The Ongoing Threat of Ransomware to Small Businesses: A Qualitative Case Study on the Impediments to the Application of Preventative, Detective, and Corrective Controls
Dissertation Defense Outline
Research Problem, Purpose, & Questions
Research Method & Design
Population & Sample
Materials & Instruments
Assumptions, Limitations, & Delimitations
Findings & Conclusions
Implications & Recommendations
Problem Addressed by the Study
Problem Statement:
Purpose of the Study
Purpose of the Study:
Research Questions
RQ1: What are the impediments for the application of ransomware-specific preventative controls by small business owners?
RQ2: What are the impediments for the application of ransomware-specific detective controls by small business owners?
RQ3: What are the impediments for the application of ransomware-specific corrective controls by small business owners?
Research Methodology
Research Methodology:
Population & Sample
Population:
Materials & Instruments
Data Sources:
Instrument(s):
Apparatus:
Assumptions, Limitations, & Delimitations
Assumptions:
Limitations:
Delimitations:
Findings & Conclusions
RQ1. What are the impediments for the application of ransomware-specific preventative controls by small business owners?
It is essential to acknowledge that in this study, the participants confirm that major hindrances to preventing ransomware attacks relate to limited awareness of cybersecurity and lack of adequate training, including the absence of specific internal policies on cyber-security management.
RQ2. What are the impediments for the application of ransomware-specific detective controls by small business owners?
Participants confirm that their organizations are less equipped to detect ransomware or malware invasions as they lack sophisticated solutions.
RQ3. What are the impediments for the application of ransomware-specific corrective controls by small business owners?
This study’s findings confirm several impediments related to corrective controls, such as ineffective threat removal, inadequate resources, and unclear recovery policies.
Findings & Conclusions
Conclusion(s):
Implications
Implications:
Recommendations
Recommendations:
The Ongoing Threat of Ransomware to Small Businesses: A Qualitative Case Study on the Impediments to the Application of Preventative, Detective, and Corrective Controls
Dissertation Manuscript
Submitted to Northcentral University
School of Business Management
in Fulfillment of the
Requirements for the Degree of
DOCTOR OF
MANAGEMENT INFORMATION SYSTEMS
by
Rahkon Allah Ross
La Jolla, California
March 2023
Abstract
The problem addressed in this study is that ransomware has been wreaking havoc since its discovery over twenty years ago. Small businesses continue to be regularly attacked through ransomware. The research method chapter points out essential elements related to the saliency of this study. This study incorporates a qualitative research methodology and case study design to explore the impediments to applying ransomware-specific preventative, detective, and corrective controls. A target population of small businesses and a sample of 30 enterprises were selected to provide insights into the experience and authentic encounters with cyber-attacks. Salient elements discussed include ethical concerns, assumptions, delimitations, and limitations. Open-ended questionnaires were used for instrumentation, and narrative analysis will be essential for the data analysis. Chapter four presents the research findings related to the questions posed in chapter one.
The findings from this study were crucial in cybersecurity risk planning and management by identifying, assessing, and addressing cybersecurity risks, prioritizing them, and monitoring and establishing essential controls. This study was fundamental in resource planning, ensuring efficient and effective use of resources and opportunity for mobilization. The initial aim was to explore the impediments to the application of the system controls. Based on the framework, findings, and implications of this study, future researchers must understand the role of technology and assess the complexities of small business operations as they heighten their vulnerability to cyber-attacks. It is essential to acknowledge that this study is integral to the literature expansion, providing specific impediments and potential frameworks for resolving cybersecurity issues at the organizational level.
Acknowledgments
“Impossibilities are merely things of which we have not learned, or which we do not wish to happen.”
Charles W. Chesnutt
“Every great dream begins with a dreamer. Always remember, you have within you the strength, the patience, and the passion to reach for the stars to change the world.”
Harriet Tubman
As I sat here reading countless pages of acknowledgments in countless books, I never realized how difficult a task it would be to say “thank you” for all the help, support, understanding, grief, and argument given by so many people over the time it took to write this dissertation. There can be no overstating the contributions of so many people, so my fear is of sinning by omission or under-representation. Simply and tritely put, I could not have done it on my own; it took a large and disparate community to help me through this project.
Getting through my dissertation required more than academic support, and I have many, many people to thank for listening to me and, at times, having to put up with my temper tantrums over the past two and a half years. I cannot begin to express my gratitude and appreciation for their unwavering personal and professional support. To my brother Dr. James Tisdale, thank you for taking the time out of your busy day and night to help me reach my goal of one day being called Dr. Ross. Without your guidance and advice, I would’ve indeed been at odds. Thank you for the words of encouragement you gave every time I was ready to quit; you did not let me, and I am forever grateful. To my brother Terrell Boothe, you are a great boss, mentor, and friend. Your guidance and advice have been invaluable to me since we met. I can’t thank you enough for all the help that you’ve bestowed upon me. Thank you again for being an exemplary and visionary mentor. This dissertation stands as a testament to your unconditional love and encouragement. This list of acknowledgments can only capture a small fraction of the people who supported my work. I send my deep thanks to all. Your contributions to this dissertation were vital, but the inevitable mistakes in it are very much my own.
Table of Contents
Chapter 1: Introduction
Statement of the Problem
Purpose of the Study
Introduction to Theoretical or Conceptual Framework
Introduction to Research Methodology and Design
Research Questions
Significance of the Study
Definitions of Key Terms
Summary
Chapter 2: Literature Review
Theoretical or Conceptual Framework
Subtopic
Summary
Chapter 3: Research Method
Research Methodology and Design
Population and Sample
Materials or Instrumentation
Study Procedures
Data Analysis
Assumptions
Limitations
Delimitations
Ethical Assurances
Summary
Chapter 4: Findings
Data Analysis
Results
Evaluation of the Findings
Summary
Chapter 5: Implications, Recommendations, and Conclusions
Implications
Recommendations for Practice
Recommendations for Future Research
Conclusions
References
Appendix A: Questionnaire
Appendix B: Informed Consent
List of Tables
Table 1. Summary of Selected 5 Studies
Table 2. Participant Demographics
Chapter 1: Introduction
Small businesses, mostly comprised of up to 19 employees, are becoming the primary targets of cyber-criminals as these enterprises struggle to establish the salient security measures deployed by larger organizations (Tam et al., 2021). Iovan and Iovan (2016) report that more businesses have become victims of cyber-attacks, with 91% of these organizations having experienced these attacks at least once over the past year and 9% of these victims being pre-defined targets. Technological advancement and digitization of major organizational processes, alongside the widespread integration of digital tools into main activities, have created perfect conditions for the development and execution of malware to corrupt organizational data (Iovan & Iovan, 2016).
Studies identify the increasing innovation and automation of small businesses as the key hindrance to their success, making them vulnerable to cyber-attacks (Taneja et al., 2016). Furthermore, technological advancement and commitment to vast innovation are risk factors for small businesses, as criminals have virtual access to businesses’ networks and hackers have become more skilled in accessing protected data or files, posing salient cyber security threats (Iovan & Iovan, 2016). Udofot and Topchyan (2020) confirm that small businesses remain vulnerable to cyber-attacks due to their limited power to address the sophisticated models adopted by the hackers, making it difficult for their strategies to outsmart the attackers. Furthermore, the reports add that small businesses are attractive targets for ransomware, as they possess the vast information the criminals want to exploit (Udofot & Topchyan, 2020). They typically lack a robust security infrastructure compared to larger enterprises (Udofot & Topchyan, 2020). Thus, cyber-attacks remain critical threats and primary concerns for small-sized enterprises, owing to the inability of their security infrastructure to address external attacks (Udofot & Topchyan, 2020). Numerous threats remain a challenge to small businesses, including malware, viruses, ransomware, and phishing (Iovan & Iovan, 2016).
Iovan and Iovan (2016) confirm that due to the vulnerability of small businesses to cyber-attacks such as ransomware, there is a need for proper planning and assessment of the business environment to identify the business’ vulnerability and create a framework to resolve the challenge and protect the organization’s assets. Pandey et al. (2020) confirm that small businesses and personal systems are mainly vulnerable to ransomware attacks, primarily through the business being held hostage.
Furthermore, studies show that small business owners have the basic or fundamental instruments for technological risk management but lack the essential procedures, training, and policies to protect their information resources (Berry & Berry, 2018).
Berry and Berry (2018) also note that small businesses have limited knowledge of incorporating strong passwords to safeguard their information assets. Mansfield-Devine (2016) acknowledges that a critical challenge with ransomware attacks in small businesses is that they come and go unnoticed. The ransomware encrypts the victims’ networks, which are not decrypted until the ransom is paid (Mansfield-Devine, 2016).
Studies confirm that ransomware is a prevalent challenge facing businesses in the contemporary period, considering that small-sized enterprises are making little effort to establish robust security infrastructures (Strauss, 2017; Mansfield-Devine, 2016). Furthermore, the lack of a well-established security system is a salient vulnerability steering hackers’ focus to small businesses (Mansfield-Devine, 2016). Strauss (2016) confirmed that in 2016, five sheriff and police departments were victims of ransomware attacks in Maine, forcing the departments to pay the ransom because they did not want to risk losing essential data related to law enforcement.
Additionally, Tam et al. (2021) confirm that cyber-attacks are detrimental to the wellness or thriving of small businesses or enterprises, leading to disruption of their operations and losses from the paid ransom.
Cheng et al. (2017) confirm that ransomware or malware attacks on small businesses are damaging in terms of loss of sensitive or valuable data, reputational damage, and overall disruption of organizational operations. Furthermore, cyber-attacks on businesses are linked to financial losses, as exhibited in previous attacks; Anthem insurance lost $100 million as the cost of the 2015 attacks (Cheng et al., 2017).
Numerous studies, such as Chen (2016), examine the cyber threats to small businesses in general while accounting for the specifics. Studies such as Chen (2016) and Raghavan et al. (2017), among other numerous studies, explore the widespread cyber threats to small businesses and the factors that increase their vulnerability. In addition, numerous studies such as Van and Code (2018) have investigated the impacts of cyber-attacks such as ransomware on small businesses, having shown detrimental effects. Further, extensive studies provide broad background information on the factors increasing the vulnerability of small businesses to cyber-attacks.
Additionally, other studies examine the strategies for resolving the cyber-attack challenges in small businesses. For example, studies such as Patterson (2017) point out policy decisions as critical approaches to addressing the vulnerability of small businesses to cyber-attacks. These studies are practically and empirically essential for small businesses to develop vast policies on curbing cybercrimes while considering their exposure or factors making them targeted by the hackers. Furthermore, these studies contribute to the knowledge expansion on small businesses’ vulnerability while providing consistent evidence applicable in further research.
Statement of the Problem
The problem addressed is that ransomware has continued to be a challenge to small businesses since its discovery two decades ago (Dhinnesh, 2020). Small businesses continue to be regularly attacked using ransomware (Poudyal & Dasgupta, 2021). Ransomware attacks on small businesses or enterprises stand out as critical challenges facing organizations, costing them time, resources, and reputation (Knutson, 2021). Approximately two-thirds of the cyber-attacks, in the form of ransomware, target small businesses, seeking critical information such as customer records, vendor information, customer lists, and security details such as passwords, among other information the organization uses (Van & Code, 2018). Sufficient evidence justifies the vast challenges small businesses face from ransomware attacks (Van & Code, 2018). Legislative assessments exploring ransomware attacks confirm that small businesses constitute more than half of the victims of ransomware attacks, as most operate on a narrow margin and often have no crucial resources for cyber security (Knutson, 2021).
Kaseya’s CEO confirms that between 800 and 1500 businesses across the world have at one point experienced and been affected by ransomware attacks (Satter, 2021). Therefore, the business and consumer societies are the most affected by these ransomware attacks due to data loss and disruption of operations. Small businesses are in a state of limbo as ransomware attacks continue to become rampant in a digitized society (Iovan & Iovan, 2016). However, these businesses do not understand that they can leverage their limited power in terms of resources to build a secure infrastructure that is unbreakable or less vulnerable to malicious attacks (Berry & Berry, 2018). As a result, these small enterprises should be aware of the strategies to enhance their safety and manage their risk of external attacks. Therefore, failure to conduct this research will leave small businesses unenlightened about their vulnerabilities, translating to domestic and global economic disruption. Furthermore, failing to conduct this research will be a loss to the researcher, who would not acquire new knowledge on helpful mechanisms for leveraging limited resources to develop a safe or secure infrastructure for small enterprises.
Purpose of the Study
The purpose of this qualitative case study was to better understand the impediments to the application of ransomware-specific preventative, detective, and corrective controls by small business owners. The study incorporated the experiences and perceptions of small business owners and leaders to explore the hindrances to the effective implementation of ransomware controls. The study was conducted using an open-ended questionnaire directed to small businesses to collect data on their experiences and perceptions about ransomware and what they think are the factors hindering control of these attacks. The target population for this case study research is small businesses or enterprises, with a target sample size of 30 small businesses. Qualitative research often entails using a small sample size to gain in-depth insight into experience and perceptions (Sim et al., 2018). Furthermore, Sim et al. (2018) confirm that an ideal qualitative research sample size ranges between four and 30 for the single case study. Generally, data will be collected from the small businesses’ premises, with their confidentiality maintained using pseudonyms. The researcher had access to data using paid services through SurveyMonkey as needed for the study.
Introduction to Theoretical or Conceptual Framework
The theoretical framework used to explain this study is the routine activity theory introduced by Cohen and Felson in 1979 (Holt et al., 2020). This framework is most appropriate in the given study because it shows how having adequate protection of systems against ransomware can prevent infections. Furthermore, this is a criminology theory based on examining the victimization and offenses of cybercrime (de Melo et al., 2018). Thus, it will help understand the application of ransomware and the development of controls, including preventive, corrective, and detective controls.
Introduction to Research Methodology and Design
A qualitative study was chosen as the research methodology. Studies confirm that qualitative research methodology entails collecting, analyzing, and deducing meaning from non-numerical data (Flick, 2018). Flick (2018) proves that the primary focus of qualitative research is to obtain individuals’ subjective perceptions and give meaning to their experiences. Hennink et al. (2020) note that qualitative research methodology is crucial for obtaining quality, in-depth insights into the problem. Therefore, qualitative research methodology was selected for this study due to its ability to obtain insights and information regarding the experiences of people and organizations with a study’s problem or phenomenon.
Hennink et al. (2020) note that qualitative research methodology is essential to understand diverse people’s world experiences and operations. The qualitative method was selected for this study due to its primary intention to obtain sufficient data on the experiences of small businesses with ransomware. Therefore, the methodology represents a perfect choice to draw insights and interpret perceptions towards the ransomware challenges and the factors impeding effective control of the business challenge. Furthermore, Flick (2018) confirms that a qualitative study is flexible and naturalistic, meaning it accounts for changes and incorporates new ideas within real-world contexts. Furthermore, the qualitative method is crucial for this research to obtain meaningful insights by accounting for people’s or businesses’ experiences and perceptions of ransomware challenges. Finally, Flick (2018) and Hennink et al. (2020) confirm that the open nature of qualitative research makes it crucial to uncover new problems that could not have been thought of before.
The selection of a case study as the design for this study entails an in-depth investigation of a single group, particularly small businesses. Hennink et al. (2020) ascertain that the case study design is crucial to obtain information related to the individual group’s previous experience or to the event as it currently occurs in the course of their life. Studies confirm that a qualitative case study is crucial in exploring an event or phenomenon within a specific context using diverse data sources to discover the multiple facets of the studied concept or phenomenon (Rashid et al., 2019). Therefore, this research focused on small businesses as the target and specific context for exploring the multiple facets of ransomware by examining the business representatives’ perceptions and experiences with the cyber threat to obtain in-depth insights. Case study design accounts for the phenomenon or challenge within the real-life context to consider the features of the problem through the subjective experiences or feelings towards the ransomware attacks. It is crucial to identify the inadequacies of the systems of small businesses to control or prevent ransomware attacks.
Research Questions
RQ1: What are the impediments for the application of ransomware-specific preventative controls by small business owners?
RQ2: What are the impediments for the application of ransomware-specific detective controls by small business owners?
RQ3: What are the impediments for the application of ransomware-specific corrective controls by small business owners?
Significance of the Study
This study is significant because it can contribute substantially towards helping small business owners become more informed regarding the implications of cyber security controls so that they can improve business operations. This research is novel in its purpose, exploring a critically new gap. It is crucial to the field of study to account for the system inadequacies in small businesses in preventing and controlling the infectivity of ransomware attacks. Knutson (2021) ascertains that small businesses are overwhelmed by ransomware attacks as they have limited resources to implement preventive strategies. Furthermore, small business owners are often unaware of the magnitude of ransomware threats (Malecki, 2019). The usefulness of this study’s result is embedded in the aspect that some business owners can learn through experience how to strengthen and mitigate their cyber security while reducing the negative consequences of ransomware attacks. Most of the time, small business owners provide information to promote stability and safety while being in their locus of control and managing all cost-effectively (Tuttle, 2020). There is a more sophisticated type of information system being used in large businesses compared to small companies, which can help improve the strategies of small companies and adjust them according to the target company. This means that it is necessary to understand complex information systems and also improve subcomponents for better implementation.
The findings from this study will highly contribute to the advancement of the guiding framework and literature expansion by addressing the gap in the previous studies that disregard the inadequacies of small businesses’ systems to counter, prevent, or mitigate the impacts of ransomware. Most studies, such as Knutson (2021), Tuttle (2020), and Malecki (2019), among other studies, explore the effects of ransomware attacks and prevention mechanisms for small businesses. Therefore, this study extends this exploration to examine the cause of the persistent nature of cyber-attacks on small businesses to understand what is not being done right. Thus, this research provides an opportunity to build a resilient small business sector, identify the system flaws, and correct them appropriately.
Definitions of Key Terms
Corrective Controls
Corrective controls are deployed to restore systems to a normal state and minimize the effect after an unwanted or unauthorized activity has occurred (Williams et al., 2020).
Detective Controls
Detective controls are the controls used to detect ransomware or any kind of online virus that can be harmful to the information system (Williams et al., 2020).
Guardianship
Guardianship is the concept of protection in which the elements of surveillance are used to prevent crime (Young & Yung, 2017).
Preventive Controls
Preventive and corrective controls help develop preventive strategies and have a proper corrective system to overcome the issue in case of any cyber-attack (Williams et al., 2020).
Ransomware
Ransomware is an online virus used to get money from victims (Young & Yung, 2017).
Summary
The problem addressed in this study is that ransomware has continued to wreak havoc since its discovery over twenty years ago (Dhinnesh, 2020). Small businesses continue to be regularly attacked through ransomware (Poudyal & Dasgupta, 2021). The purpose of this qualitative case study is to better understand the impediments to the application of ransomware-specific preventative, detective, and corrective controls by small business owners. The theoretical framework used in this study is the routine activity theory introduced by Cohen and Felson in 1979 (Holt et al., 2020). This framework is most appropriate for the given study because it shows how adequate protection of systems against ransomware can prevent infections. This study is significant in identifying the usefulness of developing preventive and control strategies against ransomware. Most of the time, small business owners are not informed about the magnitude of ransomware threats. Some business owners can learn through experience how to strengthen their cyber security while reducing the negative consequences of ransomware attacks. This study will help small business owners overcome these issues and protect their data.
Chapter 2: Literature Review
Iovan and Iovan (2016) confirm that small businesses have a limited capability to overcome challenges associated with cyber-attacks or threats, mainly related to impediments to the institutions’ preventative, detective, and corrective controls. The advanced use of digital tools in business operations is a leading factor contributing to the widespread cyber-attacks on small businesses or enterprises (Iovan & Iovan, 2016). This section explores previously conducted studies examining cyber threats, especially ransomware attacks on small businesses. The section is divided into sub-sections drawn from various studies, mainly related to the evolution and operations of ransomware, previous attacks, the vulnerability of small businesses, and the complexity of ransomware. Other sub-sections include the effects of the attacks, efforts by organizations to address these attacks, strategies, the internal impediments to the controls, and the overall framework of the study. The databases and search engines used included Google Scholar, Microsoft Academic, Computing Research Repository (CoRR), CiteSeerX, ProQuest, and Google for professional publications. Search parameters used include cryptography, cyber-attacks, cybercrime, and cyber-security, alongside other combinations of those search terms AND small businesses, prevention, cyber crisis management, or cyber-defense. In selecting the studies, scholarly peer-reviewed and professional publications from the last 9 years were chosen. However, more than 90% of the selected publications are current and were published in the previous 5 years.
Theoretical or Conceptual Framework
This study’s development relies on the routine activity theory of Cohen and Felson (1979) to explore the elements of crime by considering space and time. This selection incorporates the inferences of Leukfeldt and Yar (2016) on the role of routine activity theory in exploring cyber-crime and victimization. The elements of routine activity theory explored in this study are the critical constructs that motivate crime: 1) a motivated or potential offender, 2) a suitable target, and 3) the absence of protection. These constructs are essential for exploring the possible occurrence of cyber-crime and the measures to mitigate it by accounting for space and time. The convergence of time and space provides a background for understanding why small businesses are easy targets and why measures to alleviate their suitability to attacks are hard to implement.
According to Leukfeldt and Yar (2016), routine activity theory is a criminological theory essential for exploring cybercrimes and victimization. Cohen and Felson (1979) constructed the routine activity theory to define crime as an event occurring in space and time. The routine activity theory is selected for this study because small businesses can use the theory to establish effective protection against ransomware attacks. The routine activity theory forms the foundation of this study’s conceptual framework as it relates to the approaches for establishing prevention approaches to address the victims and attackers on the matters regarding ransomware. Cohen and Felson (1979) provide three critical constructs of the routine activity theory as 1) a motivated or potential offender, 2) suitable target, and 3) absence of protection. Cohen and Felson (1979) define a motivated offender as an individual capable of executing a crime or criminal activity. A suitable target is an individual or property, which a potential offender can damage or threaten easily. The absence of protection or lack of guardianship means the unavailability of a guardian who can inhibit or prevent a crime from occurring (Cohen & Felson, 1979). As part of the routine activity theory assumptions, Cohen and Felson (1979) assume that the risk of victimization by a criminal varies depending on the circumstances and location. Another assumption of this theory is that the target suitability influences the happenings of direct predatory violations (Cohen & Felson, 1979).
Cohen and Felson (1979) are recognized as the original authors of the routine activity approach, defining the circumstances in which offenders execute a crime instead of emphasizing the offender’s characteristics. After the formulation by the duo, the routine activity theory was later developed by Felson, focusing on studying crime as an event by recognizing the space and time aspects of crime, alongside its ecological nature (Miró, 2014). Miró (2014) ascertains that in the initial formulation of the theory, the initiators acknowledged that patterns of daily operations could explain the emergence of crime. Later, two aspects related to crime arose: the occurrence of crime may depend on the configuration of diverse elements of the criminal, and the absence of either the aggressor or the target would prevent a possible crime (Miró, 2014). These findings are congruent with the assertions by Tuttle (2020), confirming that the occurrence of crime is an interplay of multiple factors such as the presence of an aggressor, a target, and a lack of protection, whereby removal of one factor can successfully prevent the crime from occurring. Therefore, the routine activity approach forms the background of this study’s framework. Incorporating the conceptual framework will lead to a better understanding of the study outcomes because a successful ransomware attack requires a ransomware offender, the target of the cyber-attack, and the lack of protection or safety mechanisms against the attack that causes damage. Tuttle (2020) establishes a relationship between the key constructs of the routine activity theory: the occurrence of a ransomware attack requires potential cyber-attackers and a suitable target, or the organization’s system. Sufficient protection inhibits the actors or cyber-attackers from compromising the robust system, and the absence of adequate protection empowers the perpetrators to corrupt the system (Tuttle, 2020).
The conceptual framework provides a salient opportunity to understand the appropriate managerial functions to protect the system against cyber-attacks by addressing all internal impediments to ransomware-specific preventive, detective, and corrective controls.
Numerous studies use the routine activity approach similarly to explore the aspects of cyber-attacks as a modernized criminal activity. Tuttle (2020) successfully uses this approach to construct a quality conceptual framework for salient strategies for small business leaders to solve the ransomware problem. Reyns (2017) also uses the routine activity theory to construct a literature review on matters related to cyber-crime. Reyns (2017) uses the theory to define the occurrence of cybercrimes and victimization as successful exploitation of the available opportunities by a cybercriminal. Based on this theory, studies confirm the need to provide capable guardianship to eliminate the potentially motivating factors or opportunities for cyber-crime. Similarly, Kigerl (2011) uses the routine activity theory to explore the determinants of crimes, revealing crime occurrence as a relationship between factors such as unemployment and internet use, among other pertinent characteristics.
Reyns and Henson (2015) utilize routine activity theory to establish a link between the routine online activities of the victims and their likelihood of experiencing identity theft. The study’s findings indicate that some of the routine activities by the victims have a direct influence on the possibility of online identity theft. Additionally, Paek and Nalla (2015) used the theory to establish positive relationships between online activities and possible online victimization. Using the routine activity theory, Brady et al. (2016) confirm that a substantial proportion of businesses experience regular cyber-attacks.
Alternatives to the routine activity theory include lifestyle theory, which entails the researchers accounting for the individuals’ behaviors to predict a system user becoming a potential victim of a malicious attack (Pratt & Turanovic, 2016). Tuttle (2020) acknowledges the likelihood of lifestyle theory directing the probability of an individual or a firm becoming a target of an attack based on their online behaviors. However, the routine activity theory remains outstanding for this study’s selection due to its ability to explain how and why crimes happen within the physical space. Furthermore, Tuttle (2020) confirms that routine activity theory creates a critical opportunity to understand and redesign the physical environment to deter criminal behavior. Besides, the routine activity theory helps identify the spatial decision-making of a criminal.
The routine activity theory relates to this study by framing ransomware attacks on small businesses as an event arising from the hindrances to the ransomware-specific preventative, detective, and corrective controls. This theory explains crime as an interaction between three factors: the potential offender, the target, and the lack of protection (Tuttle, 2020), allowing small business leaders to focus on the measures that prevent ransomware infections. Therefore, this framework provides a chance to understand the factors steering victimization and later alter these factors to solve the ransomware problem. Generally, the routine activity theory provides critical constructs for exploring the impediments to achieving quality controls as a central role for small business leaders to develop effective strategies for addressing ransomware threats. This selection guided the development of the dissertation’s crucial parts, including the problem and purpose statements and research questions, by exploring victimization as a collaboration between related factors and solving the problem depending on the removal of these factors. Therefore, this framework would help in understanding the essential preventive, corrective, and detective controls that would directly influence change in the cyber-security realm by altering the patterns of the interdependent factors.
Image 1: Theoretical framework under the routine activity theory
Evolution of Ransomware
Richardson and North (2017) ascertain that the emergence and growth of ransomware have occurred in numerous phases, although some details are expected to be missing due to its illegal nature. Studies confirm that although sources tend to be inconsistent in the names of numerous versions of the ransomware, they tend to be similar (Richardson & North, 2017). The AIDS Trojan is the first-ever ransomware, developed by Joseph L. Popp in 1989; it uses simple symmetric cryptography to encode files, and resources are available for decryption (Richardson & North, 2017). Humayun et al. (2021) infer that from the 1990s to the early 2000s, after the emergence of the AIDS Trojan, cyber-attacks were not prevalent due to the limited use and availability of computers and the internet. Richardson and North (2017) ascertain that it was not until 2005 that the second version of ransomware and first-ever modern ransomware was released: Trojan.Gpcoder, also known as GP Code and GPCoder. Humayun et al. (2021) ascertain that Trojan.Gpcoder marked the beginning of robust and more sophisticated cyber-attacks due to the increased use of the internet of things (IoT). Studies confirm that Russian organized criminals developed the early ransomware versions targeting Russians and neighboring countries such as Belarus and Kazakhstan (Cawley, 2016, as cited in Richardson & North, 2017).
Richardson and North (2017) confirm that Trojan.Cryzip was developed in 2006, as ransomware had begun gaining more traction; it gained access to files and copied them to a password-protected archive folder. Also in 2006, Trojan.Archiveus was developed; on top of the Trojan.Cryzip features, recovery of files involved payment of a ransom. Locker ransomware emerged in 2007, and GPcode.AK appeared in 2008, requiring a ransom of up to $200 to decrypt corrupted files (Richardson & North, 2017). In their study exploring the evolution of ransomware, Richardson and North (2017) ascertain that it was not until 2011 that ransomware attacks became more prevalent, after the emergence of anonymous payment methods. These attacks began occurring on a large scale, with the year 2011 recording approximately 120,000 new ransomware samples (Sjouwerman, 2015, as cited in Richardson & North, 2017).
Muslim et al. (2019) acknowledge that ransomware and the overall elements of cybercrime have transformed significantly from a sector of maverick attackers to criminal businesses. Similar to assertions in other studies such as Richardson and North (2017), Muslim et al. (2019) confirm that the transformation or evolution in ransomware attacks and cybercrime relates significantly to vast technological advancement as the avenue that aids illegitimate users in crime. An evolution in internet and cloud services provided a reliable ground for ransomware attacks by connecting millions of users at both individual and corporate levels (Muslim et al., 2019). Muslim et al. (2019) ascertain that internet and technological advancements are integral to ransomware development and deployment on the victims by creating a foundation for infection, encryption, payment, and electronic decryption of the system. The inferences by Muslim et al. (2019) are congruent with the assertion provided by Richardson and North (2017) that advancement in the internet led to the use of cryptocurrencies such as Bitcoin to complete ransom payments, and to the development of more sophisticated ransomware software, as confirmed by Humayun et al. (2021). Studies confirm that technological advances that increase the anonymity of cybercriminals and cover up the proceeds of crime steer the evolution of ransomware, which increases its complexity and makes it harder to resolve (Muslim et al., 2019; Richardson & North, 2017; Humayun et al., 2021).
Richardson and North (2017) demonstrate that time has been a defining factor in the changes or evolution of ransomware attacks. By 2012, ransomware became more sophisticated and difficult to detect with the emergence of toolkits such as Citadel that produced and distributed ransomware (Segura, 2016). Richardson and North (2017) note that the emergence of another toolkit, Lyposit, in 2012 enabled ransomware to pretend to come from law enforcement agencies depending on the computer’s regional settings. Scholars confirm that 2013 marked the beginning of crypto-ransomware after the release of CryptoLocker, which required payments to be completed using cryptocurrencies such as Bitcoin (Richardson & North, 2017). The Federal Bureau of Investigation (FBI) estimated that in the first quarter of 2016 ransomware generated approximately $209,000,000 (Richardson & North, 2017).
Sources of Ransomware
Kapoor et al. (2021) confirm that organizations and individuals suffer from malicious attacks due to their failure to adopt quality cyber-hygiene or online safety, including safe browsing behavior, regular updates of antivirus software, and user awareness. Studies infer that ransomware attacks have been successful in previous years irrespective of salient measures and protocols due to their widespread sources (Kapoor et al., 2021). Kapoor et al. (2021) identify email attachments and phishing emails as central sources of ransomware, which entails making the email look like it originated from a trusted source or known sender. Removable media is the second potential ransomware source, considering that people or system users might be interested in USB drives, mainly those lying in public places (Tischer et al., 2016, as cited in Kapoor et al., 2021). Lee et al. (2016) found that businesses that did not disable their USB ports are most likely to be hit by ransomware. Kapoor et al. (2021) confirm malvertising, social media and SMS, and ransomware as a service as other potential sources of ransomware.
Similar to the assertions from other studies such as Kapoor et al. (2021) and Lee et al. (2016), Connolly et al. (2020) confirm that ransomware attacks arise from numerous sources such as phishing emails and failure to use the system safely. Furthermore, in exploring the causes of ransomware attacks, studies acknowledge that a lack of adequate cyber security training and poor use practices such as unprotected file transfer and remote access to the system increase the possibility of ransomware attacks (Connolly et al., 2020). Grossman and Schortgen (2016) confirm the assertions by Lee et al. (2016) on the need to implement effective policies to guide the best IT practices in reducing the vulnerability of businesses to ransomware attacks. Paek and Nalla (2015) confirm a relationship between phishing attempts and the possibility of ransomware attacks through identity theft and victimization. Iovan and Iovan (2016) provide congruent evidence identifying the sources of ransomware attacks as phishing emails and possibly malicious email attachments with untraceable sources. Kapoor et al. (2021), Lee et al. (2016), Tischer et al. (2016), Paek and Nalla (2015), and Connolly et al. (2020) provide consistent evidence confirming that phishing emails and ransomware as a service are the core sources of ransomware attacks.
Ransomware Operations
Studies confirm that ransomware attacks occur in four successive phases (Hampton et al., 2018). The primary phase of the ransomware attack is the infection, in which the ransomware is spread to the victim’s device by ensuring that the malware is downloaded onto the victim’s machine, which mainly depends on the victim’s overall cyber-hygiene (Kapoor et al., 2021). Hampton et al. (2018) and Kapoor et al. (2021) confirm that after the infection, the second phase of the ransomware operations is the encryption or locking of the victim’s device, or changing the master boot of the business’s device to make it inaccessible to the user.
In the next phase of the ransomware operations, the attacker makes a demand through screen displays, indicating the ransom amount required from the victim to unlock their device (Hampton et al., 2018). With the rise of cryptocurrency, most attackers demand ransom payments in Bitcoin, making it hard for law enforcement agencies to trace the attacker based on the transaction (Kapoor et al., 2021). The outcome or result is the fourth phase of the ransomware operations, which entails the decision to pay or not pay (Kapoor et al., 2021; Hampton et al., 2018). Kapoor et al. (2021) ascertain that the three potential outcomes after a ransomware attack are paying the ransom and receiving a decryption key to access the devices, reversing the operations of the attacker and recovering the files, and not paying the ransom, which can result in permanent data loss or damage to the devices.
Ransomware Attacks on Small Businesses
In an empirical study exploring the severity of ransomware and the factors influencing an organization’s vulnerability, Connolly et al. (2020) confirm that the size of the organization does not affect severity and susceptibility. However, the sector or industry in which the organization operates is highly relevant to these attacks on small businesses (Connolly et al., 2020). Sharton (2021) confirms that organizations must be prepared for malware attacks considering the spiking cases of ransomware attacks. Studies confirm that the shift to remote working due to the pandemic has exponentially increased cyber-attacks (Sharton, 2021). Sharton (2021) ascertains that in 2020 alone, ransomware attacks were 150% above the previous year’s attacks, and the amount paid by the victims rose by more than 300% in 2020. Similar to the previous year’s attacks, in 2021 there was a significant increase in ransomware attacks against private companies, including small businesses, municipalities, and critical infrastructures (Sharton, 2021).
A study exploring the increased cases of crypto-ransomware confirms that these malware attacks are changing the overall landscape of cybercrimes (Connolly & Wall, 2019). Connolly and Wall (2019) ascertain that crypto-ransomware has become more complex due to the nuanced connection between technical and human aspects of the attack. Due to the complex relationship between the technical and human features of ransomware attacks, a simple technological solution would not wipe out the threats related to crypto-ransomware (Connolly & Wall, 2019). The study by Connolly and Wall (2019) notes that after realizing the importance of IT assets to businesses, cybercriminals have explored new measures or cyber-tactics to invade enterprises, especially small-sized enterprises. Sharton (2021) ascertains that there have been significant changes in the deployment of ransomware, with a shift from the traditional access through phishing email to exfiltrating organizational information, which has turned into a business for those venturing into malicious acts. Citing the outcomes of a study by Hiscox, Ltd., Sharton (2021) confirms that 43% of more than 6,000 organizations surveyed experienced an attack in 2020, and one in six of these attacks was ransomware.
Maurya et al. (2018) ascertain that cyber-security has remained a salient issue in the business fraternity following the rise of computers. In their study exploring the evolution, targets, and safety tactics related to ransomware, the outcomes show that ransomware attacks have remained a central means for attackers to monetize the files on victims’ electronic gadgets (Maurya et al., 2018). Maurya et al. (2018) provide recent cases of malware attacks such as the attack on Bournemouth University in 2016 and the Hollywood Presbyterian Medical Center attack of 2016, which left the latter with a huge ransom of $17,000 or 40 Bitcoin (BTC) for file recovery. While Iovan and Iovan (2016) confirm that all organizations are vulnerable to cyber-attacks, small-sized enterprises are highly vulnerable due to their system-based inadequacies.
Vulnerability of Small Businesses to Ransomware Attacks
Patterson (2017) notes that small businesses remain the most vulnerable to cyber-attacks for numerous reasons. In a study exploring cyber-security policies on decision making in small-sized enterprises, Patterson (2017) ascertains that technology comes with unending instability and an ever-changing landscape that makes small businesses more susceptible to these attacks. Small businesses lack stable cyber-security infrastructures to keep up with cyber-security threats. Citing Shackelford (2016), Patterson (2017) confirms that hackers perceive small businesses or enterprises as the most accessible gateways to macro-businesses or larger organizations, including government institutions, due to their close interdependence. Studies note that a critical problem that renders small businesses more vulnerable than larger institutions is the lack of precise approaches for small business owners to prioritize maintaining some significant levels of sanctity. Shackelford (2016), as cited by Patterson (2017), notes that at least 80% of small businesses lack cyber-security policies; they lack effective tactics to make upright decisions to safeguard the organization from cyber-attacks. Similar to the inferences by Patterson (2017) and Shackelford (2016), Iovan and Iovan (2016) ascertain that small businesses are the most vulnerable to cyber-attacks because the owners lack sufficient resources such as cyber-security infrastructures to prevent the attacks.
Studies confirm that even though the internet has hastened the business operations across all sectors, it has also steered significant security risks, especially for the small businesses and enterprises, due to their limited capacity to overcome the threats (U.S. Securities and Exchange Commission, 2015). Patterson (2017) confirms that small businesses lack the resources required to recognize and mitigate cyber-security threats, making them more susceptible to ransomware attacks than large organizations. Li and Liu (2021) ascertain that the internet has played a significant role in global communication and businesses by integrating people’s lives. However, as many organizations operate in cyberspace, they have become more susceptible to malicious attacks to disrupt or destroy organizational operations (Li & Liu, 2021). Government-led studies confirm the need to focus on cyber-security challenges, especially among small and medium-sized businesses, following the enterprises’ vast commitment to internet-based services (U.S. Securities and Exchange Commission, 2015).
The study by the U.S. Securities and Exchange Commission (SEC) (2015) confirms the inference by Shackelford (2016) that there is a strong relationship between small and large organizations, which criminals use as a point of penetration to attack both micro and macro-sized organizations. The SEC posits that a leading factor in small and medium-sized firms’ vulnerability is the criminals’ perception that, because of this interdependence, attacks on these firms will guide their move into the systems of larger organizations. Additionally, the SEC confirms that small-sized firms are susceptible to malicious attacks because they lack the robust cyber defenses of larger firms (U.S. Securities and Exchange Commission, 2015). This inference by the SEC is congruent with the findings of other studies such as Shackelford (2016), Patterson (2017), and Iovan and Iovan (2016), which confirm that the weaknesses in the systems of small-sized firms make them more vulnerable to external or malicious cyber-attacks such as ransomware. Additionally, Berry and Berry (2018) confirm that although some small business owners have the crucial resources to manage potential technological risks, they lack the salient training, procedures, and policies to safeguard their information. As demonstrated by Knutson (2021), small businesses are overwhelmed by cyber-attacks, considering that they have limited resources to detect, prevent, and manage these attacks.
Furthermore, a factor that heightens small businesses’ vulnerability is that owners of small enterprises are often too unaware of the intensity of the attacks to implement preventive measures (Malecki, 2019). Knutson (2021) confirms that cyber-attacks are detrimental to small-sized organizations, considering that their vulnerability to malicious attacks makes the outcomes worse than expected. Griffin Jr. (2021) infers that small businesses or organizations remain vulnerable to malicious attacks because they are often convinced that they are too small to be targeted by cybercriminals. Based on the National Cyber Security Alliance findings, most attacks target small and medium-sized organizations, and at least 60% of them stay out of business for approximately six months after the attack (Griffin Jr., 2021).
The Complexity of the Ransomware Attacks
Studies confirm that as the threat from ransomware grows, so does the list of criminals or cyber-offenders, alongside the advancement of their victimization techniques (Connolly & Wall, 2019). Connolly and Wall (2019) ascertain that ransomware attacks are increasingly sophisticated, characterized by advances in attack techniques. Ransomware attackers are increasingly incorporating advanced techniques such as powerful botnets adept at sending millions of malicious emails or messages within the shortest time possible (Connolly & Wall, 2019). Additionally, Connolly and Wall (2019) ascertain that some attackers use internet scanners to identify or detect vulnerable Internet Protocol (IP) addresses, which become the potential victims. In a study exploring the evolution of ransomware attacks, Kalaimannan et al. (2016) find that there have been significant advancements since the emergence of CryptoLocker in 2013, which make ransomware so potent and hard to control and conquer. Kalaimannan et al. (2016) confirm that, just like business owners, the cybercriminals are refining or improving their business approaches to deceive their targets. Connolly and Wall (2019) ascertain that using anonymized platforms such as the dark web and cryptocurrencies for transactions makes it easier for cybercriminals to cover their digital footprints. Furthermore, it becomes even more complicated for law enforcement agents to investigate ransomware crimes, as the offenders use strong encryption, making it difficult for the victims to resist the demands of the attackers (Connolly & Wall, 2019). Kalaimannan et al. (2016) and Connolly and Wall (2019) confirm that the complexity of ransomware makes it more difficult for victims to reject the attackers’ demands.
Effects of Ransomware Attacks on Small-Sized Enterprises
Financial Burden on the Small Businesses
In a systematic review conducted by Reshmi (2021), findings indicate that even though there are numerous malicious attacks or malware, ransomware is the most dangerous, considering that it imposes a significant financial burden on the organization. Besides, most of the payments demanded by the attackers are completed through cryptocurrency, which is mainly untraceable by concealing the identity and the location of the attacker (Reshmi, 2021). Connolly and Wall (2019) ascertain that the recovery cost after an organization has been hit by crypto-ransomware is considerable. For instance, the average cost of an attack was $133,000 as per the survey results by Sophos in 2018; organizations experience losses approximately between $13,000 and $70,000, alongside other costs such as the loss of reputation (Connolly & Wall, 2019). Cheng et al. (2017) confirm that financial loss is a primary outcome in the businesses after a ransomware attack, as exhibited in the $100 million loss in the Anthem insurance 2015 ransomware attack.
In a study published by Forbes, Schiappa (2021) confirmed that ransomware attacks may have fallen in number, but their financial implications remain significantly high and are drastically increasing. In 2019, the firms that had experienced ransomware attacks incurred average remediation costs of at least $761,000; in 2020, the figure was $1.85 million (Schiappa, 2021). Schiappa (2021) ascertains that in the United States, the victims of ransomware attacks spent a median remediation cost of $2.09 million, marking a rise in ransom and payout demands. Hernandez-Castro et al. (2020) ascertain that the primary aim of ransomware attacks is extortion, of which financial extortion is no exception. The studies infer that the firm or organization must incur financial losses to retrieve the corrupted files (Hernandez-Castro et al., 2020). Hernandez-Castro et al. (2020) confirm that the fundamental idea of ransomware is that it entails encrypting files on the computer and demanding ransom. Brewer (2016) ascertains that ransomware has been the greatest cyber-crime in the business world over the years, with the FBI estimating the financial loss to be approximately $1bn in 2016. The basic aspect of ransomware is that if the attack is executed perfectly, the only way to recover files is by paying a ransom and then receiving the required key to decrypt the files (Schiappa, 2021).
Disruption of Work or Operations
Simon (2015) ascertains that ransomware remains an integral threat to small businesses and remains disruptive to their operations due to the limited access to the required files. Cybercriminals use malicious attacks or malware to freeze the computer files, bringing the processes to a stop until the ransom is paid (Simon, 2015). Simon (2015) notes that most small businesses fall victim to ransomware that takes the form of code that locks their computers, making them inaccessible until payment is made for decryption. Mark Stefanick, the President of Advantage Benefits Solutions, a Houston-based small-sized business, confirms that after an attack on his company was executed, it took just hours for the malicious code to spread through the firm’s server and backup system. It brought the critical functions related to claims information and financial data to a stop (Simon, 2015). Studies confirm that organizations, mainly the victims of ransomware attacks, suffer significant productivity loss and time loss due to the time and tasks required to contain and clean up the attack (Griffin Jr., 2021). Griffin Jr. (2021) acknowledges that at least 60% of the small businesses that experience a ransomware attack stay out of operation for at least six months before recovering. Other than the financial loss in terms of ransom, organizations suffer a significant loss in business, which affects the business’s overall productivity (Brewer, 2016).
Legal Liability
Studies confirm that ransomware attacks can result in legal liabilities for failing to meet contract-related obligations due to the hacking incidents (Trautman & Ormerod, 2018). Experts ascertain that ransomware attacks might result in the loss of data related to an obligation the organization must meet within a specific time. Therefore, disruption from the cyber-attack that delays or halts the achievement of these obligations might result in legal liability for failing to meet the terms of the contract. Studies ascertain that businesses have a duty of care to other stakeholders and must diligently execute such responsibilities without failing (Trautman & Ormerod, 2018). Therefore, malicious attacks that might lead to disruption of the internal operations pose significant threats related to legal liabilities, requiring compensation or payment of damages for breaching the contract (Trautman & Ormerod, 2018).
Information and Data Security Breaches
Richardson and North (2017) confirm that ransomware is a significant threat to individual and business files, considering that it encrypts organizational or personal files on an infected computer and conceals the decryption keys until the victim pays a ransom. The study by Richardson and North (2017) confirms that organizations and individuals are mainly faced with the choice of either paying or not paying the ransom, depending on the importance of the corrupted files. According to recent studies by Security Magazine on the International Data Corporation (IDC), one-third of global organizations have experienced a breach or ransomware attack that blocked access to their system or data over the last 12 months (Security Magazine, 2021). Cheng et al. (2017) note that most organizations suffer the significant threat of intentional and unintentional data leakage, calling for sufficient mechanisms to inhibit such losses. Experts ascertain that organizations of all sizes must be vigilant about ransomware attacks as the most significant threats to today’s business (Security Magazine, 2021).
Data is one of the organization’s most valuable assets, and loss of data control due to a technical breach is a universal issue affecting everyone within the system (Juma’h & Alnsour, 2020). Fagioli (2019) ascertains that the primary focus for organizations should be recovery, especially of the corrupted files, and Reshmi (2021) confirms that loss of information and organizational data is a direct outcome of ransomware attacks, following the unauthorized encryption of the necessary files by the attackers. Brewer (2016) notes that permanent data loss is a potential outcome after a ransomware attack. In a study exploring the effects of a data or information breach on organizational performance, the findings indicate mixed outcomes on the relationship between the breach and the value or share of the company (Juma’h & Alnsour, 2020). Juma’h and Alnsour (2020) confirm that companies depend heavily on technologies and recent digital advancements, meaning that most technical vulnerabilities such as data breaches and loss are inevitable.
Juma’h and Alnsour (2020) establish a link between data breaches and the economic implications for an organization, especially related to the financial loss in ransom and the work stoppage due to the disruption of the internal operations. Juma’h and Alnsour (2020) confirm that data breaches due to ransomware or other forms of malware indicate deficiencies or weaknesses in internal controls, mainly in the IT section, calling for IT controls to mitigate cyber-incidents and reduce the possibility of data breaches. Juma’h and Alnsour (2020) note that attackers may steal sensitive information for commercial purposes even after a ransom is paid. In a study to understand the trending cyber-security threats in health care organizations, the findings show that approximately 1512 data breaches impacted over 154,415,257 patient records (Ronquillo et al., 2018). Hacking, which also includes ransomware attacks, makes up at least 85% of all breaches, which risks exposure of salient client information (Ronquillo et al., 2018). Griffin Jr. (2021) confirms that most victims of ransomware attacks learn very late that their systems did not back up their data, and the businesses must painstakingly establish a pathway for finding the paper records to reconstruct their records from scratch. Cheng et al. (2017), Szücs et al. (2021), and Juma’h and Alnsour (2020) provide consistent evidence confirming that a data breach after a ransomware attack is detrimental, as it risks the financial stability and reputation of the institutions. Notably, Szücs et al. (2021) acknowledge that in the current digital era, an information or data breach is the most probable outcome after a ransomware attack, requiring businesses to make their systems too complex for the attacker to crack. Cheng et al. (2017) ascertain that data leakage is a potential outcome after a ransomware attack.
The loss of sensitive information can cause substantial financial and reputational damage to the organization.
Strategies or Measures to Address Ransomware
Tuttle (2020) confirms that addressing cyber threats is a primary function for small businesses, considering ransomware as a central problem to enhance safety and change in the organization. Pope (2016) ascertains that organizations such as health care and health care providers should be concerned about malware attacks such as ransomware and others, irrespective of the organization size. Studies confirm that a primary strategy for addressing ransomware across all organizations is creating awareness that any institution is susceptible to these attacks (Pope, 2016).
Creating Awareness
Pope (2016) confirms that the primary step for preventing ransomware attacks is recognizing that these invasions occur at all times, and that everyone should take the necessary measures to address challenges as they arise. According to a report by the Department of Justice (DOJ) of the United States, at least 4,000 ransomware attacks happen every day, a figure that represents a 300% increase between 2015 and 2016 (Pope, 2016). As a result, Pope (2016) acknowledges the need to ensure that system users are aware of the attacks and the risk factors. Tuttle (2020) confirms that organizations must be mindful of cyber-security matters to address ransomware attacks and to keep system users informed and updated on safety-related issues. Similar to the findings by Pope (2016), Tuttle (2020) acknowledges the need for business leaders to set a pathway for learning to mitigate the mistakes that render the systems vulnerable to ransomware attacks.
Studies confirm the need for ensuring all employees receive adequate training on ransomware-related matters (Pope, 2016; Tuttle, 2020). Pope (2016) ascertains a need to train employees on ransomware as part of the awareness plan to understand or know the magnitude of the threat it poses. Tuttle (2020) and Pope (2016) confirm that training and educating the organizational employees on the up-to-date information on matters related to ransomware is a central measure for addressing cybercrimes such as malware attacks. Kapoor et al. (2021) note the need for educating the employees on avoiding emails from unrecognized sources or phishing emails, which are primary pathways for delivering ransomware attacks. Malware detection is a critical training to support within an organization, which entails educating the staff to recognize that links, attachments, and websites can be malicious and should be avoided (Pope, 2016).
Pope (2016) notes that training employees on malware detection entails educating the staff to understand when a failure to log in or access specific files results from a ransomware attack. Furthermore, studies acknowledge the need for ransomware prevention training as part of the education program (Pope, 2016). Tuttle (2020) and Pope (2016) note employee training as a critical way of preventing ransomware by reminding the staff to be cautious about the sites they visit and open via the computer. Singh and Sittig (2016) ascertain that training the staff and equipping them with the relevant skills to operate the organizational devices and applications is a significant step for ensuring the safety of the systems from malicious attackers. The findings by Singh and Sittig (2016) confirm the need for making the end-user intelligent about the effective use and management of the organizational system to avoid the potential risks and preventable exposures to malicious attacks.
Integrate Cyber-Threat Intelligence in the Organization
Studies confirm that cyber-threat intelligence for organizations entails adopting a proactive approach for detecting and preventing ransomware attacks before they occur or spread (Jasper, 2016). Jasper (2016) confirms that cyber-threat intelligence for enhancing organizational safety entails analysts gathering and synthesizing information to detect or identify a threat to a specific target. Moore (2016) confirms that overcoming cyber-threats to an organization requires designing the organizational files such that they are too confusing for the hackers to execute their plans successfully. Moore (2016) suggests using a honeypot folder, which acts as a virtual trap for the hackers by being the only folder that the ransomware attacks, keeping the firm alert to potential malware. Moore (2016) ascertains that detecting ransomware is a complex task because of its morphing nature, and confirms that it has already escaped perimeter defenses such as the spam filter or firewall.
Generally, studies ascertain that the overall idea of cyber-threat intelligence for organizations is to be able to recognize and address threats on time (Jasper, 2016). Integrating cyber-threat intelligence for preventing ransomware and other malware attacks in an organization entails fusing human intelligence (HUMINT), open-source intelligence (OSINT), signals intelligence (SIGINT), imagery intelligence (IMINT), and measurement and signature intelligence (MASINT) (Jasper, 2016). Jasper (2016) confirms that cyber-threat intelligence for ransomware prevention and detection entails incorporating information from numerous sources, analyzing the data to detect threats, and establishing potential countermeasures to address cyber-related problems as they arise. An article by AllBusiness.com, published by Forbes, indicates that addressing cyber-attacks through cyber-threat intelligence entails conducting ongoing attack detection and evaluating organizational information for data compromise and compromised credentials.
Edamadaka et al. (2020) confirm that as part of cyber-threat intelligence, machine learning plays a central function, using tools such as intelligent botnets to enhance the safety of the computers at businesses. Machine learning and its tools play a critical function in inhibiting unauthorized access and preventing evasive malware and phishing by examining large volumes of data to detect and deter hackers’ invasive behaviors (Edamadaka et al., 2020). Gasu (2020) ascertains that cyber-security has evolved over the past decades, suggesting the need for machine learning in organizational information systems to advance communication networks that are safe from malware, phishing, intrusion, and illegitimate modification of information.
Conducting Cyber-Security Audit
Azmi et al. (2018) confirm a solid need to promote cyber resilience to enhance cyber-security strategy and secure the organizations’ virtual environment. Studies ascertain that securing the organization’s virtual environment entails governance and effective management of its assets (Azmi et al., 2018). According to the analysis by AllBusiness.com, conducting a cyber-security audit is a central means for preventing ransomware attacks, as it involves the security auditor in supplying the threat intelligence that the organization lacks, addressing the IT infrastructure vulnerabilities, and strengthening the login credentials. Azmi et al. (2018) reveal that a cyber-security audit enables organizations to record security threats and strengths through current analysis of the audit and log information based on expert advice.
Findings by Azmi et al. (2018) match the outcomes in Moore (2016), confirming the need for incorporating expertise to detect the vulnerabilities of the system. Singh and Sittig (2016) ascertain that promoting a comprehensive strategy for monitoring suspicious operations or activities within the connected networks is crucial in preventing, mitigating, and recovering from ransomware and other cyber-attacks. Studies note that cyber-security audit entails in-depth surveillance of the system by establishing a network and model for monitoring the user activities to detect suspicious activities such as email messages from the known malicious sources, sudden file changes, and unauthorized encryption of files (Singh & Sittig, 2016). Establishing a salient monitoring mechanism for the organization’s systems makes it easier to detect the potential ransomware attack, respond on time and recover from the potentially lost or corrupted files (Singh & Sittig, 2016).
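The honeypot folder suggested by Moore (2016) and the monitoring for sudden file changes and unauthorized encryption described by Singh and Sittig (2016) can be combined in one check. The Python below is an added example, not code from the cited studies; the decoy folder name, the file names, and the 7.5 bits-per-byte entropy threshold are assumptions.

```python
"""Decoy-folder monitor (added illustration, not code from the cited studies)."""
import hashlib
import math
import tempfile
from pathlib import Path

# Assumption: content above ~7.5 bits per byte looks encrypted or compressed.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def snapshot(folder: Path) -> dict:
    """Map each file in the decoy folder to (SHA-256 digest, entropy)."""
    state = {}
    for path in sorted(folder.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            digest = hashlib.sha256(data).hexdigest()
            state[str(path.relative_to(folder))] = (digest, shannon_entropy(data))
    return state


def compare(baseline: dict, current: dict) -> list:
    """Return sorted (file, reason) alerts for any change to the decoy folder."""
    alerts = []
    for name, (digest, _) in baseline.items():
        if name not in current:
            alerts.append((name, "missing_or_renamed"))
            continue
        new_digest, new_entropy = current[name]
        if new_digest != digest:
            # A changed decoy is always suspicious; high entropy suggests
            # the new content is ciphertext rather than an ordinary edit.
            if new_entropy >= ENTROPY_THRESHOLD:
                alerts.append((name, "modified_high_entropy"))
            else:
                alerts.append((name, "modified"))
    for name in current.keys() - baseline.keys():
        alerts.append((name, "unexpected_new_file"))
    return sorted(alerts)


def demo() -> list:
    """Build a constructed decoy folder, change it, and return the alerts."""
    # Constructed stand-in for encrypted content: 4096 deterministic
    # pseudo-random bytes derived from SHA-256 digests.
    ciphertext_like = b"".join(
        hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)
    )
    with tempfile.TemporaryDirectory() as tmp:
        decoy = Path(tmp) / "000_decoy"  # hypothetical folder name
        decoy.mkdir()
        (decoy / "payroll_2020.csv").write_text("name,amount\n" * 50)
        (decoy / "contracts.txt").write_text("Sample decoy text. " * 100)
        baseline = snapshot(decoy)

        # An untouched folder must raise no alerts.
        if compare(baseline, snapshot(decoy)):
            raise RuntimeError("unexpected alert on unchanged folder")

        # Constructed changes of the kind the monitor should flag:
        # one file overwritten with high-entropy bytes, one file renamed.
        (decoy / "payroll_2020.csv").write_bytes(ciphertext_like)
        (decoy / "contracts.txt").rename(decoy / "contracts.txt.locked")
        return compare(baseline, snapshot(decoy))


if __name__ == "__main__":
    for name, reason in demo():
        print(f"ALERT {reason}: {name}")
```

Legitimate compressed or media files also have high entropy, so the entropy label is applied only to decoy files whose hash has already changed. Because no legitimate user or application should touch the decoy folder, any alert from it warrants investigation.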
Kapoor et al. (2021) ascertain that database activity monitoring (DAM) is a salient mechanism for every organization to hinder ransomware attacks by monitoring and analyzing numerous activities within the system. Studies confirm that organizations can inhibit malware attacks by combining network-based surveillance and native audit to establish a comprehensive image of the database operations, enhancing detection and ransomware avoidance plans (Kapoor et al., 2021). Kapoor et al. (2021) suggest static and dynamic analysis for detection: static analysis includes stub examination, static linking, and string extraction, while dynamic analysis includes measures such as manual code reversing, manual debugging, and automated sandboxing. Furthermore, business leaders might consider a hybrid analysis, which includes malware reconstruction, malware dump analysis, etc. (Kapoor et al., 2021).
Socio-Technical Strategies: Installation and Configuration of the System
Singh and Sittig (2016) ascertain that after a ransomware attack has been launched, the victims have three options: use their backup to restore data, pay the ransom, or permanently lose their data. Studies acknowledge the need for socio-technical approaches, especially in health organizations, to address the socio-technical challenges related to information technology (IT) to prevent, mitigate, and recover from ransomware attacks (Singh & Sittig, 2016). Singh and Sittig (2016) suggest salient socio-technical measures to strengthen the computing infrastructures against malicious cyber-attacks.
The study findings by Singh and Sittig (2016) confirm that the primary step for preventing malicious attacks is ensuring sufficient protection of the system by fitting and configuring the computers and computer networks. As part of protecting the system from losses, studies confirm the need for establishing a regular backup of the data, which is updated frequently and whose content is stored offline, out of the reach of the ransomware (Singh & Sittig, 2016). Studies confirm that personnel maintaining all the technical resources for the organizations, such as application software, browsers, and antiviruses, alongside other salient digital tools, should ensure that they are tested and updated with the latest patches (Singh & Sittig, 2016). Mansfield-Devine (2016) confirms that for practical approaches to addressing ransomware and other potential malware attacks on businesses, it is essential to establish a robust security system on the organization’s network to alleviate the risk of exposure to malicious attackers. Beaman et al. (2021) confirm that small businesses, especially those in the health industry, must configure or design their systems so that they are impervious to the hackers’ tricks.
Studies suggest the need for hybrid encryption, using symmetric and asymmetric encryption, making it harder for hackers to decrypt and corrupt files (Beaman et al., 2021). Findings by Singh and Sittig (2016) confirm a need for the network engineers in the organization to set up and configure a firewall to safeguard the system from unauthorized access by either people or programs. Additionally, segmenting the network, with IT assets and personnel divided into diverse categories, and restricting access to these categories by the use of entry and exit traffic filtering is a salient strategy for businesses to monitor and censor access to the vulnerable programs that are essential in the organization (Singh & Sittig, 2016). Kapoor et al. (2021) confirm that promoting controlled folder access is also crucial for ransomware avoidance, where specific folders or files are mapped to different applications. The system can bar any application absent from the list of trusted applications. Singh and Sittig (2016) and Kapoor et al. (2021) have a common finding of restricting access only to authorized users by building synergy and trust in the network. Kapoor et al. (2021) confirm the need for controlled folder access to create a honeypot for functions that are not included in the trusted application database but try to access the protected files.
Singh and Sittig (2016) suggest the need for the firms to block the potentially weaponized attachments and limit the system users’ ability to install and run unneeded software using the tenet of minimizing the users’ access to systems and services required in their job. Kapoor et al. (2021) confirm the need for consistent patches and updates as salient ransomware avoidance mechanisms to reduce the system’s vulnerability to the hackers’ operations. Updates are part of the salient malware avoidance option, including updating the browsers and applications integrated within the network (Singh & Sittig, 2016; Kapoor et al., 2021).
Digital Line Protection System (DLPD) Strategies
Cheng et al. (2017) confirm that DLPD strategies for protecting the system against malicious data breaches are categorized into basic security strategies and designated DLPD techniques. Studies confirm that the basic security measures for safeguarding the systems from malicious attacks include but are not limited to establishing the firewall, antivirus software, promoting intrusion detection, controlling access, and encrypting the systems (Cheng et al., 2017). Additionally, DLPD strategies are outstanding in identifying, monitoring, and protecting confidential information from illegitimate access, which leads to leakage of pertinent organizational information (Cheng et al., 2017). DLPD plays a salient role in analyzing the content and the context encompassing the organizational data to detect and safeguard data at diverse stages (Cheng et al., 2017). Szücs et al. (2021) confirm that considering we are in the digital era characterized by vast digital information and data storage, adopting digitized solutions such as Anti-Ransomware Defense System (ARDS) is a priority to detect and address ransomware attacks in an organization.
Cheng et al. (2017) ascertain that DLPD approaches such as context-based analysis help in incorporating digital tools that profile the system users’ behaviors to detect the legitimate insiders and intruders within the system. The context-based approach enhances the system’s ability to detect an abnormal activity to help them differentiate the intruders from the internal users. Furthermore, the content-based strategies under the DLPD strategies help the system profile sensitive information and its patterns such that it can easily detect changes in these patterns to adopt internal safety approaches (Cheng et al., 2017). Generally, Cheng et al. (2017) and Szücs et al. (2021) suggest the need for incorporating digital tools to address technical problems such as malware attacks in an organization.
Attempts by the Small Business to Address the Ransomware
Tuttle (2020) notes that small business leaders use numerous strategies to address the ransomware issue, mainly focused on protecting the information systems from ransomware attacks. The study, which explores the salient strategies for small businesses in addressing ransomware, divides the potential solutions into three possible themes: 1) ransomware strategy, 2) support structure, and 3) cyber-security awareness (Tuttle, 2020).
Ransomware Strategy
Tuttle (2020) confirms that most small business leaders prefer antivirus as a primary approach for addressing ransomware. According to Bergmann et al. (2018), ransomware strategies adopted by most small business leaders entail salient protective measures that focus on inhibiting the possibility of falling victim to cybercrime. Studies identify some of these protective measures, such as installing the antivirus software, keeping the software up to date, incorporating strong passwords, trashing or deleting suspicious emails and notifications, and authenticating the safety of the websites (Bergmann et al., 2018). Tuttle (2020) ascertains that most participating small business leaders trusted their systems’ antivirus, which provides alerts on potential ransomware attempts. The antivirus alerts on susceptible invasion notify the computer’s users of the need to double-check their information or run a report of possible attacks, which enable their information systems to address problems as they arise (Tuttle, 2020).
Tuttle (2020) confirms that antivirus is a central strategy for small business leaders in addressing ransomware. Based on the study’s findings, most small business leaders depend on feedback mechanisms such as alerts, a function of the antivirus, to help them understand the effectiveness of their antivirus software (Tuttle, 2020). Hampton et al. (2018) confirm that small businesses focus on robust infection analysis for ransomware as a potential approach for detecting potential attacks at the operating system level. Antivirus protection to inhibit risks and possible attacks on small businesses stands out as a central function achieved by analyzing abnormal file activity, detecting unrecognized attempts on the internet connection, and detecting complicated code execution (Hampton et al., 2018).
Generally, studies reveal that using firewalls for connected devices is the central ransomware strategy to keep small businesses safe (Tuttle, 2020). As part of the daily ransomware strategies for small businesses, small business leaders have implemented formal procedures for backing up their data regularly, alongside software for allowing only authorized applications to alter the data (Tuttle, 2020). Thomas and Galligher (2018) acknowledge that keeping backups of the organizational data and keeping up with updates enhances the safety and protection mechanisms for businesses. Tuttle (2020) confirms that the weakness of small business leaders on matters related to data protection is that they are more concerned with safeguarding the local information system instead of focusing on the data or information stored outside their information systems.
Support Structure
Hampton et al. (2018) confirm that victims of ransomware attacks experience four phases of the attacks, which entail infection, encryption or encoding information, demand for a ransom, and results. As a measure to address these potential ransomware attacks, small business leaders “work with either customer support or their peer network for pre-planning or post-incident support” (Tuttle, 2020, p. 80). Tuttle (2020) ascertains that for pre-planning and support after the incidents, the small business leaders depend on vendor-supplied support for peer recommendation. The overall findings of these studies are that small businesses outsource services depending on their information security needs by either working with a security provider or peer network (Tuttle, 2020).
Cyber-Security Awareness
Tuttle (2020) ascertains that cyber-security awareness as a critical strategy for addressing ransomware attacks on small businesses originates from the user-centric approach of the cyber-security strategy, entailing numerous trajectories for learning and sharing information. Nobles (2018) confirms that any cyber-security strategy that does not incorporate the need for user training fails to address the behavioral-based errors that cause successful execution of ransomware attacks. Tuttle (2020) notes that small business leaders know they need to train system users and rely heavily on the peer network for education and direction before the attack or for a reactionary response after a malicious infection.
Saber (2016) acknowledges the need for increasing the staff’s awareness of cyber-attacks and their vulnerabilities to cyber-crime by implementing more sophisticated and complex strategies. Ursillo Jr. and Arnold (2021) ascertain that awareness among the workforces or staff members in the organization promotes their advocacy on the essence of quality policies and resilient IT systems to enhance their preparedness to address the unnoticed organizational weaknesses that heighten their vulnerability to attacks. Similar to other studies, Kapoor et al. (2021) confirm the need to create user awareness on safe browsing behaviors and regular updates to improve their responsiveness to malicious threats and block the potential source of ransomware attacks. Pope (2016) and Tuttle (2020) provide consistent evidence confirming the commitment by the small businesses or enterprises to keep their employees knowledgeable and aware of the possible attacks, their vulnerability, and available measures effective in inhibiting such occurrences.
Studies ascertain that most small business leaders have cyber security training to keep their staff enlightened on matters related to ransomware attacks (Tuttle, 2020). Cyber-security awareness by small business leaders entails education on cautious cyber behaviors, such as avoiding unfamiliar websites and not opening emails from unknown sources (Tuttle, 2020). Tuttle (2020) infers that cyber-security awareness by small businesses is a proactive strategy for keeping the end-users informed and updated on the emerging trends on cyber-related issues.
Internal Impediments to Control Ransomware Attacks
Studies ascertain that irrespective of the vast attempts by small business leaders to control the ransomware attacks, they suffer significant inadequacies such as lack of resources, among others, to address the ransomware challenges (Berry & Berry, 2018). Small businesses lack robust security systems, which renders them vulnerable to the hackers’ plans (Mansfield-Devine, 2016). More than two-thirds of the cyber-attacks, especially ransomware attacks, target small businesses due to their system and fundamental inadequacies that make them vulnerable to malicious attacks (Van & Code, 2018).
Impediments to Ransomware-Specific Preventive Controls
Virtue and Rainey (2015) acknowledge that preventive controls for businesses or organizations entail the measures implemented before the threat to avoid or reduce the likelihood of a successful attack. Some of the preventive controls recognized in the studies include but are not limited to organizational policies, standards, encryption plans, physical hindrances, firewalls, and procedures (Virtue & Rainey, 2015).
Inconsistent Policy on Cyber-Security
Saber (2016) confirms that an organizational policy on cyber-security matters is a central factor for small businesses to adopt consistent measures to prevent ransomware and other malware attacks. Findings in Saber (2016) show that even though small businesses understand that they are close targets of cybercriminals, they lack consistent cyber-security policies on best IT practices and on building a resilient system. Grossman and Schortgen (2016) ascertain that the lack of organizational policies on cyber-security matters hinders attaining the required professional skills and unique positioning when dealing with the cyber-threats. Additionally, Saber (2016) notes that irrespective of the small businesses’ awareness of their vulnerabilities to cyber-attacks, they disregard the complex and more sophisticated storage options such as cloud computing, which impedes their preventive strategies. Ursillo Jr. and Arnold (2021) acknowledge the essence of quality policies and processes for proper IT governance to protect the businesses’ IT assets and promote the integrity of their information. Hutchings (2012) notes that effective organizational policies on cyber-security enhance the firm’s preparedness to address potential organizational weaknesses that would threaten the firm’s cyber-security.
Lack of Adequate Training
Patterson (2017) ascertains that cyber-attacks are dominant among small businesses because the staff or employees lack sufficient training to deal with the enterprises’ vulnerabilities by engaging in technology-related activities like electronic commerce. Patterson (2017) acknowledges that the increasing diversity of ransomware attacks and lack of the required competencies to deal with these challenges make small businesses vulnerable to malicious attacks. Hayes et al. (2012) note that small businesses have limited knowledge of the various forms of malware, including Trojans and viruses, making them more vulnerable to ransomware attacks. Hutchings (2012) notes that staff training is a central requirement for keeping employees informed and updated on the quality mechanisms for securing the firm’s resources. Ursillo Jr. and Arnold (2021) confirm that small businesses suffer a challenge of the number of trained personnel with the required knowledge to support the organization’s system on cyber-security matters. Brewer (2016) acknowledges the need for training the organizational workforce to enhance their awareness of the safe use of systems and strategies for alleviating vulnerabilities to malicious attacks. Hutchings (2012) confirms that staff training improves the knowledgeability of the teams to address cyber-attacks through active involvement in quality enhancement and supports the system in attaining sustainable growth.
Weak Technical Prevention Measures
Studies confirm that businesses lack the matching technical measures or technologies to enhance the survivability of the small enterprises, which make them vulnerable to ransomware attacks (Cook, 2017). Hutchings (2012) confirms that effective prevention of ransomware and other forms of malware requires robust technical strategies such as keeping the system and its applications automated and up-to-date, and keeping the firewalls enabled, alongside securing the sites used by the firm. Cook (2017) confirms that cyber-criminals are highly reliant on advancing technology, calling for proactive actions that inhibit future cyber-crimes. Brewer (2016) confirms that weak technical prevention measures encompassing small businesses include lack of offline backups, failed spam filters, non-configuration of the desktop extension, etc. Findings by Brewer (2016) match the assertions by Cook (2017) that confirm that weak technical measures to prevent malicious attacks such as ransomware in small businesses include failure to restrict the use of high privilege such that a section of the system is only accessible to the designated users. Hutchings (2012) and Brewer (2016) suggest the need for system configuration, firewall enablement, and improving the security of the internet sites as core elements for strengthening the technical capabilities of the small businesses’ security infrastructure.
Impediments to Ransomware-Specific Detective Controls
Virtue and Rainey (2015) ascertain that detective controls for the organization entail the measures or strategies designed to discover a threat as it occurs and help during the investigation and audits after the occurrence of the threat. Such detective controls include but are not limited to host and network invasion detection, antivirus identification for identifying malicious codes, and security events monitoring (Virtue & Rainey, 2015).
Lack of Sophisticated Security Strategies
Griffin Jr. (2021) points out that small businesses remain vulnerable to malicious attacks, especially ransomware because they lack adequate resources to monitor and detect malicious code before it is executed. Hayes et al. (2012) confirm that small businesses do not have the sophisticated security abilities to safeguard the computer systems against the evolving ransomware attacks. Studies confirm that some businesses lack sophisticated cyber-security strategies because they rely on free software, which could also be malicious (Ursillo Jr. & Arnold, 2021). Ursillo Jr. and Arnold (2021) ascertain that to enhance the business safety and effective detection of cybercriminals, businesses must consider incorporating the well-managed system using an in-depth defense strategy by sourcing premium software services from reputable vendors.
Most small businesses rely on free software from unknown vendors, which can be malicious and affect the company’s system without being detected (Ursillo Jr. & Arnold, 2021). Ursillo Jr. and Arnold (2021) affirm that by failing to source premium software services from known vendors, small businesses miss the daily automatic database update, hence losing their protection as new malicious software emerges. Additionally, Saber (2016) confirms that small businesses rely on a simple mechanism that is easily permeated by cyber-criminals; the findings confirm that most small businesses do not use cloud computing services to alleviate their burden of protecting their data and the need for constructing in-house corporate servers. Businesses require sophisticated physical security, such as restricting access to IT resources (Hutchings, 2012). Van and Code (2018) infer that due to the sophistication of the cybercriminals and lack of the same prowess by the small businesses, the latter suffer losses from failed detection mechanisms.
Impediments to Ransomware-Specific Corrective Controls
Virtue and Rainey (2015) confirm that corrective controls are the measures established by individuals and organizations to mitigate or bar the possible effects of a threat event and to recover normal operations. Some of the corrective controls for businesses include but are not limited to automated removal of malicious code using antivirus software and continuity and recovery plans for the business (Virtue & Rainey, 2015).
Lack of Continuity and Recovery Plans for Small Businesses
Studies confirm that most small businesses lack sufficient financial resources to recover from the monetary losses incurred after a malware attack (Hayes et al., 2012). Griffin Jr. (2021) affirms that the financial resources help the firms recover the lost files by paying the ransom and resuming from disruptions; however, small businesses lack adequate resources to recover immediately after the ransomware attack. Griffin Jr. (2021) confirms that most small businesses lack sufficient recovery and continuity measures, considering that at least 60% of them stay out of business for at least six months after the ransomware attack. Connolly and Wall (2019) confirm that recovery from a ransomware attack is significantly costly, similar to the assertions by Cheng et al. (2017) that financial loss is an initial outcome after a ransomware attack, which is mainly not planned for by small businesses. This inference confirms the assertions by Griffin Jr. (2021) that some small businesses halt their operations for a significant period after a cyber-attack due to their unpreparedness and unavailability of recovery or continuity plans.
Search Strategies, Engines, and Databases
For this study, the databases and search engines used included Google Scholar, Microsoft Academic, Computing Research Repository (CoRR), CiteSeerX, ProQuest, and Google for professional publications. Search parameters used include cryptography, cyber-attacks, cybercrime, and cyber-security, alongside other combinations of those search terms AND small businesses, prevention, cyber crisis management, or cyber-defense. In selecting the studies, the scholarly peer-reviewed and professional publications were chosen for the last 9 years. However, more than 90% of the selected publications are current, published in the previous 5 years.
Synthesis and Analysis of the Literature
Studies on ransomware, especially in small businesses, generally provide an in-depth understanding of the contributing factors to the business’s vulnerability to malicious attacks. Recent studies such as Tuttle (2020), Udofot and Topchyan (2020), Berry and Berry (2018), and Mansfield-Devine (2016) provide in-depth, solid analysis of the small businesses’ vulnerability to malicious attacks, confirming that the available evidence is indisputable that they lack crucial resources to address their inadequacies. Additionally, studies provide generalizable findings, considering the similarity in their inference on the impediments to achieving safety on cyber-security matters, especially in the small business realm. Simon (2015), among other studies like Griffin Jr. (2021) and Brewer (2016), points out central arguments that small businesses face similar problems when addressing cybercrime. Studies provide generalizable outcomes on the impairment to ransomware-specific controls, recognizing inconsistency, lack of resources, and administrative and technical weaknesses as fundamental causes of these failures (Hutchings, 2012; Ursillo Jr. & Arnold, 2021; Cook, 2017; Saber, 2016; Virtue & Rainey, 2015). Tuttle (2020), Jasper (2016), and Singh and Sittig (2016) point out reliable and versatile findings on the successful measures for addressing ransomware through training, technical prowess, and governance. However, most studies adopt the qualitative nature, making them susceptible to insufficient evidence to make population-level inferences.
Generally, most studies agree on the need for safety tactics for all businesses to address the evolving ransomware and other malware attacks. Based on the outcomes of the literature, there is sufficient and congruent evidence from the diverse studies indicating substantial convergence on the findings of the studies. Certainly, Lee et al. (2016), Kapoor et al. (2021), and Tischer et al. (2016) provide convergent findings on the sources of ransomware, pointing out poor cyber-hygiene as a central origin. Furthermore, more studies acknowledge that small businesses are not well equipped to address ransomware attacks due to their structural, technical, and administrative weaknesses that render them susceptible to cyber-attacks (Patterson, 2017; Shackelford, 2016; Iovan & Iovan, 2016; Knutson, 2021). These studies confirm a central point of convergence that small businesses are vulnerable to cyber-attacks compared to large organizations, calling for stringent measures to enhance their responses to cyber-crime. Contrary to past findings showing that small businesses are easily preyed on by cyber-criminals, Connolly et al. (2020) provide a critical point of divergence that organizational size does not affect the severity and susceptibility to cyber-crime.
On the issues related to the authority of the sources used in this study, the sources have been selected from credible, reliable scholars and website domains, and they address cyber-security as a central point of argument in the research. Notably, the sources are relevant because they directly address the small businesses and small enterprises leaders as the key audience for this study’s findings. Therefore, the information and context needs have been met sufficiently to address the audience’s interests, which include knowing the weaknesses of the small businesses and approaches for addressing the cyber-crime in their operations. Selection bias is a common problem in these studies, considering their reliance on non-probabilistic techniques. However, some studies, such as Tuttle (2020), have sought to address this bias successfully by saturating data through triangulation approaches and member checking.
Table 1. Summary of Selected 5 Studies

| Study | Methodology | Sample | Instruments/Constructs | Main findings or contribution |
|---|---|---|---|---|
| Tuttle (2020) | Qualitative method – Multiple case studies | 5 Business owners | Semi-structured interviews; Company documents; Archival records | Ransomware strategy, support structure, and awareness of cyber-security enhance the prevention of ransomware victimization. |
| Connolly et al. (2020) | Mixed-Method – exploratory sequential design | 55 ransomware cases from 50 firms | Questionnaire and interview | Organizational size has no impact on the severity of a cyber-attack; instead, the firm’s security posture influences the level of severity. Attacks directed at specific victims are more damaging than opportunistic ones. |
| Moore (2016) | Experimental research design | 1000 file changes | Experiment | The tripwire files provided limited value since there was no means to influence malware to access the monitored files. |
| Singh & Sittig (2016) | Qualitative method | N/A | Systematic reviews | Firms must support reliable defense systems, incorporate user-focused strategies and monitor the computer and network use in the organization. |
| Saber (2016) | Qualitative exploratory case study | 5 small business leaders for questionnaire and 3 for interviews | Open-ended questionnaire, semi-structured interviews and company documents review | Small businesses must have a goal and tactical approach and promote employee training on cyber-security strategies. |
Summary
Comment by Garrett Smiley: Requirements have been met.
Include high level summary statements from the literature review that contain multiple citations within the same paren. These summary statements should cover the entire lit review.
Checklist:
☐ Briefly restate the key points discussed in the chapter. Review the headings and/or table of contents to ensure all key points are covered.
☐ Highlight areas of convergence and divergence as well as gaps in the literature that support the need for the study. This discussion should logically lead to Chapter 3, where the research methodology and design will be discussed.
The literature review marks the second section or chapter of this study, providing quality and reliable evidence on the ransomware incident in small businesses. The construction of the entire section is based on the assertion from the studies exploring the routine activity theory as the foundation for the theoretical framework. There is consistent evidence confirming the relevance of routine activity theory as a guideline to alleviate cyber-crime through an in-depth exploration of the critical constructs such as 1) a motivated or potential offender, 2) suitable target, and 3) absence of protection (Cohen & Felson, 1979; Leukfeldt & Yar, 2016; Miró, 2014). Numerous studies provide congruent evidence confirming the significant transformation of ransomware attacks as an avenue to cause sophisticated attacks (Richardson & North, 2017; Humayun et al., 2021; Cawley, 2016). Ransomware attained complexity and became more sophisticated due to the development of the internet, technological advancements, and cryptocurrency, making it undetectable (Richardson & North, 2017; Muslim et al., 2019; Humayun et al., 2021; Segura, 2016). Furthermore, sources of ransomware are diverse, including email attachments and phishing emails, malvertising, social media and SMS, ransomware as a service, etc. (Kapoor et al., 2021; Lee et al., 2016; Connolly et al., 2020). Notably, the vast sources of ransomware make it available and easy to launch against unsuspecting victims.
Furthermore, ransomware attacks occur in phases, including infection, encryption, demand, and outcome (Hampton et al., 2018; Kapoor et al., 2021). Besides, Connolly et al. (2020), Sharton (2021), Connolly and Wall (2019), Maurya et al. (2018), and Iovan and Iovan (2016) provide consistent evidence confirming that small businesses are more prone to ransomware attacks than large and medium-sized organizations. The vulnerability of small businesses to malware attacks such as ransomware results from their limited capability in terms of resources as the ransomware evolves steadily (Iovan & Iovan, 2016; Patterson, 2017; Shackelford, 2016). Furthermore, small-sized firms are susceptible to malicious attacks because they lack the robust cyber defense of the larger firms. Lack of reliable defense mechanisms and ransomware complexity make small enterprises more vulnerable (Patterson, 2017; Shackelford, 2016; Knutson, 2021; Griffin Jr., 2021). As a result, small businesses will likely suffer financial loss, work disruptions, legal liabilities, and data breaches or information loss (Reshmi, 2021; Cheng et al., 2017; Schiappa, 2021; Simon, 2015; Trautman & Ormerod, 2018; Richardson & North, 2017; Fagioli, 2019). Thus, creating awareness, integrating cyber-threat intelligence, cyber-threat audit, socio-technical approaches, and DLPD are preferable strategies to alleviate the risk of ransomware attacks (Tuttle, 2020; Pope, 2016; Kapoor et al., 2021; Singh & Sittig, 2016; Jasper, 2016; Edamadaka et al., 2020; Azmi et al., 2018; Beaman et al., 2021; Cheng et al., 2017).
Comment by Garrett Smiley [2]: This statement represents what this entire section should be. Adjust.
Additionally, numerous resources agree on salient means for addressing ransomware and the recent attempts by small businesses to reach the safety level of large businesses. Studies agree on creating awareness and staff training in enhancing safety measures (Pope, 2016; Kapoor et al., 2021; Singh & Sittig, 2016). Besides, numerous studies provide consistent evidence confirming that small businesses are vulnerable to malicious attacks for their system-based weaknesses that business leaders should focus on curbing (Reshmi, 2021; Cheng et al., 2017; Schiappa, 2021; Simon, 2015; Trautman & Ormerod, 2018; Richardson & North, 2017; Fagioli, 2019). However, a key point of divergence is that studies such as Juma’h and Alnsour (2020) reveal no relationship between the size of the firm and the vulnerability to cyber-attacks, unlike other research like Iovan and Iovan (2016), showing a connection between small business and susceptibility to ransomware. Thus, numerous studies explore the weaknesses of small businesses in addressing the ransomware problem, but they fail to address the ransomware-specific preventive, detective, and corrective controls that provide a gap for this study to examine what impedes the perfect establishment and implementation of these controls.
Chapter 3: Research Method
Comment by Garrett Smiley: Requirements have been met.
Checklist:
☐ Begin with an introduction and restatement of the problem and purpose sentences verbatim.
☐ Provide a brief overview of the contents of this chapter, including a statement that identifies the research methodology and design.
Introduction
Exploration of this research requires a salient approach for collecting in-depth insights from a small sample size. It is the third section of this research paper, aiming to incorporate methods for data collection, essential for attaining a quality and reliable study. It is necessary to acknowledge the problems encompassing small businesses or enterprises related to their increased vulnerabilities to ransomware attacks, considering that they have remained the primary targets of the malicious hackers. Nevertheless, this research will collect data to aid small businesses in identifying impediments to preventative, detective, and corrective controls to close the systemic loopholes and enhance the system’s safety. This study will adopt a qualitative research method and specifically a case study design, targeting the small businesses as the central focus of the research. Furthermore, this chapter of the study will include components related to the population, sample, instruments, procedures of the study, data analysis, assumptions, limitations, delimitations, ethical concerns, and the summary.
Research Methodology and Design
Comment by Garrett Smiley: Requirements have been met.
Checklist:
☐ Describe the research methodology and design. Elaborate upon their appropriateness in relation to the study problem, purpose, and research questions.
☐ Identify alternative methodologies and designs and indicate why they were determined to be less appropriate than the ones selected. Do not simply list and describe research methodologies and designs in general.
This study adopts a qualitative research methodology and case study as the research design, preferable to address the current situation of ransomware vulnerability in small enterprises. Studies confirm that qualitative research methodology is applicable when the study focuses on answering questions on experiences, opinions, and perceptions, often from the participants’ standpoint (Aspers & Corte, 2019). Similarly, this research focuses on the experiences of the small business enterprises with ransomware attacks, making a qualitative methodology the most preferable. Besides, this research aims to obtain in-depth insights to answer the research questions satisfactorily, making a qualitative approach preferable to provide details. It is crucial to note that the study problem, purpose, and research questions integrate a more subjective experience with ransomware, confirming the need for a qualitative approach to generate understanding through detailed descriptions.
Additionally, studies ascertain that a case study design in qualitative research helps explore a phenomenon within a specific context from various lenses (Rashid et al., 2019). Therefore, a case study design is preferable in this research. The research’s purpose, questions, and problem point out the prevalence of the phenomenon (ransomware) in small business enterprises more than in any other place. Therefore, a case study design is an approach to contextualize the phenomenon within the spheres of small businesses.
A quantitative research methodology would make a salient alternative for the qualitative research, but it was declared ineffective since it does not incorporate an interpretation of the participants’ experiences. Apuke (2017) confirms that quantitative research contains quantifiable variables to derive numerical data. As a result, since this research focuses on experiences and individual opinions, the variables are unmeasurable, making this quantitative methodology less appropriate. A correlational design would be less suitable for this research considering that there are no variables to connect or explore their relationships. Apuke (2017) ascertains that survey research design is inflexible, making it less preferable for this research, considering that this study requires incorporating changes in the research as they arise to obtain information in detail.
Population and Sample
Comment by Garrett Smiley: Requirements have been met.
Reword your recruitment approach to perfectly align with what was stated in chapter one in the purpose of the study section.
Checklist:
☐ Describe the population, including the estimated size and relevant characteristics.
☐ Explain why the population is appropriate, given the study problem, purpose, and research questions.
☐ Describe the sample that will be (proposal) or was (manuscript) obtained.
☐ Explain why the sample is appropriate, given the study problem, purpose, and research questions.
☐ Explain the type of sampling used and why it is appropriate for the dissertation proposal methodology and design. For qualitative studies, evidence must be presented that saturation will be (proposal) or was (manuscript) reached.
☐ Describe how the participants will be (proposal) or were (manuscript) recruited (e.g., email lists from professional organizations, flyers) and/or the data will be (proposal) or were (manuscript) obtained (e.g., archived data, public records) with sufficient detail so the study could be replicated.
The target population for this study is the small businesses or enterprises, considering that they are the most vulnerable to the problem addressed in this research, ransomware attacks on businesses. This research seeks to conclude a population of over 31.7 million small enterprises in the United States. The significant characteristics of the population include businesses not having more than 19 employees and with low annual returns. This population is appropriate considering that the problem explored, ransomware in business, is predominant in a small business environment, making them a vulnerable victim to the problem. As a result, this population provides a salient platform for exploring the ransomware challenge from system inadequacies to address the research questions.
The sample of 30 small businesses that have experienced a cyber-attack for the last four years will be obtained from the large population identified above. This sample is appropriate for the study to provide insights from experience and authentic encounters with the explored problem. A purposive sampling technique is preferred for this study to identify and select information-rich cases related to ransomware attacks on small businesses. Vehovar et al. (2016) confirm that purposive sampling, also referred to as judgmental sampling, entails incorporating the researcher’s arbitrary ideas seeking a representative sample. Therefore, purposive sampling is appropriate for this research to obtain representative data by relying on personal knowledge of the small businesses that have had cyber-attacks recently. The data saturation will be attained by stretching the diversity of the data and analyzing the responses. When the same comments are repeated more than ten times, saturation will be reached, and data collection can be stopped. Information is analyzed with the collected information. The recruitment of the participants will be conducted by using the SurveyMonkey paid services to obtain survey panelists or small businesses respondents to respond to the provided questions. From the selected enterprises, the data will be obtained from primary research entailing an examination of the sample population to establish their experiences with the system’s inadequacies.
Materials or Instrumentation
Comment by Garrett Smiley: Requirements have not been met (see highlighted areas below).
Create open-ended survey questions that align to your research questions and place them in an appendix for my review.
Checklist:
☐ Describe the instruments (e.g., tests, questionnaires, observation protocols) that will be (proposal) or were (manuscript) used, including information on their origin and evidence of their reliability and validity. OR as applicable, describe the materials to be used (e.g., lesson plans for interventions, webinars, or archived data, etc.).
☐ Describe in detail any field testing or pilot testing of instruments to include their results and any subsequent modifications.
☐ If instruments or materials are used that were developed by another researcher, include evidence in the appendix that permission was granted to use the instrument(s) and/or material(s) and refer to that fact and the appendix in this section.
An open-ended questionnaire (Appendix A) will be used to obtain data on experiences with ransomware attacks and impediments to effective prevention, detection, and correction. Allen (2017) confirms that open-ended questionnaires allow for a comprehensive and holistic approach for the researchers to permit respondents to provide opinions. It allows for diverse data by permitting extra details to qualify and clarify responses to build on accurate and actionable insights for the researcher. Admission of the interpreter’s perceptual presuppositions constitutes a salient option with the open-ended questionnaire to enhance validity. Additionally, an online pilot testing will be conducted for this research to pre-test the components of the questionnaire to establish the feasibility of the study process.
Study Procedures
Comment by Garrett Smiley: Requirements have been met.
Reword your study procedure to perfectly align with what was stated in chapter one in the purpose of the study section. You can expand upon that discussion in a step-by-step manner but not deviate from it.
Checklist:
☐ Describe the exact steps that will be (proposal) or were (manuscript) followed to collect the data, addressing what data as well as how, when, from where, and from whom those data will be (proposal) or were (manuscript) collected in enough detail the study can be replicated.
The open-ended questionnaires will be submitted to SurveyMonkey through the paid services to obtain survey panelists from their list of small businesses respondents. The SurveyMonkey services will constitute a primary approach for primary data collection, through the selected respondents. The feedback will be expected after 14 days of completing the survey. The topmost representatives of the selected enterprises will be responsible for the responses, although they may delegate this function at their discretion. Some of the critical data collected include the most recent hack or cyber-attack related to ransomware on the business and the losses incurred. Other data collected include the measures the business is adopting to inhibit future attacks, alongside information on the impediments to applying ransomware-specific preventative, detective, and corrective controls.
Data Analysis
Comment by Garrett Smiley: Requirements have been met.
Explain how triangulation will be addressed.
Checklist:
☐ Describe the strategies that will be (proposal) or were (manuscript) used to code and/or analyze the data, and any software that will be (proposal) or was (manuscript) used.
☐ Ensure the data that will be (proposal) or were (manuscript) analyzed can be used to answer the research questions and/or test the hypotheses with the ultimate goal of addressing the identified problem.
☐ Use proper terminology in association with each design/analysis (e.g., independent variable and dependent variable for an experimental design, predictor and criterion variables for regression).
☐ For qualitative studies, describe how the data will be (proposal) or were (manuscript) processed and analyzed, including any triangulation efforts. Explain the role of the researcher.
This research will adopt a narrative analysis to analyze the collected data by translating the survey responses into abstract findings, establishing core points or sub-topics of the narrative based on the participants’ experiences. Data will be processed in terms of narrative blocks from which the research will build subtopics based on experiences with ransomware for every organization. The narrative analysis adopted for this research entails collecting data, writing the findings, and reviewing and analyzing them based on the research questions. For triangulation efforts, this research will also incorporate information from secondary sources to enhance a comprehensive understanding of the explored phenomena by testing validity through the convergence of the findings from diverse sources. Additionally, the literature review findings will constitute a critical approach for supplementing the primary outcomes. The researcher will be responsible for accessing the thoughts, perceptions, and feelings of the study participants. Furthermore, the researcher is obliged to ensure the confidentiality and safety of the participants and their data.
Assumptions
Comment by Garrett Smiley: Requirements have been met.
Put this section in a paragraph format with complete statements.
Checklist:
☐ Discuss the assumptions along with the corresponding rationale underlying them.
It is assumed that the participants will provide honest responses because this research entails collecting information on internal business operations and will focus on alleviating any arising concerns about the safety and confidentiality of the data. As a result, this assumption incorporates the assertion that respondents will not lie. It is also assumed that the previous ransomware attacks resulted in losses; this study examines the systemic inadequacies, making this assumption necessary to select only small businesses that did not overcome the attack.
Limitations
Comment by Garrett Smiley: Requirements have been met.
Put this section in a paragraph format with complete statements.
Checklist:
☐ Describe the study limitations.
☐ Discuss the measures taken to mitigate these limitations.
Time constraints due to the detailed responses from the open-ended questionnaires are critical limitations of this study. Measures to mitigate this limitation entail effective planning to assign adequate time to collect and analyze the data. The sample size will be small, limiting the generalizability of the research. As a result, triangulation, which entails data collection using more than one approach, that is, literature review to ensure convergence of evidence, is preferred in this study.
Delimitations
Comment by Garrett Smiley: Requirements have been met.
Put this section in a paragraph format with complete statements.
Rephrase the first delimitation to state the sampling method chosen.
Tie each delimitation back to the literature using proper citations.
Checklist:
☐ Describe the study delimitations along with the corresponding rationale underlying them. An example of delimitations are the conditions and parameters set intentionally by the researcher or by selection of the population and sample.
☐ Explain how these research decisions relate to the existing literature and theoretical/conceptual framework, problem statement, purpose statement, and research questions.
I did choose purposive sampling for this research to obtain in-depth insights and details of the experiences from the representative sample. This decision relates to the purpose statement on the need to incorporate individuals’ subjective thoughts in problem-solving. Sim et al. (2018) acknowledge the need to obtain in-depth insights to account for subjective experiences from the participants. Larger businesses are excluded from this research since they have the capacity and resources to mitigate these challenges, hindering an evaluation of the roles of systemic incapability. This decision relates to the existing literature confirming that larger enterprises prevent these challenges before they happen, motivating a shift to small businesses (Tam et al., 2021).
Ethical Assurances
Comment by Garrett Smiley: Requirements have been met (see highlighted areas below).
State that the risk to participants will be minimal.
Explain how researcher bias will be addressed.
Checklist:
☐ Confirm in a statement the study will (proposal) or did (manuscript) receive approval from Northcentral University’s Institutional Review Board (IRB) prior to data collection.
☐ If the risk to participants is greater than minimal, discuss the relevant ethical issues and how they will be (proposal) or were (manuscript) addressed.
☐ Describe how confidentiality or anonymity will be (proposal) or was (manuscript) achieved.
☐ Identify how the data will be (proposal) or were (manuscript) securely stored in accordance with IRB requirements.
☐ Describe the role of the researcher in the study. Discuss relevant issues, including biases as well as personal and professional experiences with the topic, problem, or context. Present the strategies that will be (proposal) or were (manuscript) used to prevent these biases and experiences from influencing the analysis or findings.
☐ In the dissertation manuscript only, include the IRB approval letter in an appendix.
It is essential to acknowledge that this research will receive approval from Northcentral University’s Institutional Review Board (IRB) before data collection. Besides, this research will incorporate numerous ethical assurances, including informed consent, by presenting an informed consent form to the participating enterprises, highlighting the research’s purpose. This research will be guided by voluntary participation, where responses to the survey will be at the enterprise’s discretion, and participants may withdraw at any time they feel uncomfortable proceeding. All personal identifying information, such as the names of the enterprises, will be de-identified and replaced with pseudonyms to promote confidentiality. Thus, the risk to participants will be minimal in this study. Completed surveys will be encrypted to keep the data safe and ensure it is not used illegitimately. Problems anticipated include but are not limited to time constraints and subjectivity in sampling. Effective time management, event scheduling, and sending the results’ analysis to the participants to confirm accuracy are vital options for overcoming these problems. Therefore, ensuring that participants’ responses are reviewed equally will constitute an adequate approach for addressing the selection bias.
Summary
Comment by Garrett Smiley: Requirements have been met.
Checklist:
☐ Summarize the key points presented in the chapter.
☐ Logically lead the reader to the next chapter on the findings of the study.
This research method chapter points out essential elements related to the saliency of this study. The study will incorporate a qualitative research methodology and case study design to explore the impediments towards applying ransomware-specific preventative, detective, and corrective controls. A target population of small businesses and a sample of 30 enterprises are selected to provide insights out of the experience and authentic encounters with cyber-attacks. Salient elements discussed include ethical concerns, assumptions, delimitations, and limitations. Open-ended questionnaires will be used for instrumentation, and narrative analysis will be essential for the data analysis. Chapter four will therefore explore the research findings related to the questions presented in chapter one.
Chapter 4: Findings
Comment by Garrett Smiley: Requirements have been met.
Open this section with the problem and purpose statements.
Delete text highlighted as yellow, as it is incorrect and/or unnecessary.
Checklist:
☐ Begin with an introduction and restatement of the problem and purpose sentences verbatim and the organization of the chapter.
☐ Organize the entire chapter around the research questions/hypotheses.
The problem to be addressed is that ransomware has continued to be a challenge to small businesses since its discovery two decades ago (Dhinnesh, 2020). The purpose of this qualitative case study is to understand better the impediments to the application of ransomware-specific preventative, detective, and corrective controls by small business owners. Small businesses are highly vulnerable to cybercrime, characterized by their inability to cope and manage digitization and the overall technological advancement within the organizational processes. Ransomware attacks are major challenges affecting small-sized enterprises, leading to systemic disruption. Therefore, many small businesses are victims of recent ransomware attacks as the attackers leverage the commonly known weaknesses, such as the lack of sufficient resources within these enterprises. As stated, small businesses comprise more than half of the ransomware attack victims, demonstrating their lack of knowledge in the safety and management of risks. It is essential to acknowledge that such cyber-attacks have significantly impacted small businesses, including loss of data, revenue, time, resources, and reputation, alongside the disruptions of functional operations.
Therefore, exploring this study reveals the major impediments to implementing ransomware-specific preventative, detective, and corrective controls for small business owners. Furthermore, it entails incorporating diverse experiences and perceptions by small business leaders, exploring their thoughts on factors hindering their control of these attacks. This chapter will further explore the trustworthiness of the data, examine the study’s results, and provide a comprehensive exploration of responses from the participants, an evaluation of findings, and a summary.
Trustworthiness/Validity and Reliability of the Data
Comment by Garrett Smiley: Requirements have been met.
Delete text highlighted as yellow, as it is incorrect and/or unnecessary.
Actually provide the steps taken by the researcher to reduce bias in the study (not what could have been or should have been done).
Checklist:
☐ For qualitative studies, clearly identify the means by which the trustworthiness of the data was established. Discuss credibility (e.g., triangulation, member checks), transferability (e.g., the extent to which the findings are generalizable to other situations), dependability (e.g., an in-depth description of the methodology and design to allow the study to be repeated), and confirmability (e.g., the steps to ensure the data and findings are not due to participant and/or researcher bias).
The trustworthiness of the qualitative data in research represents the study’s rigor, affirming that this study’s arguments are worth paying attention to. Credibility is the first component for exploring the trustworthiness of the data, executed through triangulation in this study (Korstjens & Moser, 2017). Transferability relates to the degree to which findings from qualitative research can be transferred to other settings or contexts with different respondents (Korstjens & Moser, 2017). About transferability, this element of the study entails generalizing the findings and implementation of the research to other contexts. Primarily, it is essential to acknowledge that this research implements the purposive sampling strategy, which is crucial in maximizing the specific data relative to the context of its collection, as well as considering the characteristics of the subjects of the study. As a result, it is possible to gather better and more precise insights from collecting the qualitative responses.
Notably, this research was conducted on a sample of small businesses with 19 or fewer employees that have experienced a cyber-attack within the past four years. Furthermore, the sample was selected from a population of small enterprises with low annual returns. Therefore, with this study-specific sample implemented in the research, it is possible to transfer these findings to other contexts to examine the impediments to implementing security controls against cyber-attacks in businesses. Consequently, the study findings from this research can be transferred to different contexts to solve ransomware-specific challenges to enhance the ability to prevent, detect and control security breaches.
The study’s dependability relates to the stability of the research findings or outcomes, entailing the assessment, interpretation, and recommendations of the results (Korstjens & Moser, 2017). The findings demonstrate a vital element of consistency based on the affirmations of the data audit. Furthermore, the qualitative research methodology, specifically narrative research, is integral to allowing the repetition of this study. This methodology enables a rich exploration of ransomware attacks as the phenomenon of interest, creating an opportunity to track unique events while illuminating the participant experience and countenancing replication. Furthermore, the case study research design allows exploration of the real-world subject of cyber-attacks, specific to small businesses, considering their limited resources to address the problem. Therefore, combining the qualitative methodology and case study design is fundamental to allowing a repeat of the study, confirming the dependability of the findings. Confirmability relates to the extent to which the research findings can be confirmed by other researchers (Korstjens & Moser, 2017).
It is essential to acknowledge that the outcomes and their interpretation in this study are explicitly obtained from the data and not the fabrications of the inquirer’s imagination. Primarily, two steps were completed to ensure the findings are not because of researcher or participant bias. First, the findings were verified using secondary sources such as peer-reviewed publications to confirm consistency with outcomes from other studies. Secondly, the outcomes were reviewed by peers or colleagues, who provided insights or opinions on whether the interpretation of the findings was correct.
Results
Comment by Garrett Smiley: Requirements have been met.
Provide a de-identified demographics table for the participants.
Delete the text highlighted in yellow.
Move the text highlighted in blue under its respective RQ section.
Checklist:
☐ Briefly discuss the overall study. Organize the presentation of the results by the research questions/hypotheses.
☐ Objectively report the results of the analysis without discussion, interpretation, or speculation.
☐ Provide an overview of the demographic information collected. It can be presented in a table. Ensure no potentially identifying information is reported.
Participants in this study represent small businesses or enterprises that have been hit by ransomware attacks within the last four years, with a significant proportion of the members in the study pointing out the lack of preparedness to counter these attacks. Notably, most businesses agree to have a ransomware awareness program in the institution but deny having a consistent training platform or program to hone employee skills in mitigating such attacks. One participant stated, “We usually have an awareness program for ransomware, but there are no formally established arrangements to ensure employees can prevent such attacks from occurring.” Additionally, over 50% of the participants confirm that their organizations do not have an updated organizational policy on ransomware prevention or robust firewalls. However, all participants confirm the presence of encryption plans such as passwords on the computers.
Participants agree that they are not fully prepared to curb ransomware due to the lack of standard organizational policies and inadequate training and awareness programs. Most of them confirm the problem of insufficient technical provisions, such as the lack of updated firewalls and the absence of spam filters. The participants point out barriers to preventing ransomware in their organizations as lack of adequate security awareness, inconsistent internal policy on ransomware prevention, insufficient encryption measures, lack of regular systems updates, and inadequate access management. For example, one representative pointed out, “In our organization, anyone can access the system provided they have the password since there are no managed admin rights that manage and control access to the network.” Furthermore, another participant confirmed that their firewalls are not up-to-date, and they can be disabled sometimes.
The participants confirm periodic security event log checks within their organizations. One of the participants stated, “I cannot remember the last time our organization audited the electronic logs within our system.” Another confirms that the log checks are popular in the organization but are not regularly completed. Over three-quarters of the participants do not remember their organizations conducting regular reviews on their electronic systems for the past year. “We do not have any available intrusion alert for unauthorized access to our systems, which could be a problem with the last year’s attack that went without being noticed,” one of the participants noted.
Most participants confirm the ineffectiveness of their systems in detecting malicious codes. They confirm that malicious codes can invade their systems and spread without being noticed on time or without being noticed at all. Furthermore, a substantial proportion, more than 50% of the participants, affirm that their networks are too weak to detect intrusions as they lack specific system administrators to monitor them. Only 10 percent of the study’s participants had intrusion detection systems (IDS).
Regarding automatic threat removal, a significant proportion of the participants confirm that these efforts are insufficient in their organization. At least 75 percent of the participants affirmed that their antivirus software was not sophisticated enough to remove the malicious codes after an attack. Notably, a significant proportion of the participants confirmed that some of the weaknesses they identified with their systems after a previous attack include a lack of apparent efforts to quarantine viruses, unclear continuity plans, and insufficient financial resources to aid the recovery from the attack. Some participants confirmed that they had just resumed their operations after the last attack disrupted them and could not pay the ransom.
There are no clear administrative policies regarding the plans to correct the ransomware attacks, among other significant inadequacies within the small businesses. For example, one of the participants stated, “Considering we are small in size, we lack adequate finances to pay a ransom and even standards to guide on the recovery phase.” A significant proportion of the participants confirmed that their institutions have limited finances and that their budget is relatively constrained to address the effects of ransomware attacks instantly.
Demographics Table for the Participants
Table 1
Participant Demographics
| Pseudonym | Gender | Age range (years) | Years of experience in current executive position | Years of experience in current organization |
|---|---|---|---|---|
| P1 | Female | 40 to 49 | 1 | 2.5 |
| P2 | Female | 30 to 39 | 2 | 2 |
| P3 | Female | 40 to 49 | 4 | 21 |
| P4 | Male | 40 to 49 | 3 | 6 |
| P5 | Female | 40 to 49 | 2 | 6 |
| P6 | Female | 50 to 59 | 1 | 20 |
| P7 | Female | 40 to 49 | 2 | 17 |
| P8 | Male | 20 to 29 | 3 | 9 |
| P9 | Female | 30 to 39 | 7 | 19 |
| P10 | Male | 50 to 59 | 11 | 13 |
| P11 | Male | 50 to 59 | 9 | 17 |
| P12 | Male | 30 to 39 | 8 | 11 |
| P13 | Male | 20 to 29 | 4 | 7 |
| P14 | Male | 50 to 59 | 13 | 15 |
| P15 | Male | 30 to 39 | 5 | 13 |
| P16 | Female | 20 to 29 | 4 | 4 |
| P17 | Female | 60 to 69 | 11 | 17 |
| P18 | Male | 30 to 39 | 3 | 7 |
| P19 | Male | 30 to 39 | 9 | 9 |
| P20 | Male | 20 to 29 | 10 | 16 |
| P21 | Male | 40 to 49 | 15 | 25 |
| P22 | Female | 20 to 29 | 5 | 9 |
| P23 | Male | 30 to 39 | 4 | 6 |
| P24 | Male | 40 to 49 | 12 | 18 |
| P25 | Female | 50 to 59 | 19 | 30 |
| P26 | Male | 20 to 29 | 6 | 5 |
| P27 | Female | 40 to 49 | 12 | 20 |
| P28 | Male | 30 to 39 | 10 | 16 |
| P29 | Male | 20 to 29 | 6 | 7 |
| P30 | Female | 30 to 39 | 5 | 12 |
Research Questions
Comment by Garrett Smiley: Requirements have been met (these comments apply to all RQ specific sections).
Add figures if possible to visually represent the results for each RQ.
Identify the participant numbers who actually contributed to a particular theme.
Add quotes from participants backing up each of the themes.
Clearly indicate the theme for each instrument question underneath its respective research question (A1-3 for RQ1, B1-3 for RQ2, & C1-4 for RQ3). Currently, you are just providing a broad theme for each research question and it is very thin.
Checklist:
☐ Report all the results (without discussion) salient to the research question/hypothesis. Identify common themes or patterns.
☐ Use tables and/or figures to report the results as appropriate.
☐ For qualitative studies, describe the steps taken to analyze the data to explain how the themes and categories were generated. Include thick descriptions of the participants’ experiences. Provide a comprehensive and coherent reconstruction of the information obtained from all the participants.
The narrative analysis in this qualitative research was completed by translating the responses from the questionnaire to abstract findings while establishing the core subtopics as per the participants’ experiences. First, the participant responses were processed in narrative blocks and assigned the same code for similar stories. Therefore, narrative blocks are established for similar experiences in different control categories, which form the subtopics or themes to answer the research questions. Thus, the themes derived from this research are the outcomes of experiences that converge from different participants and are further compared against other themes or structures from secondary research. Three major subtopics were derived from the narrative blocks for each research question: (RQ1) awareness and training, inconsistent internal standards, and inadequate technical capabilities; (RQ2) technical weaknesses, unauthorized access, and auditing logs; and (RQ3) limited resources, insufficient plans for threat removal, and inadequate continuity plans.
A1-3 Awareness and training
Regarding impediments to the ransomware-specific prevention controls, the participants confirm that there is a lack of knowledge among the employees and a lack of robust mechanisms to enhance awareness about ransomware attacks and preventive approaches. The participants do not record any form of regular or standard internal policy or training programs by the organizations to prevent attacks or improve cyber-security awareness. At least 28 of 30 participants (over 93%) confirmed the inadequacy of the internal efforts to enhance awareness. For example, P12 stated, “Our last attack in 2021 was due to poor access to training materials and little efforts by the management to ensure all teams are aware of the vulnerabilities.” Similar to this assertion, P24 stated, “Up to now, we are unaware of what to do not to be hit or when hit again.” “Lack of the right technical skills and awareness programs is our major problem, which makes us easy targets,” P18 stated. There was a collective inference by these participants that their organizations lack standard policies to enhance their understanding, and if such policies exist, they are ineffective.
A2 – Inconsistent internal standards
The participants acknowledge that most of their organizations lack consistent standards or policies to prevent cyber-attacks. Most respondents acknowledge the need for cybersecurity-specific policies in the digitization era, but their organizations lack such cyber-related standards, which they could rely upon as guidelines for prevention efforts. Notably, 80 percent (i.e., 24 of the 30 participants) agree that unclear workplace standards are hindrances to preventing cyber-attacks. For example, in response to the questionnaire, P13 states, “Although we are improving on the measures to prevent cyber-attacks, there are no specifically mentioned standards or internal policies on cybersecurity management.” In a consistent response, P26 emphasizes, “Our organization lacks specific procedures and guidelines for the employees to embrace in preventing cyber-attacks.” P6 states, “Our business is relatively small, and we lack manuals on cyber-attack prevention.” Thus, these participants agree on a common element: the lack of policies and guidelines in their business hinders their ability and knowledge of cyber-attack prevention.
A3 – Inadequate technical capabilities
This theme obtains 100% confirmation from all participants that their systems lack the technical power and capabilities to adequately prevent cyber-attacks. “I believe our systems are not up-to-date to prevent cyber-attacks from occurring, considering the sophisticated nature of cybersecurity threats,” P18 states. Similarly, P6 states, “We are equipped with modern technologies or digital tools for cybersecurity.” P4 emphasizes, “We are lagging in system complexity, and I believe our systems are unprepared to handle robust intrusion from the enemy.” The assertions by P18, P6, and P4 represent the consistent conclusions by other participants confirming that their systems are not strong enough to withstand advanced intrusion by cyber criminals.
B1-3 Technical weaknesses
The participants confirm technical weaknesses as core hindrances to security controls within their organizations. They confirm issues such as disabled firewalls and lack of regular systems updates, along with deficiencies such as weak encryptions, lack of spam filters, and uncontrolled access. Notably, 30 of the 30 participants (100% confirmation) associated their vulnerabilities and previous attacks with the technical weaknesses within their system. For example, P16 states, “Our systems do not have restrictions on the access, meaning any persons can use our computers provided they have a hand on them.” P21 stated, “We are not fully equipped with the systems for detecting and removing attacker’s code when dispatched into our system.” The responses by P16 and P21 conform to the responses of other participants, associating the lack of technical prowess with constant attacks and continued susceptibility to malicious invasions. Additionally, P13 stated, “The disabled firewalls and irregular system updates within our organization have made it impossible to detect malicious codes or prevent attacks from occurring.” The participants mutually confirmed weaknesses in the ability of their technical systems to detect invasion, monitor, and remove malicious codes.
B2 – Unauthorized access
A notable proportion of the respondents agree that unauthorized access to their systems is a major factor contributing to susceptibility to cyber-attacks. It is essential to acknowledge that 28 of the 30 participants emphasize a need for controlled access to the systems to detect intrusions from unapproved users who could corrupt the system. The responses to this realization are consistent among the respondents who confirm the need to control access to the system. For example, P10 states, “I recall many attacks in our organizations result from the unauthorized persons corrupting the systems.” P14 concludes, “The lack of access management and controls on people who enter our systems makes it hard for the IT team to identify an intruder from the legitimate users.” The assertions by P10 and P14 match the inferences by P7 that “Our systems have no limitation on who to access,” similar to the remarks by P29, “We lack restrictions on system access, where our computers can be intruded without anyone noticing.”
B3 – Auditing logs
The organizations’ failure to audit their logs is a major impediment to detecting intrusion or malicious attacks at the preliminary stages. Although this theme is ‘undermentioned’ by 7 of the 30 participants, it remains a clearly highlighted challenge to detecting malicious codes. For example, P17 states, “I believe our problem with the last attack was on log auditing. The attacker had accessed our systems for three months; had we been auditing the logins, we could have detected the intrusion and prevented the attacker from launching.” P4 states, “Our log audits are irregular, and we have no specific timeline for evaluating our system, and this could be a problem since a malicious code could be launched without anyone noticing.” “We conduct log audits, but it is not our culture since there are no consistent guidelines to audit access into our systems,” P30 emphasized. These responses represent a mutual confirmation from the team that ineffective assessment of the entries and exits into the system makes them vulnerable to malicious attacks.
C1-4 Limited resources
Financial resource limitation was a common element identified by all participants hindering the security controls within their organizations. For example, most participants confirmed that after past attacks, they could not resume functions due to the financial implications of the ransom paid to recover their data, or some could not afford to pay the ransom. The participants confirmed that some technical systems required to keep them safe from cyber-attacks are expensive and resource intensive. The firms affirm that they lack adequate resources, such as backup data systems and automated threat removers, to resume their processes instantly after an attack. At least 24 of 30 participants (80%) provided responses that align with this theme of limited resources as a primary impediment to preventing, detecting, and controlling ransomware attacks.
For example, P6 stated, “Inadequate financial resources to pay the ransom and resume uninterrupted functions is the largest challenge for our organization.” Similar to P6’s statement, P13 stated, “Our organizations are bound between a rock and a hard place in terms of finances. For example, during the last attack, we were forced to pay a ransom or hire services for system retrieval from external parties, whose outcomes are not always assured. We paid the ransom but went off the operations for three months.” P21 confirmed, “The lack of a backup system for enterprise data is a huge problem, which always takes firms to zero.” Generally, these participants confirmed that their enterprises are less endowed with high-quality and required resources to prevent, detect and control possible threats.
C2 – Insufficient plans for threat removal
The participants agree on the need for a plan to remove the threat from the system and implement strategies crucial to enhancing recovery from the aftermath of an attack. Notably, 11 of the 30 respondents agree that their organizations lack sufficient threat removal plans in case of a cyber-attack. P6 states, “We do not have specifically stipulated steps or guidelines on what to do in the event of a cyber-attack.” Similar to P6’s assertions, P20 states, “Although there are steps to mitigating further adverse outcomes after an invasion on the company, the guidelines are not specific to cybersecurity, such that most steps could not be practicable on incidents involving cyber-attacks.” “We lack the threat-specific quantitative surveys to assess the extent of the impacts of a cyber-attack,” P29 stated. These respondents provided consistent confirmation of the inadequacy of their plans to remove the threat.
C3 – Inadequate continuity plans
Notably, 20 of the 30 participants agree that they lack business continuity plans in the event of a cyber-attack. It is essential to acknowledge that although they recognize the essence of the continuity plans, most firms confirm the lack or ineffectiveness of their continuity plans to ensure quick and easy recovery from a cyber-attack. For example, P19 states, “Even if an attack took place today, we do not know where to start and the essential services to keep uninterrupted as we initiate recovery efforts.” Furthermore, P12 states, “Our organization lacks cybersecurity-specific steps for continuous monitoring and business impact analysis to mitigate the level of losses after a cyber-attack.” Similar to these assertions, P14 emphasizes, “I do not believe our resources and plans for recovery are sufficient to handle advanced effects of cyber-attacks. A massive attack can send us out of business.” These assertions by the respondents are consistent, confirming the inadequacy of the continuity plans to recover from an attack.
Evaluation of the Findings
RQ1. What are the impediments for the application of ransomware-specific preventative controls by small business owners?
Notably, the research outcomes are consistent with other studies on small-sized organizations’ impediments in implementing ransomware-specific preventive controls. It is essential to acknowledge that in this study, the participants confirm that major hindrances to preventing ransomware attacks relate to limited awareness of cybersecurity and lack of adequate training, including the absence of specific internal policies on cyber-security management. These findings are consistent with Patterson (2017), who confirms that employees in small businesses lack sufficient training to handle technology-related vulnerabilities. Similar to this study’s results, Hayes et al. (2012) identify limited knowledge or lack of awareness about malware and about approaches to protect the institution from attacks as a major impediment to preventive efforts. Besides, Grossman and Schortgen (2016), Saber (2016), Hutchings (2012), and Ursillo Jr. and Arnold (2021) draw inferences consistent with this study’s findings that the lack of standard policies on cyber-security renders small businesses vulnerable to attacks. Similar to other study findings, such as Cook (2017) and Hutchings (2012), weak technical systems, such as weak passwords and a lack of spam filters and robust firewalls, are major elements hindering ransomware prevention among small businesses. The findings relate to the elements of the routine activity theory, such as a suitable target, a suitable offender, and the absence of a guardian, representing these impediments to security as factors causing the ransomware attacks.
RQ2. What are the impediments for the application of ransomware-specific detective controls by small business owners?
Participants confirm that their organizations are less equipped to detect ransomware or malware invasions as they lack sophisticated solutions. Van and Code (2018) demonstrate that most cyber-criminals use highly sophisticated technologies in maneuvering into the systems. Similarly, the participants confirm the ineffectiveness of the detection systems due to the lack of adequate updates on the system and the absence of detection tools. Besides, these organizations lack intrusion alerts for unauthorized access, and there are no audits of electronic logs, which renders them vulnerable to attacks. These findings match the outcomes from other studies, such as Griffin Jr. (2021), who confirms that small businesses have limited resources, and Hayes et al. (2012), who affirm that the failure to implement advanced solutions renders small businesses unable to detect malware. Indeed, per the routine activity theory, for a crime to occur, there should be an absence of a capable guardian, such as poor detection measures that render small businesses suitable targets to offenders or cyber-criminals.
RQ3. What are the impediments for the application of ransomware-specific corrective controls by small business owners?
This study’s findings confirm several impediments related to corrective controls, such as ineffective threat removal, inadequate resources, and unclear recovery policies. For example, a participant states, “Considering we are small in size, we lack adequate finances to pay a ransom and even standards to guide the recovery phase.” These findings are consistent with the outcomes from other studies, such as Griffin Jr. (2021), that confirm small businesses are vulnerable to ransomware attacks due to the lack of sufficient recovery and continuity measures, including adequate resources to recover and aid a fast recovery. Furthermore, this study is consistent with the findings by Hayes et al. (2012), Cheng et al. (2017), and Connolly and Wall (2019) that lack of sufficient resources and finances is a major hindrance to the security controls capability of small businesses. Besides, these findings match elements of routine activity theory in that the occurrence of a crime relates to a firm’s inability to protect its systems, which renders small businesses vulnerable targets to cyber-criminals.
Summary
Chapter four (4) of this study provides a comprehensive account of the findings from the participants’ responses. The central focus of this section was to provide the results on the impediments to the application of ransomware-specific preventative, detective, and corrective controls by small business owners. Notably, to enhance the trustworthiness of the research findings, a triangulation was executed to confirm the credibility of the findings. Additionally, the transferability, dependability, and confirmability of the study findings were prioritized in this research. For the avoidance of research/participant bias in this study, the findings were reviewed by colleagues, and results were verified against secondary sources to ensure accuracy.
Furthermore, the results noted core impediments such as organizational unpreparedness, lack of working standards, non-standard monitoring of the systems, weak infrastructure, insufficient resources, and administrative weakness. Regarding the impediments to preventive controls, the lack of awareness and training, inconsistent internal standards, and inadequate technical capabilities are evident. Technical weaknesses, unauthorized access into the system, and failure to audit logs emerge as core impediments to detective controls. The limited resources, insufficient plans for threat removal, and inadequate continuity plans formed other parts of narrative blocks, revealing the impediments to corrective controls. Evaluation of results demonstrates that they are consistent with other studies and the theoretical framework, noting numerous impediments to implementing security controls. The findings conform to other studies acknowledging the challenges of preventative, detective, and corrective controls in the efforts to implement ransomware-specific solutions.
Chapter 5: Implications, Recommendations, and Conclusions
The problem to be addressed is that ransomware has continued to be a challenge to small businesses since its discovery two decades ago (Dhinnesh, 2020). The purpose of this qualitative case study is to understand better the impediments to the application of ransomware-specific preventative, detective, and corrective controls by small business owners. Exploring ransomware as a threat to small businesses is an eye-opener in light of modern and vast technological advancements. Besides, considering the current transition to the digitization era, characterized by increasing interconnectivity and enormous internet presence, businesses need to focus on the measures that alleviate their vulnerability to cybersecurity attacks, including ransomware attacks. Furthermore, it is essential to acknowledge that since small businesses are experiencing robust developments in innovation and automation, malicious attackers have also advanced their skills to sophisticated levels requiring robust security infrastructure. Notably, small enterprises are becoming critical targets of cyber-attacks, which cost them time, resources, reputation, and disruption of their operations. As a result, understanding the impediments to implementing ransomware-specific preventative, detective, and corrective controls would fundamentally alleviate their vulnerabilities to cyber-attacks.
With the qualitative research methodology and case study design, this paper derives an in-depth and comprehensive account of the impediments to ransomware-specific controls in small businesses or enterprises. The study results revealed that significant impediments to preventive controls include a lack of awareness and sufficient training, a lack of consistent internal standards on cyber-security, and technical incapability of the firm. Besides, the impediments to detective controls include technical weaknesses, lack of specific system access restrictions, and insufficient log audits. Furthermore, resource limitations or constraints, inadequate threat removal, and continuity plans are major impediments to corrective controls. However, this research experiences limitations of low reproducibility and estimation problems due to reliance on a small sample, impeding the generalizability.
The qualitative approach provides insights and information on the organization’s experiences with the cyber-attacks problem. Based on the selected cases, the study found that lack of awareness, inadequate personnel training, inconsistent internal policy on ransomware prevention, insufficient encryption measures, lack of regular systems updates, and inadequate access management impede preventive controls. The impediments to detective controls include periodic security event log checks, poor monitoring systems, and a lack of intrusion alert systems. In addition, the findings revealed insufficient efforts for automatic threat removal, a lack of antivirus software, and inadequate resources as impediments to corrective controls against ransomware attacks. However, the research experienced a time constraint with limited time for probing numerous cyber-attack experiences. The study findings are susceptible to participant bias, lacking statistical representativeness of the data. Furthermore, the findings of this study may not be generalizable to other settings, such as large organizations, considering that all results are derived from small-sized enterprises.
Chapter five (5) explores the study’s implications, including the conclusions or inferences drawn from the findings and their consequences on societal outcomes. The recommendations for practice and future research will also be part of this section, providing the background on the applicability of the findings and opportunities for other researchers to improve this study. Finally, the conclusion will give the take-home message of the research to enhance the literature or guide its application in practice.
Implications
Research Questions
RQ1. What are the impediments to the application of ransomware-specific preventative controls by small business owners?
The results from this study confirm that the impediments to preventive controls against ransomware attacks in small businesses include a lack of adequate training and awareness, technical challenges, and a lack of updated firewalls and spam filters. It is essential to acknowledge that the findings on this research question adequately address the problem and purpose of the study. For example, noting technical weaknesses and organization-related factors as hindrances to the preventive efforts against ransomware affirms the need for establishing multilevel solutions to cyber-attacks. As a result, the findings are salient to understanding the practical implementations of ransomware controls. Furthermore, this study contributes to the existing literature on the hindrances to prevention services against cyber-attacks, providing extensive knowledge to prevent attacks by supporting the personnel and internal organizational systems. These findings contribute to the further development of the routine activity theory and its theoretical framework. Thus, one can deduce that vulnerability to and occurrences of cyber-attacks/crimes is an interplay of individual and system-level weaknesses.
The interpretation of this study’s results is subject to numerous factors, including personal knowledge of technology and internet safety and expert information on cybersecurity. Thus, interpretations in this study are inferences drawn based on personal knowledge and reliance on expert guidance. However, it is essential to acknowledge that these study findings are consistent with the existing research and theory. This research reveals that hindrances to preventive efforts include insufficient training, technical weaknesses, and lack of awareness about cyber-security. Thus, organizations with limited attention to personnel training and cybersecurity awareness and those with weak technical infrastructures may be highly vulnerable to cyber-attacks. In addition, personnel seem not to know when they are exposed and what measures to adopt to prevent further cyber-attack exposure. Like these findings, other studies such as Grossman and Schortgen (2016), Saber (2016), Hayes et al. (2012), and Patterson (2017) acknowledge lack of knowledge and adequate training as leading factors heightening vulnerability to cyber-attacks.
Furthermore, this study confirms that weak technical systems, such as insufficient configurations and updates, are significant problems for small businesses. Hutchings (2012), Cook (2017), and Brewer (2016) provide consistent findings linking attacks to a lack of firewalls and regular updates, failed spam filters, non-configuration, etc. It is essential to acknowledge that there were no divergent findings between this study and previous studies on potential hindrances to preventive controls. However, the results on inadequate access management were an unexpected finding as most businesses lacked controls on access to the network. It is essential to acknowledge that this study forms a necessary background for the managers of small businesses to initiate training and awareness programs and strengthen their technical infrastructures through regular updates, configurations, etc. Besides, this research is a knowledge hub for small businesses and their personnel to understand their vulnerabilities in cyber-attacks such as ransomware.
RQ2. What are the impediments to the application of ransomware-specific detective controls by small business owners?
The findings acknowledge that some hindrances to detecting malware invasion or cyber-attacks are associated with irregular or lack of security event log checks, lack of intrusion alert systems, and specific system administrators to detect malicious invasions. The findings on impediments to the detective control of ransomware attacks adequately address the problem and the purpose and contribute to the previous literature and framework on the routine activity theory. Based on this study’s findings, cyber-attacks occur as an outcome of a failed system to detect threats or identify loopholes that heighten vulnerability. Thus, the impediments to detective controls appear to be organizational-level problems, requiring system-level interventions to address the issues. For example, the lack of regular log checks, intrusion alert systems, and system administrators to monitor internal occurrences, as identified in this research, constitute system problems translated to the failure to notice malicious codes.
The results of this study on detective controls address the problem and purpose of the research adequately, pinpointing critical factors that heighten the vulnerability of small businesses to cyber-attacks alongside the system inadequacies to detect malicious codes before the launch. For example, since the research problem focuses on the exposure of small businesses to ransomware, the findings of this study provide consistent outcomes such that more than 50% of the sample experienced ransomware and intrusion by malicious codes. Furthermore, the study’s results adequately confirm impediments to security controls, identifying system inefficiencies in detecting malicious codes, failure to manage access, and inadequate log checks. It is essential to confirm that the previous research on the hindrances to security controls is relatively non-specific and inadequate. Thus, the outcomes of this question contribute to the existing literature by providing specific evidence on detective controls. It is essential to acknowledge that these findings also endorse the routine activity theory, confirming the occurrence of crime as an outcome of the suitability of the target and the absence of care, making them vulnerable to attacks. Personal knowledge and expert opinions, alongside the external evidence, are core factors influencing the interpretation of these results.
Notably, the outcomes of this study are consistent with the existing research and theory, confirming the findings of other scholars. For example, this study showed that periodic log checks, lack of intrusion detection systems (IDS), and ease of access without being noticed were significant impediments to detective controls. These results are consistent with the outcomes from previous studies and support the theoretical framework. For example, these findings match the results by Griffin Jr. (2021) and Hayes et al. (2012) that small businesses lack the sophisticated strategies to monitor and detect malicious codes, similar to Saber (2016) that reliance on simple mechanisms heightens the permeability of the systems by hackers. Additionally, this study’s results are consistent with the routine activity theory, confirming that the occurrence of crime is an interplay of three factors: a potential offender, a suitable target, and the absence of a guardian (Tuttle, 2020). For instance, the inadequacy of the system to detect malicious codes and conduct log checks increases their vulnerability to potential hackers due to their ease of penetration and lack of care for the system in the organization.
These findings are salient to position small businesses to invest more resources in detective controls by sophisticating their technical infrastructure to monitor and detect malicious codes before they are executed. This dissertation will form a salient pathway to guide businesses to implement detective controls against potential malware to complicate the system permeability to cyber-criminals. Furthermore, this study and its findings would form a crucial tool to embrace cloud computing services, improving the businesses’ prowess to detect and inhibit malware, hence reducing the possible losses.
RQ3. What are the impediments to the application of ransomware-specific corrective controls by small business owners?
The results confirm the lack of sophisticated antivirus software to remove malware codes, making it hard to quarantine viruses. Besides, most small businesses lack specific continuity plans and sufficient financial resources to resume functions after an attack. Personal knowledge, reliance on expert opinions, and findings from other resources are core factors that influenced the interpretation of the study findings. Indeed, the results address the research problem and its purpose adequately. For example, this study confirms the previous assertions that small businesses lack adequate resources (i.e., financial and human resources) to respond to malware attacks.
Furthermore, insufficient efforts to quarantine viruses and promote continuity plans in small businesses are why most small businesses close their operations after a ransomware attack. To identify the impediments to corrective controls, this study adequately addresses this purpose, confirming the lack of administrative policies, financial constraints, and significant obstructions to correcting the effects of a ransomware attack. These findings will improve the existing infrastructure and theoretical framework by providing ransomware-specific corrective controls.
Notably, these findings are consistent with other studies such as Hayes et al. (2012), Griffin Jr. (2021), Connolly and Wall (2019), and Cheng et al. (2017) that small businesses lack the financial power to resume their functions immediately after an attack or recover the losses incurred in paying for the ransom. Similar to this study’s results, most small businesses lack sophisticated continuity plans and experience budgetary problems due to limited finances. Griffin Jr. (2021) confirms that due to unpreparedness and unavailability of recovery or continuity plans, small businesses halt their operations after a cyber-attack. Consistent with the assertions by Tuttle (2020) that crime occurs due to the interplay of factors, potential offender, a suitable target, and lack of care in the system, the study results assert that cyber-attacks arise and are maintained by the system inadequacies and organizational weaknesses such as limited resources. These results from this study and the dissertation findings were convergent in that most small businesses lack sufficient corrective controls such as financial resources, and business continuity plans, forcing them to halt their functions.
Therefore, this dissertation and its findings could be a crucial tool to guide businesses to establish measures to respond to and recover from malware attacks. Besides, this study provides a framework to enhance business continuity and prevent the possibility of halting operations and downtime. With sophisticated business continuity and recovery plans, businesses could resume their operations efficiently with clear information on where to begin after an attack.
Recommendations for Practice
The findings from this dissertation would be crucial in cybersecurity risk planning and management by identifying, assessing, and addressing cybersecurity risks, prioritizing them, and monitoring and establishing essential controls. For example, with the results confirming lack of awareness and adequate training as a problem impeding the preventive plans, it would be possible to establish crucial frameworks for risk management and improve technical infrastructure. This applicability is consistent with Hutchings (2012) and Ursillo Jr. and Arnold (2021), confirming the need for knowledge enhancement for system safety and alleviating vulnerability to cyber-attacks. Furthermore, this study would be fundamental in resource planning, ensuring efficient and effective use of resources and opportunity for mobilization. For example, the study findings confirm that inadequate resources and recovery plans for small businesses impede security controls. Thus, this study would guide businesses to assess their operations and vulnerability, identify available resources, prioritize functions, and locate resources, guiding a framework for an effective business continuity plan. This recommendation is consistent with the suggestions by Connolly and Wall (2019) to enhance preparedness and plan for potential disruption.
Recommendations for Future Research
The initial aim of the study was to explore the impediments to the application of the system controls. Based on the framework, findings, and implications of this study, future researchers must understand the role of technology and assess the complexities of small business operations as they heighten their vulnerability to cyber-attacks. For example, the study identifies technological advancements and inability to embrace these changes as the primary factors increasing exposure among small businesses to cyber-attacks. Thus, it would be possible to build on this study by expanding the scope of this research beyond the small businesses to explore the factors increasing the susceptibility of businesses in general. Indeed, a significant impediment to security controls in small businesses is the lack of resources (i.e., technical, human, and financial resources). However, it is essential to acknowledge that large organizations are vulnerable, too, regardless of their endowment with resources. Thus, future researchers might build on this study by exploring factors other than insufficient resources on the vulnerability of businesses to cyber-attacks.
Future researchers should consider probabilistic sampling techniques such as simple random sampling to avoid the problem of selection bias in this study, where the sample was obtained using purposive sampling. Furthermore, a representative sample from a probabilistic sampling design would enhance the generalizability of the findings. Additionally, adequate scheduling of activities is a fundamental approach to mitigating the time constraint to ensure all sections are completed within the stipulated time. Finally, in line with this research on the impediments to the application of ransomware-specific security controls, future researchers should consider a two-group design with both large and small-size businesses to identify the homogeneity and heterogeneity of these hindrances by firm size.
Conclusions
This study on the impediments to the application of ransomware-specific security controls acknowledges the interplay of individual and system-level factors in the vulnerability of small businesses to cyber-attacks. The study pinpoints ransomware attacks on small businesses as significant causes of failure and hindrances to growth. Thus, identifying the impediments to preventative, detective, and corrective controls reveals that cyber-attacks result from (RQ1) lack of awareness and training, inconsistent internal standards, and inadequate technical capabilities; (RQ2) technical weaknesses, unauthorized access, and failure to audit logs; and (RQ3) limited resources, insufficient plans for threat removal, and inadequate continuity plans.
It is essential to acknowledge that this study is integral to the literature expansion, providing specific impediments and potential frameworks for resolving cybersecurity issues at the organizational level. Concerning previous and applied studies, the increased incidence of cybercrime and attacks on businesses is an interplay of factors that make them inadequate to prevent and mitigate the sophisticated intrusion by cyber criminals. Thus, to solve the cyber-attack problem, vast resource mobilization and robust planning are integral to strengthening the technical, human, and financial resources for preventive, detective, and corrective purposes.
References
Azmi, R., Tibben, W., & Win, K. T. (2018). Review of cybersecurity frameworks: Context and shared concepts. Journal of Cyber Policy, 3(2), 258-283. https://doi.org/10.1080/23738871.2018.1520271
Beaman, C., Barkworth, A., Akande, T. D., Hakak, S., & Khan, M. K. (2021). Ransomware: Recent advances, analysis, challenges and future research directions. Computers & Security, 111, 102490. https://doi.org/10.1016/j.cose.2021.102490
Bergmann, M. C., Dreißigacker, A., Von Skarczinski, B., & Wollinger, G. R. (2018). Cyber-dependent crime victimization: The same risk for everyone? Cyberpsychology, Behavior, and Social Networking, 21(2), 84-90. https://doi.org/10.1089/cyber.2016.0727
Berry, C. T., & Berry, R. L. (2018). An initial assessment of small business risk management approaches for cyber security threats. International Journal of Business Continuity and Risk Management, 8(1), 1. https://doi.org/10.1504/ijbcrm.2018.10011667
Brady, P. Q., Randa, R., & Reyns, B. W. (2016). From WWII to the world wide web: A research note on social changes, online “places,” and a new online activity ratio for routine activity theory. Journal of Contemporary Criminal Justice, 32(2), 129-147. https://doi.org/10.1177/1043986215621377
Brewer, R. (2016). Ransomware attacks: Detection, prevention and cure. Network Security, 2016(9), 5-9. https://doi.org/10.1016/s1353-4858(16)30086-1
Cawley, C. (2016). A history of Ransomware: Where it started & where it’s going. http://www.makeuseof.com/tag/history-ransomware-russia-reveton/
Chen, J. (2016). Cyber security: Bull’s-eye on small businesses. Journal of International Business and Law, 16(1), 97-118. https://scholarlycommons.law.hofstra.edu/cgi/viewcontent.cgi?article=1309&context=jibl
Cheng, L., Liu, F., & Yao, D. D. (2017). Enterprise data breach: Causes, challenges, prevention, and future directions. Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery, 7(5), e1211. https://doi.org/10.1002/widm.1211
Cohen, L. E., & Felson, M. (1979). Social change and crime rate trends: A routine activity approach. American Sociological Review, 44(4), 588-608. https://doi.org/10.2307/2094589
Connolly, L. Y., & Wall, D. S. (2019). The rise of crypto-ransomware in a changing cybercrime landscape: Taxonomising countermeasures. Computers & Security, 87, 101568. https://doi.org/10.1016/j.cose.2019.101568
Connolly, L. Y., Wall, D. S., Lang, M., & Oddson, B. (2020). An empirical study of ransomware attacks on organizations: An assessment of severity and salient factors affecting vulnerability. Journal of Cybersecurity, 6(1). https://doi.org/10.1093/cybsec/tyaa023
Cook, K. D. (2017). Effective cyber security strategies for small businesses (Doctoral dissertation, Walden University).
de Melo, S. N., Pereira, D. V., Andresen, M. A., & Matias, L. F. (2018). Spatial/temporal variations of crime: A routine activity theory perspective. International Journal of Offender Therapy and Comparative Criminology, 62(7), 1967-1991.
Dhinnesh, N. (2020). Analysis of ransomware and its prevention. Global Research and Development Journal For Engineering, 5(3), 1-4.
Edamadaka, G., Chowdary S., Sobhana, M., & Santhi, T. (2020). A Comparative Study On Cyber Security Techniques Using Machine Learning. PalArch’s Journal of Archaeology of Egypt/Egyptology, 17(9), 8682-8687.
Fagioli, A. (2019). Zero-day recovery: The key to mitigating the ransomware threat. Computer Fraud & Security, 2019(1), 6-9. https://doi.org/10.1016/s1361-3723(19)30006-5
Flick, U. (2018). An introduction to qualitative research. SAGE.
Gasu, D. K. (2020). Threat detection in cyber security using data mining and machine learning techniques. Modern Theories and Practices for Cyber Ethics and Security Compliance, 234-253. https://doi.org/10.4018/978-1-7998-3149-5.ch015
Griffin Jr., J. (2021, November 17). Ransomware leaves small businesses vulnerable, not defenseless. Forbes. https://www.forbes.com/sites/forbesbusinesscouncil/2021/11/17/ransomware-leaves-small-businesses-vulnerable-not-defenseless/?sh=e6b85374d9d5
Grossman, M., & Schortgen, F. (2016). Building a national security program at a small school: Identifying opportunities and overcoming challenges. Journal of Political Science Education, 12(3), 318-334. https://doi.org/10.1080/15512169.2015.1103653
Hampton, N., Baig, Z., & Zeadally, S. (2018). Ransomware behavioural analysis on Windows platforms. Journal of Information Security and Applications, 40, 44-51. https://doi.org/10.1016/j.jisa.2018.02.008
Hayes, T., Tanner, M., & Schmidt, G. (2012). Computer security threats: Small business professionals’ confidence in their knowledge of common computer threats. Advances in Business Research, 3(1), 107-112.
Hennink, M., Hutter, I., & Bailey, A. (2020). Qualitative research methods. SAGE.
Hernandez-Castro, J., Cartwright, A., & Cartwright, E. (2020). An economic analysis of ransomware and its welfare consequences. Royal Society Open Science, 7(3), 190023. https://doi.org/10.1098/rsos.190023
Holt, T. J., Leukfeldt, R., & van de Weijer, S. (2020). An examination of motivation and routine activity theory to account for cyberattacks against Dutch web sites. Criminal Justice and Behavior, 47(4), 487-505.
Humayun, M., Jhanjhi, N., Alsayat, A., & Ponnusamy, V. (2021). Internet of things and ransomware: Evolution, mitigation and prevention. Egyptian Informatics Journal, 22(1), 105-117. https://doi.org/10.1016/j.eij.2020.05.003
Hutchings, A. (2012). Computer security threats faced by small businesses in Australia. Trends and issues in crime and criminal justice, (433), 1-6.
Iovan, S., & Iovan, A. A. (2016). From cyber threats to cyber-crime. Journal of Information Systems & Operations Management, 425. https://www.rebe.rau.ro/RePEc/rau/jisomg/WI16/JISOM-WI16-A15
Jasper, S. E. (2016). U.S. cyber threat intelligence sharing frameworks. International Journal of Intelligence and CounterIntelligence, 30(1), 53-65. https://doi.org/10.1080/08850607.2016.1230701
Juma’h, A. H., & Alnsour, Y. (2020). The effect of data breaches on company performance. International Journal of Accounting & Information Management, 28(2), 275-301. https://doi.org/10.1108/ijaim-01-2019-0006
Kalaimannan, E., John, S. K., DuBose, T., & Pinto, A. (2016). Influences on ransomware’s evolution and predictions for the future challenges. Journal of Cyber Security Technology, 1(1), 23-31. https://doi.org/10.1080/23742917.2016.1252191
Kapoor, A., Gupta, A., Gupta, R., Tanwar, S., Sharma, G., & Davidson, I. E. (2021). Ransomware detection, avoidance, and mitigation scheme: A review and future directions. Sustainability, 14(1), 8. https://doi.org/10.3390/su14010008
Kigerl, A. (2011). Routine activity theory and the determinants of high cybercrime countries. Social Science Computer Review, 30(4), 470-486. https://doi.org/10.1177/0894439311422689
Knutson, T. (2021, July 27). Small businesses bearing brunt of ransomware attacks, Senate told. Forbes. https://www.forbes.com/sites/tedknutson/2021/07/27/small-businesses-bearing-brunt-of-ransomware-attacks-senate-told/
Korstjens, I., & Moser, A. (2017). Series: Practical Guidance to Qualitative research. Part 4: Trustworthiness and Publishing. European Journal of General Practice, 24(1), 120–124. https://doi.org/10.1080/13814788.2017.1375092
Lee, J. K., Moon, S. Y., & Park, J. H. (2016). CloudRPS: A cloud analysis based enhanced ransomware prevention system. The Journal of Supercomputing, 73(7), 3065-3084. https://doi.org/10.1007/s11227-016-1825-5
Leukfeldt, E. R., & Yar, M. (2016). Applying routine activity theory to cybercrime: A theoretical and empirical analysis. Deviant Behavior, 37(3), 263-280. https://doi.org/10.1080/01639625.2015.1012409
Li, Y., & Liu, Q. (2021). A comprehensive review study of cyber-attacks and cyber security; Emerging trends and recent developments. Energy Reports, 7, 8176-8186. https://doi.org/10.1016/j.egyr.2021.08.126
Malecki, F. (2019). Best practices for preventing and recovering from a ransomware attack. Computer Fraud & Security, 2019(3), 8-10.
Mansfield-Devine, S. (2016). Ransomware: Taking businesses hostage. Network Security, 2016(10), 8-17. https://doi.org/10.1016/s1353-4858(16)30096-4
Maurya, A., Kumar, N., Agrawal, A., & Khan, R. A. (2018). Ransomware evolution, target and safety measures. International Journal of Computer Sciences and Engineering, 6(1), 80-85. https://doi.org/10.26438/ijcse/v6i1.8085
Miró, F. (2014). Routine activity theory. The Encyclopedia of Theoretical Criminology, 1-7. https://doi.org/10.1002/9781118517390.wbetc198
Moore, C. (2016). Detecting ransomware with honeypot techniques. 2016 Cybersecurity and Cyberforensics Conference (CCC), 77-81. https://doi.org/10.1109/ccc.2016.14
Muslim, A. K., Mohd Dzulkifli, D. Z., Nadhim, M. H., & Abdellah, R. H. (2019). A study of ransomware attacks: Evolution and prevention. Journal of Social Transformation and Regional Development, 1(1), 18-25. https://doi.org/10.30880/jstard.2019.01.01.003
Nobles, C. (2018). Botching human factors in cybersecurity in business organizations. HOLISTICA – Journal of Business and Public Administration, 9(3), 71-88. https://doi.org/10.2478/hjbpa-2018-0024
Paek, S. Y., & Nalla, M. K. (2015). The relationship between receiving phishing attempt and identity theft victimization in South Korea. International Journal of Law, Crime and Justice, 43(4), 626-642. https://doi.org/10.1016/j.ijlcj.2015.02.003
Pandey, A. K., Tripathi, A., Alenezi, M., Agrawal, A., Kumar, R., & Ahmad, R. (2020). A framework for producing effective and efficient secure code through malware analysis. International Journal of Advanced Computer Science and Applications, 11(2). https://doi.org/10.14569/ijacsa.2020.0110263
Patterson, J. (2017). Cyber-security policy decisions in small businesses (Doctoral dissertation, Walden University). https://scholarworks.waldenu.edu/cgi/viewcontent.cgi?article=5655&context=dissertations
Pope, J. (2016). Ransomware: Minimizing the risks. Innovations in clinical neuroscience, 13(11-12), 37. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5300711/
Poudyal, S., & Dasgupta, D. (2021). Analysis of crypto-ransomware using ML-based multi-level profiling. IEEE Access, 9, 122532-122547. https://doi.org/10.1109/ACCESS.2021.3109260
Pratt, T. C., & Turanovic, J. J. (2016). Lifestyle and routine activity theories revisited: The importance of “Risk” to the study of victimization. Victims & Offenders, 11(3), 335-354. https://doi.org/10.1080/15564886.2015.1057351
Raghavan, K., Desai, M. S., & Rajkumar, P. V. (2017). Managing cybersecurity and ecommerce risks in small businesses. Journal of management science and business intelligence, 2(1), 9-15. http://ibii-us.org/Journals/JMSBI/V2N1/Publish/V2N1_2
Rashid, Y., Rashid, A., Warraich, M. A., Sabir, S. S., & Waseem, A. (2019). Case study method: A step-by-step guide for business researchers. International Journal of Qualitative Methods, 18. https://doi.org/10.1177/1609406919862424
Reshmi, T. (2021). Information security breaches due to ransomware attacks – a systematic literature review. International Journal of Information Management Data Insights, 1(2), 100013. https://doi.org/10.1016/j.jjimei.2021.100013
Reyns, B. W. (2017). Routine activity theory and cybercrime. Technocrime and Criminological Theory, 35-54. https://doi.org/10.4324/9781315117249-3
Reyns, B. W., & Henson, B. (2015). The thief with a thousand faces and the victim with none. International Journal of Offender Therapy and Comparative Criminology, 60(10), 1119-1139. https://doi.org/10.1177/0306624x15572861
Richardson, R., & North, M. M. (2017). Ransomware: Evolution, mitigation and prevention. International Management Review, 13(1), 10. https://digitalcommons.kennesaw.edu/cgi/viewcontent.cgi?article=5312&context=facpubs
Ronquillo, J. G., Erik Winterholler, J., Cwikla, K., Szymanski, R., & Levy, C. (2018). Health IT, hacking, and cybersecurity: National trends in data breaches of protected health information. JAMIA Open, 1(1), 15-19. https://doi.org/10.1093/jamiaopen/ooy019
Saber, J. A. (2016). Determining small business cybersecurity strategies to prevent data breaches (Doctoral dissertation, Walden University). https://scholarworks.waldenu.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=6270&context=dissertations
Satter, R. (2021, July 5). Up to 1,500 businesses affected by ransomware attack, U.S. firm’s CEO says. Reuters. https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/
Schiappa, D. (2021, July 14). With ransomware costs on the rise, organizations must be more proactive. Forbes. https://www.forbes.com/sites/forbestechcouncil/2021/07/13/with-ransomware-costs-on-the-rise-organizations-must-be-more-proactive/#:~:text=Individual%20ransomware%20attacks%20are%20getting%20costlier.&text
Security Magazine. (2021, August 17). More than a third of organizations have experienced a ransomware attack or breach. https://www.securitymagazine.com/articles/95885-more-than-a-third-of-organizations-have-experienced-a-ransomware-attack-or-breach
Segura, J. (2016). Citadel: A cyber-criminal’s ultimate weapon? https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimateweapon/
Shackelford, S. J. (2016). Business and cyber peace: We need you! Business Horizons. http://dx.doi.org/10.1016/j.bushor.2016.03.015
Sharton, B. R. (2021, May 20). Ransomware attacks are spiking. Is your company prepared? Harvard Business Review. https://hbr.org/2021/05/ransomware-attacks-are-spiking-is-your-company-prepared
Sim, J., Saunders, B., Waterfield, J., & Kingstone, T. (2018). Can sample size in qualitative research be determined a priori? International Journal of Social Research Methodology, 21(5), 619-634. https://doi.org/10.1080/13645579.2018.1454643
Simon, R. (2015, April 15). ‘Ransomware’ a growing threat to small businesses. WSJ. https://www.wsj.com/articles/ransomware-a-growing-threat-to-small-businesses-1429127403
Singh, H., & Sittig, D. (2016). A socio-technical approach to preventing, mitigating, and recovering from ransomware attacks. Applied Clinical Informatics, 07(02), 624-632. https://doi.org/10.4338/aci-2016-04-soa-0064
Sjouwerman, S. (2015). A short history & evolution of Ransomware. https://blog.knowbe4.com/a-short-history-evolution-of-ransomware
Strauss, S. (2017, February 20). Cyber threat is huge for small businesses. USA TODAY. https://www.usatoday.com/story/money/columnist/strauss/2017/10/20/cyber-threat-huge-small-businesses/782716001/
Szücs, V., Arányi, G., & Dávid, Á. (2021). Introduction of the ARDS—anti-ransomware defense system model—Based on the systematic review of worldwide ransomware attacks. Applied Sciences, 11(13), 6070. https://doi.org/10.3390/app11136070
Tam, T., Rao, A., & Hall, J. (2021). The good, the bad and the missing: A narrative review of cyber-security implications for Australian small businesses. Computers & Security, 109, 102385. https://doi.org/10.1016/j.cose.2021.102385
Taneja, S., Pryor, M. G., & Hayek, M. (2016). Leaping innovation barriers to small business longevity. Journal of Business Strategy, 37(3), 44-51. https://doi.org/10.1108/jbs-12-2014-0145
Thomas, J. E., & Galligher, G. C. (2018). Improving backup system evaluations in information security risk assessments to combat ransomware. Computer and Information Science, 11(1), 14-25. https://doi.org/10.5539/cis.v11n1p14
Tischer, M., Durumeric, Z., Foster, S., Duan, S., Mori, A., Bursztein, E., & Bailey, M. (2016). Users really do plug in USB drives they find. 2016 IEEE Symposium on Security and Privacy (SP), 306–319. https://doi.org/10.1109/sp.2016.26
Trautman, L. J., & Ormerod, P. (2018). WannaCry, ransomware, and the emerging threat to corporations. Tennessee Law Review, 86, 503. https://doi.org/10.2139/ssrn.3238293
Tuttle, W. J. (2020). Effective Strategies Small Business Leaders Use to Address Ransomware (Doctoral dissertation, Walden University).
U.S. Securities and Exchange Commission. (2015, October 19). The need for greater focus on the cybersecurity challenges facing small and midsize businesses. SEC.gov. https://www.sec.gov/news/statement/cybersecurity-challenges-for-small-midsize-businesses.html
Udofot, M., & Topchyan, R. (2020). Factors related to small business cyber-attack protection in the United States. International Journal of Cyber-Security and Digital Forensics, 9(1), 12-25. https://doi.org/10.17781/p002644
Ursillo Jr., S., & Arnold, C. (2021, February 1). Cybersecurity is critical for all organizations – Large and small. IFAC. https://www.ifac.org/knowledge-gateway/preparing-future-ready-professionals/discussion/cybersecurity-critical-all-organizations-large-and-small
Van, R., & Code, A. L. (2018). Online vulnerabilities facing small businesses today. Governance Directions, 70(10), 648-651. https://kottgunn.com.au/wp-content/uploads/2018/10/Governance-Directions-November-2018-Online-vulnerabilities-facing-small-business-today
Virtue, T., & Rainey, J. (2015). Information risk assessment. HCISPP Study Guide, 131-166. https://doi.org/10.1016/b978-0-12-802043-2.00006-9
Williams, C., Donaldson, S., & Siegel, S. (2020). Cyberdefense Concepts. In Building an Effective Security Program (pp. 55-79). De Gruyter.
Young, A., & Yung, M. (2017). Cryptovirology: The birth, neglect, and explosion of ransomware. Communications of the ACM, 60(7), 24-26. https://doi.org/10.1145/3097347
Appendix A: Instrument
Questionnaire
General Questions
1. Size of the Organization (Number of Employees)
2. Number of Attacks for the last 4 years
Specific Questions
A) Impediments to Preventive Controls
1. What preventive measures is your organization adopting against ransomware?
2. How would you describe your organization’s preparedness to curb ransomware?
3. What are the physical, administrative and technical barriers to ransomware prevention in your organization?
B) Impediments to Detective Controls
1. How would you describe your organization’s security event log checking?
2. What are the weaknesses of your systems in detecting network intrusion?
3. How would you describe the effectiveness and weaknesses of your system in detecting malicious codes?
C) Impediments to Corrective Controls
1. How do you define the firm’s effectiveness in adopting automatic threat removal?
2. After your previous attack, what weaknesses did you identify regarding correcting the problem?
3. What are the inadequacies of your organization’s recovery plans?
4. What measures is the firm considering to prohibit future attacks?
Appendix B: Informed Consent
Introduction
My name is Rahkon Ross, and I am a doctoral student at Northcentral University (NCU). The name of this research study is “The Ongoing Threat of Ransomware to Small Businesses: A Qualitative Case Study on the Impediments to the Application of Preventative, Detective, and Corrective Controls.” I am seeking your consent to take part in this study.
Please read this document to learn more about this study and decide if you would like to take part. Your participation is completely voluntary, and I will address your questions or concerns at any point before or during the study.
Eligibility
You may take part in this research if you meet all the following criteria:
1. You are age 18 or older
2. You currently own or run a small to medium business found in the United States.
3. You have experienced at least one malware attack in your business.
I hope to include 30 people in this research.
Activities
If you decide to take part in this study, you will be asked to do the following activities:
1. Complete an online survey to be conducted on Surveymonkey.com [for 45 minutes].
During these activities, you will be asked questions about:
· What are the impediments for the application of ransomware-specific preventative controls by small business owners?
· What are the impediments for the application of ransomware-specific detective controls by small business owners?
· What are the impediments for the application of ransomware-specific corrective controls by small business owners?
All activities and questions are optional: you may skip any part of this study that you do not wish to complete and may stop at any time.
If you need to complete the activities above in a different way than I have described, please let me know, and I will try to make other arrangements.
Risks
There are no foreseeable risks or discomforts associated with this study. You can still skip any question you do not wish to answer, skip any activity, or stop participation at any time.
Benefits
If you take part, there are no direct benefits to you. This research may increase the body of knowledge in the subject area of this study.
Privacy and Data Protection
I will take reasonable measures to protect the security of all your personal information, but I cannot guarantee the confidentiality of your research data. In addition to me, the following people and offices will have access to your data:
· My NCU dissertation committee and any NCU support or leadership staff
· The NCU Institutional Review Board
This data could be used for future research studies or distributed to other investigators for future research studies without added informed consent from you or your legally authorized representative.
I will securely store your data for 3 years. Then, I will remove electronic data and destroy paper data.
How the Results Will Be Used
I will publish the results in my dissertation. I may also share the results in a presentation or publication. Participants will not be named in the results.
Contact Information
If you have questions, you can contact me at: r.ross6677@o365.ncu.edu.
My dissertation chair’s name is Dr. Garrett Smiley. They work at Northcentral University and are supervising me on the research. You can contact them at: gsmiley@ncu.edu.
If you have questions about your rights in the research or if a problem or injury has occurred during your participation, please contact the NCU Institutional Review Board at irb@ncu.edu or 1-888-327-2877 ext 8014.
Voluntary Participation
If you decide not to take part, or if you stop participation after you start, there will be no penalty to you: you will not lose any benefit to which you are otherwise entitled.