Structuring the Chaos: Enabling Small Business Cyber-Security Risks & Assets Modelling with a UML Class Model (2403.14872v1)

Abstract: Small businesses are increasingly adopting IT, and consequently becoming more vulnerable to cyber-incidents. Whilst small businesses are aware of the cyber-security risks, many struggle with implementing mitigations. Some of these can be traced to fundamental differences in the characteristics of small business versus large enterprises where modern cyber-security solutions are widely deployed. Small business specific cyber-security tools are needed. Currently available cyber-security tools and standards assume technical expertise and time resources often not practical for small businesses. Cyber-security competes with other roles that small business owners take on, e.g. cleaning, sales etc. A small business model, salient and implementable at-scale, with simplified non-specialist terminologies and presentation is needed to encourage sustained participation of all stakeholders, not just technical ones. We propose a new UML class (Small IT Data (SITD)) model to support the often chaotic information-gathering phase of a small business' first foray into cyber-security. The SITD model is designed in the UML format to help small business implement technical solutions. The SITD model structure stays relevant by using generic classes and structures that evolve with technology and environmental changes. The SITD model keeps security decisions proportionate to the business by highlighting relationships between business strategy tasks and IT infrastructure. We construct a set of design principles to address small business cyber-security needs. Model components are designed in response to these needs. The uses of the SITD model are then demonstrated and design principles validated by examining a case study of a real small business operational and IT information. The SITD model's ability to illustrate breach information is also demonstrated using the NotPetya incident.