Description
i have attached one document in the attachments i need 200 words summary and 50 comments for that article.
Unformatted Attachment Preview
Journal of Cybersecurity Education, Research and Practice
Volume 2022
Number 2
Article 4
January 2023
Cybersecurity Continuity Risks: Lessons Learned from the
COVID-19 Pandemic
Tyler Fezzey
University of West Florida, [email protected]
John H. Batchelor
University of West Florida, [email protected]
Gerald F. Burch
University of West Florida, [email protected]
Randall Reid
University of West Florida, [email protected]
Follow this and additional works at: https://digitalcommons.kennesaw.edu/jcerp
Part of the Information Security Commons, Management Information Systems Commons, and the
Technology and Innovation Commons
Recommended Citation
Fezzey, Tyler; Batchelor, John H.; Burch, Gerald F.; and Reid, Randall (2023) “Cybersecurity Continuity
Risks: Lessons Learned from the COVID-19 Pandemic,” Journal of Cybersecurity Education, Research and
Practice: Vol. 2022: No. 2, Article 4.
DOI: 10.32727/8.2023.3
Available at: https://digitalcommons.kennesaw.edu/jcerp/vol2022/iss2/4
This Article is brought to you for free and open access by DigitalCommons@Kennesaw State University. It has been
accepted for inclusion in Journal of Cybersecurity Education, Research and Practice by an authorized editor of
DigitalCommons@Kennesaw State University. For more information, please contact
[email protected].
Cybersecurity Continuity Risks: Lessons Learned from the COVID-19 Pandemic
Abstract
The scope and breadth of the COVID-19 pandemic were unprecedented. This is especially true for
business continuity and the related area of cybersecurity. Historically, business continuity and
cybersecurity are viewed and researched as separate fields. This paper synthesizes the two disciplines as
one, thus pointing out the need to address both topics simultaneously. This study identifies blind spots
experienced by businesses as they navigated through the difficult time of the pandemic by using data
collected during the height of the COVID-19 pandemic. One major shortcoming was that most continuity
and cybersecurity plans focused on single-axis threats. The COVID-19 pandemic resulted in multi-axes
threats, pointing out the need for new business strategies moving forward. We performed multiple
regression analysis and constructed a correlation matrix to capture significant relationships between
percentage loss of revenue and levels of concern for different business activities moving forward. We
assessed the most pervasive issues Florida small businesses faced in October 2020 and broke these
down by the number of citations, the total number of impacts cited, and industry affectedness. Key
security risks are identified and specific mitigation recommendations are given.
Keywords
cybersecurity, COVID-19, business continuity planning, information security
This article is available in Journal of Cybersecurity Education, Research and Practice:
https://digitalcommons.kennesaw.edu/jcerp/vol2022/iss2/4
Fezzey et al.: Cybersecurity continuity risks
INTRODUCTION
The COVID-19 pandemic proved to be a global event that damaged economic
activity irrespective of the business sector. Many firms were caught unprepared,
rushing to form contingency plans that could have been in place years prior.
Additionally, cybersecurity is at the forefront of the minds of many organizations
following recent highly publicized ransomware attacks. As one delves deeper into
the matter, it becomes apparent that human and organizational factors are the
principal vulnerabilities for such attacks (Kraemer et al., 2009). As such,
organizations must develop a culture of information security awareness (Ahlan et
al., 2015) to deal with such issues related to business continuity planning (BCP)
and cybersecurity. BCP and cybersecurity are linked through their purpose of
managing risk. Burch et al. (in press) suggest three steps to address both BCP and
mitigate cybersecurity threats: 1. Successfully identify major threats, 2. Develop a
plan to reduce (or mitigate) the impact of these threats, and 3. Train employees on
how to execute and test the plan.
These recommendations are not considerably different from what has been
recommended in the past. However, there are lessons to be taken from recent
events. This article seeks to identify these lessons by comparing how organizations
addressed BCP and cybersecurity before and after the COVID-19 pandemic and
discusses changes organizations need to implement to successfully mitigate risk
going forward (i.e. lessons learned from COVID-19).
