computer security is the technology used to implement secure operating systems. On the other hand, as stated by Bada, Sasse and Nurse (2019), secure coding in software engineering focuses on guarding against the accidental introduction of security vulnerabilities. It is also possible to create software that is designed from the ground up to be secure; such systems are considered secure by design. Beyond this, formal verification focuses on proving the correctness of the algorithms underlying a system, which is important for cryptographic protocols.

2.6 Protections from Cyber Security Risks and Threats for Ecommerce Business Models

The security of computer networks and information systems is very important for individuals, families and businesses in staying protected from online predators, scam artists and malicious hackers. For the ecommerce business models of SMEs, maintaining network security is an everyday concern regardless of status (El Mrabet et al., 2018). Managing availability, integrity and confidentiality is a very important objective of network security. Several types of security are necessary to accomplish the goals of confidentiality, integrity and availability and to provide well-rounded protection. Some important ways of protecting the ecommerce business models of SMEs from the associated cyber security risks and threats are as follows:

2.6.1 Ecommerce Security Standards

SMEs have to comply with specific regulations and laws in relation to their operational activities (Meszaros and Buchalcevova, 2017). Security concerns have resulted in the development of regulations and standards for safeguarding essential data.

2.6.2 Security Policies

Any SME concerned with protecting its ecommerce assets should have a security policy in place. The policy should identify the important assets to be protected and who is responsible for protecting them. According to Aldawood and Skinner (2018), security policies act as a guide for workers so that they know what needs to be done before, during and after an incident. Employees therefore need to stay aware of the policies set by the ecommerce business, and tests or assessments can be conducted to establish their level of competency (Newhouse et al., 2017). These assessments can take several formats, such as written, scenario-based and oral tests. As opined by Kimani, Oduol and Langat (2019), the assessments should be designed so that workers are comfortable with the information in the policies and with responding to a variety of scenarios.

2.6.3 Physical Security

It is the first type of security that needs to be implemented to address the cyber security threats associated with the ecommerce business models of SMEs. Tsirtsis et al. (2018) have stated that physical security can be considered the same as the procedure of locking the doors of a home but leaving the windows open. It can also take the form of access control devices and video monitoring systems. While there is no way to be completely secure, it is best to limit the chances of becoming a victim.

2.6.4 Access Control

Controlling access to a region or facility is a core part of security. Guards should be used for roving ID verification of workers. The issue with security guards is that social engineering and human factors can be used to manipulate them (Batten, Moonsamy and Alazab, 2016). Because of these social engineering concerns, passwords, biometric scanners and locks should be considered for access control.

2.6.5 Monitoring

Monitoring is also very significant, as hackers can sneak in without the organization knowing and cause a lot of damage. According to Kimani, Oduol and Langat (2019), the network and the facility should be monitored to prevent hackers from penetrating defenses and causing irreversible damage. With constant monitoring, security would be capable of detecting an attack and stopping it before damage occurs.

2.6.6 Authentication

Sundararajan et al. (2019) have mentioned that there are several verification methods, which are used by different agencies to prevent unauthorized users from accessing their services, systems and facilities.

2.6.7 Biometrics

This system uses the body of a specific person for access verification. Palm print readers, finger and retinal scans and other body scanners are typically used in access control to verify a person's identity. As mentioned by Sundararajan et al. (2019), it is an authentic and efficient method because it uses body parts that are authentic to that particular individual.

2.6.8 Cryptography

Kimani, Oduol and Langat (2019) have specified that this method is generally used by organizations to turn plaintext into what is referred to as ciphertext by means of an algorithm, a complicated mathematical sequence, so that it cannot be read by anyone without the code for deciphering it.

2.6.9 Wireless Security

The days of wired computer connectivity have gone, and businesses now widely use wireless connections for accessing, receiving and sending information. Receiving and sending information over a wireless connection makes it susceptible to interception (Van Schaik et al., 2017). Systems receive and send information over a wireless router, which is connected to a modem that is in turn connected to the internet.

2.6.10 Smartcards

These are generally used in facilities to control access to a specific service, system or area. Smartcards also allow a person to gain access without remembering a password (Sundararajan et al., 2019).

2.7 Summary

This chapter has been based on the views that authors and researchers have set out in their research articles and journals regarding the cyber security concerns associated with the business operations of small and medium-sized corporations. In this context, the overall chapter has demonstrated the risks and threats that cyber security poses to SMEs. The chapter has also portrayed the effective countermeasures and controls that can be implemented to address the identified risks and threats. Moreover, this section has also covered some important frameworks on the basis of which SMEs can reduce the security risks and threats associated with ecommerce business models.

Chapter 3: Research Methodology

3.1 Introduction

Research methodology is defined as the set of techniques or processes used for identifying, selecting, processing and analyzing information or data on a given research subject (Mohajan, 2018). In this study, the chapter on research methodology allows readers to critically evaluate the overall reliability and validity of the work. This section highlights the important methods used to conduct the research and provides the justification for using them.

3.2 Research Philosophy

According to Fletcher (2017), research philosophy can be defined as the belief about the way in which data on a specific phenomenon are gathered, analyzed and used. There are two major philosophies associated with conducting research, interpretivism and positivism (Kumar, 2019). Positivism describes an approach to the study of society that relies on scientific evidence, such as statistics and experiments, to reveal the true nature of the way society operates. The interpretivism philosophy, on the other hand, states that the social world can be interpreted in a subjective way (Ngozwana, 2018). Here, wide attention is given to understanding the ways in which people experience the social world. The positivism philosophy relies significantly on quantitative data, which positivists believe are more reliable than qualitative research (Basias & Pollalis, 2018). Interpretivism is built on the idea that human feelings and thoughts are involved, and so this method specifically operates through a detailed understanding of what people say about a specific subject (Clandinin, Cave & Berendonk, 2017). The use of statistical data is not applicable to this research philosophy, and the method depends on the social sharing done by human beings.

To conduct this research, the positivism method has been preferred so as to make the study more authentic through the use of statistical data, which can prove the hypothesis set for the research. In addition, the implementation of the recommendations to the framework is intended to follow the interpretivism philosophy.

3.3 Research Approach

Research approach refers to the procedure and the conceptual plans for the research, which span the steps from broad assumptions to detailed techniques of data collection, analysis and interpretation (Mackey & Gass, 2015). The decision involves which approach should be used to study a particular research topic, and it is based on the nature of the research problem being addressed. Research approaches have two major classifications, the deductive and the inductive methods (MacDonald, 2012). The inductive approach begins with observations, and theories are proposed towards the end of the research process as a result of those observations. Regularities, resemblances and patterns in experience are noted in order to reach appropriate conclusions or generate theory. The deductive approach, on the other hand, is mainly concerned with developing a hypothesis from existing theory and then developing a research strategy for testing that hypothesis (Ledford & Gast, 2014). The inductive approach starts with a set of empirical observations and seeks patterns within them, whereas the deductive technique starts with a theory, develops hypotheses from that theory and then collects and analyzes data to test those hypotheses.

For this research, the deductive approach has been selected because it is built on theories that could be examined in this study. The purpose of using this method is to thoroughly validate the theoretical understanding by means of deduction. The research participants can help the deductive approach reach an appropriate conclusion. Using this approach has helped to form a strong base for analyzing the subject.

3.4 Research Design

Research design is the set of processes and methods used in collecting and analyzing measures of the variables specified in the research (Mohajan, 2018). In other words, research design is the overall strategy selected by the researcher for integrating the different components of the study in a logical and coherent way, so that the research problem is addressed effectively (Fletcher, 2017). It also constitutes the blueprint for the collection, measurement and analysis of data. The function of the research design is to ensure that the evidence obtained enables the researcher to address the research problem as unambiguously as possible (Kumar, 2019). In research studies, obtaining evidence relevant to the research problem generally entails specifying the type of evidence required for testing a theory, evaluating a program or accurately describing a phenomenon. Nevertheless, researchers can begin their investigations far too early, before they have thought critically about the type of information required to answer the research questions. The research design of any study can be based on one of three frameworks: descriptive, explanatory and exploratory (Ngozwana, 2018). An exploratory design is mainly used for a research problem where the researcher has no previous data or only a few studies for reference. Sometimes this kind of research is unstructured and informal (Basias & Pollalis, 2018).

On the other hand, an explanatory design is used for a specific issue that was not properly researched previously; it sets priorities, generates operational definitions and provides a thoroughly researched model (Clandinin, Cave & Berendonk, 2017). This method mainly aims at explaining the aspects of the research study. Apart from that, the descriptive method of research design focuses on systematically and accurately describing a phenomenon, situation or population. This method can use a wide variety of both qualitative and quantitative methods to investigate one or more variables.

To conduct this research, the descriptive research design has been selected because it has helped the researcher gain a thorough idea of how cyber security is managed by SMEs operating in the marketplaces of the United Kingdom. In addition, with the descriptive method the research is able to properly analyze that SMEs need to use effective management strategies in order to eliminate the severe issues associated with cyber security.

3.5 Sampling

Sampling can be defined as the process used in statistical analysis in which a predetermined number of observations is taken from a larger population (Mackey & Gass, 2015). The technique used to sample from a larger population depends mainly on the type of analysis being performed, but it can include systematic sampling or simple random sampling (MacDonald, 2012). There are two major classifications of sampling techniques, probability and non-probability sampling (Ledford & Gast, 2014). In probability sampling, researchers select samples from the larger population using a method based on probability theory. Non-probability sampling, on the other hand, is a method in which the odds of any member being chosen for a sample cannot be calculated; it is the reverse of probability sampling, where the researcher is able to calculate the odds (Clandinin, Cave & Berendonk, 2017).

In this research, probability sampling has been carried out using the simple random method. About 54 IT professionals have been selected through the simple random method. This procedure has been preferred because it is cost effective and a viable option within the time available. In addition, 5 managers associated with the ecommerce SMEs have been selected with the help of the convenience sampling method. This method has made it easy for the researcher to access the concerns of the managers.

3.6 Data Collection

Data collection can be defined as the process of gathering and measuring details of the variables of interest in an established and systematic manner, which enables one to answer the stated research questions, evaluate outcomes and test hypotheses (Mohajan, 2018). Data collection is mainly classified into two techniques, the primary and the secondary research methods. Primary research is a data collection process that draws on primary sources such as surveys, interviews and experiments (Fletcher, 2017). Secondary data collection is the method in which data are gathered from secondary sources of information, including research articles, journals, organizational data or records, websites and so on. Some important tools are associated with primary data collection, such as observations, interviews, the case study method and many others.

In order to conduct this research, the primary data collection technique has been adopted based on the two important tools including the online survey questionnaire and the interviews. In this regard, 54 IT professionals associated with an ecommerce SME based in the United Kingdom have been selected as the major respondents for the online survey. On the other side, 5 managers associated with the organization have been selected for performing the entire interview process in this research.

3.7 Data Analysis

Data analysis can be defined as the process of inspecting, cleansing, transforming and modeling information or data with a focus on discovering useful details, informing conclusions and supporting decision making (Basias & Pollalis, 2018). An important goal of data analysis in a research study is to extract the useful details from the data and to make decisions on the basis of the analyzed data. Data analysis can be sub-divided into two techniques, the quantitative and the qualitative methods (Clandinin, Cave & Berendonk, 2017).

In this research, the quantitative method is used to analyze the primary data collected from the online survey. This method has been preferred in order to improve the accuracy of the overall outcome of the research. SPSS has been used as the professional and technical tool for analyzing the data gathered from the online survey, in order to gain in-depth knowledge of the cyber security management processes used by the ecommerce SMEs. The qualitative method, on the other hand, has been used to analyze the data collected from the interviews conducted between the researcher and the selected managers associated with the ecommerce SMEs.

3.8 Accessibility Issues

The researcher has used the online platform to gain access to the officers and staff associated with the ecommerce SMEs while conducting the online survey. Nevertheless, the consumers need to be reminded at intervals to fill in the survey questions, so that the data can be tabulated within the time constraint. To conduct the interviews with the managers of the ecommerce SMEs successfully, their permission should be obtained first. There was also a possibility that the time had to be changed several times owing to the inconvenience of the managers.

3.9 Ethical Considerations

The ethical considerations or ethical boundaries associated with any research need to be maintained properly by a responsible researcher, as the respondents' personal experiences are shared throughout the survey or interview (Basias & Pollalis, 2018). When a researcher shows open-minded professionalism during the data collection process, the ethics of the research can be maintained. The responses should therefore be recorded very carefully, and the researcher needs to be very conscious so that no manipulation of information occurs. No respondent should be forced to participate in the survey or the interview process, because that is considered completely unethical in any research. No manipulation should be permitted if any information loss takes place. Therefore, a backup of the information needs to be stored in the cloud as well as recorded in written form. Moreover, the researcher should not ask questions that are completely out of context.

3.10 Gantt Chart

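| Main activities | 1st week | 2nd week | 3rd week | 4th + 5th week | 6th week | 7th week |
|---|---|---|---|---|---|---|
| Subject Selection | | | | | | |
| Literature Review | | | | | | |
| Research Methodology | | | | | | |
| Data Collection (Primary) | | | | | | |
| Data Analysis and Interpretation | | | | | | |
| Findings | | | | | | |
| Conclusion | | | | | | |
| Final Work and Submission | | | | | | |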

 

Chapter 4: Data Analysis

4.0 Introduction

Cyber security management is considered to be a serious problem in almost all types of organization. For SMEs the problem tends to be quite severe, as the budget available is limited. In this section of the paper, the researcher surveys SMEs in the UK to understand the way in which they follow cyber security procedures.

4.1 Quantitative Data Analysis

Table 1: Gender

 
| | | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|---|
| Valid | Male | 29 | 53.7 | 53.7 | 53.7 |
| | Female | 25 | 46.3 | 46.3 | 100.0 |
| | Total | 54 | 100.0 | 100.0 | |

The survey included both male and female professionals from the SME sector in the UK. Of the respondents, 46.3% were female and 53.7% were male.

Age Group
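| | | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|---|
| Valid | 18-29 years | 17 | 31.5 | 31.5 | 31.5 |
| | 30-39 years | 19 | 35.2 | 35.2 | 66.7 |
| | 40-49 years | 12 | 22.2 | 22.2 | 88.9 |
| | 50+ years | 6 | 11.1 | 11.1 | 100.0 |
| | Total | 54 | 100.0 | 100.0 | |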

The researcher has also surveyed the age group of the professionals. From the age group data, it can be found that 35.2% of the respondents belong to the age group of 30-39 years, 31.5% were within the age group of 18-29 years, 22.2% were within the age group of 40-49 years and 11.1% belong to the 50+ years group. From the dataset, it can be seen that most of the SME professionals were in their 20s and 30s.

Revenue Stream of SME

| | | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|---|
| Valid | Less than £1 million | 8 | 14.8 | 14.8 | 14.8 |
| | £1-5 million | 26 | 48.1 | 48.1 | 63.0 |
| | £6-10 million | 11 | 20.4 | 20.4 | 83.3 |
| | More than £10 million | 9 | 16.7 | 16.7 | 100.0 |
| | Total | 54 | 100.0 | 100.0 | |

Revenue generation is important for an SME to sustain itself in a competitive market. Of the respondents, 48.1% stated that the revenue generated by their SME was within 1-5 million pounds, 20.4% of the SMEs were found to earn within 6 to 10 million pounds and 16.7% earned more than 10 million pounds. Only 14.8% of the respondents stated that their revenue generation is less than 1 million pounds.

You are the manager in SME. What are the various devices used for work
| | | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|---|
| Valid | Multi use Devices | 11 | 20.4 | 20.4 | 20.4 |
| | BYOD phone and Company Laptop | 24 | 44.4 | 44.4 | 64.8 |
| | BYOD phone and Laptop/PC | 19 | 35.2 | 35.2 | 100.0 |
| | Total | 54 | 100.0 | 100.0 | |

A large number of devices are used in SMEs to get work done. Of all the devices used, the use of a BYOD phone and company laptop is found to be the highest, at 44%. Furthermore, 35.2% of the SMEs stated the use of a BYOD phone and laptop/PC, with 20.4% of the respondents stating the use of multi-use devices.

Information security policy within your SME
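| | | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|---|
| Valid | Do not Know | 8 | 14.8 | 14.8 | 14.8 |
| | No Policy | 12 | 22.2 | 22.2 | 37.0 |
| | Informal Existing Policy | 20 | 37.0 | 37.0 | 74.1 |
| | Formal Policy | 14 | 25.9 | 25.9 | 100.0 |
| | Total | 54 | 100.0 | 100.0 | |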

An information security policy is responsible for ensuring that all users of the network abide by the standard norms established as a means of data protection. The majority of the respondents, 37%, stated the presence of an informal existing policy within their SME, while 25.9% reported the existence of a formal policy as a means of information security. However, 22.2% of the respondents said that no such policy exists, with 14.8% being completely unaware of any form of information security policy within their organization.

Relevant reasons for security policy
| | | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|---|
| Valid | Environmental Constraints | 4 | 7.4 | 7.4 | 7.4 |
| | New Technology | 17 | 31.5 | 31.5 | 38.9 |
| | Strategic Decision | 15 | 27.8 | 27.8 | 66.7 |
| | Change of Work Practices | 18 | 33.3 | 33.3 | 100.0 |
| | Total | 54 | 100.0 | 100.0 | |

A large number of factors contribute to the implementation of proper security policies within the SME operational context. The majority of the respondents, 33.3%, stated that a change of work practices makes it essential to implement proper security policies, while 31.5% highlighted the significance of new technology. In this case, 27.8% of the respondents feel that strategic decision making within SMEs requires consideration of suitable security policies, while 7.4% feel that environmental constraints contribute towards it.

Reputation and Company Profile
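| | | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|---|
| Valid | Very Unimportant | 1 | 1.9 | 1.9 | 1.9 |
| | Unimportant | 10 | 18.5 | 18.5 | 20.4 |
| | Neutral | 9 | 16.7 | 16.7 | 37.0 |
| | Important | 19 | 35.2 | 35.2 | 72.2 |
| | Very Important | 15 | 27.8 | 27.8 | 100.0 |
| | Total | 54 | 100.0 | 100.0 | |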

Reputation and company profile are identified as notable risks associated with cyber crime, and hence the survey focused on gathering the respondents' views on them. The largest number of respondents, 35.2%, consider it an important aspect for an SME, along with 27.8% stating the variable to be very important. Meanwhile, 18.5% of respondents feel it to be unimportant, along with 16.7% of respondents giving a neutral response in this regard. In addition, 1.9% of the SMEs feel it to be a very unimportant factor associated with cyber crime risks.

Customer data at various locations
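| | | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|---|
| Valid | Unimportant | 4 | 7.4 | 7.4 | 7.4 |
| | Neutral | 11 | 20.4 | 20.4 | 27.8 |
| | Important | 17 | 31.5 | 31.5 | 59.3 |
| | Very Important | 22 | 40.7 | 40.7 | 100.0 |
| | Total | 54 | 100.0 | 100.0 | |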

The presence of customer data across various locations of the operational network increases the risks associated with cyber crime two-fold. When asked, the respondents stated it to be a crucial factor that SMEs consider as part of their cyber security management. The majority of the respondents, 40.7%, consider it a very important factor, with 31.5% of the respondents also considering it important. However, 20.4% of the respondents surveyed gave a neutral response, along with 7.4% of the respondents regarding the presence of customer data at different locations as an unimportant factor in this regard.

Continued availability of internet connections
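| | | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|---|
| Valid | Very Unimportant | 2 | 3.7 | 3.7 | 3.7 |
| | Unimportant | 8 | 14.8 | 14.8 | 18.5 |
| | Neutral | 8 | 14.8 | 14.8 | 33.3 |
| | Important | 19 | 35.2 | 35.2 | 68.5 |
| | Very Important | 17 | 31.5 | 31.5 | 100.0 |
| | Total | 54 | 100.0 | 100.0 | |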

About 35.2% of the people surveyed said that internet connections and their continuous availability are important when it comes to analyzing cybersecurity risks. The data findings also show that 31.5% of the respondents consider it to be very important. However, 14.8% of the respondents gave a neutral response. On the other hand, 14.8% of the respondents consider internet connection and its continuous availability to be an unimportant aspect from the SME operations point of view, along with 3.7% further highlighting its increased unimportance. Based on the data findings, it is evident that the majority of the respondents consider the continuous availability of internet facilities to be a crucial cybersecurity risk.

Valuable credentials such as login details, HMRC, social media accounts
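| | | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|---|
| Valid | Very Unimportant | 1 | 1.9 | 1.9 | 1.9 |
| | Unimportant | 5 | 9.3 | 9.3 | 11.1 |
| | Neutral | 7 | 13.0 | 13.0 | 24.1 |
| | Important | 18 | 33.3 | 33.3 | 57.4 |
| | Very Important | 23 | 42.6 | 42.6 | 100.0 |
| | Total | 54 | 100.0 | 100.0 | |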

Nearly 42.6% of the respondents, which accounts for the largest number of the people surveyed, stated valuable details of customers, login details, social media accounts and HMRC to be very important. Furthermore, 33.3% of the respondents also stated it to be important, while 13% gave a neutral response. On the other hand, only 9.3% of the respondents consider valuable credentials to be unimportant and 1.9% of the SMEs consider them very unimportant.

Customer systems with cloud application or VPN
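| | | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|---|
| Valid | Very Unimportant | 1 | 1.9 | 1.9 | 1.9 |
| | Unimportant | 7 | 13.0 | 13.0 | 14.8 |
| | Neutral | 14 | 25.9 | 25.9 | 40.7 |
| | Important | 19 | 35.2 | 35.2 | 75.9 |
| | Very Important | 13 | 24.1 | 24.1 | 100.0 |
| | Total | 54 | 100.0 | 100.0 | |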

The risks relating to cyber crime call for consideration of VPN or customer systems interlinked with cloud applications. The survey data stated that 35.3% of the respondents feel it to be very important, while 25.9% gave neutral feedback on the risk factor. However, 24.1% of the respondents consider it to be very important. On the other hand, 13% of the respondents consider the risk factor to be unimportant and 1.9% very unimportant. In this case, since the largest number of respondents gave positive feedback, SMEs largely take into account the risk identified in this context of VPN and cloud applications integrated with customer systems.

Planning – Prioritizing security needs using IT support and continuous security audits
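| | | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|---|
| Valid | Very Unimportant | 2 | 3.7 | 3.7 | 3.7 |
| | Unimportant | 11 | 20.4 | 20.4 | 24.1 |
| | Neutral | 12 | 22.2 | 22.2 | 46.3 |
| | Important | 20 | 37.0 | 37.0 | 83.3 |
| | Very Important | 9 | 16.7 | 16.7 | 100.0 |
| | Total | 54 | 100.0 | 100.0 | |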

The planning stage of the cyber security approaches used by SMEs focuses on prioritizing needs in accordance with information technology support, followed by performing continuous audits of security operational activities. The survey respondents were asked about the relative importance of the planning stage from their SME's operational point of view and scope. About 37% of the respondents consider the planning stage to be important, while 22.2% gave a neutral response in this regard. Furthermore, 20.4% of the respondents considered it to be unimportant from the SME operation point of view, while 16.7% of the respondents feel planning to be a very important stage of cyber security management. On the other hand, 3.7% of the respondents feel it to be completely unimportant. In this case, based on the majority response, planning is an important activity for SME cyber security management.

Implementation – using right controls in information Security (IS) and information assets (IA)
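| | | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|---|
| Valid | Very Unimportant | 5 | 9.3 | 9.3 | 9.3 |
| | Unimportant | 10 | 18.5 | 18.5 | 27.8 |
| | Neutral | 12 | 22.2 | 22.2 | 50.0 |
| | Important | 17 | 31.5 | 31.5 | 81.5 |
| | Very Important | 10 | 18.5 | 18.5 | 100.0 |
| | Total | 54 | 100.0 | 100.0 | |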

The implementation process comprises making effective use of suitable controls as part of information security and information assets management. The largest number of respondents, 31.5%, consider the implementation stage to be important, while 22.2% gave a neutral response in this case. On the other hand, 18.5% of the respondents each consider implementation to be a very important and an unimportant aspect of SME cyber security operations. However, 9.3% of the respondents consider implementation to be a very important aspect of cyber security management.

Review – Identifying controls and practices, lookout for Vulnerabilities and up to date on threats to your activities
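| | | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|---|
| Valid | Very Unimportant | 1 | 1.9 | 1.9 | 1.9 |
| | Unimportant | 7 | 13.0 | 13.0 | 14.8 |
| | Neutral | 13 | 24.1 | 24.1 | 38.9 |
| | Important | 16 | 29.6 | 29.6 | 68.5 |
| | Very Important | 17 | 31.5 | 31.5 | 100.0 |
| | Total | 54 | 100.0 | 100.0 | |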

The review process of the cyber security approach in SMEs takes into consideration the identification of suitable controls and practices as a means of identifying vulnerabilities and threats to operational activities. In this case, the majority of the respondents, 31.5%, stated the review stage to be very important, while 29.6% of the respondents consider it to be important. Furthermore, 24.1% of the respondents gave a neutral response relating to the effectiveness of the review process. On the other hand, 13% of the respondents said that the review stage is unimportant, while 1.9% regard it as very unimportant.

Risk analysis practice – Identifying equipment and procedures of sensitive information and whether linked to social and technical system

| | Response | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|---|
| Valid | Very Unimportant | 4 | 7.4 | 7.4 | 7.4 |
| | Unimportant | 8 | 14.8 | 14.8 | 22.2 |
| | Neutral | 16 | 29.6 | 29.6 | 51.9 |
| | Important | 17 | 31.5 | 31.5 | 83.3 |
| | Very Important | 9 | 16.7 | 16.7 | 100.0 |
| | Total | 54 | 100.0 | 100.0 | |

The risk analysis process is related to identifying the equipment and procedures relating to sensitive information and their linkage to the social and technical system. The largest share of the survey respondents, 31.5%, consider it to be an important part, while 29.6% gave neutral feedback. Furthermore, 16.7% of the respondents said that risk analysis practice is very important, while 14.8% of them stated it to be unimportant. On the other hand, 7.4% of the respondents consider risk analysis practice in SMEs to be not at all important.

Organization practices – Training, publication, practices, response mitigation and recovery, protection measures
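| | Response | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|---|
| Valid | Very Unimportant | 9 | 16.7 | 16.7 | 16.7 |
| | Unimportant | 12 | 22.2 | 22.2 | 38.9 |
| | Neutral | 13 | 24.1 | 24.1 | 63.0 |
| | Important | 10 | 18.5 | 18.5 | 81.5 |
| | Very Important | 10 | 18.5 | 18.5 | 100.0 |
| | Total | 54 | 100.0 | 100.0 | |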

The security approach process of SMEs considers a series of organizational practices such as training, publication, practices, response mitigation, protection measures and recovery. The largest share of respondents, 24.1%, gave a neutral response in this case, with 22.2% considering it to be unimportant. On the other hand, 18.5% of the respondents each rated the organizational practices for security management in SMEs as important and very important. It should also be noted that 16.7% of the respondents consider it to be very unimportant. The data findings suggest that SMEs do not consider organizational practices like training, protection, response mitigation etc. to be that important.

Descriptive Statistics

Descriptive Statistics
| Variable | N | Range | Minimum | Maximum | Mean | Std. Deviation | Skewness (Statistic) | Skewness (Std. Error) | Kurtosis (Statistic) | Kurtosis (Std. Error) |
|---|---|---|---|---|---|---|---|---|---|---|
| How long you have been associated with SME’s | 54 | 17.00 | 1.00 | 18.00 | 6.0556 | 4.40590 | .908 | .325 | -.017 | .639 |
| Significant changes of Information Security Cost in last 12 months (in percentage) | 54 | 59.00 | 1.00 | 60.00 | 17.8889 | 13.60725 | 1.184 | .325 | 1.132 | .639 |
| Valid N (listwise) | 54 | | | | | | | | | |

From the above table, it can be seen that the mean length of time for which the respondents have been associated with SMEs is 6.0556, while the mean change in information security cost over the past 12 months is 17.8889. The standard deviation is 4.40590 for the respondents' length of association and 13.60725 for the change in information security cost.

Multivariate analysis

Multivariate Tests (a)

| Effect | Test | Value | F | Hypothesis df | Error df | Sig. | Noncent. Parameter | Observed Power (d) |
|---|---|---|---|---|---|---|---|---|
| Intercept | Pillai’s Trace | .952 | 476.241 (b) | 2.000 | 48.000 | .000 | 952.483 | 1.000 |
| | Wilks’ Lambda | .048 | 476.241 (b) | 2.000 | 48.000 | .000 | 952.483 | 1.000 |
| | Hotelling’s Trace | 19.843 | 476.241 (b) | 2.000 | 48.000 | .000 | 952.483 | 1.000 |
| | Roy’s Largest Root | 19.843 | 476.241 (b) | 2.000 | 48.000 | .000 | 952.483 | 1.000 |
| PR4_Obs_on_changed_strategies | Pillai’s Trace | .048 | 1.223 (b) | 2.000 | 48.000 | .303 | 2.445 | .254 |
| | Wilks’ Lambda | .952 | 1.223 (b) | 2.000 | 48.000 | .303 | 2.445 | .254 |
| | Hotelling’s Trace | .051 | 1.223 (b) | 2.000 | 48.000 | .303 | 2.445 | .254 |
| | Roy’s Largest Root | .051 | 1.223 (b) | 2.000 | 48.000 | .303 | 2.445 | .254 |
| PR5_changes_in_ISC | Pillai’s Trace | .009 | .228 (b) | 2.000 | 48.000 | .797 | .456 | .084 |
| | Wilks’ Lambda | .991 | .228 (b) | 2.000 | 48.000 | .797 | .456 | .084 |
| | Hotelling’s Trace | .010 | .228 (b) | 2.000 | 48.000 | .797 | .456 | .084 |
| | Roy’s Largest Root | .010 | .228 (b) | 2.000 | 48.000 | .797 | .456 | .084 |
| PR6_Devices_used_forwork | Pillai’s Trace | .141 | 1.858 | 4.000 | 98.000 | .124 | 7.431 | .546 |
| | Wilks’ Lambda | .861 | 1.866 (b) | 4.000 | 96.000 | .123 | 7.462 | .547 |
| | Hotelling’s Trace | .159 | 1.871 | 4.000 | 94.000 | .122 | 7.486 | .548 |
| | Roy’s Largest Root | .144 | 3.523 (c) | 2.000 | 49.000 | .037 | 7.045 | .630 |

a. Design: Intercept + PR4_Obs_on_changed_strategies + PR5_changes_in_ISC + PR6_Devices_used_forwork
b. Exact statistic
c. The statistic is an upper bound on F that yields a lower bound on the significance level.
d. Computed using alpha = .05

Tests of Between-Subjects Effects

| Source | Dependent Variable | Type III Sum of Squares | df | Mean Square | F | Sig. | Noncent. Parameter | Observed Power (c) |
|---|---|---|---|---|---|---|---|---|
| Corrected Model | RT_Risks_Threats | 2.105 (a) | 4 | .526 | 2.399 | .063 | 9.597 | .648 |
| | SA_Security_Approaches | .404 (b) | 4 | .101 | .330 | .856 | 1.321 | .118 |
| Intercept | RT_Risks_Threats | 113.340 | 1 | 113.340 | 516.708 | .000 | 516.708 | 1.000 |
| | SA_Security_Approaches | 100.621 | 1 | 100.621 | 328.950 | .000 | 328.950 | 1.000 |
| PR4_Obs_on_changed_strategies | RT_Risks_Threats | .526 | 1 | .526 | 2.396 | .128 | 2.396 | .329 |
| | SA_Security_Approaches | .004 | 1 | .004 | .012 | .915 | .012 | .051 |
| PR5_changes_in_ISC | RT_Risks_Threats | .082 | 1 | .082 | .373 | .544 | .373 | .092 |
| | SA_Security_Approaches | .045 | 1 | .045 | .147 | .703 | .147 | .066 |
| PR6_Devices_used_forwork | RT_Risks_Threats | 1.489 | 2 | .745 | 3.395 | .042 | 6.789 | .613 |
| | SA_Security_Approaches | .242 | 2 | .121 | .395 | .676 | .790 | .110 |
| Error | RT_Risks_Threats | 10.748 | 49 | .219 | | | | |
| | SA_Security_Approaches | 14.988 | 49 | .306 | | | | |
| Total | RT_Risks_Threats | 810.960 | 54 | | | | | |
| | SA_Security_Approaches | 628.800 | 54 | | | | | |
| Corrected Total | RT_Risks_Threats | 12.853 | 53 | | | | | |
| | SA_Security_Approaches | 15.393 | 53 | | | | | |

a. R Squared = .164 (Adjusted R Squared = .096)
b. R Squared = .026 (Adjusted R Squared = -.053)
c. Computed using alpha = .05

Based on the above multivariate analysis table, it can be stated that the relationship between the three variables, observations of changed strategies, changes in ISC and the devices used by the SME, is crucial. Furthermore, each of the aspects relating to security threats and risk approaches is also found to be significant when analyzing the security operational activities of SME business operations. In this statistical analysis, the dependent variables are risk threats and security approaches, while the independent factor is managerial role. The covariates accounted for the total time period for which the respondents were associated with the SME and the significant changes that took place in information security cost.

4.2 Qualitative Data Analysis

The qualitative data analysis comprised interpreting the data collected through an interview process from IT professionals associated with SMEs. Semi-structured questions were put to the professionals about their knowledge of cybersecurity management and the steps undertaken by organizations for that purpose. Interviews were conducted with 5 IT professionals.

Possible Measures for Combating Cybersecurity Management

According to respondent 1, external auditing and administrative security measures seem to be very important means of combating cybercrime. External auditing enables SME organizations to perform a detailed analysis of the data and information relating to a wide range of operational activities, followed by the establishment of suitable internal controls on the overall data management process. The administrative security process, in turn, enables the deployment of suitable professionals and processes to ensure cybersecurity.

Respondent 2 stated that, for SME operations, the consideration of and adherence to suitable policies for cloud services as a means of data handling is significant. Furthermore, the data handling policies are also extended to securing social media and mobile devices. In doing so, the operational activities are in a position to keep an eye on the flow of data across the cloud system.

Respondent 3 considers the use of internal communication devices to be one of the suitable measures for dealing with issues relating to cybercrime. It enables effective dissemination of information to the people in charge of the data that has been affected or damaged in the process. For effective operations, a single-source operational platform is developed to take care of the overall security planning process. In doing so, all the employees associated with handling IT channel operations are able to communicate with each other and share information as a means of dealing with issues.

Respondent 4 stated that the internal communication process aims to engage employees in several cybersecurity training exercises. Instead of just discussing what damage was done or how the data has been affected, employees are educated about every detail relating to it. As the process involves simulating cybersecurity situations, the ability to deal with any form of consequence in this regard is significant. Therefore, the degree to which SMEs can prevent cybersecurity attacks increases significantly.

According to respondent 5, external auditing helps them to keep track of all the necessary information and data that the SME business operations are dealing with. Furthermore, the internal communication process also enables free communication among the several departments responsible for handling different aspects of data security within the organization.

Technical Assistance Offered to Organizations

Respondent 1 stated that the notable forms of technical assistance offered to SME operations are internal firewall, antivirus and data backup as a means of dealing with the consequences of cybersecurity threats. With the use of an internet firewall, constant monitoring and control of incoming as well as outgoing network traffic is easily done according to rules predetermined in the planning stage. Furthermore, the use of antivirus and data backup enables the recovery and retrieval of information lost to potential data threats.

According to respondent 2, logs of system events help in providing a detailed record of all the programs that are installed on the operational interface. As a result, the process keeps track of the entire operational activities. Moreover, the hardware and software inventory list further helps in the process of keeping logs that support the technical operational scope of the SME.

Respondent 3 stated that installing antivirus on the system helps in preventing and detecting the presence of any form of malware in the operational process of the SME. It is also integral to removing any malware that might emerge as a potential threat to the organization in the long run.

According to respondent 4, the SME technical assistance process requires consideration of internet firewall, antivirus, software and password regulations, logs of system events and systems dedicated to effective data backup. Each of these factors is essential as a means of offering 360-degree protection of customer and business operational data from any form of vulnerability.

Respondent 5 considers it important to establish suitable regulations for dealing with software applications and hence to set up passwords to prevent any form of unauthorized access. It is of immense significance as the first step towards cybersecurity management within the SME operational scope. Furthermore, the process also makes effective use of antivirus and internet firewall systems as and when required.

4.3 Discussion

Two sets of data, primary data collected from the respondents and secondary data from the literature review, are considered here to highlight the degree of relevance between them. Cybersecurity accounts for protecting the operational network integrated with internet technology from any form of operational uncertainty as well as threat (Sun, Hahn and Liu, 2018). Likewise, SME business operations in the UK have felt the necessity of cybersecurity with their increased dependence on technology and data as a means of doing business. Cyber-attacks in the form of data breach, insecure application user interface, cloud abuse, malware attack, loss of data, hacking and insider threat are common occurrences in the SME sector. As a result, SME organizations are subjected to severe operational issues, requiring them to deploy suitable measures for dealing with the impact of cyber threats. The study conducted by Weerakkody and Sinopoli (2019) stated the necessity of a collaborative approach as a means of developing an effective cybersecurity management process. The primary data findings highlighted how UK-based SMEs are taking an extra step in dealing with the consequences of the cyber threats to which their business is exposed. This involves the use of a proper action plan that comprises planning, implementation, review, risk analysis and organizational practices for combating cyber security threats. Bendovschi and Al-Nemrat (2016) stated that cybersecurity countermeasures are responsible for deploying suitable techniques as a means of reducing the impact of an attack or vulnerability on valuable customer data. Furthermore, the process is integral to eliminating the likelihood of its occurrence within the business's operational scope in the near future.

4.4 Summary

The data collected from the survey and interview process provided extensive information on the present scope of cyber security management within the SME business context of the UK. The notable risks in this case were identified as lying in safeguarding the reputation of the organization as well as customer data. Moreover, proper security management is also integral to helping SMEs enjoy continued operations by making effective use of internet technology. The data also highlighted the relative importance of following a step-by-step approach to dealing with security issues, with proper planning and deployment strategies.

Chapter 5: Conclusion

5.1 Conclusion

This chapter of the research paper has tried to bring out the thorough observations found from the collected statistical data. The goals and objectives associated with the subject were framed in relation to the topic, and the data was collected on the same basis. The quantitative as well as the qualitative analysis has shown that there is a connection between the management of cyber security and the level of business efficiency. The discussion conducted in this research has demonstrated the importance of cyber security management within SMEs in the United Kingdom by conducting a thorough investigation of the risks as well as cybercrime. Moreover, this paper has portrayed how efficient cyber security management accomplishes its responsibilities by planning and implementing security measures across all networks and information systems.

5.2 Linking Objective with Conclusion

  • To identify the risks and threats related to cyber security against SMEs in the UK

Increasing use of IoT devices along with internet systems has increased the cyber security risks and threats faced by users. The analysis and discussion based on the data collected from the online survey and interviews have shown that cyber security threats and issues exist for enterprise-level users, online retail buyers and personal users of small and medium-sized enterprises. The data gathered from the online survey identified controls and practices for staying up to date about the threats and vulnerabilities to activities. Hence, the majority of the respondents marked the identification of the controls and practices to be applied for eliminating the vulnerabilities and threats associated with cyber security. A large number of organizations operating globally are facing vulnerabilities and risks with regard to cyber security. Therefore, in this context, this research has thoroughly identified all the possible threats and risks that exist for enterprises, personal users and online retailers. Some of the issues that have been widely identified and explored in this paper are data breaches, insecure application user interface or API, cloud abuse, malware attack, loss of data, hacking, single factor passwords, insider threat and so on. The research has exposed the way in which cyber security risk creates the probability or scope of loss or exposure resulting from a data breach or cyber-attack within organizations in different business sectors. This paper has portrayed the potential harm or loss in relation to the use of technology or the reputation of an organization as well as the technical infrastructure.

Therefore, the importance of eliminating the risks involved in cyber security has been shown. In this context, this paper has highlighted that cyber security encompasses everything that pertains to the protection of sensitive data, protected health-related information, intellectual property, industrial information systems, personally identifiable information and so on from theft and attempted damage. Most importantly, the data analysis and interpretation conducted in this research has shed light on the fact that an enterprise has to coordinate its efforts effectively throughout its entire information system for efficient cyber security, by considering several important aspects such as application security, network security, endpoint security, identity management, infrastructure or database security, mobile security, disaster recovery or business continuity planning and so on. Thus, this paper emphasizes that more adaptive as well as proactive approaches to cyber security can be promoted by advisory companies.

  • To investigate the preparation of SMEs for addressing and containing those risks and threats in cyber world

With the rapid increase in the threats and risks associated with cyber security, it has become a major concern for organizations to implement significant controls and countermeasures for addressing the risks of the cyber world. The research has adopted a social science approach in order to explore the strategies of small and medium enterprises in the United Kingdom for tackling the risks and threats of cybercrime. Technical controls over the measures to protect information systems have failed to mitigate the problems associated with cyber security. In addition, the analysis of the data gathered from the online survey and interviews has played a significant role in investigating the change in decision-making process, culture, communication, leadership and managerial roles needed to manage cyber security risks. This paper has portrayed the fact that maintaining the flexibility and smoothness of networks, by protecting the sensitive data transferred through the internet, requires continuous monitoring as well as appropriate management of cyber security. In this context, the data analysis portion of this research paper has established the definition of a countermeasure for resolving cyber security risks as an important action, procedure, technique or device that aims at reducing an attack, a vulnerability or a threat through the prevention as well as elimination of those issues. Moreover, this research has specified that corrective actions can also be considered or implemented to minimize the harm caused by the threats or risks associated with cyber security.

Hence, in this context, the overall research has shed light on some common and important countermeasures for eliminating cyber security threats, based on the analysis performed on the data gathered from the online survey. The overall analysis made in this paper has suggested that the vulnerabilities of assets be identified as well as documented in order to resolve those issues. Moreover, the research has also made the point very clear that internal and external threats need to be identified and documented properly, and that the vulnerabilities should also be assessed thoroughly.

  • To recommend the framework, which would effectively protect SMEs from cyber security risks and threats for their e-commerce business models

It is important for SMEs that operate on ecommerce business models to treat cyber security risks as key business concerns. Management of availability, integrity and confidentiality is a very important objective in the network security context. This research paper has conducted a thorough investigation of the change in decision-making process, culture, communication, leadership and managerial roles needed to manage cyber security risks. Every business based on ecommerce operations needs to think of its consumer base as its extended family and to take care of it accordingly. Hence, ecommerce-based SMEs have to be concerned with ensuring that consumers can feel safe while accessing and purchasing from the websites of ecommerce companies. Moreover, several types of security measures are necessary for accomplishing the goal of confidentiality, integrity and availability and for providing a well-rounded protection system. The overall analysis made in this paper has identified some important processes for protecting the ecommerce business models of SMEs from the associated cyber security risks and threats, in terms of ecommerce security standards, security policies, physical security, access control, monitoring, authentication, biometrics, cryptography, wireless security and so on. In addition, the research has also highlighted the fact that it is very significant for SMEs operating on ecommerce business models to provide a layered security infrastructure, along with performing assessments on a regular basis to check the security of their mobile and web applications, employees, networks and systems.

The research has also identified penetration testing, vulnerability scanning, network firewalls, Web Application Firewalls or WAF, IDS or IPS devices, Security Information and Event Management and Security Operations Centre as the protection mechanisms to be provided by ecommerce SMEs for eliminating and minimizing the risks and threats associated with the cyber security system. Furthermore, the overall study based on the data collected from the online survey has also explored some important and fundamental security measures, including security certificates, digital signature and encryption, that should also be taken into consideration when implementing a successful ecommerce business model based on an excellent cyber security system for SMEs.

References

Aldawood, H., & Skinner, G. (2018). Educating and raising awareness on cyber security social engineering: A literature review. In 2018 IEEE International Conference on Teaching, Assessment, and Learning for Engineering (TALE), pp. 62-68

Alnasser, A., Sun, H., & Jiang, J. (2019). Cyber security challenges and solutions for V2X communications: A survey. Computer Networks, 151, 52-67.

Bada, M., Sasse, A. M., & Nurse, J. R. (2019). Cyber security awareness campaigns: Why do they fail to change behaviour?. arXiv preprint arXiv:1901.02672.

Baig, Z. A., Szewczyk, P., Valli, C., Rabadia, P., Hannay, P., Chernyshev, M., … & Syed, N. (2017). Future challenges for smart cities: Cyber-security and digital forensics. Digital Investigation, 22, 3-13.

Basias, N., & Pollalis, Y. (2018). Quantitative and qualitative research in business & technology: Justifying a suitable research methodology. Review of Integrative Business and Economics Research, 7, 91-105.

Batten, L. M., Moonsamy, V., & Alazab, M. (2016). Smartphone applications, malware and data theft. In Computational intelligence, cyber security and computational models (pp. 15-24). Springer, Singapore.

Bendovschi, A., & Al-Nemrat, A. (2016). Security countermeasures in the cyber-world. In 2016 IEEE International Conference on Cybercrime and Computer Forensic (ICCCF) (pp. 1-7). IEEE.

Berman, D. S., Buczak, A. L., Chavis, J. S., & Corbett, C. L. (2019). A survey of deep learning methods for cyber security. Information, 10(4), 122.

Berry, C. T., & Berry, R. L. (2018). An initial assessment of small business risk management approaches for cyber security threats. International Journal of Business Continuity and Risk Management, 8(1), 1-10.

Clandinin, D. J., Cave, M. T., & Berendonk, C. (2017). Narrative inquiry: a relational research methodology for medical education. Medical Education, 51(1), 89.

Conteh, N. Y., & Schmick, P. J. (2016). Cybersecurity: risks, vulnerabilities and countermeasures to prevent social engineering attacks. International Journal of Advanced Computer Research, 6(23), 31.

El Mrabet, Z., Kaabouch, N., El Ghazi, H., & El Ghazi, H. (2018). Cyber-security in smart grid: Survey and challenges. Computers & Electrical Engineering, 67, 469-482.

Fletcher, A. J. (2017). Applying critical realism in qualitative research: methodology meets method. International Journal of Social Research Methodology, 20(2), 181-194.

Gupta, B. B. (Ed.). (2018). Computer and cyber security: principles, algorithm, applications, and perspectives. CRC Press.

HM Government. (2016). National Cyber Security Strategy 2016-2021. Retrieved from https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021

Husák, M., Komárková, J., Bou-Harb, E., & Čeleda, P. (2018). Survey of attack projection, prediction, and forecasting in cyber security. IEEE Communications Surveys & Tutorials, 21(1), 640-660.

Johansson, J. (2019). Countermeasures Against Coordinated Cyber-Attacks Towards Power Grid Systems: A systematic literature study.

Kimani, K., Oduol, V., & Langat, K. (2019). Cyber security challenges for IoT-based smart grid networks. International Journal of Critical Infrastructure Protection, 25, 36-49.

Kumar, R. (2019). Research methodology: A step-by-step guide for beginners. Sage Publications Limited.

Kumar, S., & Agarwal, D. (2018). Hacking attacks, methods, techniques and their protection measures. International Journal of Advance Research in Computer Science and Management, 4(4), 2253-2257.

Ledford, J. R., & Gast, D. L. (Eds.). (2014). Single case research methodology: Applications in special education and behavioral sciences. Routledge.

MacDonald, C. (2012). Understanding participatory action research: A qualitative research methodology option. The Canadian Journal of Action Research, 13(2), 34-50.

Mackey, A., & Gass, S. M. (2015). Second language research: Methodology and design. Routledge.

Malik, M. I., McAteer, I. N., Hannay, P., Ibrahim, A., Baig, Z., & Zheng, G. (2020). Cyber Security for network of things (nots) in Military Systems: Challenges and Countermeasures. Security Analytics for the Internet of Everything, 231.

Mawgoud, A. A., Taha, M. H. N., Khalifa, N. E. M., & Loey, M. (2019, October). Cyber Security Risks in MENA Region: Threats, Challenges and Countermeasures. In International Conference on Advanced Intelligent Systems and Informatics (pp. 912-921). Springer, Cham.

Meszaros, J., & Buchalcevova, A. (2017). Introducing OSSF: A framework for online service cybersecurity risk management. Computers & Security, 65, 300-313.

Mohajan, H. K. (2018). Qualitative research methodology in social sciences and related subjects. Journal of Economic Development, Environment and People, 7(1), 23-48.

Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017). National initiative for cybersecurity education (NICE) cybersecurity workforce framework. NIST Special Publication, 800(2017), 181.

Ngozwana, N. (2018). Ethical Dilemmas in Qualitative Research Methodology: Researcher’s Reflections. International Journal of Educational Methodology, 4(1), 19-28.

Patel, C., & Doshi, N. (2019). Security challenges in IoT cyber world. In Security in Smart Cities: Models, Applications, and Challenges, pp. 171-191

Rantos, K., Spyros, A., Papanikolaou, A., Kritsas, A., Ilioudis, C., & Katos, V. (2020). Interoperability Challenges in the Cybersecurity Information Sharing Ecosystem. Computers, 9(1), 18.

Samaila, M. G., Sequeiros, J. B., Freire, M. M., & Inácio, P. R. (2018, August). Security threats and possible countermeasures in IoT applications covering different industry domains. In Proceedings of the 13th International Conference on Availability, Reliability and Security (pp. 1-9).

Sun, C. C., Hahn, A., & Liu, C. C. (2018). Cyber security of a power grid: State-of-the-art. International Journal of Electrical Power & Energy Systems, 99, 45-56.

Sun, N., Zhang, J., Rimba, P., Gao, S., Zhang, L. Y., & Xiang, Y. (2018). Data-driven cybersecurity incident prediction: A survey. IEEE Communications Surveys & Tutorials, 21(2), 1744-1772.

Sundararajan, A., Khan, T., Moghadasi, A., & Sarwat, A. I. (2019). Survey on synchrophasor data quality and cybersecurity challenges, and evaluation of their interdependencies. Journal of Modern Power Systems and Clean Energy, 7(3), 449-467.

Thomas, J. (2018). Individual cyber security: Empowering employees to resist spear phishing to prevent identity theft and ransomware attacks. International Journal of Business Management, 12(3), 1-23.

Tsirtsis, A., Tsapatsoulis, N., Stamatelatos, M., Papadamou, K., & Sirivianos, M. (2016). Cyber security risks for minors: a taxonomy and a software architecture. In 2016 11th International Workshop on Semantic and Social Media Adaptation and Personalization (SMAP), pp. 93-99.

Van Schaik, P., Jeske, D., Onibokun, J., Coventry, L., Jansen, J., & Kusev, P. (2017). Risk perceptions of cyber-security and precautionary behaviour. Computers in Human Behavior, 75, 547-559.

Weerakkody, S., & Sinopoli, B. (2019). Challenges and opportunities: Cyber-physical security in the smart grid. In Smart Grid Control (pp. 257-273). Springer, Cham.

Zerzri, M. (2017). The Threat of Cyber Terrorism and Recommendations for Countermeasures. Cyber Terror., 6.