Structuring the Chaos: Enabling Small Business Cyber-Security

Risks & Assets Modelling with a UML Class Model

Tracy Tam, Asha Rao, Joanne Hall

arXiv (arXiv: 2403.14872v1)

Generated on April 20, 2025

Structuring the Chaos: Enabling Small Business Cyber-Security Risks & Assets Modelling
with a UML Class Model

Abstract
Small businesses are increasingly adopting IT, and consequently becoming more
vulnerable to cyber-incidents. Whilst small businesses are aware of the
cyber-security risks, many struggle with implementing mitigations. Some of
these can be traced to fundamental differences in the characteristics of small
business versus large enterprises where modern cyber-security solutions are
widely deployed.
Small business specific cyber-security tools are needed. Currently available
cyber-security tools and standards assume technical expertise and time
resources often not practical for small businesses. Cyber-security competes
with other roles that small business owners take on, e.g. cleaning, sales etc.
A small business model, salient and implementable at-scale, with simplified
non-specialist terminologies and presentation is needed to encourage sustained
participation of all stakeholders, not just technical ones.
We propose a new UML class (Small IT Data (SITD)) model to support the often
chaotic information-gathering phase of a small business' first foray into
cyber-security. The SITD model is designed in the UML format to help small
business implement technical solutions. The SITD model structure stays relevant
by using generic classes and structures that evolve with technology and
environmental changes. The SITD model keeps security decisions proportionate to
the business by highlighting relationships between business strategy tasks and
IT infrastructure.
We construct a set of design principles to address small business
cyber-security needs. Model components are designed in response to these needs.
The uses of the SITD model are then demonstrated and design principles
validated by examining a case study of a real small business operational and IT
information. The SITD model's ability to illustrate breach information is also
demonstrated using the NotPetya incident.

Structuring the Chaos: Enabling Small Business

Cyber-Security Risks & Assets Modelling with a
UML Class Model
Tracy Tam
RMIT University, Melbourne, Victoria
Asha Rao
RMIT University, Melbourne, Victoria
Joanne Hall
RMIT University, Melbourne, Victoria
Abstract
Small businesses around the world are increasingly adopting IT, and
consequently becoming more vulnerable to cyber-incidents. Whilst small
businesses are aware of the cyber-security risks around their business,
many struggle with implementing mitigations. Some of these can be
traced to fundamental differences in the characteristics of small business
versus large enterprises where modern cyber-security solutions are widely
deployed.
Small business specific cyber-security tools are needed. Currently
available cyber-security tools and standards assume technical expertise
andtimeresourcesoftennotpracticalforsmallbusinesses. Cyber-security
competes with other roles that small business owners take on, e.g. clean-
ing, sales etc. A small business model, salient and implementable at-scale,
with simplified non-specialist terminologies and presentation is needed to
encourage sustained participation of all stakeholders, not just technical
ones.
We propose a new UML class (Small IT Data ( SITD)) model to sup-
port the often chaotic information-gathering phase of a small business’
first foray into cyber-security. The SITDmodel is designed in the UML
format to help small business implement technical solutions. The SITD
model structure stays relevant by using generic classes and structures that
evolve with technology and environmental changes. The SITDmodel
keeps security decisions proportionate to the business by highlighting re-
lationships between business strategy tasks and IT infrastructure.
We construct a set of design principles to address small business cyber-
securityneeds. Modelcomponentsaredesignedinresponsetotheseneeds.
The uses of the SITDmodel are then demonstrated and design principles
validated by examining a case study of a real small business operational
1arXiv:2403.14872v1 [cs.CR] 21 Mar 2024

and IT information. The SITDmodel’s ability to illustrate breach infor-

mation is also demonstrated using the NotPetya incident.
1 Introduction
Small business (0-19 employees [4]) plays a crucial role in the global economy,
measured by the number of small enterprises [20], employment statistics [10,
33] and other contributions [36, 47]. The pandemic propelled small businesses
globally into a new world driven by technology. Small business cyber-security
has, thus, become a problem that can no longer be ignored. As the number
of novice small businesses adopting technology increases [17], so does the cyber
attack surface [48]. Getting small businesses to a cyber-security ready state
has proved challenging, with many small business owners aware of the need for
cyber-security but unsure of what to do [8, 43].
Small business differs from larger enterprises in many ways, ranging from
communication style, financial resources, internal expertise available, to a lack
of immediate incentives [49]. Unlike larger enterprises, the majority of small
businesses have less time and resources to study and manage IT and cyber-
security. Small businesses with less than 5 employees make up nearly 90% of
all businesses in Australia [11]. In these micro businesses, a business owner
often takes on ancillary jobs such as cleaner, security guard and IT support, in
addition to core business responsibilities. Cyber-security is only one of many
competing priorities (e.g. generating sales, making products etc.) needed to
keep the business alive.
Cyber-security analysis of a small business is often left up to individual
implementers, using tools meant for large businesses, producing sub-optimal
results for this resource-constrained cohort. [49]. There is need for an effective
model to organise and analyse critical small business cyber-security information.
Cyber-security tools and processes lack focus on small business priorities
and are not proportionate to the size of a small business. Fundamental to any
new tools or processes is a consistent and enduring way of organising cyber-
security information for subsequent analysis. Here, inspiration could come from
IT where sorting and storing of information is often done via data models [26].
Adatamodelfoundationallowsrapiddeploymentinvarioussolutiontechnology
stacks for any potential small business security solutions.
This paper proposes a UML data model, the Small IT Data ( SITD) model,
and process to support the often overwhelming information-gathering phase of a
small business cyber-security journey. We first describe the rationale behind the
new approach and model in section 2. Section 4 describes the design principles.
In section 5 we justify the choice of UML as a modelling tool. The new class
model and its components are introduced in section 6, before validation via ap-
plication to real-life small businesses (case study) in section 7. The insights and
analysis gained from the resulting models are discussed throughout. Section 8
discusses how the model’s aligns with the aims and design principles.
2

2 Problems with Existing Tools

Many existing cyber-security analyses and tools are designed with the flexibility
to allow for use in any organisation. This flexibility requires inherent technical
expertise to understand and apply appropriately. This expertise is not available
within the small business space [49].
The following issues arise when a small business tries to use current tools:
•Attack Based Lists (e.g. OWASP [55], Mitre Att&ck [51]) – A busi-
ness needs to navigate through a repository of attack techniques with no
relation to business priorities. IT training is needed to understand the
terminology used, as well as the implications and issues discussed.
•Controls Based Lists (e.g. CIS Controls [15], Essential 8 [9]) – Use
of generic terms e.g. systems, applications, requires a small business to
further investigate what the controls apply to. This risks things, e.g. IoT
devices, being left out altogether because they don’t fall into an easily
recognisable category .
•Risk Management Based Standards (e.g. ISO 27001 [45], NIST Cy-
bersecurity Framework [31]) – Include broad statements that require in-
terpretation of how controls and processes apply to a business. The results
of this process often have technical consequences which are not obvious
without technical training.
The vast majority of small businesses have no technical expertise [7]. With
limited turnover and budget, the average small business cannot afford a cy-
ber security professional [49]. As a non-revenue-generating task, cyber-security
needs to be understandable and usable by these non-technical small business de-
cision makers. A more approachable tool, from both technical and investment
perspectives, is needed to make cyber-security accessible for small businesses,
making participation more attractive.
2.1 New Approach Needed
The lack of tailoring to small businesses undermines the effectiveness of any
analytic tools or assistance. New approaches are needed to take into account
the human aspects of small businesses [39, 13, 49]. Humans (employees and
owner) are a critical part of cyber-security plans and posture [54]. In addition,
a good security strategy requires involvement from stakeholders at all levels in
a business [50].
Maintaining cyber-security ownership over the long term in a small business
can be challenging when many cyber-security resources require a level of techni-
cal understanding. The majority of adults in developed countries do not have a
high level of technical skills [34]. Expecting non-technical small business owners
to gain the requisite cyber-security technical knowledge unassisted undermines
a business’ cyber-security self-efficacy. Lack of self-belief in the effectiveness of
3

