Security Risk Management in IT Small and Medium Enterprises

H.F.Kluitenberg
University of Twente P.O. Box 217, 7500AE Enschede The Netherlands

s1017500@student.utwente.nl

ABSTRACT
Data breaches, security incidents and the threat landscape have been widely researched and documented. Different defence measures and policies, their effects and implications have also been researched extensively. However, most security research focuses on other sectors or on large companies. This research aims to map the prevalence of defence measures and policies, and their use, in small and medium enterprises (SMEs) in a single industry (the IT service industry). Data is elicited using a questionnaire. Results imply that SMEs indicating that their infrastructure is vital to the business did not log access to their website, while SMEs indicating that their websites are unimportant often did log access. Therefore, SMEs are often not able to tell whether they have been victimized. Furthermore, the use of the cloud for file exchange increases as opposed to the use of thumb drives. This trend introduces new security risks and allows attackers to access this storage via stolen mobile devices. Furthermore, the rampant use of pirated software and the lack of enforcement of installation policies allow authentication details to be stolen rather easily. Those stolen details are a precursor for more targeted privilege escalation. SMEs reported theft of mobile devices, yet they did not have any policy or recovery plan concerning this matter. Most operating systems do offer remote wipe functionality to prevent escalation of this kind of attack. This can be a cost-effective solution and is presumably easy to implement.

Keywords
Cyber security, SME, policies, victimization, pirated software, cybercrime, IT Risk Management

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. 20th Twente Student Conference on IT, January 24, 2014, Enschede, The Netherlands. Copyright 2014, University of Twente, Faculty of Electrical Engineering, Mathematics and Computer Science.

1. INTRODUCTION

1.1 Problem Statement
While measuring, validating and eliciting the true cost of cybercrime is hard [10, 17, 23], cybercrime seems to be becoming an increasingly popular activity for criminals seeking political and financial gain. Statistics from the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) confirm this in their 2013 Internet Crime victimization report[20]. According to validated complaints received by the NW3C, the amount of losses increased by 8.3% since 2011 to an adjusted amount of $525,441,110. The same study shows that victimization occurs worldwide, even though the majority of the study's sample is based in the United States. To further illustrate the severity of cybercrime, Kaspersky's Global Corporate IT Security Risks survey[14] provides insight. According to that survey, a single serious incident inflicts an average of $649,000 in losses on a large company. For small and medium enterprises (SMEs) this loss is $50,000[14] on average. Especially for SMEs, a loss of $50,000 is a serious threat to the continuity of the organization.

Despite the apparent importance of preventing such incidents in SMEs, IT security is an investment still not deemed necessary by a significant percentage of these companies. A security survey[7] conducted among SMEs located in Europe and the USA concluded that only 15% of the surveyed SMEs have funding allocated to the security of IT resources. Several studies[4, 9, 11] have already been conducted on the prevalence of cyber security measures and on victimization[4, 9, 22]. However, most available cybercrime research focuses on large organizations of national interest, as is the case with the target audience of the CERT Australia cyber-crime survey[4]. Other research focuses mainly on the similarities between different sectors. It is safe to assume that firms in different sectors have different IT architectures in use. In contrast to inter-sector surveys, this study aims to map the cyber security landscape within the IT service industry. One might expect this industry to lead by example; however, this is not always the case, as demonstrated by a digital certificate supplier[18]. In this particular case, hackers were able to issue themselves an authentic certificate for *.google.com. This allows for a man-in-the-middle attack without invalid-certificate warnings.
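The certificate case just described (a trusted CA issuing an attacker a valid certificate for another party's domain) passes ordinary chain validation, because the certificate is genuine. A defensive check that still catches it is certificate pinning: the client additionally compares the SHA-256 fingerprint of the certificate it receives with one recorded out of band. The following Python example is added here and is not code from the paper; the host name, the pinned fingerprints and the constructed stand-in certificate bytes are assumptions for illustration.

```python
"""Added example (not from the paper): certificate pinning as a second check.

A certificate issued by a rogue or compromised CA for someone else's domain
passes ordinary chain validation, because a trusted CA really did sign it.
Pinning adds a check the CA cannot satisfy: the SHA-256 fingerprint of the
certificate the client receives must equal one recorded out of band.
Host name, pinned fingerprints and the stand-in certificate bytes below are
assumptions for illustration.
"""
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, pinned: set) -> bool:
    """True only if the presented certificate matches a pinned fingerprint.

    `pinned` normally holds more than one fingerprint (current and backup
    certificate), so that a planned rotation does not lock clients out.
    """
    return fingerprint(der_cert) in pinned


def fetch_der_certificate(host: str, port: int = 443) -> bytes:
    """Connect with full standard validation and return the leaf certificate
    in DER form (network access required; not used by the offline checks)."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_host(host: str, pinned: set) -> bool:
    """Standard validation (inside fetch_der_certificate) plus the pin check."""
    return check_pin(fetch_der_certificate(host), pinned)


# Constructed stand-ins for two DER certificates: the one recorded when the
# pin was set, and a different one a rogue CA might issue for the same name.
# Real DER bytes would be used in practice.
GENUINE_CERT = b"constructed-der-bytes-for-the-legitimate-certificate"
MISISSUED_CERT = b"constructed-der-bytes-for-a-certificate-a-rogue-ca-issued"

PINNED = {fingerprint(GENUINE_CERT)}  # recorded out of band when the pin was set


if __name__ == "__main__":
    print("genuine certificate accepted:", check_pin(GENUINE_CERT, PINNED))
    print("mis-issued certificate accepted:", check_pin(MISISSUED_CERT, PINNED))
```

The pin comparison runs after, not instead of, the standard chain and host-name checks done by `ssl.create_default_context()`; a mis-issued certificate passes the first and fails the second, which is exactly the gap the case above exploited.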

1.2 Research Focus
This research primarily targets small and medium enterprises with in-house technical knowledge. This group of SMEs consists of (but is not limited to) web developers, application developers and ISPs. In order to approach this research in a structured way, the ISO 27000[12] series acts as a guideline. Attacks executed via an online medium are, as the Verizon data breach report[28] shows, the main cause of data breaches in SMEs. A subset of the ISO/IEC 27000:2012 guidelines, ISO/IEC 27032:2012, has outlined a scope relevant to cyber security. In this research this subset is used as the scope with regard to information sharing, cyber asset security (both personal and professional) and malware threats. As suggested in the ISO/IEC 27032:2012 standard, assets posing a threat should first be identified. SMEs vary in the assets they have at their disposal. Defining these assets is necessary since each asset introduces a potential security risk[24]. For this research a selection of all assets is used, consisting of the assets most commonly used in IT service firms. Policies on and usage of the following assets are considered: servers, desktops, laptops and mobile devices. To assess policies and behaviour on these assets, the governmental guidelines mentioned in the literature review about cyber security within the scope of ISO/IEC 27032:2012 are used. The full ISO/IEC 27032:2012 is not used due to its steep cost and the limited time available for this research.

1.3 Research Questions
The main focus of this research is to map out the current security measures and policies in place. Victimization and incidents are also surveyed. To achieve that objective, the following research question is formulated: How are IT risk management policies used and adopted in SMEs with in-house technical knowledge? The conceptual framework proposed by Lijiao Cheng et al.[6] dictates that information security policy violations are a function of both formal and informal control. Therefore it is useful to map formal control measures, responsibility for security measures and employee behaviour. These control measures, as well as the scope outlined in the research focus, are used to construct a number of sub-questions.

1.3.1 How are the defined assets used in the operational process of an SME?
What is the normal usage of the asset and who has access to it? Mapping the place of the asset in the operational procedure of the SME provides information about security risks. For example, if a server is reachable without a firewall, an adversary has attack vectors that would otherwise not be available. Furthermore, it shows which data can be collected about cyber attacks on that asset (successful or unsuccessful). In addition, knowing the context helps assess the potential risks introduced by the absence of specific policies.

1.3.2 Which formal constraints are imposed on personal and professional asset usage in SMEs?
Are employees allowed to install software, or allowed unsupervised access from another asset? This question maps how an SME's asset is meant to be used according to the policy makers.

1.3.3 Which behaviours occur in SMEs with regard to personal and professional asset usage?
Employees might use work-related assets for personal use too. This introduces a security risk, as personal usage might result in unknowingly installing malware or losing the asset.

1.3.4 Which policies do the defined SMEs have in place?
Firms may have set policies other than those on the usage of their employees' assets. To get the full picture it is important to elicit any spanning policies which might be in place. In order to gather data, a questionnaire is used. In order to approach these research questions structurally, a literature review is first conducted on available policies and guidelines and on the perception of cyber security.

2. LITERATURE
A number of difficulties exist with tackling the problem of cybercrime. Those problems consist of (but are not limited to):
• lack of understanding,
• perceived cost of security measures,
• relaxed enforcement of policies,
• international law difficulties.

2.1.1 Lack of understanding
Firms often fail to understand why cyber security is essential[14, 27]. In addition, investing in security does not provide easily measurable benefits besides the perception of security.

2.1.2 Perceived cost of security
IT security is not a one-time investment. According to the ENISA Threat Landscape Report Mid-year 2013[8] the threat landscape is highly dynamic and therefore continued adaptation is necessary. For example, criminals are now utilizing cloud services to distribute their malicious payloads. Another interesting development is the rise of denial-of-service attacks, which might be linked to hacktivism[15]. Instead of a group of highly sophisticated individuals, hacktivism can be executed by a large group of motivated but unskilled individuals.

2.1.3 International law difficulties
Cybercrime is highly organized, highly profitable and highly globalized. This globalization means that it is difficult to track a cybercriminal who might be active on the other side of the globe. Cybercriminals have multiple assets at their disposal to mask the true origin of an attack. These assets include botnets, open proxy servers and the Tor network[5].

2.1.4 Commercial guidelines
Currently a number of policies and guidelines exist. The commercial ISO 27000[12] series provides a framework with which to model a firm's security policies. Especially ISO 27032 (cyber security), ISO 27031 (business continuity) and ISO 27002 (security controls) are relevant to SMEs. However, the main downside of commercial guidelines is the steep cost of compliance and certification.

2.1.5 Government guidelines
It is no surprise to see commercial parties like anti-virus companies and security firms exploiting the demand for security. In addition, the various government agencies presumably grasp the importance of cyber security to national interests and infrastructure. This is indicated by the availability of guidelines about securing different assets published by governments all over the world. Furthermore, the 'Table of Eleven'[3], which is used by Dutch law enforcement to monitor the level of compliance with a specific piece of legislation, might be useful as a reference to evaluate the effects of compliance (or the lack of it). Basically, the Table substantiates eleven components that predict whether a target group (in this case SMEs) will be compliant. Those eleven elements are: knowledge of rules, costs/benefits, extent of acceptance, respect for authority, social control, risk of being reported, risk of inspection, risk of detection, selectivity, risk of sanction and severity of sanction.

2.1.6 Certifications
Having a certification mark has advantages for an SME. A certification is a way to convey more trust to potential clients, since it implies that the firm meets the requirements for that certification. Security requirements are often also imposed on e-commerce related marks. For example, the Dutch 'Thuiswinkel' certification[26] requires bearers of the mark to have a privacy policy and to use secure socket layer (SSL). Furthermore, part of the requirements is to perform a security test regularly and to document the test and its results. This has to be done at least once per year.

3. METHOD
The difficulty with research about cyber security is that firms do not always want to expose their measures[6] (9.5%), or simply do not respond to surveys (25.7%). An initial meeting with VNO-NCW MKB-Nederland and an interview with one SME provided direction on how to approach SMEs and on their main problems with regard to cyber security. Based on that session, an initial pilot interview and the literature review, a questionnaire was designed to elicit more information about security policies and victimization in SMEs with a technical area of operation.

3.2 Questionnaire
In order to reduce the effect of language barriers, the questionnaire is composed in Dutch. This is the native language of both the author and the surveyed target group. The purpose of the questionnaire is to elicit usable data to answer the main research question. In order to do that, the questions in this questionnaire are designed to answer the sub-questions. Furthermore, open fields are included where applicable to elicit contextual and/or deviating data. If the same deviating data is encountered a significant number of times, it is coded into a separate field. In addition, since surveys have a low response rate, the question set is limited, mainly to increase the likelihood that the designated person within the SME fills in the questionnaire.

3.2.1 Contextual questions
Since exposure of victimization can be disastrous to the continuity of a firm, anonymity has to be guaranteed in order to get (truthful) responses. This can be done by assigning a random key to each company. The downside of this method is that respondents cannot forward the questionnaire to other interested parties. The latter is the reason why the questionnaire does include a question about the company's name, with the note that it will not be tied to any other results in the questionnaire.

3.2.2 Architectural assets
This study includes questions about which assets are currently in use and which architecture is available. Only the current solution is considered in this questionnaire. While installing and planning server usage is an important aspect of cyber security and is required by the guidelines, it is not taken into account in this research. Many SMEs take advantage of economies of scale by utilizing shared or virtualized hosting[19]. A setup with multiple clients on one system does introduce new security vulnerabilities, but these are easily mitigated with open-source solutions. These solutions are usually built in (SELinux for example) and therefore their usage is presumably highly prevalent. Furthermore, the ENISA Threat Landscape[8] shows that the application, service and authentication layers are among the most frequently targeted vectors for unauthorized access attempts. In this questionnaire, questions about the server architecture in use are asked. The reason for this is that it provides insight into the severity of incidents and the opportunity for privilege escalation. The most common server architectures are dedicated servers, shared servers and virtual private servers. Shared servers limit the application to websites only (which is enough for many SMEs). The main downside of shared servers is the lack of isolation. Multiple websites reside on the same physical server. Thus a security incident originating from one client might impact the business of another. Virtual private servers are the same as shared servers in the sense of multiple clients per physical machine. However, each individual client is assigned a virtualized operating system which is (almost) fully isolated from other clients. These four system architectures are included in the questionnaire.

3.2.3 Application layer assets
As the Verizon report[28] shows, the main cause of data breaches in SMEs is through the application layer. Questions about how this layer is in use and secured are also included. The most important part of this layer is the website of a company. Mainly for this reason, it is important to determine how important the website is in the operational process of an SME. The Guidelines on Securing Public Web Servers[2], as published by the National Institute of Standards and Technology of the U.S. Department of Commerce, serve as a guideline (where applicable) for the questionnaire. In addition, the perception of policies may differ from the actual policy. Hence, questions which implicitly indicate the presence or absence of a policy are also included. This includes a survey of victimization by defacement (replacement of the front page), ex-employee breaches, database breaches and unauthorized access. Another important application in this layer is the e-mail server and client. While the amount of spam decreased in 2012, it is still a problem of large proportions. Therefore, questions are included about how spam is handled, how often filters are revised and about the knowledge of spam within the firm.

3.2.4 Mobile assets
In this research, both laptops and mobile devices are referred to as mobile assets. In order to assess which behaviours pose risks to a firm's security, it is important to know how the asset is used in the operational process. To structurally elicit policies regarding professional and personal usage of mobile assets (laptop, tablet, phone), the guidelines [21, 29] as provided by the U.S. Computer Emergency Response Team (CERT) are used. The usage of illegal software, secure connections and "bring your own device" policies are also evaluated. Furthermore, malware infection and suspicion of infection are also evaluated. As the Tonino case[25] and several others imply, a policy regarding theft and replacement of the specified devices is also an important security precaution. For that reason, questions about those events are also included.

3.2.5 Data storage and exchange
It is vital for any organization to store and exchange data about their customers, ongoing projects and authentication details. The exchange of data in any organization is also risky if not done right. The Stuxnet infection of Iranian nuclear facilities[16] is an example of this. In this case infection occurred through an infected USB drive left in the parking lot of the facility. In addition, the amount of viruses and malware using file exchange (such as USB devices) to spread is also rampant. These viruses often indiscriminately target both personal and professional devices with the intention of extracting usernames and passwords. Therefore, questions are included about which file exchange methods are used, how they are secured and when they are permitted to be used. File exchange and storage is not only a vector of infection; improper management of this technology can also result in leakage of internal documents or customer data. The questionnaire includes questions about incidents resulting in data loss and about policies reducing the risk of these events occurring.

4. RESULTS
In total, nine respondents took part in the questionnaire, giving a total of 393 answers. The sample within the defined population consists of five web designers, three web application developers, two marketing firms and one other. The company in the 'other' category employed web filtering as its core business activity. One company indicated that its main area of operation consists of multiple answers from the list, thus the resulting total is higher than the number of participants. The average number of employees of the surveyed SMEs is 8.78, with a standard deviation of 7.95.

Figure 1: Distribution of employees

The majority of the respondents fulfilled the role of CEO and/or manager within the small firm.

Table 1: Roles of the respondent within the organization

On average the SMEs questioned have been nine years in business, with a standard deviation of 2.6 years.

Support and point-of-sale followed as website functions, both with three respondents. All of the answers given in the 'other' field (two) are the equivalent of a portfolio function and were therefore coded as such. Of the architectures on which the SMEs are running, a completely outsourced solution and the virtual private server are the most popular (both three respondents). One respondent did not fall into any category and was left out: this respondent was running multiple clusters for their clients, but did not explain their own infrastructure. Another asset in use by all respondents is the website. One respondent is using their website to exchange files, while every respondent is publishing documents to this publicly available server. On average, four employees have publishing access to the main server.

Figure 2: Distribution of publishing rights

All respondents whose websites are either important or vital for their core process did not log access to their system. Two of the respondents classified the importance of their website as low; however, those were the only ones logging access to the system. The SME marking the importance of its website as vital did have an incident related to unauthorized access within the last 12-24 months. This is quite interesting, since they could not have noticed it by examining a log file. The only other logical explanation is that they noticed a difference between the normal operation of the system and its current operation. Regarding websites, defacement of the front page would be such an indicator. However, other incidents, such as 'silently' copying data, would go unnoticed.
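The finding above (SMEs whose website is vital did not log access, so only a visible defacement would be noticed) is illustrated by the following added Python example, which is not part of the paper. It runs three simple detection rules over web server access-log lines in the combined log format: repeated failed logins on an administrative path, a success following such a burst, and an unusually large response such as a bulk export. The log lines, path prefixes and thresholds are constructed assumptions, not data from the survey.

```python
"""Added example (not from the paper): what access logging makes detectable.

An intrusion that leaves the front page intact ("silently" copying data) is
invisible without logs. This script parses web-server access-log lines in the
combined log format and applies three defender-side rules. All log lines,
path prefixes and thresholds below are constructed assumptions.
"""
import re
from collections import Counter, defaultdict

# Combined log format:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: ordinary visitors, plus one client that hammers the
# admin login at night, gets in, and pulls the customer table.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2014:09:12:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2014:09:12:03 +0100] "GET /portfolio HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2014:09:13:10 +0100] "GET /contact HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2014:02:41:11 +0100] "GET /admin/login HTTP/1.1" 401 120 "-" "curl/7.30"
192.0.2.44 - - [10/Jan/2014:02:41:12 +0100] "GET /admin/login HTTP/1.1" 401 120 "-" "curl/7.30"
192.0.2.44 - - [10/Jan/2014:02:41:13 +0100] "GET /admin/login HTTP/1.1" 401 120 "-" "curl/7.30"
192.0.2.44 - - [10/Jan/2014:02:41:14 +0100] "GET /admin/login HTTP/1.1" 401 120 "-" "curl/7.30"
192.0.2.44 - - [10/Jan/2014:02:41:15 +0100] "GET /admin/login HTTP/1.1" 401 120 "-" "curl/7.30"
192.0.2.44 - - [10/Jan/2014:02:41:30 +0100] "GET /admin/login HTTP/1.1" 200 900 "-" "curl/7.30"
192.0.2.44 - - [10/Jan/2014:02:42:02 +0100] "GET /admin/export?table=customers HTTP/1.1" 200 7340032 "-" "curl/7.30"
"""

# Rule thresholds (assumed values for a small site; tune to real traffic).
FAILED_LOGIN_THRESHOLD = 5          # 401s from one client on a sensitive path
LARGE_RESPONSE_BYTES = 1_000_000    # a response this large looks like a bulk export
SENSITIVE_PREFIXES = ("/admin", "/export", "/backup")


def parse_log(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
            yield rec


def detect(text):
    """Return a list of (rule, client_ip, detail) findings for the log text."""
    findings = []
    failed_logins = Counter()            # client ip -> 401s on sensitive paths
    sensitive_hits = defaultdict(set)    # client ip -> sensitive paths served 200
    for rec in parse_log(text):
        sensitive = rec["path"].startswith(SENSITIVE_PREFIXES)
        if sensitive and rec["status"] == 401:
            failed_logins[rec["ip"]] += 1
        if sensitive and rec["status"] == 200:
            sensitive_hits[rec["ip"]].add(rec["path"])
        if rec["bytes"] >= LARGE_RESPONSE_BYTES:
            findings.append(("large_response", rec["ip"],
                             "%s %d bytes" % (rec["path"], rec["bytes"])))
    for ip, n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated_failed_login", ip, "%d x 401" % n))
    for ip, paths in sensitive_hits.items():
        if ip in failed_logins:  # success after a burst of failures
            findings.append(("success_after_failures", ip, ", ".join(sorted(paths))))
    return findings


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print("%-24s %-15s %s" % (rule, ip, detail))
```

None of the three rules needs more than the default access log a web server already writes; what they need is that the log exists and is read, which is precisely what the respondents with vital websites did not do.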

5. CONCLUSIONS
The main purpose of this research is to determine how IT risk management policies are used and adopted in SMEs with in-house technical knowledge. In order to answer this explorative main question, risk management policies in the following sub-areas are elicited:
• Asset usage in the operational process
• Formal constraints put on asset usage
• Behaviour of employees
• Spanning policies in place

5.1.1 How are the defined assets used in the operational process of an SME?
The SMEs' websites are used for a select number of reasons. A portfolio was the most important function of the website (seven respondents), followed by customer acquisition (six respondents).

5.1.2 Which formal constraints are imposed on personal and professional asset usage in SMEs?
In four of the cases employees were allowed to install software from third parties at their own discretion; in two cases they were sometimes allowed to. However, enforcement of these policies is very unlikely, since the survey also shows that in six firms the employees were allowed to bring their own devices, presumably without filtering software. Five respondents also answered that it is possible (even if it is not allowed) to install software at the employees' discretion. A significant number of firms did have policies on secure configuration of servers (two, 34%) and usage of secure connections (two, 34%). This has an interesting implication. Usage of secure connections reduces the risk of an incident while using a public Wi-Fi network, for example. Secure connections make sure that it is not possible (under normal circumstances) to be a victim of man-in-the-middle attacks.

Only one firm had a policy in place against reusing passwords. Reusing passwords already in use on different platforms can be a security hazard. It introduces a new risk of intrusion, since the current authentication details can be leaked from a different environment not under the firm's control (for example an online forum or game).
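One way to enforce the password-reuse policy discussed above is at password-change time: keep a short history of salted password hashes per account and refuse a new password that matches any of them, and also refuse passwords that already appear in a published breached-password list (the case where credentials leaked from an environment outside the firm's control). The following Python example is added here and is not code from the paper; the iteration count, history depth and the constructed breached-password set are assumptions.

```python
"""Added example (not from the paper): enforcing a no-password-reuse policy.

Two checks run when a user sets a new password: it may not match any of the
last HISTORY_DEPTH passwords of that account (compared against salted PBKDF2
hashes, so the history never stores plaintext), and it may not appear in a
list of passwords known to be breached elsewhere. Iteration count, history
depth and the breached-password set are assumptions for this example.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  #  assumed; raise as hardware allows
HISTORY_DEPTH = 5            #  assumed policy: the last five passwords may not be reused


def hash_password(password, salt=None):
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed stand-in for a breached-password corpus, stored as SHA-1 digests
# the way such lists are commonly distributed (assumption for this example).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "welkom01")
}


def is_breached(password):
    """True if the password appears in the breached-password set."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper() in BREACHED_SHA1


class PasswordHistory:
    """Per-account history of salted hashes, newest first."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self.entries = []  # list of (salt, digest)

    def rejection_reason(self, new_password):
        """Return None if the password may be set, otherwise a short reason."""
        if is_breached(new_password):
            return "appears in a breached-password list"
        for salt, digest in self.entries[: self.depth]:
            if matches(new_password, salt, digest):
                return "matches one of the last %d passwords" % self.depth
        return None

    def set_password(self, new_password):
        """Apply the policy; on success record the new hash. Returns (ok, reason)."""
        reason = self.rejection_reason(new_password)
        if reason is not None:
            return False, reason
        self.entries.insert(0, hash_password(new_password))
        return True, "accepted"


if __name__ == "__main__":
    history = PasswordHistory(depth=2)
    for candidate in ("correct horse battery", "correct horse battery",
                      "password", "Tulp-7-Gracht"):
        print(candidate, "->", history.set_password(candidate))
```

The history check only catches reuse inside the firm's own systems; reuse of a work password on an external forum or game can only be caught indirectly, which is why the breached-list check is included alongside it.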

5.1.3 Which behaviours occur in SMEs with regard to personal and professional asset usage?
The main finding on personal asset usage is that employees do not fear the usage of illegal or pirated software. Five of the questioned SMEs admitted occasionally installing pirated software. The questioned SMEs that did not install pirated software also did not report security incidents. Three SMEs had their homepage replaced or had their website or database intruded by a third party. According to a survey from the Business Software Alliance (BSA)[1], 21% of all firms surveyed in the Netherlands admitted using software obtained from questionable sources, yet they did not see the risk of attracting malware or viruses. Research into the anti-copy protection ecosystem by Kammerstetter et al.[13] concluded that pirating software is a high-risk activity. Of the 43,900 download links, 23,100 samples were infected. For popular applications (like Photoshop®), the percentage of infected versus uninfected downloads was even higher (50%). These statistics, paired with this questionnaire's results, indicate that there is a need for either a policy on illegal software usage or the distribution of legal licenses. Furthermore, respondents are occasionally victims of mobile phone theft, while they had not specified a replacement or data loss policy. Losing mobile devices can be disastrous to businesses when no contingency plan is defined. Information stored on mobile phones could be extracted. This includes unauthorized access to bank accounts, social networks and e-mail. With access to the victim's e-mail account, access privileges to other platforms can be gained by issuing a password reset mail to that associated e-mail account. Therefore, loss of mobile devices can be regarded as a precursor to more serious (targeted) intrusions. Most operating systems do offer remote wipe functionality to prevent escalation of this kind of attack. This can be a cost-effective solution.

5.1.4 Which policies do the defined SMEs have in place?
The questioned SMEs also have spanning policies in place in the form of internal documents. Most respondents did spread available documentation on different security measures within the organization. However, no SME from the response group had defined action plans on data loss. This might be due to the fact that only two of the respondents still used USB devices or thumb drives for data exchange. The cloud has gained popularity for file exchange. However, this introduces different security issues which might not be fully mapped and mitigated. The questionnaire did show that a majority (five) of the surveyed firms make daily backups, potentially reducing the risk of unrecoverable data. While backups prevent data loss, misuse of stolen data or alteration of private data can be disastrous. For example, loss of a mobile phone that has access to cloud storage utilities (like Dropbox, SkyDrive and rsync) results in leakage of all documents shared.

6. FUTURE WORK
This questionnaire's sample was too small to be conclusive on any implied correlation. However, it can be used as a direction for policy making and for research on policy violation. A proposed method is to initiate a questionnaire from a business-spanning organization like the Dutch VNO-NCW MKB-Nederland, while reducing the target group to only one specific area of operation. That organization already has relations with numerous SMEs. As the CERT Australia research shows, such a study can achieve a much higher response rate. This allows mapping of problems, policies and incidents within a similar operational context and significantly more viable conclusions.

7. ACKNOWLEDGMENTS
The author's appreciation and thanks go to his supervisor, Prof. dr. M. Junger, for providing him with valuable insight and direction in her field of expertise.

8. REFERENCES
[1] Business Software Alliance 2011. Piracy Study. http://globalstudy.bsa.org/2010/downloads/study_pdf/2010_BSA_Piracy_Study-Standard.pdf. Accessed: 2014-01-01.
[2] National Institute of Standards and Technology 2007. Guidelines on Securing Public Web Servers (NIST Special Publication 800-44, Version 2). U.S. Department of Commerce. (2007).
[3] Centre, L.E.E. 2004. The "Table of Eleven": A versatile tool. http://www.sam.gov.lv/images/modules/items/PDF/item_618_NL_The_table_of_Eleven.pdf. Accessed: 2013-12-30.
[4] CERT Australia 2012. Cyber Crime and Security Survey. http://www.canberra.edu.au/cis/storage/Cyber Crime and Security Survey Report 2012.pdf. Accessed: 2014-01-01.
[5] Chaabane, A. et al. 2010. Digging into Anonymous Traffic: A Deep Analysis of the Tor Anonymizing Network. Network and System Security (NSS), 2010 4th International Conference on. (2010).
[6] Cheng, L. et al. 2013. Understanding the violation of IS security policy in organizations: An integrated model based on social control and deterrence theory. Computers and Security. (2013).
[7] Dimopoulos, V., Furnell, S., Jennex, M. and Kritharas, I. 2004. Approaches to IT Security in Small and Medium Enterprises. Australian Information Security Management Conference.
[8] European Union Agency for Network and Information Security 2013. ENISA Threat Landscape. http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/ENISA_Threat_Landscape/at_download/fullReport. Accessed: 2013-12-30.
[9] Huygens, M.G. 2012. Informatiebeveiliging in kleinere organisaties. (2012).
[10] Hyman, P. 2013. Cybercrime: it's serious, but exactly how serious? Commun. ACM. 56, 3 (2013), 18–20.
[11] International Cyber Security Protection Alliance 2012. Impact of cyber crime on businesses in Canada. https://www.icspa.org/media/icspa-news/icspa-news-publications/article/icspa-launches-study-to-measure-the-impact-of-cyber-crime-on-businesses-in-canada29/abp/38. Accessed: 2014-01-01.
[12] International Organization for Standardization 2012. ISO/IEC 27000:2012. http://www.iso27001security.com/html/iso27000.html. Accessed: 2013-12-30.
[13] Kammerstetter, M. et al. 2012. Vanity, cracks and malware: insights into the anti-copy protection ecosystem. Proceedings of the 2012 ACM Conference on Computer and Communications Security. ACM.
[14] Kaspersky Lab 2013. Kaspersky Global IT Security Risks Survey 2013. http://media.kaspersky.com/en/business-security/Kaspersky_Global_IT_Security_Risks_Survey_report_Eng_final.pdf. Accessed: 2014-01-01.
[15] Kelly, B.B. 2012. Investing in a centralized cybersecurity infrastructure: Why "hacktivism" can and should influence cybersecurity reform. Boston University Law Review. 92, 5 (2012), 1663–1711.
[16] Kim, D.Y. 2014. Cyber security issues imposed on nuclear power plants. Annals of Nuclear Energy. 65 (2014), 141–143.
[17] Kotulic, A.G. and Clark, J.G. 2004. Why there aren't more information security research studies. Information and Management. 41, 5 (2004), 597–607.
[18] Leavitt, N. 2011. Internet security under attack: The undermining of digital certificates. Computer. 44, 12 (2011), 17–20.
[19] Mirheidari, S.A. et al. 2012. Performance evaluation of shared hosting security methods. (Liverpool, 2012), 1310–1315.
[20] National White Collar Crime Center 2012. Internet Crime Report. http://www.ic3.gov/media/annualreport/2012_IC3Report.pdf. Accessed: 2014-01-01.
[21] Ruggiero, P. and Foote, J. 2011. Cyber Threats to Mobile Phones. https://www.us-cert.gov/sites/default/files/publications/cyber_threats-to_mobile_phones.pdf. Accessed: 2013-12-30.
[22] PwC 2013. US State of Cybercrime Survey. https://www.pwc.com/en_US/us/increasing-it-effectiveness/publications/assets/us-state-of-cybercrime.pdf. Accessed: 2013-12-30.
[23] Anderson, R., Barton, C., Böhme, R., Clayton, R., van Eeten, M.J.G., Levi, M., Moore, T. and Savage, S. 2012. Measuring the Cost of Cybercrime. WEIS 2012. (2012).
[24] Sánchez, L.E. et al. 2010. Managing the asset risk of SMEs. (Krakow, 2010), 422–429.
[25] Sanoma Media Group 2004. Officier zet pc vol gevoelige informatie op straat. http://www.nu.nl/algemeen/422656/officier-zet-pc-vol-gevoelige-informatie-op-straat-video.html. Accessed: 2013-12-30.
[26] Stichting Thuiswinkel 2012. Thuiswinkel criteria. http://www.thuiswinkel.org/criteria. Accessed: 2013-12-30.
[27] Suchan, W. and Sobiesk, E. 2006. Strengthening the weakest link in digital protection. IEEE Security and Privacy. 4, 6 (2006), 78–80.
[28] Verizon 2013. Verizon 2012 Data Breach Investigations Report. http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf. Accessed: 2013-12-01.
[29] Wang, R. et al. 2013. Unauthorized origin crossing on mobile platforms: Threats and mitigation. (Berlin, 2013), 635–646.

APPENDIX A. RESULTS

A.1 Incidents Reported
Columns (event / past months): 0-2, 2-6, 6-12, 12-24, 24+, Never.
Events surveyed:
• Defacement of the front-page
• Unauthorized access to the database by third parties
• Unauthorized access to the database by external parties
• Theft of the clients list
• Unauthorized access to the website
Cell values in extraction order (the assignment of values to rows and columns was lost in extraction): 1, 1, 7, 7, -, -, -, -, 1, 8, -, -, -, 1, -, 8, 7

A.2 Policies and Behaviour
Columns: Yes, Sometimes, No, Don't know.
Statements surveyed:
• Employees are issued a pre-installed laptop from the company
• Employees are allowed to install software from third-party sources at their own discretion
• Employees may use social networking websites
• Employees are able to install software from third parties at their own discretion
• Employees are allowed to bring their own mobile devices
• Employees are informed explicitly about the importance of antivirus and firewall solutions
• The websites which employees visit are being logged
• Employees can bring their own laptop to work
• Employees can bring their own laptops to customers
Cell values in extraction order (the assignment of values to rows and columns was lost in extraction): 1, 2, 4, -, 4, 1, 2, -, 6, 5, 1, -, 2, -, 7, -, -, 3, -, 6, -, 2, -, 6, -, 6, 3, 2, 1, 2, -

A.3 Frequency of Events
Columns: Never, Daily, Weekly, Monthly, Quarterly, Incidentally.
Theft of mobile equipment: Never 5, Incidentally 2
Virus or malware infection: Never 4, Incidentally 3
Suspicion of infection by malware or virus: Never 2, Incidentally 3
(One of the three events above also has a single response under Quarterly; which one was lost in extraction.)
Replacement of mobile equipment: Never 3, Incidentally 4
Installation of illegal software: Never 2
Spam filter revision: Never 2
Email log files are checked: Never 3
Backup of important files and data: Never 1
Removal of the spam directory: Never 3
Further responses for the last five events, by column in extraction order (the row each value belongs to was lost in extraction): Daily 1, 5, -; Weekly 1, -; Monthly 3, 1, 1; Quarterly -; Incidentally 5, 1, 4, 4.

A.4 Original survey
The full original survey can be viewed at https://www.esurveycreator.com/s/7e4cdb6.
