Report 1 zur Informationssicherheit in KMU – Sicherheitsrelevante Tätigkeitsprofile
2022, ISBN: 978-3-949639-01-2
1
Foreword and Reflection on the Findings Contained in
Report 1 of the Project Awareness Lab SME (ALARM) Information Security
Background
As digitization becomes increasingly ubiquitous, the importance of information security for every
institution is growing more evident year by year. According to the German Federal Office for
Information Security (BSI), the term “information security” is more comprehensive than “IT
security” or “cybersecurity”, as it covers safeguarding the confidentiality, availability, and
integrity of all the information held in an institution. Moreover, anyone who is active in the digital
sphere is exposed to threats from cyberspace, whether privately or in a work context, regardless
of whether or not this is a conscious consideration. There are a range of potential threats, which
become real threats when weaknesses are encountered in the system—this can result in
significant damage being caused. Security vulnerabilities can be infrastructural in origin and may
be associated with a technical system failure. However, they may also be the product of
organizational flaws combined with human error. In the corporate context, information security
should thus be a concern for top-level management and must be viewed in holistic terms. After
all, the possible damage caused can be associated with the non-fulfilment of tasks or non-
compliance with laws and contracts and may result in negative financial effects and a blow to the
company’s image.
Without proper information security, a company’s survival is at risk. Top management should thus
be aware of the responsibilities they have in this area: it is their task to initiate and establish an
information security management system (ISMS)—determining its strategic focus, the resources
(time, money, staff) assigned to it, and the measures to be taken based on it—and to act as role
models. This also includes introducing specific awareness-raising and training measures for all
employees: such measures are of great importance in increasing staff awareness of security and
enhancing the institution’s levels of security. Furthermore, all employees are personally
responsible—within the context of the particular work they do and settings they operate in—for
being vigilant and minimizing risks relating to security. The term “security awareness” is defined
in NIST Special Publication 800-16 [1:15] as follows: “Awareness is not training. The purpose of
awareness presentations is simply to focus attention on security. Awareness presentations are
intended to allow individuals to recognize IT security concerns and respond accordingly.” For Bada
et al. (2019), it is thus clear where the focus of awareness-raising measures should be: not only
do people need to be made aware of possible cyber risks at an individual level, they must also
behave appropriately [2].
In 2019, I developed the complex project Awareness Lab SME (ALARM) Information Security with
the idea of creating an innovative overall scenario for building up information security in small
and medium-sized enterprises (SMEs). A funding proposal for the project was submitted to the
Federal Ministry for Economic Affairs and Energy (BMWi) with a planned start date of 2020. One
of the project’s intermediate objectives was to use the activity profiles of staff involved in
company operations to deduce appropriate security profiles and to ultimately create competence
profiles. Based on this, it is hoped that security awareness can be improved in SMEs across the
country by means of awareness-raising measures aimed at particular groups. To this end, working
together with the SMEs taking part in the pilot programme, a systematic approach is developed
to expose areas of weakness in key business processes [3] and extrapolate specific activity
profiles, since this is of key importance for digitization in SMEs, as shown by the Digital Office
Index [4:7]. When the project started in October 2020, preparations were made for performance
analysis in conjunction with subcontractors, pilot companies, and associated partners, and this
was carried out in February 2021.
The performance analysis used to derive the profiles for SMEs consisted of in-depth interviews
and an online questionnaire. The planned innovative learning process for raising awareness in
SMEs is based overall on the performance analysis with specific reference to the profile
definitions. The project’s innovative awareness-raising measures are being developed in the form
of seven analogue and digital learning scenarios tailored to participant experience. These are
coupled with “in situ attack” training and awareness measurements with and for SMEs. However,
the Covid pandemic has obviously made the communication, personal exchange, and
development process more difficult and delayed the deployment of the learning scenarios.
Nonetheless, the results of the in-depth psychological interviews have now been published in the
project’s first study, Qualitative Impact Analysis of Security Awareness in SMEs [5]. After a further
minor delay, the outcomes of the first of three planned online surveys are now included in this
report (Report 1 of the project).