one’s action can undermine the motivation to engage [25]. According to the
EAST principle [42] of human behavioural insights, making something easy also
helps encourage the desired behaviour. Improving the overall ease of access for
non-technical stakeholders can improve the outcome of a cyber-security solution
by facilitating effective and ongoing participation.
To enable small business engagement with any new cyber-security tool, it
is essential to redesign the current highly technical mental structure of cyber-
security analysis. A cyber-security system with infinite flexibility has proven
to be an issue for small business adoption (as mentioned above), so any new
approach has to address this gap by tailoring to small business operational and
humancharacteristics. Toachievethis, are-definingofthefundamentalbuilding
blocksofhowcyber-securityispresentedtosmallbusinessisneeded. Technology
and cyber-risk-centric language, common in existing security frameworks, need
to give way to concepts familiar to non-technical business owners. The proposed
data model needs to center on business concepts and terms that an average
person with no technical training can understand.
Building on the above, to support a business-friendly cyber-security process,
we propose a new class model (referred to as SITDmodel) to help a small busi-
ness organise and record its priorities and its IT. For a small business operator,
a model needs to document IT details as these are often not at the forefront of
their mind [41], with many relying on informal communication [46]. The initial
cyber-security step of recording the IT being used can require significant effort
from small businesses. The SITDmodel eases the cognitive load by beginning
with information in areas of familiarity, e.g. day-to-day tasks, before tying it
back to cyber-security.
3 Target Users and Businesses of SITD Model
At a technical level, the SITDmodel serves as the data foundation for future
small business cyber-security analysis tools and processes. There are 2 primary
target stakeholders for the SITDmodel: the small businesses to be protected,
and the cyber-professionals implementing cyber-security tools to be used by the
small business.
3.1 Target Modelled Businesses
TheSITDmodel is designed to model small businesses with 0 -19 employees [4],
in order to protect them. (Sole traders/single person companies are considered
to have 0 employees.) One exclusion to this broad scope is small businesses
that offer IT-centric services and products, as they are likely to have additional
security considerations (e.g. DevSecOps [27]) and technical skills.
4

3.2 Target Data Structure Users

TheSITDmodel is created for modelling non-technical small businesses. The
large number of small businesses means that any small business cyber-security
tools need to be deployable at-scale. Technology will likely play a vital role in
the tool’s dissemination. Consequently, the SITDmodel needs to provide a
structure that is easily implementable using technology. Due to this, the more
immediate users of the SITDdata model are likely to be prospective cyber-
security tool developers or professionals looking for a common way to structure
information in a quest to protect small businesses.
TheSITDmodel gives developers and professionals the data foundation for
future security tools with a small business-centric approach. The model will
help solution implementers to move away from the traditional cyber-security
and technology centric approaches.
4 Model Design Principles
In addition to the small business and developer characteristics discussed in Sec-
tion 3, the SITDmodel is designed with the following guiding principles to
facilitate small business applications.
4.1 Focus on Business Priorities
SITDmodel needs to start from the perspective of business goals, the job tasks
supporting these goals, and the IT tools needed to support these job tasks. The
goal of cyber-security is to facilitate secure business use of IT. To be used, IT
needs to deliver value to the business. In small businesses, IT tools are often
chosen because the IT solution is more convenient or efficient than its manual
counterpart (e.g. digital spreadsheet for sales recording).
The re-focus towards business priorities also serves as a reminder that the
business value of the IT tool needs to be preserved, even after securing it.
However, business value cannot be judged from a technology-centric view alone.
Another important consideration is ensuring incident response and recovery are
business goals.
4.2 Capture Intangible Factors and Relationships
TheSITDmodel needs to illustrate relationships between physical and intan-
gible components.
Past cyber-security incidents and attack techniques have involved many fac-
tors ranging from technology and operations to people [21, 23]. Social engi-
neering attacks illustrate the need for technology to work with the less tangible
aspects of an organisation such as human behaviour. The SITDmodel needs to
capture the impacts of the non-tangible factors on the overall posture of a busi-
ness, e.g. being in a highly competitive field (industrial espionage), or having
disgruntled employees.
5

The documentation of physical and intangible factors provides opportunities

forusingthedefenceindepthsecuritystrategy[32]. Thisstrategyallowssmaller
tools/solutions to be combined to form better overall security postures. The
ability to combine smaller controls is advantageous to small business due to
their resource constraints [49], which makes them unlikely to be able to afford
large ready-made cyber-security solutions.
4.3 Allow for Incomplete Information
The threat landscape is ever-evolving [1, 18] and cyber-security is never ‘fi-
nalised’. Hence, the SITDmodel needs to support cyber-security as a contin-
uous improvement process along with the need for it to function even in an
incomplete state. In addition, businesses, particularly those in a startup phase
(especially small businesses) often change on a day to day basis. As such, tools
expecting linear progression or completion (e.g. waterfall methodologies) are
not practicable from either a logistics or ongoing relevance perspective. There-
fore, the SITDmodel needs to view incomplete information as an opportunity
for further discussion and exploration, rather than a roadblock.
4.4 Agnostic
For maintainability into the future the SITDmodel should be agnostic with
regards to several factors:
1.Language – Cyber-security crosses international borders: many cyber-
crimes have transnational elements [53]. Minimising textual information
provides room for visual representations. A combination of textual and
visual information has been shown to increase understanding [2] and re-
call [14]. Where possible the SITDmodel needs to prioritise visual cues
over words.
2.Technology – Where applicable the SITDmodel needs to be technology
agnostic to ensure continued relevance as technology or attack techniques
evolve. The SITDmodel needs to serve as a record of the ongoing rele-
vance of IT to the small business, and not as a static picture.
3.Standards, Legislation and Industry – A mobile phone used in a food
service business essentially has the same technical vulnerabilities as the
same one in a legal practice. However, the context of supported business
goals sets these 2 phones apart as do the ramifications if the phenes are
breached or lost. Rather than specifically including locale-specific condi-
tions such as HIPAA, GDPR, Reportable Breach scheme etc, the SITD
model needs to capture local context in the business part of the model,
e.g. job function, tasks, strategies.
6

4.5 Enable Cyber-Security Analysis

Ultimately the SITDmodel should aim to capture sufficient information about
the small business to enable further risk analysis and discussions. Most cyber-
security standards [30] emphasise the need for IT inventory recording. The
SITDrecord, especially when linked to its users, needs to serves as input to
allow planning of further security steps for the business.
In addition, the SITDmodel needs to capture sufficient detail to conduct
cyber-security risk analysis, including assessing Common Vulnerability and Ex-
posures (CVE) impacts, risk mitigation planning and incident analysis.
5 Choice of Modelling Tool
Our choice of the SITDmodel tool is driven by the needs of potential imple-
menters of small business cyber-security solutions - IT developers and cyber-
security professionals, for reasons discussed in Section 3.2.
Hence we focus on data model formats common within the IT industry. The
following candidate approaches were identified and evaluated:
•Spreadsheets/Data Tables with Custom Relationships.
•Entity Relationship Diagram (ERD) [16].
•Unified Modelling Language (UML) [24].
The table/databases approach is unsuitable due to lack of a standardised
way for entities and relationships to be modelled in cyber-security. The table
approach requires creation of a new ecosystem: with new rules needing to be
created, tested and maintained. A new standard only serves to add complexity
within a field already overflowing with information.
5.1 Advantages of UML
While small business IT can technically be modelled within both ERD and
UML, UML is more suitable for the following reasons:
•Holistic nature of the UML ecosystem – UML encompasses technical
and non-technical aspects. This aligns with the aim of describing struc-
tural, intangibleanddynamicaspectsofsmallbusinesscyber-security. For
future work, UML can inherently model behaviour, business processes,
timing, actions etc.
•UML allows for different perspectives – UML natively recognises
that the same piece of data can be viewed from different perspectives (or
‘views’). For example, customer information is a piece of data inside a
business database, but UML can recognise that it is used by staff when
a customer enquires about their account. Given that the SITDmodel is
concerned with cyber-security in both the data itself as well as transitory
events on the data, UML’s view better aligns with our aims.
7

