The HORM Diagramming Tool: A Domain-Specific Modelling Tool for SME Cybersecurity Awareness

Abstract

Improving security posture while addressing human errors made by employees are among the most challenging tasks for SMEs concerning cybersecurity risk management. To facilitate these measures, a domain-specific modelling tool for visualising cybersecurity-related user journeys, called the HORM Diagramming Tool (HORM-DT), is introduced. By visualising SMEs’ cybersecurity practices, HORM-DT aims to raise their cybersecurity awareness by highlighting the related gaps, thereby ultimately informing new or updated cyber-risk strategies. HORM-DT’s target group consists of SMEs’ employees with various areas of technical expertise and different backgrounds. The tool was developed as part of the Human and Organisational Risk Modelling (HORM) framework, and the underlying formalism is based on the Customer Journey Modelling Language (CJML) as extended by elements of the CORAS language to cover cybersecurity-related user journeys. HORM-DT is a fork of the open-source Diagrams.net software, which was modified to facilitate the creation of cybersecurity-related diagrams. To evaluate the tool, a usability study following a within-subject design was conducted with 29 participants. HORM-DT achieved a satisfactory system usability scale score of 80.69, and no statistically significant differences were found between participants with diverse diagramming tool experience. The tool’s usability was also praised by participants, although there were negative comments regarding its functionality of connecting elements with lines.