Cybersecurity for SMEs: Introducing the Human Element into Socio-technical Cybersecurity Risk Assessment

Abstract: Small and medium-sized enterprises (SMEs) rarely conduct a thorough cyber-risk assessment and they may face various internal issues when attempting to set up cyber-risk strategies. In this work, we apply a user-journey approach to model human behavior and visually map SMEs’ practices and threats, along with a visualization of the socio-technical actor-network, targeted specifically at the risks highlighted in the user jour-ney. By using a combination of cybersecurity-related visualizations, our goals are: i) to raise awareness about cybersecurity, and ii) to improve communication among IT personnel, security experts, and non-technical personnel. To achieve these goals, we combine two modeling languages: Customer Journey Modelling Language (CJML) is a visual language for modeling and visualization of work processes in terms of user journeys. System Security Modeller (SSM) is an asset-based risk-analysis tool for socio-technical systems. By demonstrating the languages’ supplementary nature through a threat scenario and considering related theories, we believe that there is a sound basis to warrant further validation of CJML and SSM together to raise awareness and handle cyber threats in SMEs.