•UML can be converted into ERD – A UML class diagram can be

converted to ERD, making, reversion to ERD possible in the future.
•Slimline presentation of information – UML allows for attributes and
operations to be applied to individual entities. A similar entity within
ERD requires multiple objects making the entity more complex in visual
appearance.
•Use of UML within the industry – UML has been adopted widely
into the IT and business worlds, where it can be used to describe whole
ecosystems of software, hardware, processes and actors involved. This
focus is important given the potential developers of future small business
security solutions.
Inconclusion, UMLdesignphilosophyisbetteralignedwiththe SITDmodel
goals and the possible future extensibility of small business cyber-security.
6 The SITD Model
In this section, we present details of each sub-part of the SITDmodel, before
linking the parts together into an overall structure. Real life business oper-
ations and IT architectures are then used to illustrate the model’s use. The
SITDmodel centers on the business and branches out to the connected IT
infrastructure.
TheSITDmodel relies heavily on the class and object diagrams within
UML. These diagrams operate on the concept of class and associations between
these classes. All other details are defined within this construct. For a quick
start guide on reading UML models and conventions, please see Appendix 9.
6.1 The SITD Model Classes
The classes in the SITDmodel reflect important small business and cyber-
security entities, and as such are not restricted to physical entities. Table 1
identifies critical concepts which are treated as classes in the SITDmodel.
Note: Some concepts, described in multiple classes within IT architecture
design and modelling conventions, have been simplified into a single construct.
The reasons and implications are discussed in each part below. Associations
(used to describe class relationships between 2 classes) contain additional infor-
mation, including relationship multiplicity as well as direction. These are noted
in standard UML notations.
In the next four subsections, we will look at sub-components of the SITD
model. Section 6.6 connects the sub-models back into the overall model struc-
ture.
8

Class Areas Examples

Business entity Doe’s Gardening Service
Human/group actors Owner; Employees
Job tasks & roles Payroll Processing; Manufacturing
Physical location Office; Client Site
Selected hardware & software de-
tailsMobile Phone; CAD
Remote/cloud IT systems Client IT Systems; Cloud Data Storage
Data/information Customer Data; Audit Records
Motivations and strategies Stay in Business; Lifestyle; Product Qual-
ity
Table 1: Class areas (discussed in section 6.1) covered as part of the SITD
model’s aim of capturing cyber and business salient information.
6.2SITD Submodel: Business
Toensuresecuritydecisionsarerelevantandproportional, thebusinessiscentral
to the SITDmodel. The Business Strategy of the SITDmodel (Figure 1)
captures the fundamental relationships between the business, its aims and the
people working in it.
The base class is centred on the business entity being protected, i.e. the
business itself. Basic details of the business are captured within the attributes.
The business’ maturity stage and strategy [28], which affects its behaviour pro-
file [41], are recorded for influence on business activities. The derived char-
acteristics are placed into 3 broad categories, Entrepreneurial, Administrative
andEngineering , which are then linked to individual day-to-day tasks. En-
trepreneurial characteristics capture any growth ambitions e.g. partnerships,
branding, while Engineering characteristics describe operational matters e.g.
factory building. Administrative characteristics keep the business running, e.g.
business registration, tax management, legal compliance. (For businesses with
narrow business goals, the characteristics and job tasks can be combined into a
single layer to streamline the SITDmodel.)
This view of the SITDmodel highlights that without the business reasons
stemming from the business strategy (e.g. keeping the business alive), the tasks
would not be done.
Thenumberofphysicalpersons(andmanagementhierarchy)workingwithin
a business is also recorded, since business is a human endeavour. In a small
business, the distinction of physical people is important given the manual (and
often adhoc) processes that exist [28]. The multiple hats worn by small business
employees leads to informal and less defined communication and processes than
those in larger corporations. Since human communication forms the basis of
many social engineering attacks [29], the number of employees is an important
part of cyber-security strategies.
9

Figure 1: UML class structure diagram showing the connections between dif-
ferent parts of the business. (Described in section 6.2.)
6.3SITD Submodel: Job Function
TheJob Function part of the SITDmodel describes the links between job tasks
and the roles performing the tasks (Figure 2).
The job tasks described as part of business goals are linked to the human
responsible for the task. The task is performed in the context of the person’s
job role. The SITDmodel allows for more than one person to work on the same
task using a collaboration link in the context of different roles (e.g. business
plans being completed in collaboration between the owner and accountant).
Conversely, multiple physical people can work on the same job task via the same
function roles (e.g. multiple sales assistants in a retail shop). This model allows
for the same physical person to take on multiple job functions, as is common in
micro-enterprises where the owner can also be the security, janitor and website
administrator. In early analysis, the function role can be synonymous with a
physical person; role information can be added after further analysis. This is
particularly useful in sole trader/micro-companies where roles are not formally
assigned or defined.
The job function model links job tasks to the data item(s) needed to per-
10

Figure 2: The UML class structure diagram showing how job functions lead
to people working together and hence needing access to specific data within the
business. (Details in section 6.3.)
form the tasks. Every business task requires some sort of data item to be used,
whether it is the product price in a sales transaction, a recipe within a manu-
facturing plant, or lesson plans within an education setting. Data is considered
at a more fundamental level than just the electronic storage of the information.
6.4SITD Submodel: IT Interaction
We now link data to the IT systems used to store and use this data (Figure 3).
TheSITDmodelonlyincludesanydatastoredelectronically. Itisassumedthat
any physical data stored is handled according to the existing risk management
plan and outside the scope of cyber-security. Inspite of the SITDmodel’s elec-
tronic focus, ISO27001 [45] includes physical access as part of risk management.
Hence, any system implementing the SITDmodel needs to include reminders
that physical security is still required.
The data item must be stored within a destination (target) system. This
is intended to be a generic container that records details of where the data
is stored. The target system can range from a local drive on a laptop/phone
to cloud services or records held by another business/entity. The details of
the service and location are captured in the classes associated with the data.
We recognise that data (class Alternate Access) can be retrieved by another
party off the same system, e.g. business registration details can be requested
by a member of the public using the registration body website. The target
system classes are deliberately light on technical detail to reflect the reality
that most small businesses have limited influence on the technical details of
the electronic data storage. For example, hosted websites only allow limited
customisation from a look and feel perspective, webmail providers dictate the
login process and whether multi-factor authentication mechanisms are offered,
retail hardware/software manufacturers decide whether memory is encrypted by
11
Figure 3: UML class structure diagram showing how a person accesses specific
data in target systems using their devices and network connection. (Discussed
in section 6.4.)
default etc.
On a physical front, the SITDmodel links the access to the data via a physi-
cal location and device, and ultimately to a physical person. The link highlights
that physical access to this device-connection pipeline plays an important part
in the security posture. For example, if someone has physical access to a Wi-Fi
router, then no matter how secure the target system, the risk of a man in the
middle attack increases.
At a physical device level, the classes are simplified from a technical view-
point e.g. the OSI 7 layer model [19], to capture only applications, operating
system (OS) and network connector classes - components the business worker
interacts with. This is to ensure focus on the components under the worker’s
control on a day to day basis. An application is any software program that
the business uses on a physical device, ranging from productivity suites such
as Microsoft Office to browsers for access to cloud services/web pages. While
the simplification does make technical vulnerability analysis more difficult, most
vulnerability notifications, common vulnerabilities & exploits, vendor notifica-
tions today relate impacts to applications and/or operating systems [52].
In its current version, the SITDmodel does not consider system to system
IT events e.g. batch jobs, scheduled events. The SITDmodel’s target audi-
ence are non-technical small businesses; the utilisation of automated events is
minimal [5].
6.5SITD Submodel: Threats
Finally, to illustrate deviations in risk between different industries and busi-
nesses, a threat model is included in the SITDmodel to describe any specific
or general threat to the business. This section again focuses on human threat
12