The first study [5], which focused on the in-depth interviews in SMEs, showed that “information
security” is still a vague concept for many people and is often categorized as an area for experts
and service providers. This suggests that in future we need to sharpen people’s personal sense of
individual responsibility for information security in the workplace. Moreover, a strategy for
information security awareness in all areas of work has not so far been put in place in SMEs to
support a sustained process of awareness raising [5]. A strategy of this kind should also underpin
the requisite security culture in SMEs. It is thus imperative that the activity profiles of key day-to-
day business processes in SMEs be studied—these are the starting point for extrapolating the
necessary security and competence profiles. The updated IT baseline protection protocols (IT-
Grundschutz) and the standards established by the BSI [6] are also used for this purpose. The
derived security and competence profiles are designed to be transferable for all: they clarify the
so-called basic security protection in line with the updated IT-Grundschutz, making it possible for
SMEs to implement such measures at a practical level and bolstering their competitiveness and
ability to innovate.
To ensure that awareness raising has a long-term effect, activating measures exemplifying
realistic scenarios that reflect day-to-day business operations are being developed, tested, and
evaluated with and for the people covered by the profile definitions. When the project comes to
an end in September 2023, these awareness-raising measures will be made available to the SMEs
free of charge as a best-practice manual. The following topics emerged from our project study [5]
as being of key importance for awareness raising in SMEs:
1. Password
2. Phishing, CEO fraud, etc.
3. Social engineering, manipulation, etc.
4. Apps, software, etc.
5. Home office security
6. Data protection in the cloud and with customers and suppliers
7. Instant messaging, secure data transmission, storage, encryption, etc.
8. Information classification (only relevant where it is already implemented as a process in
SMEs)
Summary of Results
The results of our initial online questionnaire within the ALARM Information Security project
indicate that security is not actually seen holistically in all SMEs. According to BSI Standard 200-1
[7:6], holistic security should, by definition, be “an integral element in the planning, design, and
operation of business processes and data processing”. The upshot of this is that information
security management based on the IT-Grundschutz also includes infrastructural, organizational,
and HR aspects alongside technical considerations, and a sustained enhancement of information
security is possible using a holistic approach of this kind [7:6]. This is an ongoing process whose
strategies and concepts must be constantly reviewed to check their performance and
effectiveness and updated as necessary [8:11]. The company thus needs to establish a sustained
process of improvement. The BSI’s IT-Grundschutz methodology suggests taking a large number
of small steps in the interests of long-term improvement without making any significant
investments at the start: the process initially involves putting basic protection in place to
implement urgently required precautions [8:14] and continues with narrowly defined core
protection to protect the institution’s assets and resources that need to be kept particularly safe
[8:69] before culminating in comprehensive standard protection on a holistic level [8:169].
The statements made here in Report 1 should not be regarded as representative, and any
assessment of them must take into account the limitations inherent to a small sample of this kind.
It is also possible that there was some distortion in the selection process when test subjects were
being chosen for the survey within the SMEs. Nevertheless, the report provides a more
concretized, up-to-date insight into how SMEs are actually faring in the conditions imposed by
the pandemic. Here are some examples:
• Most staff have a fixed workstation.
• The home office option is used with particular frequency by people working in research and
development.
• With movement restrictions in place as a response to the pandemic, travel played a negligible
role for the groups taking part in the study.
• Mobile working is very uncommon for people fulfilling traditional core functions—it is more
of a feature for those working in the areas of IT/administration, sales/field sales, customer
management/service.
• The pervasive mode of communication is email—encryption does not yet figure as a routine
security feature in SMEs.
• Biometric access control has not been used to date—passwords are used across the board.
• The overwhelming majority of people taking part in the survey think that there should be
training in SMEs on the topic of information security—staff in different areas of work
participate in training and awareness-raising measures with varying regularity.
