Explore open access research and scholarly works from STORE - University of Staffordshire Online Repository

Defining a new composite cybersecurity rating scheme for SMEs in the U.K.

Rae, Andrew and PATEL, Asma (2019) Defining a new composite cybersecurity rating scheme for SMEs in the U.K. In: Information Security Practice and Experience: 15th International Conference, ISPEC 2019, Kuala Lumpur, Malaysia, November 26–28, 2019, Proceedings. Security and Cryptology (11879). Springer. ISBN 978-3-030-34338-5 (In Press)

ISPEC19V3Comments.pdf - AUTHOR'S ACCEPTED Version (default)
Available under License Type All Rights Reserved.

Official URL: https://www.springer.com/gb/book/9783030343385

Abstract or description

The 5.7 million small to medium enterprises (SMEs) in the U.K. play a vital role in the national economy, contributing 51% of the private sector. However, the cyber threats for SMEs are increasing, with four in ten businesses experiencing a cyber attack in the last twelve months. One significant treatment of this growing concern is the implementation of long-established information security standards and best practices. Yet most SMEs are not undergoing the certification process, even though the current threats are now widely published by the government. In this paper, we look at the disconnect between the cyber threats faced by SMEs and their current security postures and perceptions. We also identify the influencing factors needed to improve security behaviours and engagement with information security best practices. We then propose a new foundational composite cybersecurity rating scheme aimed at SMEs. The focus of our scheme is to ascertain and measure the security behaviours, perceptions and risk propensity of each SME, as well as their technical systems. To that end, we define our 5x5 matrix-based scheme by combining the measurements ascertained from the behavioural as well as technical audits. The preliminary evaluation results demonstrate that this approach provides a higher level of insight, engagement and accuracy as to an SME's individual security posture.

Item Type: Book Chapter, Section or Conference Proceeding
Additional Information: Presented at the 15th International Conference, ISPEC 2019, Kuala Lumpur, Malaysia, November 26–28, 2019
Faculty: School of Computing and Digital Technologies > Computing
Depositing User: Asma PATEL
Date Deposited: 22 Oct 2019 12:45
Last Modified: 24 Feb 2023 13:57
URI: https://eprints.staffs.ac.uk/id/eprint/5922
