Assessment of Financial Risks Arising from Cybersecurity Threats in a Small IT Company
Ketene, Batuhan (2025)
2025
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:amk-2025121235336
https://urn.fi/URN:NBN:fi:amk-2025121235336
Tiivistelmä
The objective of this thesis is to identify, analyze and mitigate financial risks that are caused by cybersecurity threats in small information technology company. By developing a practical and lightweight approach, this thesis aims to better understand the cause and effect relation between financial risks and cyber threats using Company X as a case company. The knowledge base derives from risk management guidelines and operational realities of small IT businesses. This thesis applies qualitative and developmental methods such as a document analysis, a targeted literature search to build the theoretical framework, a semi structured interview with the Company X, a brainstorming session, and a SWOT analysis.
The first step was to do a risk assessment that focused on cybersecurity to identify and look at threats that could cause financial instability in a small SaaS company. Identified risk were evaluated using a simple scoring model that uses likelihood and impact parameter and summarized the risks in a prioritization matrix. The assessment considered the current controls and pointed out important gaps that affect data protection, cloud configuration, the software supply chain, third party dependencies, human error and social engineering, incident response readiness, regulatory compliance, and customer trust after an incident.
Based on the results, the thesis suggests a short list of treatment strategies that can be quickly put into action in a setting with limited resources. A total of five proposals are given top priority because they will have the biggest effect with minimal resource cost to put into action. These are quarterly tabletop exercises with a one page communication playbook, enabling cloud guardrails and monthly access reviews, a simple component inventory with automated dependency alerts, continuous security awareness with a no blame reporting culture, and a prepared “customer trust pack” for clear communication after an incident.
The thesis delivers actionable strategies that a small IT startup can use to strengthen financial resilience against possible cyber incidents. The purpose of this thesis is to help companies like Company X to understand the financial risks related to cyber threats. Strategic planning and flexibility are essential, as competitive advantage will favor teams that adapt quickly while preserving customer trust.
The first step was to do a risk assessment that focused on cybersecurity to identify and look at threats that could cause financial instability in a small SaaS company. Identified risk were evaluated using a simple scoring model that uses likelihood and impact parameter and summarized the risks in a prioritization matrix. The assessment considered the current controls and pointed out important gaps that affect data protection, cloud configuration, the software supply chain, third party dependencies, human error and social engineering, incident response readiness, regulatory compliance, and customer trust after an incident.
Based on the results, the thesis suggests a short list of treatment strategies that can be quickly put into action in a setting with limited resources. A total of five proposals are given top priority because they will have the biggest effect with minimal resource cost to put into action. These are quarterly tabletop exercises with a one page communication playbook, enabling cloud guardrails and monthly access reviews, a simple component inventory with automated dependency alerts, continuous security awareness with a no blame reporting culture, and a prepared “customer trust pack” for clear communication after an incident.
The thesis delivers actionable strategies that a small IT startup can use to strengthen financial resilience against possible cyber incidents. The purpose of this thesis is to help companies like Company X to understand the financial risks related to cyber threats. Strategic planning and flexibility are essential, as competitive advantage will favor teams that adapt quickly while preserving customer trust.