Details
Original language | English |
---|---|
Title of host publication | Proceedings of the 30th USENIX Security Symposium |
Pages | 1235-1252 |
Number of pages | 18 |
ISBN (electronic) | 9781939133243 |
Publication status | Published - 2021 |
Event | 30th USENIX Security Symposium, USENIX Security 2021 - Virtual, Online |
Duration | 11 Aug 2021 → 13 Aug 2021 |
Publication series
Name | Proceedings of the 30th USENIX Security Symposium |
---|
Abstract
Cybercrime is on the rise. Attacks by hackers, organized crime and nation-state adversaries are an economic threat for companies world-wide. Small and medium-sized enterprises (SMEs) have increasingly become victims of cyberattacks in recent years. SMEs often lack the awareness and resources to deploy extensive information security measures. However, the health of SMEs is critical for society: For example, in Germany, 38.8% of all employees work in SMEs, which contributed 31.9% of the German annual gross domestic product in 2018. Many guidelines and recommendations encourage companies to invest more into their information security measures. However, there is a lack of understanding of the adoption of security measures in SMEs, their risk perception with regards to cybercrime and their experiences with cyberattacks. To address this gap in research, we performed 5,000 computer-assisted telephone-interviews (CATIs) with representatives of SMEs in Germany. We report on their experiences with cybercrime, management of information security and risk perception. We present and discuss empirical results of the adoption of both technical and organizational security measures and risk awareness in SMEs. We find that many technical security measures and basic awareness have been deployed in the majority of companies. We uncover differences in reporting cybercrime incidences for SMEs based on their industry sector, company size and security awareness. We conclude our work with a discussion of recommendations for future research, industry and policy makers.
ASJC Scopus subject areas
- Computer Science(all)
- Computer Networks and Communications
- Information Systems
- Engineering(all)
- Safety, Risk, Reliability and Quality
Cite this
Proceedings of the 30th USENIX Security Symposium. 2021. p. 1235-1252 (Proceedings of the 30th USENIX Security Symposium).
Research output: Chapter in book/report/conference proceeding › Conference contribution › Research › peer review
TY - GEN
T1 - A large-scale interview study on information security in and attacks against small and medium-sized enterprises
AU - Huaman, Nicolas
AU - von Skarczinski, Bennet
AU - Stransky, Christian
AU - Wermke, Dominik
AU - Acar, Yasemin
AU - Dreißigacker, Arne
AU - Fahl, Sascha
N1 - Funding Information: This research has been partly funded by the Federal Ministry for Economic Affairs and Energy Germany with the project “Cyberangriffe gegen Unternehmen” (BMWi-VID5-090168623-01-1/2017).
PY - 2021
Y1 - 2021
UR - http://www.scopus.com/inward/record.url?scp=85108825706&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85108825706
T3 - Proceedings of the 30th USENIX Security Symposium
SP - 1235
EP - 1252
BT - Proceedings of the 30th USENIX Security Symposium
T2 - 30th USENIX Security Symposium, USENIX Security 2021
Y2 - 11 August 2021 through 13 August 2021
ER -