Abstract
Small and medium-sized enterprises (SMEs) are considered an essential part of the EU economy; however, they are highly vulnerable to cyber-attacks. SMEs have specific characteristics which separate them from large companies and influence their adoption of good cybersecurity practices. To mitigate the SMEs’ cybersecurity adoption issues and raise their awareness of cyber threats, we have designed a self-paced security assessment and capability improvement method, CYSEC. CYSEC is a security awareness and training method that utilises self-reporting questionnaires to collect companies’ information about cybersecurity awareness, practices, and vulnerabilities to generate automated recommendations for counselling. However, confidentiality concerns about cybersecurity information have an impact on companies’ willingness to share their information. Security information sharing decreases the risk of incidents and increases users’ self-efficacy in security awareness programs. This paper presents the results of semi-structured interviews with seven chief information security officers (CISOs) of SMEs to evaluate the impact of online consent communication on motivation for information sharing. The results were analysed with respect to Self-Determination Theory (SDT). The findings demonstrate that online consent with multiple options for indicating a suitable level of agreement improved motivation for information sharing. This allows many SMEs to participate in security information sharing activities and helps security experts gain a better overview of common vulnerabilities.
Acknowledgments
This work has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreements No. 740787 (SMESEC), No. 883588 (GEIGER), and the Swiss State Secretariat for Education, Research and Innovation (SERI) under contract number 17.00067. The opinions expressed and arguments employed herein do not necessarily reflect the official views of these funding bodies.
Copyright information
© 2020 IFIP International Federation for Information Processing
About this paper
Cite this paper
Shojaifar, A., Fricker, S.A. (2020). SMEs’ Confidentiality Concerns for Security Information Sharing. In: Clarke, N., Furnell, S. (eds) Human Aspects of Information Security and Assurance. HAISA 2020. IFIP Advances in Information and Communication Technology, vol 593. Springer, Cham. https://doi.org/10.1007/978-3-030-57404-8_22
DOI: https://doi.org/10.1007/978-3-030-57404-8_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-57403-1
Online ISBN: 978-3-030-57404-8
eBook Packages: Computer Science (R0)