What can “Economics of Information Security”

What can “Economics of
Information Security” do for SMEs
Richard Henson, University of Worcester
[email protected]
Bruce Hallas, Marmalade Box
[email protected]
Objectives
• Sum up the lack of research interest to date in certification, and especially SME certification
• Identify how “Economics of Information
Security” research could really help SMEs
• Propose examples of assistance that could
be provided
Measures on Certification
• ISO27001 certificates awarded are all meticulously recorded
• Shows very wide discrepancies across countries
• Mostly NOT SMEs, but the comparison is interesting
• Totals for whole countries may be cause for congratulation/concern
UK SMEs and Certification
• Practitioner experience suggests that SMEs are only getting ISO27001 certified if required to by supply chain partners
• Question: why are they not doing so because it will improve their business?
• Research (Worcester Business School, small sample, regional)
– 7% of SMEs have been approached by corporate partners about ISO27001 (need advice… not just from consultants)
– even lower figures for IS policy than the BERR UK survey 2008 (42%, compared to 54%)
– 28% aware of PCI DSS
– full results will be available once fully analysed…
• Is the recession effectively pushing SMEs backwards in
terms of security safeguards?
– if so, why is this a concern?
What can EIS studies do for SMEs
• SMEs very concerned about:
– efficient use of resources
– ROI
– Reputation
• Also could be persuaded about:
– information risk management
– keeping legal
• EIS studies could provide useful guidance information for all of the above
– Provide pointers towards calculation of the value of corporate data
– Govt agencies would also especially like to see a value for typical records of personal data…
• Easier to justify a ROI of £2000 on improving security procedures if the value of 1000 records is perceived at £50000…
Do SMEs matter?
• More than we all realise…
– In UK
• 99% of all businesses
• 50% of GDP
– Increasingly linking into the national (global?) supply chain as they engage electronically with corporate partners
• UK govt recognises the problem
– not much of a rush for a solution
– hence the call to colleagues researching in EIS
• We neglect SMEs at our peril…
– “weakest link” etc…
– easy prey for cyberattacks