actors rather than the technical threat. Removing human motivation eliminates
many reasons for exploiting a vulnerable system. This human threat actor class
can describe single actors e.g. an industry competitor, or groups e.g. Advanced
Persistent Threat (APT)/nation state actors.
Figure 4: UML class structure diagram showing how certain threat motiva-
tions can mean specific data (and IT system by association) can require more
attention. (Discussed in section 6.5.)
The majority of small businesses, before having a cyber-incident, do not
perceive cyber incidents as likely [8]. The threat model is important to docu-
ment motivations, especially in specialised industries (e.g. defence contractors,
fiercely competitive market conditions etc.). The threat model highlights any
part of the business that may require a higher level of priority, to help assess
adequate level of investment.
6.6 Overall SITD Model
Each subpart of the SITDmodel described in sections 6.2 - 6.5 can be used
independently. However, when linked together with common classes, the model
creates a picture of the interrelations between IT and business goals (Figure 5).
Based on the linked business goal, the business can prioritise the parts of IT
needing attention from a cyber-security perspective.
Fromananalyticsperspective, therelationshipsshowhowunconnectedparts
of the business can lead to an asset needing protection from motivated actors.
A class and relationship model highlights gaps without impeding progress.
Partial data is of use to trigger investigation and further discussions.
13

Figure5: UMLclassoverviewshowingtherelationshipsbetweenvariousfactors
within a (sample) small businesses’ overall cyber-security posture, discussed in
section 6.6.
7SITD Model Applications
We will now demonstrate the use of the SITDmodel by modelling a case study
business. Business operation modelling of cyber-security relevant concerns is
done using source data from a non-cyber-security small business case study [37]
1to emulate a small business owner’s point of view. Technical modelling is
sourced from a UK small scale IT architecture case study [35] , including small
business participants. Finally, we utilise a NotPetya breach analysis to illustrate
theSITDmodel use in incident analysis.
1As the business is currently operating, all identifying information of the small business,
individuals, specific products and locations are redacted in the public version of this article
to protect their privacy, including citations. Original information and citations were provided
for review purposes.
14

7.1 Modelling Business Point of View

An academic case study of an agricultural small business [37] is used to demon-
strate the SITDmodel. The case study was originally constructed to illustrate
quality control considerations and includes details of business tasks. The small
business is in the agriculture industry and manufactures products from the main
crop. A labour study of another comparable region in the same country [38]
indicates that similar businesses of the same size as the agriculture business
tend to operate on 1.5 FTEs (Full Time Equivalent) staff throughout the year.
Seasonal workers are brought in for harvesting. For this analysis, the seasonal
workers were not counted towards the employee count as they are contracted for
a specific manual task (harvesting) and are likely to have minimal interaction
with the business’s IT infrastructure.
7.1.1 Entering Data into the Model
Using NVivo software, the information for the business operation from the case
study was coded to the SITDmodel’s classes. When a piece of pertinent in-
formation (e.g. job task, person or piece of data) is discussed, it is marked
with NVivo code tags of the relevant class together with a unique label (Tag
of “Job Task: Harvest” is tagged in the text when harvest is mentioned). Each
code tag corresponds to a single object in the object diagram (even if it is refer-
enced/taggedmultipletimes). Thisresultedin31codes/objectsbeinggenerated
across Business, Persons, Location, Job Task and Entrepreneurial Characteris-
tics. Two codes (Destination: Email Host and Product Competition Organiser)
were reclassified to Destination System after subsequent public information re-
search. Product Import Data was recoded to Destination System: Email Host
from Data Item because the international product importation process relies
on email. Product Competition Organiser was also given a Destination System
class as some of the competitions listed in the case study allow for complete
online applications.
The objects were initially placed in proximity to other instances of the same
class, e.g. job tasks near other job tasks. The case study was then examined
again for the relationship between objects. These relationships are drawn di-
rectly in the object diagram.
7.1.2 Analysing the Result
The processing of the agriculture small business case study produced Figure 6.
Based on Figure 6, the following areas of hyper or lack of connectivity need
discussion from a cyber-security perspective:
1.Critical Point of Failure - Owner 1 (marked with a diamond ◆in
Figure 6) is involved in the majority of the tasks required to keep the small
business running. Any device or system Owner 1 relies on is critical to the
business running smoothly, e.g. mobile phone, laptop or cloud services.
Further examination and discussion on additional security controls such
15

Figure 6: Agriculture small business case study result as depicted by the SITD
model. The reclassified items, Product Competition Organiser and Email Host,
are unshaded. Areas of possible investigation and discussion are marked with
added symbols. Discussion in section 7.1.2.
as anti-virus and backups, needs to happen to ensure availability of their
devices and systems. Owner 1 may need additional training to prevent
phishing [56].
2.Orphaned Components - There are location (Home), person (Owner 2)
and data (Tax Data) items (marked with a triangle ▲in Figure 6) noted
in the business, but the information in the case study does not indicate
relationships between these and other components.
3.Tasks with No Details - There are several tasks: Harvest Sale, Gen-
eral Marketing and Product Design, identified (marked with a star ★in
Figure 6), noted in the case study in general, but with no information
given regarding the tools/devices needed to perform them. Most tasks
need information, so further exploration is required on whether there are
dependencies on IT.
The lack of information by itself is not treated as a point of concern within
theSITDmodel process. It is an expected by-product of the focus of small busi-
ness owners, viz to keep business activities running. The purpose of this model
is to help obtain the relevant details needed from a cyber-security perspective.
16

7.1.3 Task-Based Analysis

TheSITDmodel facilitates a job task-oriented approach where each job task
is laid out. From the case study, there is the job task of crop management
which covers looking after the crops and managing harvest time. Based on the
information available in the case study, we get the object diagram in Figure 7.
Figure 7: Elements involved in agricultural small business crop management
basedoninformationavailableinthecasestudy[35]. Discussioninsection7.1.3.
The case study information is inserted into the SITDmodel structure in
Figure 8. Missing information is unshaded.
Figure 8: Known elements from agricultural small business crop management
discovery depicted in the SITDmodel are shaded in blue. Areas for discussion
are unshaded. Discussion in section 7.1.3.
The unshaded elements indicate missing information that needs further ex-
ploration in the cyber-security analysis. In the case study, crop management
decisions are dependent on data like crop ripeness. Storage, management and
access of data is not specified in the case study. Further information around
the devices and data storage needs to be clarified. By moving through each
job task, missing cyber-security context information can be further fleshed out
by the cyber-security tool/professional. This information will inform further
cyber-security analysis and risk mitigation.
17

