A framework for planning and managing cybersecurity projects in small and medium-sized enterprises

Authors

DOI:

https://doi.org/10.5585/gep.v13i3.23083

Keywords:

Cybersecurity, Risk management, Cost management, Project management.

Abstract

Adequate investment in cybersecurity remains one of the main pillars for companies that need to protect their business in the digital era. To do so, it is essential to understand the different steps required to implement an adequate cybersecurity strategy, which can be seen as a cybersecurity project to be developed, implemented, and operated by a company. This article proposes SECProject, a framework that defines and organizes the technical and economic steps required to plan and implement a cost-effective cybersecurity strategy in Small and Medium-sized Enterprises (SMEs). As a result, the SECProject steps enable guided and organized cybersecurity planning that considers both the technical and the economic elements required for adequate protection. This helps even companies without technical expertise to optimize their cybersecurity investments while reducing the business risks they face from cyberattacks. To demonstrate the feasibility of the proposed framework, a case study was conducted in a Swiss SME in the pharmaceutical sector, highlighting the information and artifacts required to plan and deploy cybersecurity strategies. The results show the benefits and effectiveness of risk and cost management as a key element during the planning of cybersecurity projects, using the SECProject framework as a guideline.

Author Biography

Muriel Figueredo Franco, USP/ESALQ

Muriel Franco is a Junior Researcher and PhD student in Computer Science at the University of Zurich (UZH), Switzerland, within the Communication Systems Group (CSG) of the Department of Informatics (IfI). Since September 2018, Muriel has been working in Zurich on cybersecurity, economics, blockchains, Software-Defined Networking (SDN), and Network Function Virtualization (NFV), participating in and driving the work of the CONCORDIA project within a team of networking, security, and economics researchers. In addition, from 2017 to 2020, Muriel co-developed a federated ecosystem for offering, distributing, and executing Virtual Network Functions (the FENDE project). Muriel holds an MSc in Computer Science (2017) from the Federal University of Rio Grande do Sul (UFRGS), Brazil, and a BSc in Computer Science (2014) from the Federal University of Pelotas (UFPEL), Brazil.

Published

2022-12-09

How to Cite

Figueredo Franco, M., Martins Lacerda, F., & Stiller, B. (2022). Um framework para planejamento e gerenciamento de projetos de cibersegurança em pequenas e médias empresas. Revista De Gestão E Projetos, 13(3), 10–37. https://doi.org/10.5585/gep.v13i3.23083

Issue

Section

Articles