
Decision Support Systems xxx (xxxx) xxx

Contents lists available at ScienceDirect

Decision Support Systems

journal homepage: www.elsevier.com/locate/dss

A dynamic simulation approach to support the evaluation of cyber risks and security investments in SMEs

Stefano Armenia a,*, Marco Angelini b, Fabio Nonino b, Giulia Palombi b, Mario Francesco Schlitzer a

a Department of Research, Link Campus University of Rome, Rome, Italy
b Department of Computer, Control and Management Engineering, Sapienza University of Rome, Rome, Italy

ARTICLE INFO

Keywords: Cybersecurity; SME; Risk assessment; Risk management; System dynamics; Modeling & simulation

ABSTRACT

The growing amount of cyberspace threats highlights the need to evaluate cybersecurity risks and to plan for effective investments. One internationally recognized document for cybersecurity risk management is the Framework for Improving Critical Infrastructure Cybersecurity by the US National Institute of Standards and Technology (NIST). It provides guidelines, best practices and standards for cybersecurity risk management. Nevertheless, like other self-assessment frameworks, it produces a static view of an organization's cyber posture and does not capture the dynamics of organizational changes and cyberattacks. Moreover, the current situation sees small and medium enterprises (SMEs) in a critical position, since they need to manage their cybersecurity while usually not being skilled or equipped enough to internalize this process. Therefore, there is a need for a practical and easily applicable model able to identify a cybersecurity risk profile and its dynamics. This study proposes a system dynamics methodology and tool (SMECRA - SME Cyber Risk Assessment) for supporting cybersecurity investment decisions for SMEs through the evaluation of cyber risk and previous investments. SMECRA addresses dynamic organizational complexity and can be used to assess cyber risks and related dynamics over time. Three case studies demonstrate its capability to assess a SME's cybersecurity status and to evaluate the impacts of investments on an organization's risk profile, raising cybersecurity awareness. This study is important for SMEs wishing to manage their own cybersecurity risk and for insurance companies in their economic evaluation of residual risks that SMEs wish to externalize.

1. Introduction

In our increasingly digitalized world, organizations rely on constantly connected information systems. This means that even small and medium enterprises (SMEs) represent potential targets for cybercriminals, which can exploit vulnerabilities to cause economic and reputational damage to them [1,2].

Under this perspective, cyberattacks are able to affect and disrupt critical infrastructures of our contemporary society across different sectors such as healthcare, energy, transportation, banking and stock markets [3]. Furthermore, it is now widely accepted that cybersecurity is not only a technological issue, but is inherently multidisciplinary, as are its potential vulnerabilities, which comprise a vast range of aspects including the human factor [4]. The growing amount of cyber threats highlights the need to define security policies in a context where information on the potential threats can be incomplete or require an outsized effort compared to the organization's size. The need to evaluate cybersecurity risks and hence plan for effective investments using appropriate tools has already been largely recognized [5], and several studies focused both on cyber risk management [4,6–11] and on the allocation of a budget related to cyber defense for risk mitigation [8,12–14]. These approaches represent a guidance for cybersecurity investments but lack the capacity to integrate across multiple domains of cyber-physical systems (such as threat, vulnerability and consequence [11]), and to capture their complexity [15]; moreover, they are static, i.e., they do not take into account the cause-effect interdependencies and are unable to include the "dynamics of cyberattacks" as well as uncertainty [14]. According to Nazareth and Choi [9], any attempt to manage resources to improve information security must entail an understanding of the dynamic aspects of security threats. Multiple different factors and

* Corresponding author.
E-mail addresses: [email protected] (S. Armenia), [email protected] (M. Angelini), [email protected] (F. Nonino), [email protected] (G. Palombi), [email protected] (M.F. Schlitzer).

https://doi.org/10.1016/j.dss.2021.113580
Received 26 June 2020; Received in revised form 24 April 2021; Accepted 26 April 2021
Available online 29 April 2021
0167-9236/© 2021 Elsevier B.V. All rights reserved.

Please cite this article as: Stefano Armenia, Decision Support Systems, https://doi.org/10.1016/j.dss.2021.113580

many dynamic relations are involved and can be investigated through simulation, which is one of the most accurate methodologies when it comes to embodying and interconnecting all of these aspects.

Another limitation of current studies is related to the analyzed contexts, i.e. mainly large enterprises and critical infrastructures. The increasing number of cyberattacks towards Small or Middle-Sized Businesses¹ and the fact that these companies often do not deploy effective defenses against attackers because of their limited economic resources and shortage of skilled security workers [16] call for the need to undertake relevant cybersecurity actions in SMEs.² Hence, in this study we propose a system dynamics-based methodology and tool that allows for a systemic assessment and evaluation of a SME's cybersecurity risk profile as well as planning for effective investments aimed at risk mitigation: the SMECRA (SME Cyber Risk Assessment) tool. The NIST Cybersecurity Framework³, whose Italian extension is called Italian National Cybersecurity Framework [17], has been adopted as a basis to develop the initial assessment (through a method that we named "Snapshot Survey") that is used to collect data defining the actual SME's risk profile at the start of the analysis. In this paper we show the application of the tool to different case studies, evidencing their dynamic behavior over time in cyber-environments characterized by different threat levels, thus allowing the simulation of different possible investment scenarios for each case. SMECRA allows users to set up different strategic priorities for cybersecurity-related investments, thus giving the possibility to compare and evaluate the future outcomes caused by different investment choices.

This work is structured as follows: the relevant literature on cyber risk management is outlined in section 2, together with the research gap and the objective of the study. The methodology used to develop the SMECRA tool is described in section 3, while section 4 provides the simulation results for the three chosen case studies and section 5 comprises the discussion and a strategic focus. Finally, section 6 draws the conclusions of our study.

2. Cybersecurity risk management

Cybersecurity is the set of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be adopted to protect the cyber environment, organization and user's assets [1]. Cyber criminals use the internet to launch malware and social engineering campaigns; employees do not always comply with the internet use policy unless the risks of deterrence can be justified by the perceived benefits of personal internet use at work [18]. Threats can come from outside (external threats) but also from the internal environment: insider threats represent one of the most relevant topics in cybersecurity and they include fraud, sabotage, theft of intellectual property, and copyright violation [19]. The management of cyber risk is a process related to and included in a currently critical survival strategy for business continuity, which is cyber resilience [20]. In this section, various aspects of cybersecurity risk management, as proposed in the literature, and the key documents related to a few cybersecurity strategies, are reviewed.

2.1. Approaches to Cybersecurity risk management

The existing approaches to cyber risk management in literature can be divided into two broad groups.

The first one proposes theoretical frameworks and/or an agenda of actions aimed at managing cybersecurity risk [4,6–11,13]. This group includes the risk-based cybersecurity framework designed by Collier et al. [6], which shows how to be more resilient to dynamic threats by moving from the standard risk assessment, and the Jensen study [7], which suggests how to improve the classical risk management approach, introducing informational campaigns about the specific cyber risk the organization faces and the pressure from customers. The Cybersecurity Framework published by the US National Institute of Standards and Technology (NIST) offers important guidance and provides guidelines, best practices and standards for cyber security risk management. The NIST Framework lays the basis for several studies on cybersecurity by providing new phases [8], samples of unit and system tests for each framework phase [10], and pillars for cyber resilience [4], and several countries (i.e. Canada, Italy and Spain) designed their own cybersecurity framework starting from it. In the next paragraph, we will specifically focus on the US NIST Framework since we have chosen it as one of the main building blocks of our proposed methodological approach. Ganin et al. [11] proposed a multi-criteria decision framework for cybersecurity risk assessment and management through a hypothetical case study exemplifying the process of evaluating and ranking five cybersecurity enhancement strategies: hardware and software upgrade, personnel training, insurance against data losses, data handling policy and just doing nothing (so no action plan as an elective alternative).

The second group of research focuses on the allocation of a protection budget across a spectrum of possible alternatives after an evaluation of viable options [8,12–14]. According to Jeong et al. [21], many firms are not capable of immediately seeing the expected financial loss due to security breaches or, likewise, the expected gain from their investments in information security. Bojanc and Jerman-Blažič [12] allow the selection of the best investment in cybersecurity based on the quantification of the value of each protected system. An approach called Cyber Security Risk Management (CSRM) proposed by Katsumata et al. [8] adds the risk-management planning phase to the ones of risk assessment, risk mitigation and monitoring/control adopted by the NIST Framework. The model presented by Chen et al. [13] analyzes the effectiveness of a diversification strategy under different operating conditions and in presence of different vulnerabilities, suggesting that this is advantageous not only to a risk-averse firm but also to a risk-neutral firm interested in minimizing mean downtime.

Recent contributions to this branch of literature include the study by Nazareth and Choi [9], in which the authors, by using a system dynamics model, evaluate alternative security management strategies through an investment and security cost lens, providing managerial guidance for security decisions, such as the fact that investing in security detection tools has a higher payoff than investments into deterrence ones. Zeijlemaker et al. [22] also address the topic of the influence and impact of systems complexity for what concerns decisions related to investments in cybersecurity. Finally, Paté-Cornell et al. propose a general probabilistic risk analysis framework for cyber risk management in the domain of critical infrastructures, suggesting and analyzing three related case studies [14]. They present several ways to quantify the cyber risk using not only past statistics but also other available features characterizing the specific cases, like the statistical analysis of a real database, a systems analysis of cyber risk for a smart grid and an analysis of sequential decisions to upgrade the software of an actual cybersecurity system.

2.2. The Italian National Strategy on cyber risk management: an extension of the NIST framework

Cybersecurity is a central theme for the national digital transformation of many countries. Upon request from the US Government, the NIST introduced the Cybersecurity Framework, which proposes a risk-based approach to manage cybersecurity risks and constitutes the reference document for the US national strategy for cybersecurity risk management. We focus on the NIST framework as it is used as the building block of our methodology. It consists of three parts: core, tiers and profiles.

¹ State of Cybersecurity in Small & Medium Size Businesses (SMBs). Research Report, Ponemon Institute, 2018.
² ENISA Threat Landscape Report 2018, The European Union Agency for Cybersecurity (ENISA), 2019.
³ Framework for Improving Critical Infrastructure Cybersecurity (Version 1.1), National Institute of Standards and Technology, 2014.


The first one introduces a set of cybersecurity activities, desired outcomes and references common across critical infrastructure sectors: a framework core that is designed for communication between and within organizations and is constituted by five concurrent and continuous functions: Identify, Protect, Detect, Respond and Recover. These are divided into 21 categories and 98 subcategories, with each subcategory listing the related practices and standards. The four framework tiers range from partial (informal, reactive responses) to adaptive (agile and risk-informed entity). The framework profiles define practices which best match the business needs of an organization and that can be obtained from the Framework Core. Profiles can be useful to identify opportunities for improving the cybersecurity level by comparing the current ("as-is") profile with the desired target ("to-be") one, and this offers a uniform, voluntary approach for tackling cybersecurity in order to reduce cyber risks. In the Italian context, the National Cybersecurity Framework [17] represents a key document for cybersecurity risk management. The Italian National Cybersecurity Framework extends the NIST Framework by allowing a broader application to different contexts outside of critical infrastructures, such as public administrations, private companies and SMEs. At the same time, it maintains full compatibility with the NIST Framework, sharing its framework core and enriching it with three new key concepts: priority levels, maturity levels and contextualization prototypes (e.g., the GDPR prototype). Priority levels are used to define each Framework Core subcategory's implementation priority, depending on the business' nature, size and risk profile. Maturity levels allow choosing between different modalities for the implementation of each subcategory and must be set carefully, as a higher maturity level will reduce risk exposure but will increase costs and management complexity. Anyone willing to implement the framework can choose the functions, categories and subcategories that fit the organization and define for them priority levels, maturity levels and security checks. The resulting scheme takes the name of "Framework Contextualization" and is particularly useful to measure the actual exposure of a generic organization (and not only a critical infrastructure) towards cyber-threats (actual profile) and to define the new desired posture (target profile). Finally, these two profiles allow defining and prioritizing the list of corrective actions (or accepted risks).

Another key document was introduced in 2018, when the CINI Italian Cybersecurity National Laboratory produced the White Paper on Cybersecurity⁴, presenting the main cybersecurity challenges Italy had to face in the next five years. It outlined a set of focus areas and actions that the Italian research community considered essential to implement and support what was foreseen in an executive decree on cybersecurity issued in February 2017 by the Italian Government. The White Paper examines different aspects of cybersecurity, including the definition of infrastructures and centers for organizing defense, the actions and technologies to improve protection, the identification of the main defense technologies, and the proposal of a set of horizontal actions for training, awareness, and risk management.

2.3. Gaps in research and objectives of this study

The above-mentioned cyber-risk management models identify best practices and processes to follow in order to improve organizational cybersecurity. However, "existing approaches (...) lack the ability to integrate across multiple domains of cyber systems to provide guidance for enhancing cybersecurity" [[15]: 1] and, from the defender's point of view, "the analysis has to include uncertainty and the dynamics of cyberattacks" [[14]: 240]. Recent evidence also suggests extending the attention to SMEs, given the increasing number of cyber attacks they experience [16] and the limited resources they own to counter them.

Although system dynamics tools have already been proposed to support investment decisions [23] in the form of decision support systems based on the combination of business objects and system structure [24], to the best of our knowledge, a practical, dynamic and easy to use model, able to identify and estimate the cyber risk related to a specific SME, does not exist yet.

Therefore, the aim of this study is to propose a methodology and tool named SMECRA (SME Cyber Risk Assessment methodology and tool), comprising two modules, the Snapshot Survey and the System Dynamics simulation model (both based on the NIST Cybersecurity Framework), that allow for the evaluation of cyber risks and for the planning of effective investments in SMEs.

The SMECRA tool aims at supporting decision makers in understanding how to improve the resilience of a SME against cyber-threats by following investments in certain business areas (i.e. investments in HR, in production systems, in Information/Security Systems, etc.). We argue that the use of systems thinking and system dynamics in the field of cybersecurity is proving its value as well as introducing advantages for this and a number of other problems (particularly, on investment sustainability). Other examples include understanding the dynamics of cyberwarfare [25,26] and the evaluation of financial impacts of cybersecurity and Data Protection Impact Assessments (DPIA).

The system dynamics model at the root of the SMECRA methodology and tool has been developed by starting from a qualitative causal loop diagram (CLD) model, proposed by Armenia et al. [27], that interconnects, through a typical Systems Thinking approach, the categories of the Italian Cyber Security Framework to the generic organizational structure of a SME, and that identifies some levers for improving the cyber-risk profile of such organizations.

In that study, the authors argue that the NIST framework categories can be directly linked to various areas and aspects of an organization (for instance, investments in cybersecurity are generally connected to an increase in the number and use of security devices and tools needed for aggregation and correlation of event data from multiple sources and sensors: this is strictly connected to the subcategories DE.AE - anomalies and events - and DE.DP - detection process - from the "Detection" NIST category), and such aspects are in turn interconnected due to the intrinsically systemic nature of organizations [28,29]. This implies that, by "projecting" the framework categories on the "organizational plane", which shows how organizational aspects are interconnected, it is possible to infer that the framework categories are also systemically interconnected among themselves through organizational relationships and links (see Fig. 1).

The research from Armenia et al. [27] did not include the connection with other aspects of cyber-physical systems, as it did not delve into further details: the aim was mostly to show that the framework categories are systemically related, and that investments to improve the cyber-posture in those categories need to take this aspect into account. In this paper, we start from those assumptions and try to build a quantitative tool that captures those systemic interconnections. This implies that not all of the possible feedback loops are included in the current SMECRA formulation, but just those that link, through interconnected organizational aspects, some specific framework categories. We postpone the evaluation of the inclusion of other subsystems to a future elaboration of the SMECRA model, but it is worth mentioning here that the inclusion of all possible feedback loops is well beyond the scope of this initial research and not necessarily a needed aspect. In fact, building on a relevant system dynamics tenet stating that "simpler is better" [30], usually the fundamental loops derive from the inclusion of specific relevant relationships among the main parts of the system. In this case, we have included all mainly relevant relationships that describe the interdependencies between the specified framework categories and the main organizational variables.

3. Description of the SMECRA methodology

3.1. Concept and architecture

Following the need to effectively assess the current cyber risk of a

⁴ CINI (2018). The future of Cybersecurity in Italy: Strategic focus areas. White book. CINI - Consorzio Interuniversitario Nazionale Informatica.


Fig. 1. (Projection 1) sub-categories relate to organizational variables, interconnected according to a systemic perspective; (Projection 2) then, NIST sub-categories get systemically interrelated, into an organizational perspective.

SME and to support its decisions on cybersecurity investments in order to mitigate such a risk, we built a tool that first analyzes the cyber-posture of a SME and then simulates the effect of different investment strategies (see Fig. 2). The core of the methodology is based on a quantitative SD simulation model (as said, built starting from the qualitative model presented in Armenia et al. [27]) that takes into account the systemic, feedback-based relationships among the various, interdependent aspects addressed by the NIST framework and their dynamic behavior over time.

The initialization parameters of such a "stocks and flows" model (see the next paragraph for a brief explanation of stocks and flows) derive from the use of the NIST framework itself in a first instance, when the initial assessment of the "as-is" cybersecurity risk profile of a SME is performed. Such an assessment translates qualitative evaluations into the quantification of core parameters depicting the starting situation (initial risk profile), which are then used in scenario simulations. It is worth mentioning that the presence of several initialization parameters does not invalidate the robustness of the model, which is mainly rooted in another important System Dynamics principle, stating that it is the structure of a system that influences its behavior.

3.2. Modeling approach: systems thinking and system dynamics

System Dynamics consists of an iterative process used to define a dynamic hypothesis, develop a formal model to test and validate it, then formulate and evaluate different intervention policies [31]. The approach was developed in the '60s by Jay W. Forrester [32] in order to study complex business situations and was later expanded to study problems associated with the dynamics of growth and decline in urban centers [33], in the world as a whole [34,35], as well as other complex problems such as climate change. The features of system dynamics modeling and simulation include the possibility to account for nonlinearities, information feedbacks, time delays, and dynamic complexity [31].

System Dynamics employs various tools for extrapolating information on the behavior over time of complex systems, hence discovering hidden or even counterintuitive behaviors. The causal-loop diagram (CLD) approach, aimed at understanding the interdependencies among various parts of a complex system (and that is thus typical of the Systems Thinking approach), while being inherently qualitative, is also the starting point for the subsequent development of a quantitative model. Causal loop diagrams [31] are used to map the causal relationships between pairs of elements within a system and to identify the feedback loops that link together all the relevant aspects of a system, hence determining the system's structure and ultimately its behavior. In fact, positive, negative, and delayed feedback loops can create a variety of recurring systemic structures, named Systems Archetypes, which can assist in analyzing the problem displayed by a certain system and in diagnosing the optimal solution [36]. Notwithstanding its qualitative value, the analysis of CLDs can introduce several important results. The main advantage in using this type of analysis is that it provides a vision that considers many themes inside a system as interconnected with each other, contrary to those past approaches where systems are analyzed individually and on a sectoral basis. Understanding the dynamics of stocks and flows is key to figuring out the behavior over time of complex systems [36]. Stocks and flows symbolism can be explained as follows: (1) a stock represents things in the model that can accumulate; it will rise and drop depending on its flows and will remain constant while in equilibrium; (2) a flow is (one of the) rate(s) of change of a stock: inflows add to a stock, outflows take away from the stock; equilibrium occurs when inflows to all stocks are equal to the outflows; and (3) the information links represent a variable's direct influence on another one. It is important to note that stocks, especially large ones, tend to change slowly, even when the flows into or out of them change suddenly, simply because it takes time for the flow itself to accumulate into them [31]. For this reason, stocks act as delays or shock absorbers in systems, and therefore the presence of stocks allows inflows and outflows to be independent of each other and temporarily out of balance, which leads to the need for a controlling mechanism, that is feedback. Furthermore, feedback loops are generally linked together, often in quite intricate patterns: a stock might very well have several reinforcing or balancing loops of differing strengths pulling it in several directions, and a flow could be influenced by the contents of multiple stocks and fill one stock while draining another one and feeding into decisions that impact a third stock or even more. The many feedback loops within a system can tug against each other, trying to make stocks grow, die off, or balance each other. As a result, complex systems do much more than just stay steady, explode exponentially, or approach goals smoothly [36].

3.3. Snapshot survey

In order to build effective tools using established parameters for self-assessment, a proper data acquisition structure was needed. Such an instrument has been elaborated building on the Cybersecurity Essential Controls,⁵ a paper that introduces "15 essential controls" that can be

⁵ CIS Sapienza (2017). 2016 Italian Cybersecurity Report


Fig. 2. Architectural concept of the SMECRA tool.

adopted and implemented by Italian SMEs in order to increase their defenses against cyberattacks without excessive costs or complexity for businesses of that size. Building on these controls (which are inherently NIST-based, as they are a relevant subset, for SMEs, of the full set of categories in the NIST framework), a survey has been developed in order to collect the data needed to capture the "as-is" risk profile (hence the name of Snapshot Survey) of a given SME at the time of analysis, through 24 easy to understand questions regarding the state of the company's cyber defenses. The results of the Snapshot Survey constitute an initial "as-is" defense assessment score for the SME in question, mapping the compliance with the aforementioned Essential Controls, expressed with a coverage score ranging from 0 to 100%, plus four sub-scores that can be helpful to quickly pinpoint the weak points in the SME's defenses and to emphasize areas of possible further improvement. A 100% score represents the target cyber posture, also called the "to-be" risk profile. In fact, in order to provide an accurate snapshot of the SME's situation, using simple binary Yes/No choices would not provide the desired level of detail for many questions; thus, multiple possible options are offered when needed, ensuring higher accuracy without an excessive increase in complexity. The rationale of the coverage score is to capture the cyber posture of the organization with respect to each of the Essential Controls, thus it is displayed in percentage form. The more a control is covered, the higher the coverage score will be. If the score is below 70%, it means that at least an important part of the control is missing; if it is lower than 50%, it means that the organization is not compliant with the control. The inspection of the snapshot survey will also allow those in charge to focus on the missing cybersecurity features. A weighting system is also used to model the relative importance of a question with respect to the category it belongs to, so that the maximum score achievable by selecting the highest grade in all the questions belonging to one category is always 100. This way, we managed to avoid a potential bias towards any particular category and to highlight the more important questions for each of the cyber-defense categories. This approach allows mitigating the arbitrariness of the assessment by being based on an accepted standard for risk management, namely the NIST Cybersecurity Framework and its derivatives, that helps in categorizing and homogenizing the collected evidence on cyber-posture. On the other hand, it allows the needed degree of customizability that SMEs require in order to be modeled convincingly, given the heterogeneity of their domains and inner structures, and for which the Cybersecurity Essential Controls have been created. Each business will of course utilize those data to develop a unique strategy founded on different strengths, goals and budget constraints. The survey data is then used to populate the system dynamics model described in the next section, and every answer translates into values of the model's variables and parameters, following the mapping shown in Table 1.

3.4. Model description

The SMECRA system dynamics simulation model has been developed using Powersim® software with a specific focus on a generic SME context, and adopting the Snapshot Survey as an input for the initial state variables and parameters, before simulating different scenarios. The overall model includes the network of relationships among the previously mentioned variables (and their equations) as well as structures related to funding, resource allocation, eventual capability and capability loss related to each variable. The overall model comprises more than 50 equations describing the relationships among its variables. In Table 2 the example of backup-related equations is provided. In a similar way, respecting their meanings and interdependencies, the other variables have been modeled too.

It is useful to look at the model's most significant causal loop diagrams (CLD) in order to understand the main functionalities and basic dynamics of SMECRA (Fig. 3). First, without proper cyber defenses in place, any business can quickly fall into a spiral of escalating damage, as shown by the Reputational Damage Reinforcing Loop (RDRL, highlighted in green in Fig. 4). In fact, Successful Attacks increase the Damage from Attacks, which in turn increases the Vulnerability Perception, as the business is now perceived as an easier target for other potential attackers (increasing both Expected Damage and Attractiveness - see Eq. 1 and Eq. 2, and their related behaviors in Fig. 6).

Attractiveness = ((1 − Prevention Capability) + (0.1 × Vulnerability Perception)) × (Financial Result) (1)

Expected Damage = Avg. Attack Damage × (Blocked Attacks + Detected unblocked) × (1 − Mitigation Cap.) (2)

This increases the Attack Rate, which in turn is assumed to mean more Successful Attacks, thus dealing more damage and escalating the loop. Strictly related to this loop, yet operating differently, is the Economic Damage Balancing Loop (EDBL, shown in orange in Fig. 4): while it looks similar to the previous one, this is a balancing loop, not a reinforcing one. Here, the Damage from Attacks results in a financial loss, reducing the Actual Financial Result and therefore reducing the business' Attractiveness, leading to a reduced Attack Rate, which in turn means a

S. Armenia et al. Decision Support Systems xxx (xxxx) xxx

Table 1
From NIST phases to SMECRA model variables.

Essential control (by NIST Phase) | Snapshot survey question(s) | Model variable

Identify
1. Systems, devices, software, services, accounts and web applications used within the business perimeter are inventoried, with the inventory being updated regularly. | 1. Systems, devices, software, services, accounts and web applications used within the business perimeter are inventoried, with the inventory being updated regularly. | Inventory
2. Third-party web services (social network, cloud computing, email, web hosting, etc.) are only used when strictly necessary. | 2. Third-party web services (social network, cloud computing, email, web hosting, etc.) are only used when strictly necessary. |
3. Critical information, data and systems are identified in order to ensure adequate protection. | 3. Critical information, data and systems are identified in order to ensure adequate protection. |
4. A person responsible for coordinating information and IT systems management and protection activities has been appointed. | 4. A person responsible for coordinating information and IT systems management and protection activities has been appointed. |
5. Laws and/or regulations regarding cybersecurity applicable to the business have been identified and complied with. | 5. Laws and/or regulations regarding cybersecurity applicable to the business have been identified and complied with. | Regulation

Detect
6. Regularly updated protection software (antivirus, anti-malware, etc.) is installed wherever possible. | 6. Protection software (antivirus, anti-malware, etc.) is installed wherever possible. 7. Frequency of protection software updates. 8. Typology of protection software updates. | Accounts

Protect
7. Passwords are adequately complex and different for every account, and the adoption of safer authentication methods is considered. | 9. Passwords are adequately complex and different for every account. 10. Two-factor authentication is adopted. 11. The business utilizes password managers. |
8. Personnel granted remote or local access to IT systems are provided with personal accounts that are not shared with others, and access is properly protected. Old, unused accounts are deleted or deactivated. | 12. Personnel granted remote or local access to IT systems are provided with personal accounts that are not shared with others, and access is properly protected. 13. Old, unused accounts are deleted or deactivated. |
9. Each user can only access information and systems that are needed for and pertaining to his job. | 14. Each user can only access information and systems that are needed for and pertaining to his job. |
10. Employees are aware and trained to understand cybersecurity risks and the practices needed to safely operate the business’ IT systems. | 15. Employees are aware and trained to understand cybersecurity risks and the practices needed to safely operate the business’ IT systems. | HR Skills
11. Experienced personnel, bearing responsibility for such tasks, are in charge of the initial setup of all systems and devices. Default access credentials are always replaced. | 16. Experienced personnel, bearing responsibility for such tasks, are in charge of the initial setup of all systems and devices. 17. Default access credentials are always replaced. | Backups
12. Critical information, data and systems, identified at #3, are periodically backed up. Backups are safely stored and periodically checked. | 18. Critical information, data and systems, identified at #3, are periodically backed up. 19. Backups are safely stored and periodically checked. |

Respond
13. Networks and systems are protected against unauthorized accesses using proper tools, such as firewalls. | 20. Networks and systems are protected against unauthorized accesses using proper tools, such as firewalls. 21. All wireless networks are protected. | Network Protection
14. In the event of an accident (such as malware or other attacks being detected), those in charge of security are informed, and IT systems are secured by experienced personnel. | 22. In the event of an accident (such as malware or other attacks being detected), those in charge of security are informed, and IT systems are secured by experienced personnel. | Respond
15. All software, firmware included, is updated to the latest version suggested by the manufacturer. Obsolete software or devices that cannot be upgraded are disposed of. | 23. All software, firmware included, is updated to the latest version suggested by the manufacturer. 24. Obsolete software or devices that cannot be upgraded are disposed of. | Inventory

Table 2
Example of PowerSim® model equations.

Backup capability loss: IF(Backups>30,’Backup Funding’,0)
Backup Funding: GRAPHSTEP((‘Backup Resources Allocation’),100<<EUR>>,500<<EUR>>,{2,10,15,20,25,30,30//Min:0;Max:100//}) + Inventory*0.05
Backup Resources Allocation (EUR): Resources*(30/570)*(‘Strategic Focus’[5]/ARRAVERAGE(‘Strategic Focus’))
Backups: 3*’Initial State’[16]+6*’Initial State’[17]+3*’Initial State’[18]+3*’Initial State’[19]

reduction in Damage from Attacks, balancing the loop. At first glance, this might seem like a good thing, but what is actually happening is that the business has lost so much money from previous attacks and indirect consequences that criminals do not even consider it a worthy target anymore. As this loop’s strength increases, staying in business becomes increasingly challenging.

A simplified view of the SFD model pertaining to the RDRL and EDBL is shown in Fig. 4. Beyond those, the larger Cyber Defense Reinforcing Loops (CDRL) represent the effects of investing in cybersecurity for a generic SME. At least eight such loops can be identified in the full model, and again the choice of showing the CDRL pertaining to the Mitigation component (see Fig. 5, highlighted in blue) does not lead to any loss of generality.

Here, an increase in Mitigation Funds leads to higher investment, which improves the business’ Mitigation Capability, one of the key factors in raising the Mitigation Level. This, in turn, leads to more Blocked Attacks, therefore reducing the Damage from Attacks and increasing the Actual Financial Result, allowing for more cybersecurity investment. These loops are virtuous loops that counter the negative effects of the ones shown before, protecting the business from a potential downward spiral.

While the model’s logical architecture has already been discussed, it is worth taking a more in-depth look at its stock-and-flow structure. Starting from the bottom left part of Fig. 4, the Attack Rate is a Poisson distribution based on the selected environment’s Threat Level (more on it in the following) and the company’s Attractiveness, about which much has already been said with the help of the causal loop diagram. Obviously, Attack Rate controls the flow populating the Incoming Attacks stock, whose two outflows both depend on the Detection Rate, itself a function of the company’s Detection Capability. Attacks that can be detected with the current capabilities end up in the Detected Attacks


Fig. 3. Causal Loop Diagram (CLD) of the SMECRA model with significant loops highlighted.

stock, while the rest goes Undetected and therefore Not Blocked, increasing the Damage from Attacks. On the other side, a part of Detected Attacks ends up as Blocked Attacks, at a rate linked to the business’ Mitigation Capability, while the rest leaves the stock as Detected but not Blocked, still increasing the Damage from Attacks. From there, the increase in Damage from Attacks both reduces the company’s Actual Financial Result and increases the Vulnerability Perception (see related behavior in Fig. 6a, left side, and Eq. 3).

This is quite interesting, as management now feels the pressure to invest in cybersecurity yet has fewer resources available to do so. In fact, both those variables drive the Resources Acquisition Rate (see related behavior in Fig. 6b, right side, and Eq. 4). Such a rate controls the flow that increases the large Resources stock at the top, which in turn is depleted by seven different outflows,

Vulnerability Perception = 0.7*Expected Damage Rate + Attacks Damage − Expected Damage Rate (3)

Resource Acquisition Rate = 0.025*Actual Financial Result*Vulnerability Perception (4)
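The loop structure just described (Attack Rate as a Poisson draw driven by Threat Level and Attractiveness, the Detection and Mitigation rates splitting incoming attacks, Damage from Attacks feeding both the financial result and the Vulnerability Perception, and Eqs. 1 to 4 closing the RDRL, EDBL and CDRL) can be followed more concretely in a minimal discrete-time re-implementation. The block below is an added example and not the paper’s PowerSim model: the only figures taken from the paper are the EUR 1,300,000 yearly income and the one-week timestep (Table 3); every other constant (damage per attack, base attack rate, the scale applied to Eq. 4, capability cost and decay, the per-threat-level ceilings) is an assumption chosen to keep the loop numerically sane, and the seven-area Strategic Focus is collapsed into three weights for the three capabilities.

```python
"""Minimal stock-and-flow loop in the spirit of SMECRA (added example, not the paper's model)."""
import math
import random

WEEKLY_INCOME = 1_300_000 / 52   # Table 3: EUR 1,300,000 yearly income, 1-week timestep
AVG_ATTACK_DAMAGE = 1_000.0      # assumed loss per unblocked attack (EUR)
BASE_ATTACK_RATE = 2.0           # assumed attacks/week at Threat Level 1 when Attractiveness = 1
ACQUISITION_GAIN = 10.0          # assumed scale for Eq. 4, whose units the paper does not state
CAPABILITY_COST = 10_000.0       # assumed EUR that raises one capability by 1.0 (below its ceiling)
CAPABILITY_DECAY = 0.002         # assumed weekly capability loss (skills fade, tools age)
AREAS = ("Prevention", "Detection", "Mitigation")


def hard_cap(threat_level):
    """Assumed per-capability ceiling; harsher environments get lower ceilings (Section 4.2)."""
    return 1.0 - 0.05 * threat_level


def attractiveness(prevention, vulnerability_perception, financial_result):
    """Eq. 1, with Financial Result given as a fraction of the undamaged weekly income."""
    return ((1 - prevention) + 0.1 * vulnerability_perception) * financial_result


def expected_damage(blocked, detected_unblocked, mitigation):
    """Eq. 2 (EUR)."""
    return AVG_ATTACK_DAMAGE * (blocked + detected_unblocked) * (1 - mitigation)


def vulnerability_perception(expected_damage_rate, attacks_damage):
    """Eq. 3, floored at zero and divided by weekly income so it is dimensionless (assumption)."""
    raw = 0.7 * expected_damage_rate + attacks_damage - expected_damage_rate
    return max(raw, 0.0) / WEEKLY_INCOME


def resource_acquisition_rate(financial_result_eur, vuln):
    """Eq. 4 times the assumed gain: EUR made available for cybersecurity this week."""
    return 0.025 * financial_result_eur * vuln * ACQUISITION_GAIN


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small weekly rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def binomial(rng, n, prob):
    return sum(1 for _ in range(n) if rng.random() < prob)


def simulate(threat_level, initial, strategic_focus=(1.0, 1.0, 1.0), weeks=260, seed=0):
    """Run the loop for `weeks` steps (five years by default, as in Table 3).

    `initial` holds the starting Prevention/Detection/Mitigation capabilities in [0, 1];
    `strategic_focus` splits each week's acquired resources across the three areas
    (a three-area stand-in for the paper's seven-area Strategic Focus parameter).
    """
    rng = random.Random(seed)
    cap = dict(zip(AREAS, initial))
    ceiling = hard_cap(threat_level)
    weights = [f / sum(strategic_focus) for f in strategic_focus]
    damage_prev, vuln = 0.0, 0.0
    damage_series, spend_series, cap_series = [], [], []
    for _ in range(weeks):
        fin_frac = max(0.0, 1 - damage_prev / WEEKLY_INCOME)            # Actual Financial Result
        attr = attractiveness(cap["Prevention"], vuln, fin_frac)
        incoming = poisson(rng, BASE_ATTACK_RATE * threat_level * attr)  # Attack Rate -> Incoming Attacks
        detected = binomial(rng, incoming, cap["Detection"])             # Detection Rate
        blocked = binomial(rng, detected, cap["Mitigation"])             # Mitigation Rate
        detected_unblocked = detected - blocked
        undetected = incoming - detected
        damage = (undetected + detected_unblocked) * AVG_ATTACK_DAMAGE  # Damage from Attacks
        exp_dmg = expected_damage(blocked, detected_unblocked, cap["Mitigation"])
        vuln = vulnerability_perception(exp_dmg, damage)
        spend = resource_acquisition_rate(fin_frac * WEEKLY_INCOME, vuln)
        for area, w in zip(AREAS, weights):                               # Resource Allocation -> Funding
            cap[area] = min(ceiling, cap[area] * (1 - CAPABILITY_DECAY) + spend * w / CAPABILITY_COST)
        damage_prev = damage
        damage_series.append(damage)
        spend_series.append(spend)
        cap_series.append(dict(cap))
    return {"damage": damage_series, "spend": spend_series, "capability": cap_series}


def loss_share(result, first_weeks=26):
    """Share of income lost to attacks over the first `first_weeks` weeks."""
    return sum(result["damage"][:first_weeks]) / (first_weeks * WEEKLY_INCOME)


if __name__ == "__main__":
    unprepared = simulate(threat_level=3, initial=(0.0, 0.0, 0.0), seed=1)
    prepared = simulate(threat_level=3, initial=(0.6, 0.6, 0.6), seed=1)
    for name, run in (("unprepared", unprepared), ("prepared", prepared)):
        print(f"{name}: first-semester loss share {loss_share(run):.1%}, "
              f"5-year damage EUR {sum(run['damage']):,.0f}, spend EUR {sum(run['spend']):,.0f}")
```

Running it with a fixed seed shows the qualitative behaviour the text describes rather than the paper’s numbers: an unprepared business is hit hard in the first months, its Vulnerability Perception pushes spending up, the capabilities climb to their ceiling and losses fall, while a business that starts with partial capabilities never lets the reinforcing loop gain the same strength.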


Fig. 4. A simplified view of the S&F model pertaining to the RDRL and EDBL.

Fig. 5. A simplified view of the S&F model pertaining to the Mitigation CDRL.

Fig. 6. Attractiveness and vulnerability perception (a) - Expected damage and resource acquisition rate (b).

representing Resource Allocation for each of the seven model variables: Regulations, Accounts, Inventory, Backup, Protection, Damage Mitigation and Human Resources Skills. The allocated resources are then invested and converted into actual Funding flows, each of which in turn increases a capability stock bearing the same name as the respective cybersecurity area, as can be seen in the central area of the model. From there, each flow goes on to influence one or more of the three main capabilities, namely Prevention, Detection and Mitigation. For example, an increase in HR Skill Level will end up raising all three of them, emphasizing the importance of a cyber-educated workforce. In turn, those three variables respectively affect the already mentioned Attractiveness, Detection Rate and Mitigation Rate, completing the system dynamics model. Having displayed the model’s general functioning, we focus on a few useful features of this tool, namely the input variables that


allow the user to control the simulations.

First, the data collected through the Snapshot Survey presented earlier, and modeled according to Framework categories in order to avoid excessive arbitrariness, are used as an input (in the Initial State variable) to initialize the model with the actual state of the business in question at the current time. Furthermore, the model gives the user the possibility to simulate a cyber-environment with different risk scenarios (acting on the Threat Level variable), displaying the effect of the chosen actions in a Low, Medium or High Threat Environment (for a Threat Level value of 1, 2 and 3 respectively). Threat Level values represent the risk associated with a threat, nominally a combination of likelihood and impact, where the former is influenced by the sophistication of the relative attack and the latter represents the potential damage to the company. This way, the three levels represent three different scenarios of “exposure” to cyber-attacks (i.e., a bigger attack surface in terms of likelihood and impact), according to which different actions can be planned. On top of that, the model also lets the user set different strategic priorities for cybersecurity-related investments, giving the user the possibility to compare and evaluate the future outcomes of different spending choices. This can be done by acting on the Strategic Focus parameter, shown in red in Fig. 5. By default, the model acts “rationally”, allocating resources to the various areas proportionally to the cost of investing to improve the respective capabilities. However, a business might be unable and/or unwilling to invest that way, preferring to distribute its funds differently, or might merely want to compare the results of different potential choices. Therefore, the Strategic Focus parameter constitutes an effective means to increase or reduce cybersecurity spending across the seven categories used by the model.

It is worth noting that the three aforementioned capabilities (Prevention, Detection and Mitigation) are modeled on a scale ranging from zero to one, where zero stands for total exposure and one for perfect defense. Needless to say, a “perfect defense” is not achievable in a real-life situation, no matter how permissive the environment might be (even more so when operating on an SME’s limited budget), which is why each capability has been assigned its own “hard cap” ceiling, representing the actually achievable maximum instead of the theoretical one.

4. Scenarios and simulation results

Simulations have been run in order to understand what could actually happen to one or more SMEs in realistic scenarios. For this purpose, we have selected two different SMEs that, for non-disclosure of identity purposes, we will call Alpha and Beta, and we have tested their behavior in SMECRA according to the following scenarios:

• Scenario 1: An “average” company (Alpha) that does not pay particular attention to cybersecurity, in a medium-threat environment.
• Scenario 2: The same company as before, Alpha, this time in a high-threat environment.
• Scenario 3: A second company, Beta, which is modeled as identical to Alpha with the significant difference of cybersecurity preparedness, again in a high-threat environment.

Common parameters (e.g. total simulation time, timestep, etc.) for all simulations are listed in Table 3 below, whereas detailed survey responses for Alpha and Beta can be found in Table 4. For example, a

Table 3
Constant simulation parameters.

Simulation parameter | Standard value
Total simulation time | 5.00 years
Timestep | 1 week
SME income | € 1,300,000

Table 4
Snapshot Survey results.

Question | Parameters | Weight | Alpha | Beta

Identify
1. Systems, devices, software, services, accounts and web applications used within the business perimeter are inventoried, with the inventory being updated regularly. | 0: No; 1: Yes, but not updated; 2: Yes, and updated | 10 | 0 | 0
2. Third-party web services (social network, cloud computing, email, web hosting, etc.) are only used when strictly necessary. | 0: No; 1: Yes | 6 | 0 | 0
3. Critical information, data and systems are identified in order to ensure adequate protection. | 0: No; 1: Yes, part-time; 2: Yes, full-time | 10 | 0 | 0
4. A person responsible for coordinating information and IT systems management and protection activities has been appointed. | 0: No; 1: Yes, part-time; 2: Yes, full-time | 18 | 1 | 2
5. Laws and/or regulations regarding cybersecurity applicable to the business have been identified and complied with. | 0: No; 1: Partially; 2: Totally | 14 | 1 | 2

Detect
6. Protection software (antivirus, anti-malware, etc.) is installed wherever possible. | 0: Nowhere; 1: Somewhere; 4: Everywhere | 15 | 1 | 4
7. Frequency of protection software updates. | 0: None or occasional; 1: At least quarterly; 3: At least monthly; 5: At least weekly | 7 | 1 | 3
8. Typology of protection software updates. | 0: Manual; 1: Automatic | 5 | 0 | 1

Protect
9. Passwords are adequately complex and different for every account. | 0: No, same passwords; 1: Different passwords; 2: Different and complex passwords | 4 | 1 | 2
10. Two-factor authentication is adopted. | 0: No; 1: Yes | 6 | 0 | 0
11. The business utilizes password managers. | 0: No; 1: Yes | 5 | 0 | 0
12. Personnel granted remote or local access to IT systems are provided with personal accounts that are not shared with others, and access is properly protected. | 0: No; 1: Yes | 3 | 0 | 0
13. Old, unused accounts are deleted or deactivated. | 0: No; 1: Yes | 2 | 0 | 0
14. Each user can only access information and systems that are needed for and pertaining to his job. | 0: No; 1: Yes | 2 | 0 | 0
15. Employees are aware and trained to understand cybersecurity risks and the practices needed to safely operate the business’ IT systems. | 0: No; 1: Partially; 3: Completely | 8 | 1 | 1
16. Experienced personnel, bearing responsibility for such tasks, are in charge of the initial setup of all systems/devices. | 0: No; 1: Yes | 3 | 1 | 1
17. Default access credentials are always replaced. | 0: No; 1: Yes | 6 | 0 | 0
(continued on next page)
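Two pieces of the methodology can be made concrete with the Table 4 data: the weighted coverage score described in Section 3 (highest grade in every question of a category gives 100, below 70% an important part of the control is missing, below 50% the control is not met) and the backup-related PowerSim equations of Table 2, which read the same answers through the Initial State vector. The block below is an added example, not the paper’s tool. It transcribes the Identify block and questions 16 to 19 from Table 4 for Alpha and Beta. Three things are assumptions rather than statements of the paper: the normalisation rule for the coverage score (weighted sum of answers over weighted sum of highest grades), so the percentages it yields are illustrative and are not the authors’ reported Identify scores; that ’Initial State’[i] holds the answer to question i; and the step-lookup reading of PowerSim’s GRAPHSTEP and the 1-based index of ’Strategic Focus’[5].

```python
"""Snapshot Survey answers -> coverage score and Table 2 backup equations (added example)."""
from statistics import mean

# Table 4 rows transcribed as (question, weight, highest grade, Alpha answer, Beta answer).
SURVEY = {
    "Identify": [
        (1, 10, 2, 0, 0),   # inventory of systems, updated regularly
        (2, 6, 1, 0, 0),    # third-party web services only when necessary
        (3, 10, 2, 0, 0),   # critical information and systems identified
        (4, 18, 2, 1, 2),   # responsible person appointed
        (5, 14, 2, 1, 2),   # applicable laws/regulations identified and complied with
    ],
    "Protect (backup-related subset)": [
        (16, 3, 1, 1, 1),   # experienced personnel do the initial setup
        (17, 6, 1, 0, 0),   # default credentials always replaced
        (18, 3, 4, 0, 2),   # periodic backups (grades 0, 1, 2, 4)
        (19, 3, 1, 0, 1),   # backups stored safely and checked
    ],
}
COMPANY_COLUMN = {"Alpha": 3, "Beta": 4}


def coverage_score(rows, company):
    """Weighted coverage of one category in percent.

    Assumed normalisation: weighted sum of the answers divided by the weighted sum of the
    highest grades, so selecting the top grade in every question gives exactly 100.
    """
    col = COMPANY_COLUMN[company]
    achieved = sum(row[1] * row[col] for row in rows)
    maximum = sum(row[1] * row[2] for row in rows)
    return 100.0 * achieved / maximum


def compliance_status(score):
    """Thresholds from the text: below 50% not compliant, below 70% an important part missing."""
    if score < 50:
        return "not compliant"
    if score < 70:
        return "important part of the control missing"
    return "covered"


def initial_state(company):
    """Initial State vector: question number -> answer (assumed meaning of 'Initial State'[i])."""
    col = COMPANY_COLUMN[company]
    return {row[0]: row[col] for rows in SURVEY.values() for row in rows}


def graphstep(x, xmin, xstep, ys):
    """Assumed reading of PowerSim GRAPHSTEP: ys[0] below xmin, then ys[i] on each step of
    width xstep starting at xmin, and the last value beyond the table."""
    idx = int((x - xmin) // xstep)
    return ys[max(0, min(idx, len(ys) - 1))]


def backups_stock(state):
    """Table 2: Backups = 3*IS[16] + 6*IS[17] + 3*IS[18] + 3*IS[19]."""
    return 3 * state[16] + 6 * state[17] + 3 * state[18] + 3 * state[19]


def backup_resources_allocation(resources, strategic_focus):
    """Table 2: Resources*(30/570)*('Strategic Focus'[5]/ARRAVERAGE('Strategic Focus')), 1-based index."""
    return resources * (30 / 570) * (strategic_focus[4] / mean(strategic_focus))


def backup_funding(allocation_eur, inventory):
    """Table 2: GRAPHSTEP over the allocation in EUR plus 5% of the Inventory capability."""
    return graphstep(allocation_eur, 100, 500, [2, 10, 15, 20, 25, 30, 30]) + inventory * 0.05


def backup_capability_loss(backups, funding):
    """Table 2: IF(Backups>30, 'Backup Funding', 0)."""
    return funding if backups > 30 else 0


if __name__ == "__main__":
    for company in COMPANY_COLUMN:
        for category, rows in SURVEY.items():
            score = coverage_score(rows, company)
            print(f"{company:5} {category:32} {score:5.1f}%  {compliance_status(score)}")
        state = initial_state(company)
        alloc = backup_resources_allocation(570, [1, 1, 1, 1, 2, 1, 1])
        print(f"{company:5} Backups stock {backups_stock(state)}, allocation EUR {alloc:.1f}, "
              f"funding {backup_funding(alloc, 10):.2f}")
```

The weighting matters more than the raw count of “Yes” answers: in the Identify block Alpha and Beta differ on only two questions, yet those carry the two largest weights, so the gap in the category score is wide. The Table 2 chain then shows how the same answers seed a model stock (Backups) whose later growth depends on the Strategic Focus weight and on how much is allocated each step.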


Table 4 (continued)

Question | Parameters | Weight | Alpha | Beta
18. Critical information, data and systems, identified at #3, are periodically backed up. | 0: Never; 1: Sporadically; 2: At least twice a quarter; 4: At least twice a month | 3 | 0 | 2
19. Backups are safely stored and periodically checked. | 0: No; 1: Yes | 3 | 0 | 1
20. Networks and systems are protected against unauthorized accesses using proper tools, such as firewalls. | 0: No; 1: Yes | 8 | 0 | 1
21. All wireless networks are protected. | 0: No; 1: Yes (or there are no wireless networks) | 18 | 1 | 1

Respond
22. In the event of an accident (such as malware or other attacks being detected), those in charge of security are informed, and IT systems are secured by experienced personnel. | 0: No; 1: Yes | 35 | 1 | 1
23. All software, firmware included, is updated to the latest version suggested by the manufacturer. | 0: No; 2: Occasional manual updates; 4: Automatic or frequent updates | 15 | 2 | 2
24. Obsolete software or devices that cannot be upgraded are disposed of. | 0: No; 1: Yes | 5 | 0 | 0

standard five-year period has been kept constant for all simulations, since the rapidly evolving nature of cyber threats would make decade-plus timespans excessive. The business income for Alpha and Beta, before any cyber losses, is also set to the mean income for Italian SMEs. It is worth noting that, if cyber-defense preparedness is the only difference between Alpha and Beta, any difference in their outcomes will be due to cyber-related factors, preemptively removing any risk of confusion from miscellaneous elements and increasing the simulations’ signal-to-noise ratio.

These scenarios allow us to show the effects of an increasingly dangerous cyber-environment on undefended businesses, as well as to understand how cybersecurity investments “pay for themselves” by preventing significant economic damage, and how a cyber-defense advantage can be used by SMEs to exploit an unprepared competitor’s weakness and increase market share, or to strengthen their position in other ways.

4.1. The first scenario: company Alpha

Our first company, called Alpha, is a typical SME that does not pay particular attention to cybersecurity, which is not unusual nowadays. While there are some basic safety measures in place, Alpha’s management has never really thought about cyber risk as an actual threat, nor has it ever properly invested to protect the company from cyberattacks; therefore the initial analysis finds that the business starts out in a significantly unprotected position. Examining Alpha through the previously mentioned Snapshot Survey results in generally inadequate scores: 33% for Identify, 22% for Detect, 33% for Protect and 65% for Respond, resulting in a meager 38% overall.

First, the company’s real income (compared to the income without cyber-attack losses) over time is displayed in Fig. 7. As the graph shows, as soon as the simulation starts, cyber criminals and other malicious actors quickly target Alpha, since its lack of adequate defenses makes it rather easy prey. After six months, these attacks are costing Alpha more than 16% of its original income. As the losses increase, management starts to realize the company’s vulnerability and decides to allocate more funds towards cybersecurity, improving Alpha’s once poor defense capabilities in order to reduce losses from cyber-attacks.

Starting from the second semester, the situation improves significantly, even though the losses remain relatively high for a few semesters, and only in the fourth year are cyber losses definitively reduced. In this first simulation, Alpha avoided a crippling and potentially business-ending scenario by spending just 4% of its earnings at its peak, and less than 2% once the situation stabilized.

Fig. 7. Income over time for each simulation scenario.

4.2. The second scenario: increasing threats

The second simulation sees the same company (Alpha), this time operating in a different, high-threat environment, meaning more frequent and dangerous attacks, not to mention lower capability ceilings. Alpha started out woefully unprepared, but this time attackers are more aggressive and target it much harder, leading to a loss of almost 25% of its original income after a few months (see Fig. 7). Even more worrisome is the fact that, despite the company enacting proper countermeasures in response to massive damage, the situation does not improve enough. While the trend is positive, five years later Alpha is still losing around 12% of its original income and will likely be going out of business anyway, as very few SMEs can absorb such significant losses without succumbing to competition or just going bankrupt. In this case, the negative feedback loops involving economic and reputational damage have gained so much strength that they will still be influencing the system for years to come, likely for longer than Alpha can afford.

Looking at the company’s defense capabilities over time underscores this point. In this situation, alarmed by the sizable losses, Alpha’s management invests around 40% more than before and reaches the capability ceilings before the end of the first year. Yet, that does not result in a fully acceptable outcome, as the mistake had already been made when the business decided to operate in such a challenging environment despite being clearly unprepared: it takes more time for cyber damages to be reduced, due to intrinsic system delays and harmful feedback loops (e.g. the RDRL). Once again, this shows that prevention can be a much more effective strategy than accepting potentially crippling damage, and the last simulation will make this even clearer.

4.3. The third scenario: company Beta

The third and final scenario involves a different company, Beta, operating in a high-threat environment again. Beta is identical to Alpha under almost every organizational aspect, with the significant exception of a higher cyber preparedness: while Beta’s cyber defenses are still far from perfect, its management and employees pay attention to cybersecurity and have adopted a series of good practices and countermeasures. This time, examining Beta through the previously mentioned


Snapshot Survey results in significantly higher scores, with 64% for Identify, 86% for Detect, 54% for Protect and 65% for Respond. Despite the obvious margins for improvement, the resulting 67.25% is almost twice Alpha’s, already telling even an unskilled third party that Beta will likely be less vulnerable. As expected, Beta responded much better to this highly challenging situation. At its worst, the company experiences a ~17% loss, which is lower than Alpha’s from the previous simulation, and said loss is quickly reduced to around 60% of the second scenario’s. As shown in Fig. 8, since Beta had better cyber defenses already in place, it is in a stronger position to face the initial waves of attacks, preventing the harmful feedback loops from gaining excessive strength and therefore managing to keep the situation under control much better.

Fig. 8. Defense capabilities over time in the three scenarios.

5. Discussion and strategic focus on cybersecurity investments

The simulations, whose results are summarized in Table 5 and Fig. 9b, ultimately show how much better Beta is able to resist cyberattack waves, particularly in the first two, crucial years. Even if both companies will eventually achieve a similar result (as said, everything about them is identical except for the starting situation), Alpha’s lack of initial defenses has led to a critical vulnerability, and it is reasonable to imagine Alpha going out of business in the near future, being unable to deal with heavy economic and/or reputational losses. In a scenario where Alpha and Beta are actually in competition, this would obviously lead to Beta gaining Alpha’s market share, simply thanks to proper and timely attention to cybersecurity.

Table 5
Simulation comparison under three different scenarios.

Company | Threat environment | Peak losses | Losses in year 3 | Losses in year 5 | Time to plateau
Alpha | Medium | 16% | 7% | 4% | 16 months
Alpha | High | 25% | 14% | 11% | 13 months
Beta | High | 17% | 12% | 11% | 18 months

Fig. 9a compares cybersecurity expenditures with the damage caused by cyberattacks over time and offers two extremely valuable pieces of information. First, as properly accounted for in the model, businesses tend to spend very little on cybersecurity even when they are being targeted and suffering serious damage. Furthermore, it is also worth noting that this kind of investment is cheap when compared to the damage from attacks, generally amounting to less than 25% of the aforementioned damages.

Fig. 9. Damages and acquisition rate over time (a) - Effects of different strategies adopted by scenarios 2 and 3 (b).


By delving deeper into the results of the SD-model simulations, the following data refer to the high-threat environment simulation runs (#2 and #3) and display each business’ cash outflows for every year, including:

• The cost of enacting the initial cyber-defense measures detailed in the Snapshot Survey and extrapolated from the Essential Controls, which amounts to 12 k€ for Alpha and 19 k€ for Beta (added to the first year’s expenditures).
• The further costs sustained each year by both SMEs to mitigate cyber-attack damage, as shown in the aforementioned simulations.
• The damage inflicted by cyber-attacks on each SME during the five years according to the simulations.

Clearly, the combined impact of the three economic components outlined above can be used to compare the different strategies adopted by the two SMEs, and allows us to fully appreciate Beta’s advantage over a less cyber-ready competitor (see Table 6).

To validate those results, a paired t-test has been performed, and the corresponding two-tailed P value equals 0.022: thus, by conventional criteria (95% confidence interval), this difference is considered to be statistically significant. The second graph in Fig. 9 displays the aforementioned difference, and thus Beta’s undeniable advantage, in an easy-to-understand form.

The advantages of the SMECRA approach are in fact even more noticeable when compared with an unfortunately common approach to cybersecurity by many SMEs, which spend, on average, under € 500 per year on cybersecurity [37] and end up incurring much more substantial costs than they would have had using a systemic approach, as shown in Table 7.

Even following Alpha’s basic approach, an extra €115,700 expenditure results in a €1,318,000 damage reduction, greatly offsetting the initial investment. Furthermore, it is interesting to note that Beta’s approach is superior to Alpha’s in both dimensions (costs and damages), underscoring the potential of a System Dynamics approach such as the one used in the SMECRA tool.

Table 6
Different strategies adopted in scenarios 2 and 3.

Years | Costs + Damages (Alpha) | Costs + Damages (Beta)
1 (includes initial costs) | € 428,200 | € 298,050
2 | € 379,600 | € 328,000
3 | € 343,200 | € 303,000
4 | € 306,800 | € 248,000
5 | € 270,400 | € 236,000
Total | € 1,728,200 | € 1,413,050

Table 7
Cost-effectiveness of a standard approach vs SMECRA.

| Basic approach | Alpha | Beta
Cybersecurity expenses | € 500 | € 116,200 | € 62,050
Damage from attacks | € 1,430,000 | € 312,000 | € 226,000
Total | € 1,430,500 | € 428,200 | € 298,050

These simulations not only display the capability and versatility of this tool, but they also underscore the importance of prevention and awareness regarding cybersecurity matters, not just for large corporations but also for small and medium enterprises.

In order to create (and/or maintain) a competitive advantage in today’s digital world, a crucial aspect for an SME is to evaluate and decide on its investments in cybersecurity. These have to be economically sustainable (in terms of percentage of the SME’s income) and they must aim at minimizing the sum of investments and damages in the following years.

Hence, adequate cybersecurity investments are key for the success of an SME: they depend not only on the environment, which can be more or less risky in terms of cyber threats, or on the overall amount of invested money, but also on the nature of such investments, i.e. on how the cybersecurity budget is allocated to the various possible investment areas. In order to support decisions on how to allocate a certain budget to specific cybersecurity areas, we suggest that SMEs use the SMECRA tool: first, by assessing their cybersecurity readiness through the Snapshot Survey, and then by evaluating how future investments in specific areas can improve their readiness and posture, through the SD-based assessment support system. We demonstrated that, through the use of the SMECRA model, different SMEs can incur significantly reduced cybersecurity costs (sum of investments and damages), depending on the appropriateness and type of the adopted measures, as rated by the Snapshot Survey.

In Fig. 10, a decision tree clarifying how this study can significantly support the investment decisions of SMEs is displayed. When allocating the budget, attention must focus on some of our model’s variables, i.e. Regulations, Accounts, Inventory, Protection Software, Network Protection, Damage Mitigation, HR Skill and Backups. The adequacy of decisions in cybersecurity investments for SMEs is a strategic asset that finds its operative instrument in the budget allocation to cover one or more of those areas.

6. Conclusions

In this paper we have introduced a System Dynamics-based simulation methodology and tool, SMECRA (SME Cyber Risk Assessment), that initially allows an assessment of an SME’s current cyber risk profile through the results of the Snapshot Survey, based on the NIST-driven Italian National Cyber Security Framework [17], and then enables the evaluation of systemic impacts deriving from investments in cybersecurity. We also showed some scenario simulations in order to highlight the effect of different strategies. The SMECRA methodology and tool are based on a systemic perspective linking the organization’s structure with the risks posed by the cyber environment through targeted investments. Its strength lies in the capability of considering how the dynamics arising from such interdependencies, in the form of cause-effect relationships expressed according to the System Dynamics modeling and simulation approach, can overcome the limitations of linear approaches to investment policies in the cybersecurity field. With reference to the NIST Framework (and, broadly speaking, to most types of cyber-posture assessment frameworks), the current mainstream perspective is that, after an initial assessment of the “as-is” situation, investments are to be allocated to each category without paying too much attention to how this might in turn affect other ones (“silo mentality”). Our point of view is that, as the categories are deeply interconnected with each other due to systemic organizational interdependencies, spending in one category might in turn generate an effect (whether positive or negative) on other categories as well. In other words, while the management of an SME might decide to invest a specific amount of economic resources according to the evaluation of improvement needs for each category (“linear” or “silo” approach), through a systemic approach they could realize that, due to the aforementioned interconnections, they might be able to obtain the same “to-be” risk profile by spending less in each of the very same categories. Alternatively, they could find that expenditure made with a linear-thinking approach would not be capable of lowering the risk exposure as desired. This is the first very relevant managerial implication, as SMECRA allows verifying management’s mental models against effective results when compared to investment expectations.

It is worth noting that, in terms of managerial implications, SMECRA, which is based on a new conceptual approach to impact assessment grounded in a systemic view of the related framework, could also be useful to other organizations interested in evaluating risks and managing investments in cybersecurity, as well as to third parties (e.g. banks, insurance companies) willing to define the residual risk level of an SME.

As far as research implications are concerned, through this paper we

12
S. Armenia et al. Decision Support Systems xxx (xxxx) xxx

Fig. 10. Decision tree supporting cybersecurity investment decisions for SMEs.

are contributing to the establishment of a pathway towards a new perspective of evaluations based on “systemic and dynamics frameworks” [38]. In this paper, the latter concept has been applied to a generic cybersecurity scenario, but the model could be customized further (e.g. based on the importance of the context in which the organization is embedded [39]) or even be adopted in other fields, not necessarily (or only) security-based, such as energy, agriculture, sustainability, social issues, etc. In the field of cybersecurity, this paper constitutes an innovation that can lead to a new perspective in the assessment of cyber risks through further research on this topic.

In conclusion, this analysis helps in better defining the actual profile of cyber risks as well as the target profile to which the SME should be aligned, taking into consideration the dynamics of the elements modeled through the Italian and NIST Cybersecurity Frameworks and not only their static definition. Furthermore, the SMECRA methodology and tool proves itself especially valuable for planning and evaluation, ultimately allowing the user to simulate any number of highly different cyber scenarios based on various strategic choices and environments before actually committing manpower and financial resources. As a last note, we have argued that the advantages introduced by the SMECRA methodology and tool were made possible by resorting to the Systems Thinking/System Dynamics approach, which proved crucial for the purpose of this research, ultimately allowing SMEs to make their cyber risk evaluations more accurate, dynamic and sustainable at the same time.

Declaration of Competing Interest

None.

Acknowledgements

This work is supported by the fund “Progetto di Eccellenza” of the Department of Computer, Control and Management Engineering “Antonio Ruberti”, Sapienza University of Rome. The department has been designated by the Italian Ministry of Education (MIUR) as a “Department of Excellence” in advanced training programs in the field of cybersecurity. This work is also partially supported through the ECHO Project (the European network of Cybersecurity centres and competence Hub for innovation and Operations), which has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement no. 830943.

References

[1] R. Von Solms, J. Van Niekerk, From information security to cyber security, Comput. Security 38 (2013) 97–102.
[2] D. Di Mase, Z.A. Collier, K. Heffner, I. Linkov, Systems engineering framework for cyber physical security and resilience, Environ. Syst. Decisions 35 (2) (2015) 291–300.
[3] S.M. Rinaldi, J.P. Peerenboom, T.K. Kelly, Identifying, understanding, and analyzing critical infrastructure interdependencies, IEEE Control. Syst. Mag. 21 (6) (2001) 11–25.
[4] E.G. Carayannis, E. Grigoroudis, S.S. Rehman, N. Samarakoon, Ambidextrous cybersecurity: the seven pillars (7Ps) of cyber resilience, IEEE Trans. Eng. 68 (1) (2021) 223–234.
[5] O. Khan, D.A.S. Estay, Supply chain cyber-resilience: creating an agenda for future research, Technol. Innov. Manag. Rev. 5 (4) (2015) 6–12.
[6] Z.A. Collier, I. Linkov, J.H. Lambert, Four domains of cybersecurity: a risk-based systems approach to cyber decisions, Environ. Syst. Decisions 4 (33) (2013) 469–470.
[7] S.J. Jensen, S. Feldmann-Jensen, D.M. Johnston, N.A. Brown, The emergence of a globalized system for disaster risk management and challenges for appropriate governance, Int. J. Disaster Risk Sci. 6 (1) (2015) 87–93.
[8] P. Katsumata, J. Hemenway, W. Gavins, Cybersecurity risk management, in: 2010 Military Communications Conference (MILCOM), 2010, pp. 890–895.
[9] D.L. Nazareth, J. Choi, A system dynamics model for information security management, Inf. Manag. 52 (1) (2015) 123–134.
[10] P. Rohmeyer, T. Ben-Zvi, D. Lombardi, A. Maltz, Capability effectiveness testing for architectural resiliency in financial systems, in: 2017 Portland International Conference on Management of Engineering and Technology (PICMET), 2017, pp. 1–7.
[11] A.A. Ganin, P. Quach, M. Panwar, Z.A. Collier, J.M. Keisler, D. Marchese, I. Linkov, Multicriteria decision framework for cybersecurity risk assessment and management, Risk Anal. 40 (1) (2020) 183–199.
[12] R. Bojanc, B. Jerman-Blažič, A quantitative model for information-security risk management, Eng. Manag. J. 25 (2) (2013) 25–37.
[13] P.Y. Chen, G. Kataria, R. Krishnan, Correlated failures, diversification, and information security risk management, MIS Q. (2011) 397–422.
[14] M.E. Paté-Cornell, M. Kuypers, M. Smith, P. Keller, Cyber risk management for critical infrastructure: a risk analysis model and three case studies, Risk Anal. 38 (2) (2018) 226–241.
[15] W.P. Nguyen, S.Y. Nof, Collaborative response to disruption propagation (CRDP) in cyber-physical systems and complex networks, Decis. Support. Syst. 117 (2019) 1–13.
[16] J. Saleem, B. Adebisi, R. Ande, M. Hammoudeh, A state of the art survey - Impact of cyber attacks on SME’s, in: Proceedings of the International Conference on Future Networks and Distributed Systems, ACM, 2017, p. 52.
[17] M. Angelini, C. Ciccotelli, L. Franchina, A. Marchetti-Spaccamela, L. Querzoni, Italian National Framework for Cybersecurity and data protection, in: L. Antunes, M. Naldi, G. Italiano, K. Rannenberg, P. Drogkaris (Eds.), Privacy Technologies and Policy. APF 2020. Lecture Notes in Computer Science, Vol 12121, Springer, Cham, 2020, pp. 127–142.
[18] H. Li, X.R. Luo, J. Zhang, R. Sarathy, Self-control, organizational context, and rational choice in internet abuses at work, Inf. Manag. 55 (3) (2018) 358–367.
[19] S. Zeadally, B. Yu, D.H. Jeong, L. Liang, Detecting insider threats: solutions and trends, Inform. Security J. Glob. Perspect. 21 (4) (2012) 183–192.
[20] J. Hua, Y. Chen, X.R. Luo, Are we ready for cyberterrorist attacks? — Examining the role of individual resilience, Inf. Manag. 55 (7) (2018) 928–938.
[21] C.Y. Jeong, S.Y.T. Lee, J.H. Lim, Information security breaches and IT security investments: impacts on competitors, Inf. Manag. 56 (5) (2019) 681–695.
[22] S. Zeijlemaker, E.A.J.A. Rouwette, Unravelling the dynamic complexity of cyber security investment decision making, in: One Conference 2019, The Hague, the Netherlands, 2019.
[23] A.C. Marquez, C. Blanchar, A decision support system for evaluating operations investments in high-technology business, Decis. Support. Syst. 41 (2) (2006) 472–487.
[24] A. Gregoriades, B. Karakostas, Unifying business objects and system dynamics as a paradigm for developing decision support systems, Decis. Support. Syst. 37 (2) (2004) 307–311.
[25] S. Armenia, A. Cardazzone, C. Carlini, Understanding security policies in the cyber warfare domain through system dynamics, in: Proceedings of the 4th International Defense and Homeland Security Simulation Workshop (DHSS 2014), 2014, ISBN 9788897999416, pp. 27–32.
[26] S. Zeijlemaker, Zuna A. Montellano, Detection dynamics: the balancing act in the realm of cyber security under conditions of staff shortage and attacker behaviour growth, in: Proceedings of the 37th International System Dynamics Conference (ISDC), Albuquerque, New Mexico, USA, 2019, ISBN 9781510897311, pp. 9–10.

[27] S. Armenia, E. Ferreira Franco, F. Nonino, E. Spagnoli, C.M. Medaglia, Towards the definition of a dynamic and systemic assessment for cybersecurity risks, Syst. Res. Behav. Sci. 36 (2018) 404–423. ISSN: 1099-1743.
[28] H. Mintzberg, Structure in 5’s: a synthesis of the research on organization design, Manag. Sci. 26 (3) (1980) 322–341.
[29] R.L. Ackoff, Why few organizations adopt systems thinking, Syst. Res. Behav. Sci. 23 (5) (2006) 705.
[30] I. Martinez Moyano, G.P. Richardson, An expert view of the system dynamics modeling process: concurrences and divergences searching for best practices in system dynamics modeling, in: Proceedings of the 20th International Conference of the System Dynamics Society (Vol. 28), 2002.
[31] J. Sterman, Business Dynamics, Irwin/McGraw-Hill, 2000.
[32] J.W. Forrester, Industrial Dynamics, Productivity Press, Portland, Oregon, 1961.
[33] J.W. Forrester, Urban dynamics, IMR; Ind. Manag. Rev. (Pre-1986) 11 (3) (1970) 67.
[34] J.W. Forrester, World Dynamics, Wright-Allen Press, 1971.
[35] D.L. Meadows, D.H. Meadows, et al., The Limits to Growth, Potomac Associates, 1972.
[36] D.H. Meadows, Thinking in Systems, C.G. Publishing, 2008.
[37] S. Morrow, T. Crabtree, The future of cybercrime & security, in: Threat Analysis, Impact Assessment & Mitigation Strategies, 2019, pp. 2019–2024.
[38] S. Armenia, Taking decision making to the next level by integrating data analytics with systems thinking and system dynamics, in: New Challenges in Corporate Governance: Theory and Practice, 2019, pp. 41–42.
[39] A. Annarelli, F. Nonino, G. Palombi, Understanding the management of cyber resilient systems, Comput. Ind. Eng. 149 (2020) 106829.

Stefano Armenia (PhD, MBA) is a Senior Research Fellow in the Analysis and Management of Complex Organization and Organizational Behavior through a Systems Thinking and System Dynamics approach at the Link Campus University of Rome. He has a degree in Computer Engineering, Industrial Automation & Control Systems from Sapienza University of Rome, a Ph.D. in Business Engineering and a Master in Management and Business Administration from Tor Vergata University of Rome. He is Vice President for Chapters and SIGs of the International System Dynamics Society (SDS), President of SYDIC - System Dynamics Italian Chapter (the Italian Network of the SDS) since 2011, member of WOSC, World Organization on Systems and Cybernetics and EURAM. He has been the coordinator of several EU proposals in various EU programmes. His research interests deal with the analysis of complex systems dynamics in many fields: decision support systems, organizational behavior, logistics and transportation, finance, technological innovation, digital transformation, food systems, assessment of impacts of innovation and policies on organizational performance and society. He has been co-editor in chief (2016-2020) of the Kybernetes Journal (Emerald-Insights), Associate Editor of IJSS (International Journal of Systems and Society) and IJOTS (International Journal on Organizations Theory and Behavior) as well as guest editor and reviewer in several other top scientific journals in the field of management and business organizations. He currently holds the course on Business Information Systems at the Faculty of Economics and Management, Tor Vergata University of Rome.

Marco Angelini (PhD) is a Post-Doctoral Researcher in Engineering in Computer Science at University of Rome “La Sapienza”, Italy, Department of Computer, Control and Management Sciences & Engineering, where he achieved his Ph.D. He is a researcher in the Centre for Cyber-Intelligence and Security of “La Sapienza” University of Rome (https://www.cis.uniroma1.it/en), where he participates in several projects about automatic detection, management and reaction to cyber-threats for Critical Infrastructures protection. Marco Angelini is a member of the CINI Cybersecurity National Laboratory (https://cybersecnatlab.it/), where he coordinates national projects with the goal of strengthening the Cyber-Security status of an organization, both in public and private sectors. He is a member of, and coordinates research projects of, the A.W.A.RE group (Advanced Visualization & Visual Analytics REsearch group) (http://aware.diag.uniroma1.it/). His main research interests include Cybersecurity, focused on designing solutions for cyber-defense of critical infrastructures, security governance modeling and assessment of cyber-risk, open-source intelligence, malware analysis, and Visual analytics, the process of combining visualization of information, interaction by user and analytical computation for solving heavy computational problems, applied specifically in the Cybersecurity domain. As a result of these activities, Dr. Marco Angelini has published more than 49 papers in peer-reviewed international journals and conferences. More about him can be found at: https://sites.google.com/dis.uniroma1.it/angelini

Fabio Nonino (PhD) is Associate Professor of Business Management and Project Management at Sapienza University of Rome. He carries out his research activities in the field of Management focusing on Operations and Service Management, Innovation Management and Organizational Behavior development. His main publications appeared in Journal of Cleaner Production, Supply Chain Management: An International Journal, Production Planning & Control, Omega – The Journal of Management Science, International Journal of Production Research and Technological Forecasting and Social Change. He is a Member of the editorial board of Kybernetes – The International Journal of Cybernetics, Systems and Management Sciences and the International Journal of Information Systems and Supply Chain Management.

Giulia Palombi (PhD) is a Postdoctoral Research Fellow and Lecturer at Sapienza University of Rome in the field of Organization and Business Management. Previously she obtained a PhD in Industrial and Management Engineering at Sapienza University of Rome and she has been a visiting researcher at University of Kentucky (USA). Her research interests include Operations and Project Management, Cybersecurity Management and Organizational Behavior. She presented her studies at several international conferences including ISPIM, EUROMA, IFKAD, and DSI. Her main publications appeared in Journal of Manufacturing Technology Management and Computers & Industrial Engineering.

Mario Francesco Schlitzer (MSc) successfully completed his MSc in Management Engineering at Sapienza University of Rome in late 2019. His Master’s thesis, titled “A System Dynamics Based Tool for Small and Medium Enterprises to Evaluate Cybersecurity Risk and Plan Effective Investments”, has been referenced in further work such as “The Italian National Cybersecurity Framework as the base for a dynamic approach to the evaluation of Cyber Risks in SMEs” (ITASEC 2020). He is currently employed as a consultant for Link Campus University in Rome, involved in various international research projects such as ECHO (European Network of Cybersecurity Centres and Competence Hub for Innovation and Operations). His research interests range from defense and geopolitics to logistics, history, cybersecurity, finance, organization management and more.