The left side of the diagram in Figure 8 clearly links the key reasons for the
business to protect crop management data with the core task of crop manage-
ment. This relationship information keeps forefront the business value protected
byanypotentialsecuritycontrol. Adiscussiontoprotectcropmanagementdata
is needed as it enables the business to maintain a high-quality brand (by timing
the harvest) and supports production. The context helps stakeholders assign
the right level of resources and importance.
7.1.4 Change in Operating Environment
We now demonstrate the SITDmodel’s ability to handle external changes to
a small business, with the example of legislative change in the introduction
of Australian Goods and Service Tax (GST). GST is a percentage tax that
merchants collect on consumer sales [12]. The collected tax is then passed on to
thegovernmentinBusinessActivityStatements(BAS)returnstotheAustralian
Taxation Office (ATO). Initially, most international sellers were exempt from
collectionduetothelowvalueofindividualorders(suchasprocessedagriculture
products in the case study). Subsequently international merchants who achieves
a substantial amount of low value sales to Australian customers [12] were also
included. The GST collection requirement applies to our case study business.
To comply with the GST rule using guidance from ATO [12], the SITD
model will be expanded with the following class instances which were not in the
case study:
•ABN: Data Item (Australian Business Number)
•Australian GST Collected: Data Item
•Lodge Tax/BAS Return: Job Task
•Pay GST: Job Task
•Customs Information: Data Item
•Customer Invoice: Data Item
•ATO: Destination System
In addition, the following existing instances are modified:
•Sell Processed Product: Job Task – Link to additional instances to comply
with GST requirements.
•Production & Sale: Engineering Characteristics – Link to the need to
lodge additional tax (BAS) returns to the ATO, and the payment of the
GST collected using data collected during sales process .
The resulting SITDmodel due to external GST change is illustrated in
the Figure 9, with the added instances highlighted in yellow. Note that the
18

SITDstructure fundamentally does not change, despite the change in legisla-

tive environments. The SITDmodel is designed such that changes to specific
environment factors can be handled within the confines of existing SITDmodel
structure and items.
Figure 9: GST introduction for Australian customers resulted in additional
instances and links in the small business SITDmodel, highlighted in yellow.
Missing security component are denoted in non-shaded boxes, denoting areas for
furtherexplorationtoprotecttheproductproductionbusinessvalue. Discussion
in section 7.1.4.
Using the SITDmodel structure, the missing instances in Figure 9 show
up as unshaded items. These instances highlight the impacts that the change
has on the business in terms of cyber-security. In this GST example, the SITD
diagram shows that the business needs to clarify the channels (technology, job
function and person) which the required information and tasks entails. As such,
to ensure contiued compliance to the product production and sale, these tools
need to be protected proportionate to the business value brought by production.
7.2 Modelling IT Information
The case study in Section 7.1 was written from a business operations point of
view, and contains little technical information. To emulate, in general, what
technical information may be discovered in a small business, we now leverage
the small scale IT architectures found in the UK [35]. To be consistent with
the previous business operation example of 2 FTE operators, we focus on the
micro-companies (1-8 employees) described in the UK study. Figure 10 gives
the overall picture.
Followingtheprocessusedinthebusinessoperationsanalysis(Section7.1.1),
components described in the article [35]2were assigned to the corresponding
2As the business is currently operating, all identifying information of the small business,
individuals, specific products and locations are redacted in the public version of this article
to protect their privacy, including citations. Original information and citations were provided
for review purposes.
19

SITDclasses (e.g. laptop/PC/phone to device class, internet to network con-

nection). Any connected classes, according to the SITDmodel, to the article-
identified components that were not discussed in the article were highlighted as
missing information in the SITDstructure between devices and people.
Figure 10: Model depicting micro company (1-8 employees) architecture. Area
highlighted in blue defines components discovered by the case study [35]. Any
missinginformation/areasofconcernareleftunshaded. Discussioninsection7.2
.
In Figure 10, relationships have been assumed to facilitate ease of reading.
The relationships between individual employees and their devices, while hard
to present in a single page pictorially, can be stored in a data repository easily.
When the typical micro-company case study architecture is mapped onto
the structure of the SITDmodel, the following topics are highlighted from a
cyber-security perspective:
1.Alternative Access Missing for Cloud Backup and Webmail –
20
Cloud backup and webmail are not mentioned in the case study [35]. The
business’s understanding of the configuration and the ways both systems
allow third party access to the business data needs to be evaluated. The
discussion needs to be from both technical (e.g. login security, sharing
settings) as well as business process (e.g. terms and conditions, privacy
policies) perspectives. The importance of understanding both technical
and process aspects is demonstrated in past breaches of misconfigured
Amazon S3 buckets [57] and Zoombombing attacks [23].
2.Unknown device applications and operating systems - A discus-
sion around operating systems in use prompts thoughts around the level
of support and processes needed to secure these environments. For ex-
ample, updating an Android phone and applications is a different process
to updating iOS phones. The architecture states that devices are used by
both business and personal users. This raises a number of questions. Does
the mixed use extend to applications? Are there any applications that are
shared with personal use or of untrusted origins? Such cyber hygiene mat-
ters are often covered in acceptable use policies in larger enterprises [15]
and need to be addressed in small businesses.
3.SharingtheNetwork –Themixed usesofnetworksaredepictedinboth
thenetworkconnectionaswellasfamilymemberssharingthatconnection.
The blending of personal and business use is often not addressed explic-
itly in cyber-analysis today. Ideal control conditions explicitly discourage
shared network outside the business, which is unrealistic in a small busi-
ness. By recognising a blended scenario, discussion can be held around
mitigations based on the situation of the small business worker and sharer.
4.Mobile Network – A phone necessitates a mobile network connection.
Most modern phone plans include mobile data. From the case study in-
formation, it is unclear whether this network is being used to access the
business target systems. Given this network has potential as a backup
data connection in the case of an incident, mitigation strategy plan can
involve the owner-operator being trained on how to use mobile data to
ensure business continuity.
5.BYOD Device – Workers are permitted to use their own devices and
networkconnectiontoaccessbusinesssystems. Hencedatatransitsecurity
is another area of concern. Given that both data transit and devices are
notunderthesmallbusinesscontrol, measuresmaybewarrantedtosecure
data depending upon the sensitivity of the data.
6.Target Systems Security - Given the increase in devices connected
to corporate systems, the issue of lateral movement during an incident
becomes much more prominent. The breach at a target system (e.g. a
cloud provider) can potentially result in a higher impact as attackers can
move sideways and onto other devices. A business needs to understand the
nature of the connection to each site/system. This can be strengthened
21

by exploring procedural or technical safeguards that can be applied. The

fallout of supply chain incidents were made clear with past examples such
as NotPetya [21].
7.Customer Site - Small Office/Home Office (“SOHO”) routers are not
typically known for VPN, so in this scenario of connecting to customer
site, any work from home employees are most likely connecting via their
home network to the customer site. Clarification around any commercial
and security implications around this data transit path is needed. From a
commercial perspective, business needs to understand whether this path
contravenes terms of agreement with customer. Alternatively from a tech-
nical mitigation perspective, whether VPN can be set up via the existing
corporate network routers can influence risk management decisions.
7.3 Modelling Breach Information
To illustrate the use of the SITDmodel for incident analysis purposes, Maersk’s
experience from the NotPetya event is modelled within the SITDmodel struc-
ture. TheNotPetyaincidentfromMaersk’sexperienceischosenforthefollowing
similarities to small business characteristics:
•Maersk was “collateral damage” [58] of a wider state attack – Very few
small businesses, especially micro-businesses, have sufficient resources (fi-
nancial, intellectual property & data) alone to motivate lone targeted at-
tacks. Most incidents are likely to be underpinned by an opportunistic
element.
•The attack came from a Maersk’s supplier – Maersk was compelled to
use M.E.Doc accounting software to comply with Urkranian accounting
norms [21]. This is reflected in small businesses often having very little
negotiation power against, or sometimes in the choice of, their IT supplier
relationships.
•Maersk uses IT to support the core business activity of logistics – Most
small businesses are not technical [6] and employ IT as a tool to increase
productivity. IT is a support function, not their core business.
The incident’s information was collated using public reports of the incident
[21, 22], statements from Maersk’s chairman [58] and accounts of employees
involved [44, 3].
1. A Maersk computer in Odessa (Ukraine) received malicious code through
an update from M.E.Doc, a legitimate accounting software. [21]
2. The update contained malicious code, later named NotPetya, which in-
cludedexploitsMimikatzandEternalBlue. EternalBlueleveragedanSMB
version 1 vulnerability to spread the malicious code to systems across the
Maersk network. [44]
22

