There are two broad objectives of the research reported in this paper. First, we assess whether government-provided cyber threat intelligence (CTI) is helpful in preventing, or responding to, cyber-attacks among small businesses within the U.S. Defense Industrial Base (DIB). Second, we identify ways of improving the effectiveness of government-provided CTI to small businesses within the DIB. Based on a questionnaire-based survey, our findings suggest that government-provided CTI helps businesses within the DIB in preventing, or responding to, cyber-attacks providing a firm is familiar with the CTI. Unfortunately, a large percentage of small firms are not familiar with the government-provided CTI feeds and consequently are not utilizing the CTI. This latter situation is largely due to financial constraints confronting small businesses that prevent firms from having the wherewithal necessary to effectively utilize the government-provided CTI. However, we found a significant positive association between a firm’s familiarity with the government-provided CTI and whether a firm is being periodically reviewed by the Defense Counterintelligence and Security Agency (DCSA) or is compliant with the Cybersecurity Maturity Model Certification (CMMC) program. The findings from our study also show that the participating firms believe that external cyber threats are more likely to be the cause of a future cybersecurity breach than internal cybersecurity threats. Finally, our study found that the portion of the IT budget that small businesses within the DIB spend on cybersecurity-related activities is dependent on the perception that a firm would be the target of an external cyber-attack.
References
[1]
U.S. Chamber of Commerce (2023) The State of Small Business Now. https://www.uschamber.com/small-business/state-of-small-business-now
[2]
Fanelli, B., Pessanha, R., Gwiazdowski, A., Chng-Castor, A. and Auger, G. (2017) State of Cybersecurity among Small Businesses in North America. Council of Better Bureaus. https://saginllc.com/wp-content/uploads/2017/10/Cybersecurity_FINAL_LoRes_Embargoed.pdf
[3]
Hayes, J. and Bodhani, A. (2013) Cyber Security: Small Firms under Fire. Engineering & Technology, 8, 80-83. https://doi.org/10.1049/et.2013.0614
[4]
Onwubiko, C. and Lenaghan, A.P. (2007) Managing Security Threats and Vulnerabilities for Small to Medium Enterprises. 2007 IEEE Intelligence and Security Informatics, New Brunswick, 23-24 May 2007, 244-249. https://doi.org/10.1109/ISI.2007.379479
[5]
Dykstra, J., Gordon, L.A., Loeb, M.P. and Zhou, L. (2022) The Economics of Sharing Unclassified Cyber Threat Intelligence by Government Agencies and Departments. Journal of Information Security, 13, 85-100. https://doi.org/10.4236/jis.2022.133006
[6]
Dykstra, J., Gordon, L.A., Loeb, M.P. and Zhou, L. (2023) Maximizing the Benefits from Sharing Cyber Threat Intelligence by Government Agencies and Departments. Journal of Cybersecurity, 9, tyad003. https://doi.org/10.1093/cybsec/tyad003
[7]
Alahmari, A. and Duncan, B. (2020) Cybersecurity Risk Management in Small and Medium-Sized Enterprises: A Systematic Review of Recent Evidence. 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), Dublin, 15-19 June 2020, 1-5. https://doi.org/10.1109/CyberSA49311.2020.9139638
[8]
Paulsen, C. and Toth, P. (2016) Small Business Information Security: The Fundamentals. https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
[9]
Chadwick, D.W., Fan, W., Costantino, G., De Lemos, R., Di Cerbo, F., Herwono, I., Manea, M., Mori, P., Sajjad, A. and Wang, X.S. (2020) A Cloud-Edge Based Data Security Architecture for Sharing and Analysing Cyber Threat Information. Future Generation Computer Systems, 102, 710-722. https://doi.org/10.1016/j.future.2019.06.026
[10]
U.S. Small Business Administration Press Release 23-52, U.S. Small Business Administration Announces New Cybersecurity Grant Recipients for 2023. https://www.sba.gov/article/2023/08/14/us-small-business-administration-announces-new-cybersecurity-grant-recipients-2023.
[11]
Strohmier, H., Stoker, G., Vanajakumari, M., Clark, U., Cummings, J. and Modaresnezhad, M. (2022) Cybersecurity Maturity Model Certification Initial Impact on the Defense Industrial Base. Journal of Information Systems Applied Research, 15, 17-29.
[12]
Etchie, M. (2021) The Biggest Cyber Threat Isn’t Hackers, It’s Insider Threats. Infosecurity Magazine. https://www.infosecurity-magazine.com/next-gen-infosec/cyber-threats-hackers-insider/
[13]
Gordon, L.A. and Loeb, M.P. (2002) The Economics of Information Security Investment. ACM Transactions on Information and System Security (TISSEC), 5, 438-457. https://doi.org/10.1145/581271.581274
[14]
Cavusoglu, H., Mishra, B. and Raghunathan, S. (2004) A Model for Evaluating IT Security Investments. Communications of the ACM, 47, 87-92. https://doi.org/10.1145/1005817.1005828
[15]
Hausken, K. (2006) Returns to Information Security Investment: The Effect of Alternative Information Security Breach Functions on Optimal Investment and Sensitivity to Vulnerability. Information Systems Frontiers, 8, 338-349. https://doi.org/10.1007/s10796-006-9011-6
[16]
Gordon, L.A., Loeb, M.P. and Zhou, L. (2016) Investing in Cybersecurity: Insights from the Gordon-Loeb Model. Journal of Information Security, 7, 49-59. https://doi.org/10.4236/jis.2016.72004
[17]
Wang, S.S. (2019) Integrated Framework for Information Security Investment and Cyber Insurance. Pacific-Basin Finance Journal, 57, Article 101173. https://doi.org/10.1016/j.pacfin.2019.101173
[18]
Fedele, A. and Roner, C. (2022) Dangerous Games: A Literature Review on Cybersecurity Investments. Journal of Economic Surveys, 36, 157-187. https://doi.org/10.1111/joes.12456
[19]
Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015a) Increasing Cybersecurity Investments in Private Sector Firms. Journal of Cybersecurity, 1, 3-17. https://doi.org/10.1093/cybsec/tyv011
[20]
Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015b) The Impact of Information Sharing on Cybersecurity Underinvestment: A Real Options Perspective. Journal of Accounting and Public Policy, 34, 509-519. https://doi.org/10.1016/j.jaccpubpol.2015.05.001
[21]
Gordon, L.A., Loeb, M.P. and Lucyshyn, W. (2003) Sharing Information on Computer Systems Security: An Economic Analysis. Journal of Accounting and Public Policy, 22, 461-485. https://doi.org/10.1016/j.jaccpubpol.2003.09.001
[22]
Gordon, L.A. (2007) Incentives for Improving Cybersecurity in the Private Sector: A Cost-Benefit Perspective, Congressional Testimony before Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, and published in Congressional Record. https://docplayer.net/2498875-Incentives-for-improving-cybersecurity-in-the-private-sector-a-cost-benefit-perspective.html
[23]
Gordon, L.A., Loeb, M.P. Lucyshyn, W. and Zhou, L. (2018) Empirical Evidence on the Determinants of Cybersecurity Investments in Private Sector Firms. Journal of Information Security, 9, 133-153. https://doi.org/10.4236/jis.2018.92010
[24]
Ponemon Institute (2021) The State of Threat Feed Effectiveness in the United States and United Kingdom.