The following areas of work are studied in this report (Report 1):
• Manufacturing / Production
• Materials management / Logistics / Warehousing
• Purchasing / Procurement
• Sales / Field sales
• Customer management / service
• Process management / Quality assurance / Controlling
• Research / Development
• IT / Technical administration
• Administrative office / Reception / Doorman / Mail department
• Finance / Bookkeeping / Accounting
• HRM / HR
• Marketing / Communication.
There is also a more detailed focus on the following groups within the organization:
• Executive team / Top management
• Middle management
• Employees
• Trainees / Interns.
Senior managers in SMEs typically have foreign-language skills and use social (career) networks;
they need to rely on online bookings and make use of data encryption, digital signatures,
freeware, and backup software. Their activities are characterized by mobile working and
travelling, coupled with frequent usage of USB sticks, external hard drives, credit cards, WLAN,
cloud services, video conferencing, and databases. There is thus a significant risk facing the
executive team/top management group in SMEs and, in my opinion, they need specific
awareness-raising coaching.
The middle-management group also makes frequent use of databases, ERP programs, and video
conferencing in the course of their duties and “invariably” uses printers and scanners. This group
probably needs a mix of awareness-raising measures, both general and customized.
Conversely, the employees involved in the survey hardly ever use social media, tablets,
smartphones, payware, and USB sticks / hard drives; they are also not entrusted with confidential
data, downloads, email encryption, data deletion, or data encryption. However, printing and
scanning form part of their day-to-day routine. In my opinion, this group needs general awareness
raising on the topic of information security.
Trainees do not go on business trips and therefore do not make any overnight stays. Nor are they
visited in their workplace by customers and business partners. They make no use of mobile
working, freeware, instant messenger services, or ERP programs. By the same token, they rarely
use mobile-phone or video conferencing or VPN/remote services. They seldom have contact
with business partners, government authorities, or customers and make little use of digital
signatures. However, they are often given a company key, while also handling document
shredding, using landline phones, and making external phone calls. Since trainees get experience
of a number of different departments, they move between workstations. My recommendation
for this group is to combine general awareness raising with an introduction to the SME’s specific
policy on information security. It is worth noting that one of the main reasons for sub-optimal
behaviour among users can be found in the poor design and inadequate communication of
security systems and policies [9].
Corroborating the psychology-based study [5] that was conducted as part of the ALARM
Information Security project, the online questionnaire carried out for Report 1 also revealed that
the respondents view many security topics in such general terms that it is hard to limit them to
just one profile. As a result, the activity profiles defined in this report are lumped together into
profile groups as follows:
• General basic competences
• Production, development, sales
• Data processing and IT infrastructure
• Maintenance and communication
• Organizational and PA work
• Administration and HR
• Strategic planning and management.
In the “General basic competences” profile group, the focus should be on the basic protection set
out in the BSI’s IT-Grundschutz methodology [8] and on a general basic knowledge of information
security. It is important that the design of any awareness-raising measure for this group be
broadly applicable to all fields of activity—the learning scenarios should also include awareness-
raising material on emails (phishing), password construction, and CEO fraud.
In addition to this basic knowledge of information security, specific aspects relating to
development and process-intensive tasks should be covered in the “Production, development,
sales” profile group. In my opinion, encryption, corporate espionage, and travel security are
apposite topics for the learning scenarios.
The “Data processing and IT infrastructure” profile group plays a key role in setting up and
maintaining the technical infrastructure. In Report 1 the group is thus regarded as one of the four
gatekeepers with control over technical access. It develops technical guidelines and coordinates
the relevant security training—as a result, this group prioritizes the need for training. In addition
to placing particular emphasis on communicating the latest guidelines relevant to the SME, this
group should also receive technical training on topics like ransomware and data availability. Those
in the group who are responsible for the security training should, in my opinion, also be schooled
in effective awareness-raising methods and be trained as facilitators.