3. The malicious code, when encountering a non-patched operating system,

encrypted the systems. The encryption effectively wiped the system as
NotPetya did not have a built-in decryption capability. [44]
4. Maersk workers started seeing computers being reset and locked through-
out the corporate network [3]. Attempts to limit damage and stop the
outbreak were not successful, including physical disconnections of equip-
ment [22].
5. Workers were sent home as the extent of the computer unavailability be-
came apparent [22].
6. The assessment and recovery process started on 45,000 PCs, 4,000 servers
and 2500 applications [3, 58] within Maersk globally. Most of the recov-
eries, including cleaning and restarting assets, involved labour-intensive
processes.
TheSITDmodel illustrates the infrastructure (Figure 11) that enabled the
breach, as well as the flow-on human and operational impacts.
Figure 11: The Maersk NotPetya incident mapped onto the SITDmodel with
publiclyknowninformation, asdiscussedinSection7.3. Unshadeddenotesareas
with unknown components. Dashed arrow lines and numbers in green outline
the steps (as listed in Section 7.3) and infrastructure that was involved in the
incident.
The known information around software trojan from M.E.Docs, the initial
point of infection in an office PC and subsequent impact to other Maersk PCs
were widely discussed within available sources. These three aspects are recorded
in respective Applications and Devices classes. When these elements are plot-
ted on the SITDmodel structure in Figure 11, the roles that the corporate
network (Network Connection class) played in disseminating the software are
added. This is derived from the fact that NotPetya malware must jump from
the originating Office PC to other devices through a network connection. The
23

SITDalso shows the knock-on impact to operational servers (Destination Sys-

tem class), which in turn led to the dock computer(s) at shipping ports being
infected.
The links between the paralysis of the corporate servers and the shutdown
of dock computers, while hinted at and easily derivable by an IT worker, is not
always immediately apparent to a non-technical audience. The SITDmodel
provides a way to visually ‘hop’ within an often invisible IT architecture, thus
laying out the severity and spread of an incident.
7.3.1 Missing Breach Information
In addition, the SITDmodel emphasises the unknown elements, (left unshaded)
in-spite of the public information about the incident. The model underscores
the insufficient information available about the following areas:
•The corporate network served as the central point of the outbreak. Fur-
ther investigation from the incident could focus on whether there are any
controls allowing ecosystem compartmentalisation. (A lack of network
segmentation was raised as an existing issue for the company by an IT
employee in a post-incident discussion. [3].)
•Unknowns around the network connectivity mode of devices (& associated
application and tasks) indicate opportunities for future incident response
planning. As an example, as part of incident response planning, can each
physical site identify key (wireless/wired) router(s) that can isolate an en-
tire site? Anecdotally, employees unsuccessfully tried to stop the spread
by switching off and/or disconnecting individual workstations in an un-
planned manner, not as part of a rehearsed response [21].
•The source of entry needs further investigation. How was access (legiti-
mate or not) to Linkos (maker of M.E.Doc) group’s infrastructure granted
and/or managed. While this may not be resolved technically, as the mal-
ware was part of a legitimate update, the missing information can drive
conversationsbetweenMaerskandLinkosaspartofthesupplier/customer
relationship and commercial liability issues.
Examination of the above points can provide potentially valuable information
for future cyber-security tightening or setup. The structure of the SITDmodel
highlights gaps or questions that may be overlooked under the pressure of an
active incident and post incident reviews. The SITDmodel structure ensures
that, even under pressure, a systematic examination of available information
can be conducted regardless of completeness.
8 Discussion
Section 7 shows how the SITDUML model records and maps cyber-security-
relevant information for a small business. A business case study, IT architecture
24

case study and breach incident were used to show the SITDmodel recording
security-relevant business, and technical and incident details. Due to the socio-
technical nature of cyber-security [40], all 3 types of details support the analysis
of a business’ cyber-security posture.
Table 2 shows, in detail, how the SITDmodel design and usage examples
demonstrate the fulfilment of design principles set out in Sections 3 and 4.
Design Principles Met
NeedsSection(s) of This Article

ployees)✓ 7.1 Modelling Business Point of

Modelling Small Business (<20 em-

Usable for Tool Developers ✓ 5.1 Advantages of UML

View

Business Priorities Focused ✓6.2SITDSubmodel: Business

6.3SITDSubmodel: Job Function
6.5SITDSubmodel: Threats
7.1 Modelling Business Point of View

tionships✓ 7.1.3 Task-Based Analysis

Capture Intangible Factors & Rela-

Allows Incomplete Information ✓7.1.3 Task-Based Analysis

Language Agnostic ✓6.6 Overall SITDModel

7.3.1 Missing Breach Information

7.1.3 Task-Based Analysis

Technology Agnostic ✓ 7.2 Modelling IT Information

7.3 Modelling Breach Information

Agnostic✓7.1 Modelling Business Point of View

Standards, legislation & industry

Enable Cyber-Security Analysis ✓7.1.2 Analysing the Result

7.1.4 Change in Operating Environment

7.1.3 Task-Based Analysis

7.2 Modelling IT Information
7.3 Modelling Breach Information
Table 2: Design principles (section 4) versus proposed model (section 6) com-
parison. The SITDmodel met the principles set out in Sections 3.
The modelling of three widely-varying sources of information types demon-
strated that the SITDmodel is capable of modelling different types of busi-
nesses, situations and information sources. The SITDmodel’s adaptability is
useful in cyber-security where small businesses have a variety of different char-
acteristics, ranging from industry nuances to market disruption. Over the long
term, this adaptability helps the SITDmodel stay relevant during times of
change.
25

9 Conclusion
We proposed the SITDUML data model as a way to gather and organise small
business cyber-security information. Big standards, whilst flexible, lead to big
knowledge requirements and resource commitments, making them difficult to
adopt for resource-scarce small businesses. The SITDmodel helps alleviate
some barriers faced by small businesses in understanding cyber-security focused
security processes and utilising tools currently available. The SITDmodel
proposes a new way of working towards a small business cyber-security posture.
TheSITDmodel’s analysis of case studies of a micro agricultural busi-
ness, UK micro-businesses’ architecture and NotPetya breach incident shows
the capability of the SITDmodel in capturing and organising security-relevant
information. The SITDmodel highlights the value of cyber-security decisions
by linking the decisions to the business’ operational activities, via SITDlinks
between objects. The examples provided above demonstrated the ability of the
SITDmodel to model businesses in varied environments, giving structure to an
often qualitative, open-ended cyber-security process.
TheSITDmodel’s UML foundation gives a ready channel and a structured
way for any prospective solution developers (technical or otherwise) to ensure
relevant information is captured and organised. Furthermore, UML can readily
be accommodated by technologies that allow databases, thus minimising imple-
mentation issues and effort.
TheSITDmodel does not seek to replace existing cyber-security standards,
but rather fill the existing gaps with respect to small business needs. It is a
streamlined way of organising the often informal and piecemeal nature of busi-
ness information relevant to a cyber-security posture, facilitating the analysis
process. Rather than starting from a technological or risk management per-
spective, the SITDmodel leads discussion from business-centric perspectives.
Structurally, the SITDmodel provides a pathway to connect the business in-
formation to IT information.
Ultimately, the SITDmodel serves as a pathway towards a more inclusive
small business cyber-security process, by taking into account the needs of both
cyber-security solution developers and small businesses.
Acknowledgments
This research is supported by an Australian Government Research Training
Program (RTP) Scholarship. This project was conducted under an Approval
from the RMIT Human Ethics Committee (Approval Number: 23928). Au-
thors’ Note: The business case study, in section 7.1, citations and identifying
information in text and figures have been anonymised to protect the privacy of
the small business in publication.
26

