A dynamic simulation approach to support the evaluation of cyber risks and security investments in SMEs

Article
Publication date:
2021
Abstract:
The growing number of cyberspace threats highlights the need to evaluate cybersecurity risks and to plan for effective investments. One internationally recognized document for cybersecurity risk management is the Framework for Improving Critical Infrastructure Cybersecurity by the US National Institute of Standards and Technology (NIST). It provides guidelines, best practices and standards for cybersecurity risk management. Nevertheless, like other self-assessment frameworks, it produces a static view of an organization's cyber posture and does not capture the dynamics of organizational changes and cyberattacks. Moreover, the current situation sees small and medium enterprises (SMEs) in a critical position since they need to manage their cybersecurity while usually not being skilled or equipped enough to internalize this process. Therefore, there is a need for a practical and easily applicable model able to identify a cybersecurity risk profile and its dynamics. This study proposes a system dynamics methodology and tool (SMECRA - SME Cyber Risk Assessment) for supporting cybersecurity investment decisions for SMEs through the evaluation of cyber risk and previous investments. SMECRA addresses dynamic organizational complexity and can be used to assess cyber risks and related dynamics over time. Three case studies demonstrate its capability to assess an SME's cybersecurity status and to evaluate investments' impacts on an organization's risk profile, raising cybersecurity awareness. This study is important for SMEs wishing to manage their own cybersecurity risk and for insurance companies in their economic evaluation of residual risks that SMEs wish to externalize.
CRIS type:
1.1 Journal article
Keywords:
Cybersecurity; Modeling & simulation; Risk assessment; Risk management; SME; System dynamics
Author list:
Armenia, S.; Angelini, M.; Nonino, F.; Palombi, G.; Schlitzer, M. F.
University authors:
ANGELINI MARCO
Link to the full record:
https://iris.unilink.it/handle/20.500.14085/26124
Published in:
DECISION SUPPORT SYSTEMS
Journal