Cyber Resilience Self-Assessment Tool (CR-SAT) for SMEs

On the current environment, companies face risks and threats to the systems they need to operate often known as cyber threats. Most of these companies are small and medium-sized enterprises (SMEs) and they are exposed to these cyber threats. To mitigate the risks and be able to thrive with as little disruption as possible, SMEs require cyber resilience capabilities. However, due to their limited resources, SMEs usually have no dedicated personnel for cyber resilience operationalization and thus lack the experience this discipline requires to implement. To aid SMEs in their cyber resilience operationalization, the current literature offers several kinds of solutions, but these solutions are usually targeted for companies with more resources than SMEs and do not aid in the complete process of assessing their current cyber resilience, deciding actions to improve it and prioritizing these actions. To aid companies in this systematic process to operationalize or implement cyber resilience, this article develops and tests an operational web-based tool in which companies can follow the complete process described before. To achieve this, a cyber resilience framework with the essential policies for SMEs, descriptions of their natural progressions in a progression model and a prioritization of these policies have been developed. In this article, this framework, progression model and prioritization are later transformed into one cyber resilience self-assessment tool (CR-SAT) and are tested in three case studies to qualitatively evaluate the tool by trying to ascertain its usefulness and completeness as well as improving it with the feedback from the end-users.

Automated summary

Small and medium-sized enterprises are facing cyber threats but lack the experience and resources for proper cyber resilience. Current literature offers solutions, but they are not tailored for SMEs and do not support a complete assessment and improvement of cyber resilience. To aid companies in operationalizing cyber resilience, an operational web-based tool has been developed and tested in this article.