References
[1] Ande, R., Adebisi, B., Hammoudeh, M., Saleem, J.: Inter-
net of Things: Evolution and Technologies from a Security Per-
spective. Sustain. Cities Soc. 54(February 2019), 101728 (2020).
https://doi.org/10.1016/j.scs.2019.101728
[2] Angeli, C., Valanides, N.: Examining the Effects of Text-Only and
Text-and-Visual Instructional Materials on the Achievement of Field-
Dependent and Field-Independent Learners During Problem-Solving with
Modeling Software. Educ. Technol. Res. Dev. 52(4), 23–36 (2004).
https://doi.org/10.1007/BF02504715
[3] Ashton, G.: Maersk, me & notPetya (Jun 2020), https://gvnshtn .com/
maersk-me-notpetya/, accessed: 01/12/2021
[4] Australian Bureau of Statistics: 1321.0 - Small Business in Australia, 2001
(2001), https://www .abs .gov .au/ausstats/abs@ .nsf/mf/1321 .0
[5] AustralianBureauofStatistics: 8167SelectedCharacteristicsofAustralian
Business (2019), https://www .abs .gov .au/statistics/industry/technology-
and-innovation/characteristics-australian-business/2017-18
[6] Australian Bureau of Statistics: 8165.0 - Counts of Australian
Businesses, Including Entries and Exits, June 2015 to June 2019
(2020), https://www .abs .gov .au/AUSSTATS/abs@ .nsf/DetailsPage/
8165 .0June2015toJune2019?OpenDocument
[7] Australian Bureau of Statistics: Australian Industry by Divi-
sion, Australian Industry, Financial Year 2019-20 (May 2021),
https://www .abs .gov .au/statistics/industry/industry-overview/
australian-industry/2019-20/81550DO001_201920 .xls
[8] Australian Cyber Security Centre, Australian Signals Di-
rectorate: Cyber Security and Australian Small Businesses
(2020), https://www .cyber .gov .au/sites/default/files/2020-07/
ACSCSmallBusinessSurveyReport .pdf
[9] Australian Cyber Security Centre, Australian Signals Directorate:
Essential Eight Maturity Model (2021), https://www .cyber .gov .au/
sites/default/files/2021-10/PROTECT-EssentialEightMaturityModel%
28October2021%29 .pdf
[10] AustralianSmallBusinessandFamilyEnterpriseOmbudsman: SmallBusi-
ness Counts (2020), https://www .asbfeo .gov .au/sites/default/files/2021-
11/ASBFEOSmallBusinessCountsDec2020v2_0 .pdf
[11] AustralianSmallBusinessandFamilyEnterpriseOmbudsman: SmallBusi-
ness Matters (2023), https://www .asbfeo .gov .au/sites/default/files/2023-
10/SmallBusinessMatters_June2023 .pdf
27

[12] Australian Taxation Office: International Tax for Business (2021),

https://www .ato .gov .au/businesses-and-organisations/international-tax-
for-business, accessed: 28/11/2023
[13] Bada, M., Nurse, J.: Developing Cybersecurity Education and Awareness
Programmes for Small- and Medium-Sized Enterprises (SMEs). Inf. Com-
put. Secur. 27(3), 393–410 (2019). https://doi.org/10.1108/ICS-07-2018-
0080
[14] Blanco, C.F., Sarasa, R.G., Sanclemente, C.O.: Effects of Visual and Tex-
tual Information in Online Product Presentations: Looking for the Best
Combination in Website Design. Eur. J. Inf. Syst. 19(6), 668–686 (2010).
https://doi.org/10.1057/ejis.2010.42
[15] Center for Internet Security: Learn about CIS Controls v8 (2023), https:
//www .cisecurity .org/controls/v8, accessed: 20/11/2023
[16] Chen, P.P.S.: The Entity-Relationship Model—Toward a Unified
View of Data. ACM Trans. Database Syst. 1(1), 9–36 (1976).
https://doi.org/10.1145/320434.320440
[17] Chiappetta,M.: UberEatsDemandSoarsDueToCOVID-19Crisis.Forbes
(Mar 2020), https://www .forbes .com/sites/marcochiappetta/2020/03/25/
uber-eats-demand-soars-due-to-covid-19-crisis
[18] Colbaugh, R., Glass, K.: Proactive Defense for Evolving Cyber Threats.
Proc. 2011 IEEE Int. Conf. Intell. Secur. Informatics, ISI 2011 pp. 125–130
(2011). https://doi.org/10.1109/ISI.2011.5984062
[19] Day, J.D., Zimmermann, H.: The OSI Reference Model. Proc. IEEE
71(12), 1334–1340 (1983), http://www .inf .ufes .br/~zegonc/material/
Redes_de_Computadores/TheOSIReferenceModel .pdf
[20] Department for Business Energy & Industrial Strat-
egy: Business Population Estimates for the UK and Re-
gions 2021 (2021), https://assets .publishing .service .gov .uk/
government/uploads/system/uploads/attachment_data/file/1019907/
2021_Business_Population_Estimates_for_the_UK_and_regions_Statistical_Release .pdf
[21] Greenberg, A.: The Untold Story of NotPetya, the Most Devastating Cy-
berattack in History. Wired Mag. (Aug 2018), https://www .wired .com/
story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
[22] Greenberg, A.: Sandworm : A New Era of Cyberwar and the Hunt for the
Kremlin’s Most Dangerous Hackers. Knopf Doubleday Publishing Group
(2019)
[23] Greenberg, A.: Why Insider ‘Zoom Bombs’ Are So Hard to Stop. Wired
Magazine (Mar 2021), https://www .wired .com/story/zoombomb-inside-
jobs/
28

[24] International Organization for Standardization, International Electrotech-

nical Commission: Information technology - Open Distributed Process-
ing - Unified Modeling Language (UML) Version 1.4.2 (2005), https:
//www .omg .org/spec/UML/ISO/19501/PDF
[25] Maddux, J.E., Rogers, R.W.: Protection Motivation and Self-Efficacy: A
RevisedTheoryofFearAppealsandAttitudeChange.J.Exp.Soc.Psychol.
19(5), 469–479 (1983). https://doi.org/10.1016/0022-1031(83)90023-9
[26] Microsoft: 10 Benefits of Data Modeling Tools (2023), https:
//powerbi .microsoft .com/en-us/what-are-the-advantages-of-data-
modeling-tools/, accessed: 09/11/2023
[27] Microsoft: What is DevSecOps? (2023), https://www .microsoft .com/
en-us/security/business/security-101/what-is-devsecops, accessed:
01/12/2023
[28] Miles, R.E., Snow, C.C., Meyer, A.D., Jr, H.J.C.: Organizational strategy,
structure, and process. Acad. Manag. Rev. 3(3), 546 (1978)
[29] Mouton, F., Malan, M.M., Leenen, L., Venter, H.S.: Social Engineering
Attack Framework. 2014 Inf. Secur. South Africa - Proc. ISSA 2014 Conf.
(2014). https://doi.org/10.1109/ISSA.2014.6950510
[30] National Cyber Security Centre: Asset Management (May 2021), https:
//www .ncsc .gov .uk/guidance/asset-management, accessed: 13/12/2021
[31] National Institute of Standards and Technology: NIST Frame-
work for Improving Critical Infrastructure Cybersecurity (2018).
https://doi.org/10.6028/NIST.CSWP.04162018
[32] National Institute of Standards and Technology: Security and Pri-
vacy Controls for Information Systems and Organizations (2020).
https://doi.org/10.6028/NIST.SP.800-53r5
[33] Organisation for Economic Co-operation and Development (OECD): Small
Businesses, JobCreationAndGrowth: Facts, ObstaclesAndBestPractices
(Jun 1997), https://www .oecd .org/cfe/smes/2090740 .pdf
[34] Organisation for Economic Co-operation and Development (OECD): Key
FactsSurveyofAdultSkills(PIAAC):FullSelectionofIndicator-UK,US,
Australia and OECD Data Table (2018), https://gpseducation .oecd .org/
IndicatorExplorer, accessed: 15/03/2021
[35] Osborn, E., Simpson, A.: On Small-Scale IT Users’ System Architectures
and Cyber Security: A UK Case Study. Comput. Secur. 70(Section 3),
27–50 (2017). https://doi.org/10.1016/j.cose.2017.05.001
29

