EPSRC Project: Enhancing Cyber Resilience of Small and Medium-sized Enterprises through Cyber Security Communities of Support

Project Summary

Small and Medium-sized Enterprises (SMEs) are a vital element of the economy, accounting for 99.9% of UK businesses, generating three fifths of employment and turnover of £2.3 trillion. They are a crucial asset requiring protection as part of our overall national resilience. Unfortunately, the UK Cyber Security Breaches Survey indicates that half of small and a third of micro businesses experienced breaches or attacks in the last year. Moreover, while they frequently seek external guidance in relation to cyber security, they do so via a huge range of sources, and often find themselves overwhelmed with information and unable to understand the advice. Research is required to better understand SME needs and the perspective of those that they turn to for support, and to then use these insights as a foundation for the design and evaluation of a new and more accessible approach.

The research begins with an investigation of the support needs of small businesses, to establish their current understanding and confidence around cyber security, and their awareness and perceptions of available support. The investigation will seek to determine the scenarios in which cyber security advice is sought (e.g. during product evaluation, at point of purchase, in response to threats and incidents), and whether it is deemed effective. In parallel, the project analyses support routes available to these businesses, with focus upon the coverage and consistency of advice, as well as the confidence and capacity of those providing it. This will include a range of online and in-person sources, in order to capture the diversity of routes that businesses themselves tend to pursue, and will include those specifically designated to provide support (e.g. Cyber Resilience Centres) and those that may find themselves facing cyber security queries when potentially less well-placed to handle them (e.g. retailers).

From these foundations, the research then conducts more detailed analysis of business and advisor experiences by tracking individual support journeys as they occur. This offers more direct intelligence on the nature and volume of support being sought, as well as the extent to which the requests led to an effective outcome. The analysis delivers a series of case studies identifying factors that led to successful or unsuccessful outcomes.

The findings inform activities to enhance support provision through the design, implementation and pilot evaluation of Cyber Security Communities of Support (CyCOS), representing local collaboration and cooperation between SMEs and advisory sources. The foundations include the creation of an online Support Broker, enabling the SMEs to identify support needs and contact advisory sources positioned to help them (which, as the community develops and grows in experience, may include peer support from other SMEs). In parallel, the project offers upskilling opportunities for advisors and interested SMEs, via foundational cyber security certification to increase their related knowledge and capability. The project will then trial the operation of the CyCOS via three pilots. This will enable practical evaluation of the approach, culminating an established and repeatable model that can then be adopted more widely.

The delivery of the research is supported by relevant industry partners, including those providing expertise and resources to support the CyCOS, and those offering channels for engagement with the SME community. Partner representatives will form an Advisory Board, meeting regularly throughout the project, offering input and feedback to further guide the activities.

The resulting 30-month project contributes to national resilience by addressing an area of existing vulnerability and potential compromise. It will enhance understanding of SMEs’ cyber security support needs and the ability to address them, while enabling SMEs themselves to recognise and embrace a core aspect of their digital responsibility.

Project Team and RISCS Project Fellows

Professor Steven Furnell
Dr Maria Bada
Dr Jason Nurse
Steve is Professor of Cyber Security in the School of Computer Science at the University of Nottingham. His research interests include security management and culture, usability of security and privacy, and technologies for user authentication and intrusion detection. He has authored over 370 papers in refereed international journals and conference proceedings, as well as various books, book chapters, and industry reports. Steve is the UK representative to Technical Committee 11 (security and privacy) within the International Federation for Information Processing, and a board member of the Chartered Institute of Information Security, and a member of the Steering Group for the Cyber Security Body of Knowledge (CyBOK) and the Careers and Learning Working Group within the UK Cyber Security Council. Maria Bada is a Lecturer at Queen Mary University in London and is a Co-I for the project 'Enhancing Cyber Resilience of Small and Medium-sized Enterprises through Cyber Security Communities of Support - CyCOS'. She is a behavioural scientist, and her work focuses on the human aspects of cybersecurity and cybercrime. Her research looks at the effectiveness of cybersecurity awareness campaigns trying to identify factors which potentially lead to failure of changing the information security behaviour of consumers and employees. She has collaborated with government, law enforcement and private sector organisations to assess national level cybersecurity capacity and develop interventions to enhance resilience. She is a member of the National Risk Assessment (NRA) Behavioural Science Expert Group in the UK, working on the social and psychological impact of cyber-attacks on members of the public. She is a member of the British Psychological Society. Jason R.C. Nurse is a Reader in Cyber Security at the University of Kent and the Institute of Cyber Security for Society (iCSS). Dr Nurse is a Co-I on the “Enhancing Cyber Resilience of Small and Medium-sized Enterprises through Cyber Security Communities of Support” (CyCOS) project. He holds the roles of Visiting Fellow in Defence & Security at Cranfield University, Associate Fellow at the Royal United Services Institute for Defence and Security Studies (RUSI), and Co-Chair of the Research Institute for Sociotechnical Cyber Security (RISCS) Advisory Board. His conducts research on cyber insurance and its interplay between security and threats such as ransomware, security risk management, corporate communications and cyber security, and security culture. Dr Nurse was selected as a Rising Star for his research into cybersecurity, as a part of the UK's Engineering and Physical Sciences Research Council's Recognising Inspirational Scientists and Engineers (RISE) awards campaign. Dr Nurse has published over 100 peer-reviewed articles in internationally recognised security journals and conferences, and he is a professional member of the British Computing Society. His research has been featured in various national and international media including the BBC, Newsweek, Associated Press, Wall Street Journal, and Wired.