
I. Introduction:

In 1988, issues of cybersecurity first began appearing in the United States as well as all around the world. Technology was becoming increasingly advanced, and people became more reliant on it to complete their daily tasks. Simultaneously, hackers started using these technological advances to their advantage. Indeed, “as information technology has advanced, so has the threat of security problems for the small business owner” (Johnson & Koch, 2006). Over 76% of all cyber attacks affect companies with fewer than 100 employees. The main issue, however, is that roughly 50% of these companies believe that they are too small or insignificant to be noticed by mainstream hackers. While companies have been spending their budget on technology that will increase their profit, the advanced computers and other machinery that hackers have purchased have already become more than capable of bypassing a company’s old security system. Additionally, modern cybersecurity companies have begun to design and manufacture their systems around the needs of larger companies, simply because larger companies bring in more money than smaller ones. Small companies with fewer than 200 employees have become too dismissive of the huge amount of risk that they face, and when combined with the widespread growth of technology that increasingly favors hackers, these companies could lose thousands of dollars without the proper defense. Implementing a real-time risk management system as well as raising awareness among employees would provide small companies with a way to determine their risk tolerance and improve their security overall.

II. Background
A. Technology is an ever-growing world
1. With this growth, it is difficult for companies to stay constantly updated
with the technology because of the costs
2. This makes it easier for hackers to infiltrate; they will always be one step ahead
3. It’s no longer realistic or fair to expect an IT department to mitigate every
IT security risk
a) Companies have to be able to come up with plans to defend
themselves as well
b) “2013, there was approximately 30 million security breaches, a
12.8% annualized growth since 2011” (3)
c) “Rise in the widespread use of technology brought with it a rise in
cybercrime and antivirus software is still an essential part of the IT
security armoury, but it’s not enough – by itself – to protect from
modern threats” (5)
B. How cybersecurity began and how it has grown over time
1. The problem of viruses and infiltrations began in 1988 when a
man named Robert Morris wanted to gauge the size of the internet
2. He wrote a program designed to propagate across networks, infiltrate Unix
terminals using a known bug, and then copy itself
3. The Morris worm ended up replicating so aggressively that the early
internet slowed to a crawl, causing untold damage.
4. Robert Morris became the first person successfully charged under the
Computer Fraud and Abuse Act
5. This act also led to the formation of the Computer Emergency Response
Team
C. Well-known
1. WannaCry is well known as one of the biggest ransomware
offensives in history
2. Within 24 hours, WannaCry had infected more than 230,000 computers in
over 150 countries.
3. An estimated 1.3 billion endpoints were eventually infected
4. In the UK, the National Health Service – a major client for Sophos – had
to cancel 20,000 appointments and operations due to the ransomware
III. Current issues with cybersecurity
A. Small companies are too ignorant of the huge amount of risk that they are facing
and the possible impact that an infiltration could have
1. They believe that since hackers are able to make more of a profit from
infiltrating, “Results of their research showed a moderate level of security
awareness (60-70%) and a rather low level of implementation (34-45%)
for the simplest of all technology levels.” (Johnson & Koch, 1)
a) Even though some companies are aware of the fact that they face
risk, they fail to implement systems and even the most simple
technology to defend against these risks
2. “In 1998, 50 percent of businesses survey reported no attack-related
downtime.” (2)
a) In other words, 50% of businesses don’t spend any time focusing
on the potential attacks that their companies could face and how to
better their security systems
B. Existing cybersecurity systems are too complex, too large, and too expensive for
small companies to implement as they are mainly designed for larger companies
1. “50 percent of organizations polled have annual IT budgets of $5,000 or
less, and 50 percent of those have security budgets of less than $1,000.”
(8)
a) $1,000 isn’t enough for an SMB to afford a cybersecurity system
that is well designed for them much less one that
2. “The average cost to deploy security automation is $2.88 million,
according to the study. Without cybersecurity solutions, a company could
risk up to $4.43 million in breach costs.” (7)
C. “The biggest challenges SMBs face regarding IT security, according to
respondents, are budget constraints (48 percent), limited time to research and
understand new threats (37 percent) and lack of manpower to monitor and manage
security (34 percent).” (11)
IV. Real-time risk management can help
A. Creating a system that can measure the risk rather than simply be an indicator
1. “If the right controls are applied to the right assets and they are
implemented effectively relative to the level of threat, then the
organisation will be able to defend itself against the threat.” (3)
a) If a system is designed to be able to measure the amount of risk
that a company faces rather than simply
2. “Threats will aim to exploit weaknesses (or vulnerabilities) in controls to
access data.” (8)
B. With this, companies can determine their risk tolerance
1. “Only by understanding and measuring our status can companies manage
their cyber risks and, given the very high threat that hackers have on small
companies, managing cyber risks is an absolute necessity” (10)
a) Companies need a way to determine how much risk they face
rather than utilize a system which only acts as an indicator of risk.
2. “Metrics measuring patch status on affected assets will indicate weak
performance.” (2)
a) This is one example of what a real-time risk management system
could do for a company. These systems utilize certain metrics that
can measure and indicate weak security areas in a company
and expose its vulnerabilities.
C. To maintain their systems, companies must constantly update them
1. “To maintain a real-time view of cyber security risk status we need to be
able to update our risk measurements whenever relevant changes occur.”
(6)
a) Without a system that is constantly updated, companies will
not be able to have a system that correctly displays the level of
risk that they are facing at a certain time.
2. “Review risks and see whether measured changes to risk levels are
tolerable individually and are within overall appetite.” (9)
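
The measurement loop outlined in this section (a patch-status metric per asset, re-measured whenever a relevant change occurs, then reviewed against each asset's tolerance and the overall appetite) can be sketched as follows. This is an added example, not code from the essay or its sources; the scoring formula, field names and event types are assumptions, and the sample inventory is constructed.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: int            # assumed impact scale: 1 (low) to 5 (critical)
    missing_patches: int  # patch-status metric for this asset
    exposed: bool         # reachable from the internet?
    tolerance: float      # highest score accepted for this asset alone

    def risk(self) -> float:
        # Assumed model: each missing patch adds 10% likelihood, doubled if exposed.
        likelihood = min(1.0, 0.1 * self.missing_patches * (2 if self.exposed else 1))
        return round(self.value * likelihood, 2)

class RiskRegister:
    def __init__(self, appetite: float, assets: list[Asset]):
        self.appetite = appetite  # ceiling for the sum of all asset scores
        self.assets = {a.name: a for a in assets}

    def apply_event(self, event: dict) -> dict:
        """Update the metric one change event touches, then re-measure at once."""
        asset = self.assets[event["asset"]]
        if event["type"] == "patch_missing":
            asset.missing_patches += event["count"]
        elif event["type"] == "patch_applied":
            asset.missing_patches = max(0, asset.missing_patches - event["count"])
        elif event["type"] == "exposure_changed":
            asset.exposed = event["exposed"]
        else:
            raise ValueError(f"unknown event type: {event['type']}")
        return self.review()

    def review(self) -> dict:
        scores = {name: a.risk() for name, a in self.assets.items()}
        total = round(sum(scores.values()), 2)
        return {"scores": scores, "total": total,
                "over_tolerance": sorted(n for n, a in self.assets.items()
                                         if scores[n] > a.tolerance),
                "within_appetite": total <= self.appetite}

def build_sample_register() -> RiskRegister:
    # Constructed sample inventory for a small business.
    return RiskRegister(4.0, [Asset("pos-terminal", 4, 1, False, 2.0),
                              Asset("mail-server", 5, 2, True, 3.0)])

if __name__ == "__main__":
    reg = build_sample_register()
    print(reg.review())
    print(reg.apply_event({"asset": "mail-server", "type": "patch_missing", "count": 3}))
```

Each call to `apply_event` returns a fresh review, so a falling patch metric shows up as a measured change in risk rather than a static warning flag.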
V. Incidents are caused by people ignoring mainstream advice around avoiding clicking on
suspicious links and maintaining secure passwords
A. Companies should give higher priority to educating their employees on the basics of
cybersecurity because most infiltrations occur due to human error
1. “66% of SMB employees and 44% of leaders connect to public Wi-Fi to
do work, 62 percent of employees and 44% of leaders use their work
computers to access personal social media accounts” (12)
2. “69% of employees and 76% of leaders don't protect their work email with
multi-factor authentication.” (3)
B. Becoming aware of security risks can positively impact the average person’s
career by showing their company that they can be trusted with additional
responsibilities such as educating the rest of the company about all the security risks
and how to prevent breaches
1. “A study conducted by Ponemon Institute, 25% of data breaches in the
U.S. are triggered by human error” (3)
2. “Many security breaches are caused by human error such as clicking
foreign links as well as one’s failure to properly delete data from devices.”
(4)
C. Companies should limit the number of people who have special access to certain
sensitive data and closely monitor those people who have access to the data
VI. Conclusion:
Computer security is a growing problem for all businesses large and small and, according to many of the studies that were analyzed, hackers are clearly doing a better job of infiltrating systems than small companies are at defending against them. While implementing real-time risk management systems is not the only solution to the ongoing issues that small companies are facing, utilizing them is certainly the most ideal way for companies to resolve those issues. Real-time risk management systems are not only easier to employ in a company, but they are also more beneficial. They can provide a constantly updated measure of risk rather than an indicator of risk that needs to be constantly manually refreshed. Additionally, companies should put more effort into providing their employees with the information necessary to ensure that no company infiltrations occur due to a simple human error such as clicking a mysterious link or opening a certain email.

Works Cited

1) Burstein, Aaron J. Conducting Cybersecurity Research Legally and Ethically. p. 8. Accessed on 22 Dec. 2018.

2) Carin, Lawrence, et al. Quantitative Evaluation of Risk for Investment Efficient Strategies in Cybersecurity: The QuERIES Methodology. 2007, p. 18.

3) Columbus, Brian B. “Investing in a Centralized Cybersecurity Infrastructure: Why ‘Hacktivism’ Can and Should Influence Cybersecurity Reform.” Boston University Law Review, vol. 92, p. 49.

4) Creery, A., and E. J. Byres. “Industrial Cybersecurity for Power System and Scada Networks.” Record of Conference Papers Industry Applications Society 52nd Annual Petroleum and Chemical Industry Conference, IEEE, 2005, pp. 303–09, doi:10.1109/PCICON.2005.1524567.

6) Delgado, Rick. “A Hacker’s Perspective on Cyber Security.” The State of Security, 5 Apr. 2017, https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hackers-perspective-cyber-security/.

7) Dunn Cavelty, Myriam. “Cybersecurity Research Meets Science and Technology Studies.” Politics and Governance, vol. 6, no. 2, June 2018, p. 22, doi:10.17645/pag.v6i2.1385.

8) Ezrati, Milton. “Cybersecurity: A Major Concern And A Great Business Opportunity.” Forbes, https://www.forbes.com/sites/miltonezrati/2018/09/05/cyber-security-a-major-concern-and-a-great-business-opportunity/. Accessed 13 Sept. 2018.

9) Goolsby, Rebecca. On Cybersecurity, Crowdsourcing, and Social Cyber-Attack. p. 9. Accessed 10 Jan. 2019.

10) Gordon, Lawrence A., et al. “Investing in Cybersecurity: Insights from the Gordon-Loeb Model.” Journal of Information Security, vol. 07, no. 02, 2016, pp. 49–59, doi:10.4236/jis.2016.72004.

11) Jang-Jaccard, Julian, and Surya Nepal. “A Survey of Emerging Threats in Cybersecurity.” Journal of Computer and System Sciences, vol. 80, no. 5, Aug. 2014, pp. 973–93, doi:10.1016/j.jcss.2014.02.005.

12) Meghji, Sultan. “Will People Start Taking Cybersecurity Seriously In 2018?” Forbes, www.forbes.com/sites/forbestechcouncil/2018/08/03/will-people-start-taking-cybersecurity-seriously-in-2018/. Accessed 9 Oct. 2018.

13) Morris, Thomas H., et al. “A Testbed for SCADA Control System Cybersecurity Research and Pedagogy.” CSIIRW, 2011, doi:10.1145/2179298.2179327.

14) Nurse, Jason R. C., et al. “Guidelines for Usable Cybersecurity: Past and Present.” 2011 Third International Workshop on Cyberspace Safety and Security (CSS), IEEE, 2011, pp. 21–26, doi:10.1109/CSS.2011.6058566.

15) Penkala, Ross. “13 Cybersecurity Training Tips For Employees (From 7 Insiders).” BitSight, https://www.bitsighttech.com/blog/13-cybersecurity-training-tips-for-employees. Accessed 10 Oct. 2018.

16) Sreedhar, Suhas. “Three Effective Approaches To Corporate Security.” Forbes, https://www.forbes.com/sites/sungardas/2014/04/09/three-effective-approaches-to-corporate-security/. Accessed 29 Sept. 2018.

17) Stevens, Melissa. “Cybersecurity Risk: A Thorough Definition.” BitSight, https://www.bitsighttech.com/blog/cybersecurity-risk-thorough-definition. Accessed 6 Oct. 2018.

18) Ten, Chee-Wooi, et al. “Anomaly Detection for Cybersecurity of the Substations.” IEEE Transactions on Smart Grid, vol. 2, no. 4, 2011, pp. 865–73, doi:10.1109/TSG.2011.2159406.

19) Ten, Chee-Wooi, et al. “Cybersecurity for Critical Infrastructures: Attack and Defense Modeling.” IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans, 2010, pp. 853–865.

20) Wright, A. “Small Companies Targeted.” Communications of the ACM, vol. 54, no. 9, 2011, p. 15.

21) Parker, Bob. “The History of Cyber Security — Everything You Ever Wanted to Know.” SentinelOne, 10 Mar. 2018, https://www.sentinelone.com/blog/history-of-cyber-security/.

22) Koulopoulos, Thomas. “60 Percent of Companies Fail in 6 Months Because of Cyber Attacks.” Inc.com, 11 May 2017, https://www.inc.com/thomas-koulopoulos/the-biggest-risk-to-your-business-cant-be-eliminated-heres-how-you-can-survive-i.html.