LITERATURE REVIEW
Cybersecurity is defined as the “organization and collection of resources, processes,
and structures used to protect cyberspace and cyberspace enabled systems from
occurrences that misalign de jure from de facto property rights” (Craigen et al.,
2014, p. 13). There is a robust technical side of cybersecurity, but people also play
a critical role. For instance, creating a secure organizational culture wherein
employees know not to share passwords and adhere to other company protocols is
essential (da Veiga, 2019). Building a strong security culture must include
considering organizational factors such as policies, communication, and structure
(Kraemen & Carayon, 2007). Thus, this article views cybersecurity as one
component of an overall organizational risk management framework.
Like cybersecurity, BCP is also a form of risk management. BCP is defined as
a plan designed to “avoid, or mitigate, risks: to limit the effect of a crisis: and reduce
the time needed to restore operations to a state of business as usual” (Burch et al.,
in the press). Thus, continuity planning focuses on planning for and/or mitigating a
business disruption (i.e., ransomware or pandemic) and moving forward (Torabi et
Published by DigitalCommons@Kennesaw State University, 2022
1
Journal of Cybersecurity Education, Research and Practice, Vol. 2022, No. 2 [2022], Art. 4
al., 2016) with all components of a security culture. Kraemer et al. (2009) discuss
the importance of understanding relationship complexities related to security. In
this vein, cybersecurity is a part of this risk management process and BCP.
Many businesses lack an effective business continuity response plan. These
organizations focus on mitigating risk and their response plan rather than ensuring
the organization can function in the interim (Phillips & Tanner, 2018). This is also
the case with cybersecurity. We recommend that cybersecurity and BCP be linked
together, not function as two separate silos. For instance, what good is cybersecurity
so strong it is unusable? This means organizations should bring their cybersecurity
staff and BCP staff together and form one cohesive planning team that articulates
their response and recovery plan for various risks and periodically tests these plans.
Page and Yeoman (2006) outlined how VisitScotland had emergency plans in
place for a possible flu pandemic fifteen years before COVID hit. Rightfully, Page
and Yeoman (2006) remarked that the process of business continuity planning is a
vital step for many organizations in relation to risk assessment and preparations in
the event of a major event that interrupts normal business activity. Although a flu
pandemic is not identical to the issues created by the COVID-19 pandemic, a firm
that has planned and created operating procedures for a flu pandemic scenario
would be much more likely to have successfully weathered the COVID-19
pandemic than those who had not.
PRE-COVID-19
CYBERSECURITY
CONTINUITY PLANNING
AND
Before the COVID-19 pandemic, BCP and its cybersecurity components
functioned under a different paradigm than they do now. Pre-COVID-19 plans
focused primarily on potential attacks such as phishing, ransomware, and cryptojacking that were started by an outsider (see Phillips & Tanner, 2018). Following
the pandemic, the flux of workers to remote environments, and the increase of
business performed online, attacks are now often multipronged and connected to
insider threats and poor cybersecurity practices (i.e., accessing sensitive
information on an unsecured network). Before March 2020, the focus for many
cybersecurity personnel was on recognizing threats- such reactive attitudes are
often the weakest point in an organization’s cybersecurity network (Qian et al.,
2012). Currently, the majority of energy has been shifted to creating continuity
plans and ensuring that employees follow up-to-date best cybersecurity practices.
As such, firms must center on creating a security culture that starts in the boardroom
and is pervasive throughout the organization.
https://digitalcommons.kennesaw.edu/jcerp/vol2022/iss2/4
DOI: 10.32727/8.2023.3
2
Fezzey et al.: Cybersecurity continuity risks
WHAT WE LEARNED FROM COVID-19
The COVID-19 pandemic was unprecedented in the modern, cyber security-aware
world. Up to this point, few organizations saw the need or viewed it possible that a
majority of the economies in the world would essentially shut down due to a
pandemic (see Page & Yeoman, 2006 for a BCP article that came close). This event
resulted in lockdowns, closure of institutions, avoidance of in-person shopping,
online service growth, and the explosion of virtual meetings. Government and
individual reactions to the pandemic resulted in a tectonic shift in the behavior of
almost all societies across the globe.
So how has this social/institutional shift affected BCP and cybersecurity? To
answer the question, the environment that organizations function in has changed
and now organizations must adapt and plan for this new atmosphere. As such,
organizations have already or are shifting from focusing predominantly on threats
such as phishing, ransomware, and crypto-jacking. New risks include Zoom
bombing, COVID-19 specific phishing attacks, malware, decreased network
availability due to suddenly increased traffic (Weil & Murugasen, 2020), and VPN
issues (i.e., not turning it on when working from home) are climbing up the ranks
of issues prompting new security policies.
