The contemporary internet provisions increasingly sophisticated security attacks. Besides underlining the advanced nature of these attacks, the concept of an advanced persistent threat (APT) catalyzes the important perspective of longitudinal persistence; attacks are not only carefully planned and targeted but the subsequent exploitation period covers long periods of time. If an APT successfully realizes into such exploitation, information assets may be continuously monitored for harvesting business-critical information (BCI). These threats are relevant for the security of small enterprises, and this study aims to examine the qualitative factors that shape the security mindsets among these.
The data are collected with semi-structured interviews of six enterprises in a small regional market segment. The analysis is based on a fourfold taxonomy that delivers three mindset profiles, while particular emphasis is placed on the subjective security notions that shape the typical strategizing among enterprises.
APT is poorly understood among the observed segment, which tends to often also explicitly downplay the strategic relevance of the concept, but a more pressing challenge relates to the observation that business data is often perceived to have no value. The delivered results can be used to improve the situation.
This study is among the firsts to explore perceptions of small enterprises toward APT and BCI. The results reveal problematic mindsets and offers new avenues for practitioners as well as academics to study and improve the situation.
Jesse Kaukola, Jukka Ruohonen, Antti Tuomisto, Sami Hyrynsalmi,
Ville Leppänen (University of Turku): Tightroping between apt and bci in small enterprises.