Design development and evaluation of the cybersecurity risk tool: a case of small and medium-sized enterprises in South Africa

Abstract

The increased convenient use and the openness of cyberspace increased cyberrisks in all institutions. The cybercriminals use innovative ways to gain unauthorised access to systems and leave them vulnerable to cyberthreats and cyberattacks. The common cyberthreats range from intrusion, ransomware, fraud, unauthorized access and modification of information, malicious codes, and denial of service. The exposure of small and medium-sized enterprises (SME) to these cyber attacks compromises business and information systems. When cyber attacks materialize they pose risks that impact SME’s business continuity client trust, economic growth and performance. This study designed, developed and evaluated cyberrisk tools for SMEs in South Africa using AgenaRisk package with artificial intelligence (AI) capabilities through the Bayesian network tools. Within the qualitative approach, the study purposive sampling to select 45 respondents (females and males) from the businesses that operated during the Covid-19 pandemic. Data were collected using a questionnaire deployed in Google Forms. The research gathered qualitative and quantitative data about the existing cybersecurity risks, their impact, likelihood and current protection measures. The collected data were analysed and interpreted using thematic analysis and descriptive statistics. In addition, the study used quantitative risk assessment using the modelling and analytical techniques to perform sensitivity analysis, scenario analysis, Tornado graphs, decision trees, and expected monetary value. Lastly, the work adopted the NIST framework to align with the existing cybersecurity controls to improve cybersecurity, employee awareness, and training, aiding the extensive implementation of cybersecurity. The results indicated that all small businesses have been affected by different cyberthreats and cyberattacks that compromise the entire information systems resulting in cyberrisks. Some risks are planned and some are unplanned. Even though some SMEs implemented mitigation measures, the extent of their usage and implementation still needs to be improved. Simulated cases demonstrated different threat levels, which ultimately led to unauthorised information being accessed These different cases act as a clear guide showing the threat level, its impact and the risk likelihood. The framework shared insights about cybersecurity risk management and highlighted the strategies to promote the use of cyberspace and improve secure surfing. The developed risk tool illustrated the risk likelihood and the risk impact based on the key dependent and independent variables, prior indicators, as well as posterior indicators. Cyberrisk models demonstrated possible risks that SMEs are exposed to, different connected variables that determined the risk likelihood of the uncertain variables and the risk impact. Recommendations to improve the state of cybersecurity in the context of SMEs were made, followed by suggestions for future work and a conclusion.