Now the focus is on creating a security culture to protect the digital fabric of
their organization. This fabric is now used to conduct remote work, address
changing customer needs, and comply with governmental restrictions on businesses
and citizens alike. Organizational BCP and cybersecurity managers understand this,
but it is important to do a better job of explaining this to employees and to be sure
to explain why it is important (Parsons et al., 2014).
Effects of COVID-19 on Small Businesses
The impacts of the COVID-19 pandemic present new considerations regarding
cybersecurity for small businesses. Many small ventures believe they are exempt
from digital attacks and have little regard for cybersecurity. This attitude means
that most do not have continuity plans or incident responses to prevent or react to
many of the potential risks that come from the global, digital transition COVID-19
thrust upon the world. As such, McCormac et al. (2017) point out the need to clearly
explain to individuals (even small business owners) the importance of adhering to
security awareness policies.
Small businesses are attractive targets because they have the sensitive
information cybercriminals are after, yet lack the security infrastructure of larger
corporations (U.S. Small Business Administration, 2021). Experts estimate
cyberattacks have increased by more than 20% since 2016, and 66% of small and
Published by DigitalCommons@Kennesaw State University, 2022
3
Journal of Cybersecurity Education, Research and Practice, Vol. 2022, No. 2 [2022], Art. 4
medium-sized businesses (SMBs) have experienced a cyberattack in the last 12
months. Another 45% of SMBs globally indicated their organization’s security
posture was ineffective at mitigating attacks (Keeper Security, Inc. & Ponemon
Institute, 2019). This highlights the need for increased security awareness in the
SMB community.
Methodology
At the heart of the COVID-19 pandemic (October 2020), the Florida Small
Business Development Center (SBDC), the University of West Florida Haas
Center, and the Florida Chamber of Commerce Foundations engaged in a joint
effort to survey small business owners in Florida. This survey included 4,842 small
businesses and asked owners a series of questions about the pandemic and how it
affected their businesses. The result is a mixed-methods approach to analysis that
includes regression analysis, a correlation matrix, and figures of survey responses
that support our suggestion that COVID-19 revealed massive holes in business
continuity planning and cybersecurity measures.
Regression Analysis and Correlation Matrix
Businesses self-reported their estimated percentage of lost revenue due to the
COVID-19 pandemic and consequential business lockdowns. Additionally, they
were asked to report their level of concern moving forward regarding the following:
● Loss of revenue
● Acquiring capital
● Business continuity
● Business cost
● Business revenue
● Economic uncertainty
● Government regulation
● Supply chain
● Workforce quality
We performed multiple regression analysis (Figure 1) and constructed a
correlation matrix (Figure 2) for all variables to assess the relationships between
each concern and the percentage of revenue lost that the business had already
incurred.
https://digitalcommons.kennesaw.edu/jcerp/vol2022/iss2/4
DOI: 10.32727/8.2023.3
4
Fezzey et al.: Cybersecurity continuity risks
Figure 1: Multiple Regression Analysis
Multiple regression showed that just under 30% of the variance (r2 = .296) in
the percentage of lost revenue could be explained by the variables chosen in this
study. Six of eight predictor variables were significant at the 0.05 level: acquiring
capital, business continuity, business cost, business revenue, supply chain, and
workforce quality. Economic uncertainty and government regulations were not
significant. Economic uncertainty and government regulations might have been
significant if other variables were removed since these two variables are
significantly correlated to the other six variables used in the model.
Published by DigitalCommons@Kennesaw State University, 2022
5
Journal of Cybersecurity Education, Research and Practice, Vol. 2022, No. 2 [2022], Art. 4
Figure 2: Correlation Matrix of Percentage of Revenue Lost and Levels of Concern
Figure 2 shows correlations between the percentage of lost revenue and all of
the predictor variables. All correlations were positive and significant at the .05
level. Concern with business continuity had the strongest correlation (r = 0.485)
with the percentage of revenue lost. Economic uncertainty (r2 = 0.328) and
government regulations (r = 0.209) were both correlated (p
Purchase answer to see full
attachment