Staff in the “Maintenance and communication” profile group are responsible for the building’s
technical infrastructure. In addition to this, they also have organizational duties and are involved
in managing contacts, personnel flows, and analogue communication channels. In Report 1 this
group is thus regarded as a second “gatekeeper”. Although in terms of the hierarchy it occupies
a rather lower level, it should be regarded as playing a critical part in the implementation of
security measures. As a result, a heightened awareness of disinformation and social engineering
should be fostered here. In the report this specifically includes jobs like facility manager or
positions in reception and the mail department.
In Report 1 the “Organizational and PA work” profile group is the third SME “gatekeeper”,
controlling all communication flows—for example, to the management or a company
department—and has administrative duties and access to financial areas such as online bookings
and orders and credit cards. In my opinion, the staff in this profile group should be made aware
of disinformation, social engineering, and CEO fraud in addition to specific security aspects
relating to the particular tasks they perform.
It is normal for staff in the “Administration and HR” profile group to handle highly sensitive data
while carrying out administrative tasks relating to the company’s finances and human resources.
Although there are tight restrictions on access to this data, it is possible for employees in this
group to delve deeper into it than is the case, for example, with the “Organizational and PA work”
profile group. In Report 1 this group is called the fourth “gatekeeper” because it controls financial
flows and staff access. What is most notable here is that this group has access to company master
keys, the vault, and the most sensitive personal data as well as to company-issued smartphones.
This is coupled with responsibility for destroying documents and deleting data. The group also
has a wide range of external and internal contacts. Its job activities for the most part combine
HRM/HR and Finance/Accounting/Bookkeeping. In my opinion, depending on the specific
situation in the company, awareness-raising measures should also cover information security
issues like data protection.
The “Strategic planning and management” profile group is responsible for making decisions and
promulgating company policy. This group has partial or total physical and logical access to all areas
of the company, including to sensitive data, vaults, and security-related mechanisms. It is also
highly mobile and extremely exposed to security risks through constant contact with all
stakeholders. Besides the (top) management, it also covers job activities in marketing and PR. This
profile group should be kept up to date with information about all security areas and must itself
be protected. Top management need to be aware of an ISMS’s strategic focus, specific
vulnerabilities, and risk management.
Outlook
In the Awareness Lab SME (ALARM) Information Security project, the results of our initial study
[5] and the outcomes of Report 1 are the basis for developing new awareness-raising measures
tailored to SMEs and personal engagement with the issues. The goal here—and thus the value
added for SMEs—is to provide integrative interlocking measures that contribute to systematic
awareness raising and help, in actual terms, to develop a security culture. The project departs in
this respect from unsuccessful forms of classical training. The surveys and summaries of the
current situation are intended to generate recommendations for the introduction of modular
awareness-raising measures and low-threshold security concepts in German SMEs.
The term “activating learning scenarios” specifically refers to learning experiences that are
interactive, entertaining, team-based, discursive, and emotionalizing. Information security is
something that should be experienced and discussed. In addition to this, new types of company
awareness measurements are being planned, which should lead to maturity assessments, low-
threshold security concepts, and specific recommendations for action in SMEs. It is not an easy
task to produce awareness measurements, because the existence of measures does not provide
any real insight into their success in altering behaviour, and neither their value nor the headway
they have made have been gauged as yet [2]. It is also important not to entertain any unrealistic
expectations of people and their motivations. Bada et al. (2019) point out that in the realm of
cybersecurity there is a potential for measuring behavioural change in terms of risk reduction, but
not on the basis of what people know, disregard, or are ignorant of [2]. We will come back to this
problem in our own scientific publications.
In developing the results of the Awareness Lab SME (ALARM) Information Security project going
forward, it is important to continue focusing on the need to alter people’s security-related
behaviour. Effecting behavioural change is not just a matter of providing information about risks
and reactive patterns of behaviour. Rather, people need to understand the advice they receive
and be able to apply it—at the same time, they need to be motivated and willing, with willingness
being of key importance, as a change in personal attitudes and intentions is required [2]. One of
the conclusions arising from their study of international literature and the question of why
security awareness campaigns often fail is that while knowledge and awareness are prerequisites
for behavioural change, they are not necessarily sufficient in themselves [2]. For Bada et al.