[36] Park, J., Campbell, J.M.: U.S. Small Business’s Philanthropic Con-
tribution to Local Community: Stakeholder Salience and Social Iden-
tity Perspectives. J. Nonprofit Public Sect. Mark. 30(3), 317–342 (2018).
https://doi.org/10.1080/10495142.2018.1452823
[37] Redacted: Redacted. Redacted
[38] Redacted: Redacted, Redacted
[39] Renaud, K.: How Smaller Businesses Struggle With Security Advice. Com-
puter Fraud and Security 8, 10–18 (2016). https://doi.org/10.1016/S1361-
3723(16)30062-8
[40] Schneier, B.: The Importance of Security Engineering. IEEE Security and
Privacy10(5), 88 (2012). https://doi.org/10.1109/MSP.2012.132
[41] Scott, M., Bruce, R.: Five Stages of Growth in Small Business. Long Range
Plann.20(3), 45–52 (1987). https://doi.org/10.1016/0024-6301(87)90071-9
[42] Service, O., Hallsworth, M., Halpern, D., Algate, F., Gallagher, R.,
Nguyen, S., Ruda, S., Sanders, M., Pelenur, M., Gyani, A., Harper, H.,
Reinhard, J., Kirkman, E.: EAST Four Simple Ways to Apply Behavioural
Insights (2014), https://www .bi.team/wp-content/uploads/2015/07/BIT-
Publication-EAST_FA_WEB .pdf, accessed:10/12/2021
[43] Small Business Digital Taskforce: Small Business Digital Taskforce, Re-
port to Government (2018), https://treasury .gov .au/sites/default/files/
2021-07/p2018-191027-sbdt-report .pdf
[44] Sood, K., Hurley, S.: NotPetya Technical Analysis (2017),
https://www .crowdstrike .com/blog/petrwrap-ransomware-technical-
analysis-triple-threat-file-encryption-mft-encryption-credential-theft/
[45] Standards Australia Limited: AS ISO/IEC 27001 Australian
Standard Information Technology - Security Techniques - Infor-
mation Security Management Systems - Requirements (2015),
https://infostore .saiglobal .com/en-au/Standards/AS-ISO-IEC-27001-
2015-111199_SAIG_AS_AS_232620/
[46] Street, C.T., Meister, D.B.: Small Business Growth and Internal Trans-
parency: TheRoleofInformationSystems.MISQ.Manag.Inf.Syst. 28(3),
473–506 (2004). https://doi.org/10.2307/25148647
[47] Sullivan-Taylor, B., Branicki, L.: Creating Resilient SMEs: Why One
Size Might Not Fit All. Int. J. Prod. Res. 49(18), 5565–5579 (2011).
https://doi.org/10.1080/00207543.2011.563837
[48] Tam, T., Rao, A., Hall, J.: The Invisible COVID-19 Small Business Risks:
Dealing with the Cyber-Security Aftermath. Digit. Gov. Res. Pract. 2(2)
(2020). https://doi.org/10.1145/3436807
30

[49] Tam, T., Rao, A., Hall, J.: The Good, the Bad and the
Missing: A Narrative Review of Cyber-Security Implications for
Australian Small Businesses. Comput. Secur. 109, 102385 (2021).
https://doi.org/10.1016/j.cose.2021.102385
[50] Tan, T., Maynard, S., Ahmad, A., Ruighaver, T.: Information Secu-
rity Governance: A Case Study of the Strategic Context of Informa-
tion Security. In: Pacific Asia Converence Inf. Syst. vol. 43. Association
for Information Systems Electronic Library (AISeL), Langkawi (2017),
http://aisel .aisnet .org/pacis2017/43
[51] The Mitre Corporation: Mitre Att&ck (2019), https://attack .mitre .org/,
accessed: 01/03/2021
[52] The Mitre Corporation: CVE (2023), https://cve .mitre .org/, accessed:
14/11/2023
[53] United Nations Office on Drugs and Crime: Comprehensive Study on
Cybercrime (2013), http://www .unodc .org/documents/organized-crime/
UNODC_CCPCJ_EG .4_2013/CYBERCRIME_STUDY_210213 .pdf
[54] Von Solms, R., Van Niekerk, J.: From Information Secu-
rity to Cyber Security. Comput. Secur. 38, 97–102 (2013).
https://doi.org/10.1016/j.cose.2013.04.004
[55] Watson, C., Zaw, T., Andriushchenko, I., Justiniano, G.M., Tesauro,
M.: OWASP Automated Threat Handbook Web Applications. OWASP,
Bel Air, United States (2018), https://owasp .org/www-pdf-archive/
Automated-threat-handbook .pdf
[56] Williams, E.J., Hinds, J., Joinson, A.N.: Exploring Susceptibility to Phish-
ing in the Workplace. Int. J. Hum. Comput. Stud. 120(June 2017), 1–13
(2018). https://doi.org/10.1016/j.ijhcs.2018.06.004
[57] WizCase Cyber Research Team: Over 80 US Municipalities’ Sensitive In-
formation, Including Resident’s Personal Data, Left Vulnerable in Mas-
sive Data Breach (2021), https://www .wizcase .com/blog/us-municipality-
breach-report/, accessed: 13/01/2021
[58] World Economic Forum: Securing a Common Future in Cy-
berspace (2018), https://www .youtube .com/watch?v=Tqe3K3D7TnI, ac-
cessed: 05/01/2022
Appendix - Reading the Model: UML Conven-
tions
Our model is highly reliant on UML. Here is an example to show how to inter-
prete UML class and object diagrams.
31

Class (drawn as rectangles) defines independent entities or objects. From

these classes, associations (drawn as lines) are used to illustrate relationships
between classes. A class can exist on its own but associations must have a
beginning and an ending class (which can be the same class). Classes convey
structural information only (i.e. the location of the class in relation to other
classes). When an instance of a class is defined, it is noted as an object.
Certain characteristics of the class are captured as attributes, primarily text
fields within each class. Enumerations, which restrict the possible values in an
attribute, are also defined. Despite their similarity in appearance to classes,
enumerations do not play a role in the structure of the model.
Figure 12 illustrates the class diagram for a car for example.
Figure 12: Example class showing the class structure of a car in relation to its
tires using UML. The ‘1..4’ notation specifies that a car can have 1 to 4 tyres.
Described in section 9.
This defines that structurally a car must have a minimum of 1 tyre to a
maximum of 4 as a relationship. These tyres do not need to be the same on
the same car (think early bicycles with 2 different size wheels). It also states
the attributes of cars and tyres (generally attributes are not mandatory unless
otherwise specified). At this stage, it is not instantiated i.e. it does not describe
a specific car, but rather a relationship between cars and tyres.
In describing individual cars e.g. John’s car with four tyres, the object
diagram is given in Figure 13.
Figure 13: Example object diagram showing how an instance of a car can be
represented using UML. Described in section 9.
For further information on UML, refer to UML ISO specification documen-
tation [24].
32