A Bayesian Network-Driven Zero Trust Model for Cyber Risk Quantification in Small-Medium Businesses

TL;DR

This paper presents a Bayesian network-based predictive model to evaluate the feasibility and effectiveness of Zero Trust Architecture in reducing cyber risks for small and medium businesses, considering their unique constraints.

Contribution

It introduces an integrated Bayesian model specifically tailored to SMBs, assessing ZTA adoption likelihood and its impact on cyber risk mitigation.

Findings

The model predicts risk levels with ZTA implementation.

It quantifies uncertainty in ZTA's effectiveness for SMBs.

Provides insights for practitioners on ZTA feasibility.

Abstract

Small-Medium Businesses (SMBs) are essential to global economies yet remain highly vulnerable to cyberattacks due to limited budgets, inadequate cybersecurity expertise, and underestimation of cyber risks. Their increasing reliance on digital infrastructures has expanded their attack surfaces, exposing them to sophisticated and evolving threats. Consequently, implementing proactive, adaptive security measures has become imperative. This research investigates the effectiveness of Zero Trust Architecture (ZTA) as a sustainable cybersecurity solution tailored to SMBs. While ZTA adoption has been examined broadly, the specific financial, organizational, and capability constraints of SMBs remain underexplored. This study develops an integrated predictive model to assess both the feasibility and risk-mitigation potential of ZTA implementation. The model consists of two sub-models. The first sub-model evaluates the probability of successful ZTA adoption considering implied barriers, and the second tests the effectiveness of ZTA in responding to prevalent cyberattacks. The integrated model predicts the risk level in the presence of ZTA and quantifies the uncertainty of the extent to which ZTA can enhance SMBs' cyber resilience, contributing novel insights for practitioners and stakeholders seeking to enhance compliance with policies, risk, and governance activities in SMBs.