(2019), understanding people’s perception of risk is key to creating effective awareness-raising
campaigns [2].
According to the literature review by Ertan et al. (2020), further research is also necessary to
create a better understanding of how we can promote behavioural change in the area of
cybersecurity on a day-to-day basis [10]. In particular, research needs to be conducted to
determine behavioural variances between different types of employees and within different
corporate environments, as these variances may also be reflected in different behaviours in
relation to cybersecurity issues [10]. Our report (Report 1) provides an interesting database on
the current situation in Germany. Ertan et al. (2020) identify four behavioural patterns that have
a major impact on how people practise cybersecurity: compliance with security guidelines,
coordination and communication between groups, phishing/email behaviour, and password
behaviour [10]. In addition, the concept of a security culture is an important overarching theme
straddling the four behaviours, which overlap within the frame it provides [10]. These
international findings coincide with our findings from the study [5] and from Report 1.
Furthermore, the report’s database with its seven profile groups offers an interesting option for
determining international research questions for German SMEs too.
Prof. Margit C. Scholl
December 2021
Translation March 2022
List of references:
[1] US Department of Commerce (1998). Information Technology Security Training Requirements: A Role- and Performance-Based Model. NIST Special Publication 800-16, April 1998. Retrieved from: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-16.pdf. Last accessed: 29 December 2021.
[2] Bada, M., Sasse, A. M., & Nurse, J. R. (2019). Cyber security awareness campaigns: Why do they fail to change behaviour? arXiv preprint arXiv:1901.02672. Retrieved from: https://arxiv.org/ftp/arxiv/papers/1901/1901.02672.pdf. Last accessed: 29 December 2021.
[3] WIK (2017). Retrieved from: https://www.wik.org/fileadmin/Sonstige_Dateien/IT-Sicherheit_in_KMU/Infoblatt_Handwerk_-_Aktuelle_Lage_der_IT-Sicherheit_in_KMU_-_WIK_2017.pdf. Last accessed: 30 January 2019.
[4] BITKOM (2018). Bitkom Digital Office Index 2018. Eine Studie zur Digitalisierung von Büro- und Verwaltungsprozessen in deutschen Unternehmen. 28 June 2018.
[5] Scholl, M., Pokoyski, D., Matas, I., & Haucke, A. (2021). Qualitative Wirkungsanalyse Security Awareness in KMU (Projekt “ALARM Informationssicherheit”). ISBN: 978-3-949639-00-5. Wildau: Technische Hochschule Wildau. Retrieved from: https://alarm.wildau.biz/
[6] Bundesamt für Sicherheit in der Informationstechnik. BSI-Standards. Retrieved from: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/BSI-Standards/bsi-standards_node.html. Last accessed: 29 December 2021.
[7] BSI-Standard 200-1 Management für Informationssicherheit (ISMS), November 2017. Retrieved from: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/BSI-Standards/BSI-Standard-200-1-Managementsysteme-fuer-Informationssicherheit/bsi-standard-200-1-managementsysteme-fuer-informationssicherheit_node.html. Last accessed: 29 December 2021.
[8] BSI-Standard 200-2 IT-Grundschutz-Methodik, November 2017. Retrieved from: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/BSI-Standards/BSI-Standard-200-2-IT-Grundschutz-Methodik/bsi-standard-200-2-it-grundschutz-methodik_node.html. Last accessed: 29 December 2021.
[9] Nurse, J. R. C., Creese, S., Goldsmith, M., & Lamberts, K. (2011). Guidelines for usable cybersecurity: Past and present. In: The 3rd International Workshop on Cyberspace Safety and Security (CSS 2011) at The 5th International Conference on Network and System Security (NSS 2011), Milan, Italy, 6–8 September.
[10] Ertan, A., Crossland, G., Heath, C., Denny, D., & Jensen, R. (2020). Cyber security behaviour in organisations. arXiv preprint arXiv:2004.11768. Retrieved from: https://arxiv.org/ftp/arxiv/papers/2004/2004.11768.pdf. Last accessed: 29 December 2021.