Strengthening SMEs and CSOs: Vulnerability Self-Assessment Application
The CC-DRIVER project aims to examine the drivers behind cybercriminality in the European Union (EU), emphasising the factors that lead young people to cybercrime, as well as Cybercrime-as-a-Service. Part of this project is the creation of a Vulnerability Self-Assessment Questionnaire (SAQ) that can help Small and Medium-sized Enterprises (SMEs) and Civil Society Organisations (CSOs) protect themselves through cybersecurity defences, organisational measures, cost-benefit considerations, and awareness of fundamental rights such as the rights to privacy, protection of personal data and the free movement of persons. This blog post introduces the key building blocks and application features of the SAQ.
The scope of the SAQ in the CC-DRIVER project is twofold: the application and the questionnaire. Below we describe the two core aspects of the self-assessment tool.
The application – The application itself allows users to design questionnaires, track them, and study statistics in graphical form. The SAQ application is independent of the content of the questionnaire. This tool can be used to define any type of self-assessment questionnaire, which need not be related to cybersecurity alone. Many companies, along with those involved in the CC-DRIVER project, can use this tool to strengthen their cybersecurity. The application does not collect any personal information about the respondents, as all the responses are anonymous and do not contain any identification data.
The content – The content of the questionnaire itself allows content creators to define various questionnaires. The questionnaires can be defined through a graphical interface that can be used by a person with or without technical skills. As part of the CC-DRIVER project we defined a questionnaire of 45 questions that will be given to CSOs and SMEs to assess their cyber vulnerability. These entities will receive a comprehensive report containing practical guidelines on how to strengthen their security posture. The questions in the questionnaire were carefully selected to fit SMEs and CSOs rather than large enterprises. Our project focus is on the most vulnerable entities in cyberspace: the SMEs and CSOs who don’t have the resources, both human and technical, to implement adequate security measures for their IT infrastructure.
Below we showcase the key features of the vulnerability self-assessment application:
Easy creation and viewing of questionnaire – the application has a simple and uncluttered interface that allows creators to view existing questionnaires and easily create new ones.
Figure 1. Questionnaire list
Graphical interface questionnaire definition – a creator can easily define a new questionnaire by manually entering question after question or by bulk upload using an Excel file.
Figure 2. Questionnaire creation - Part 1
Figure 3. Questionnaire creation - Part 2
Campaign statistics – once a questionnaire is created, a campaign can be initiated. Creators can run the same questionnaire with various groups simultaneously by creating two different campaigns. An active campaign can receive answers and generate real-time statistics such as the average score obtained by all respondents, the maximum and minimum scores, the number of respondents with a score over 70%, and the number of respondents with a score below 50%. The application generates comprehensive graphs for every question showing the distribution of overall scores. The statistics help organisations see overall trends and, most importantly, spot weaknesses and strengths.
Figure 4. Statistics - Part 1
Figure 5. Statistics - Part 2
Figure 6. Statistics - Part 3
The self-assessment report – after the user (CSO or SME) fills in the questionnaire, they will be able to download the self-assessment report. In order to fill in the questionnaire, the respondents will receive a link where they can provide the required information anonymously (no log-in required). The report includes improvement recommendations for every question. These recommendations will help respondents enhance their security posture. As stated above, the application does not store any of the respondents’ data; all the responses are anonymous and the CC-DRIVER consortium does not collect any other identifying information (such as IP addresses, etc.).
Figure 7. Assessment report
The self-assessment questionnaire will be launched by the end of this month. We are aiming to obtain 100 anonymous responses. As part of the CC-DRIVER project we will publish a report containing quantitative and qualitative statistics about the security posture of SMEs and CSOs.
The self-assessment questionnaire is intended to help SMEs and CSOs receive a comprehensive report on their current security posture and, most importantly, improvement recommendations. These recommendations can be used by these entities to strengthen their security posture. The self-assessment questionnaire becomes a powerful tool for SMEs and CSOs because they usually lack the resources to hire the cybersecurity professionals required to make such an assessment.