Threat modeling during the times of hybrid work: A tech SME perspective

This publication is subject to copyright regulations. The work may be read and printed for personal use. Use for commercial purposes is prohibited.

Online publication

Abstract

Cybersecurity has become a highly relevant area in the industry that organizations of all sizes need to consider to stay relevant and viable. To address cybersecurity at a sufficient level, general "best practices" for security are simply inadequate, and security measures like threat modeling are required. An increased number of cyberattacks during the last few years has further highlighted the importance of proper security management in an organizational context. In addition, the COVID-19 pandemic led to a sudden, widespread shift from traditional on-site work to remote and hybrid work (a combination of on-site and remote work), which has created more challenges for effectively managing cybersecurity risks. While larger enterprises tend to have the resources to meet the cybersecurity needs of new work models and their associated risks, the same does not apply to small and medium-sized enterprises (SMEs). Researchers had already found that the risks of hybrid work need to be accounted for and had recognized ways to do so, but the question of how SMEs view these risks was left unanswered. This thesis aims to learn how tech SMEs view the cybersecurity risks associated with hybrid work, what strategies they adopt to deal with them, and whether threat modeling is a tool tech SMEs consider in their cybersecurity management. To reach these goals, the author used a case study approach, collecting data from 9 employees of a Finnish tech SME through semi-structured interviews, which were then analyzed together with observational data collected by the thesis author. The findings show that SMEs, even tech SMEs, rely on the best-known cybersecurity best practices, such as using a VPN, to deal with cybersecurity risks related to hybrid work. SMEs also view threat modeling as an optional security tool of which they usually have little knowledge or experience. In addition, the study results revealed that it is feasible to implement threat modeling into a tech SME's existing security practices if the general limitations of SMEs and the specific requirements of the SME in question are considered beforehand.
