A review of key papers about automation opportunities in the
ISO 27001 risk control process

Clause 6.1.3 of ISO 27001:2013, identifies how an organisation can respond to risks with a risk treatment plan; a key being the selection of suitable controls. This paper provides an analysis of the automation opportunities for those controls and critically analyse previous automation research using ISO 27001:2005 controls and considers the automation opportunities with the current controls. The results from this whitepaper demonstrate that automation opportunities do exist across ISO 27001:2013 controls and highlights operation security as a control domain with the most potential. The automation opportunities identified to support any organisation’s need for greater productivity, cost-saving, availability, reliability, and performance whilst implementing controls for their information security management system.

Defining a new composite cybersecurity rating scheme for SMEs - ISPEC 2019 Conference

The 5.7 million small to medium enterprises (SMEs) in the U.K. play a vital role in the national economy, contributing 51% of the private sector. However, the cyber threats for SMEs are increasing with four in ten businesses experiencing a cyber attack in the last twelve months. One significant treatment of this growing concern is in the implementation of long-established information security standards and best practices. Yet, most SMEs are not undergoing the certification process, even though the current threats are now widely published by the U.K. government. This paper investigates the disconnect of cyber threats facing SMEs with their current security postures and perceptions. This paper also identifies the influencing factors needed to improve SMEs’ security behaviours and engagements with information security best-practices. This paper proposes a new composite cybersecurity rating...

Developing a security behavioural assessment approach for cyber rating UK MSBs - Cyber Security 2020

Micro and small businesses in the UK account for over 99% of all UK businesses. Still, a growing perception gap is how these businesses perceive the relevance and value of cyber security and the potential impacts from this. Recent UK government studies have shown a significant increase in the average cost to these smaller businesses after suffering a disruptive attack. Yet, their engagement with recognised standards and best practices is still relatively low. This paper aims to evaluate current behavioural models in the context of information security and develop a new influence-led approach to help ensure smaller businesses are both cyber ready and secure behaviours can be developed. To help achieve this, new engagement channels are identified and methods to understand inferential and influencing factors for effective behaviour change.

​