Risk and the Small-Scale Cyber Security Decision Making Dialogue—a UK Case Study

Despite a long-standing understanding that developments in personal and cloud computing practices would change the way we approach security, small-scale IT users (SSITUs) remain ill-served by existing cyber security practices. This paper discusses results from a survey that considered (in part) cyber security decisions made by SSITUs. We determine that: SSITUs are focusing on easy-to-implement technical measures, leading to a disconnect between the security implemented and any risks identified; available resources, knowledge, prioritisation of business processes, reduced system control and a lack of threat intelligence all combine to limit the ability to make cyber security decisions; and assessing risk in SSITUs will not lead to sufficient investment to mitigate risks for risk-holding stakeholders in the supply chain. We conclude that the constraints faced by SSITUs have far greater impact on the decisions they make than either our risk-holding, or security- providing, participants may have anticipated. Any limitations faced by SSITUs as they make their security decisions will have a significant impact on both the measures they are able to apply and the security of the supply chain as a whole