Development of a cyber risk assessment tool for Irish small business owners
Miriam Curtin, Brian Sheehan, Melanie Gruben, Nikoletta Kozma, Gillian O'Carroll, Hazel Murray
TL;DR
This study develops and iteratively refines a national cyber risk assessment tool tailored for Irish SMEs with minimal cybersecurity knowledge. Through a three-part design (international-tool analysis, think-aloud interviews, and focus groups), the authors identify SME-specific needs, extract SME-relevant risk themes, and implement a user-friendly tool with a 10-minute completion time. Iterative feedback from 29 participants drives terminology, backup questions, and usability improvements, resulting in a version that educates users about cybersecurity gaps while guiding risk prioritization. Key SME risk areas emerge, including GDPR compliance, data protection, training, and incident preparedness, underscoring the tool's practical impact for increasing cyber resilience. The work lays a foundation for an action-plan extension and potential nationwide deployment via the ourRAT platform.
Abstract
Small and medium enterprises (SMEs) are increasingly vulnerable to cyber threats due to limited resources and cybersecurity expertise, in addition to an increasingly hostile cyber threat environment at national and international levels. This study aims to improve cyber resilience among SMEs by developing a national risk assessment tool. This research is guided by three key questions: 1. What current international SME risk assessment tools are available and supported or endorsed by national cybersecurity centres? 2. How can a risk assessment tool be created that is accessible to SME owners with little to no cybersecurity knowledge? 3. What are the key areas of cybersecurity risks for SMEs? To answer these questions, a comprehensive review of existing risk assessment tools was carried out. Iterative collaboration with SMEs then made possible the development of a user-friendly tool that simplifies risk for non-expert users.
