Information systems security issues and decisions for small businesses: An empirical examination

Atul Gupta, Rex Hammond

Information Management & Computer Security

Downloaded by University of Manchester At 19:59 13 September 2017 (PT)

Article information. To cite this document: Atul Gupta, Rex Hammond, (2005) "Information systems security issues and decisions for small businesses: An empirical examination", Information Management & Computer Security, Vol. 13 Issue: 4, pp. 297-310, https://doi.org/10.1108/09685220510614425. Permanent link to this document: https://doi.org/10.1108/09685220510614425. References: this document contains references to 21 other documents.


Information systems security issues and decisions for small businesses
An empirical examination

Atul Gupta
School of Business and Economics, Lynchburg College, Lynchburg, Virginia, USA, and

IS security issues and decisions

Received December 2003; revised November 2004

Rex Hammond
Lynchburg Regional Chamber of Commerce, Lynchburg, Virginia, USA

Abstract

Purpose – The objective of this study is to gather information about information technology (IT) related security issues in small firms in both manufacturing and service.

Design/methodology/approach – Despite its widely acknowledged importance, the academic research in the area of information systems security issues for small businesses is almost negligible. To fill this gap, a questionnaire was mailed to 1,000 small business owners in Lynchburg, Virginia, USA, and 138 valid responses were received.

Findings – The results of this study indicate that the small business owners may have procedures and policies in place and may use technologies to counteract the security threat, but this research raised doubts about their effectiveness.

Originality/value – The data collected through this research will help small business organizations in planning, training, and exploitation of IT.

Keywords Small enterprises, Communications technologies, Information systems, Data security

Paper type Research paper

Introduction

Global proliferation of the internet, falling computer prices and a growing menu of applications are compelling businesses of every size to rely on computers to store, manage and transmit vital information. The value of this information has not escaped the attention of hackers, cyber criminals and insiders who seek to steal from or damage an organization. A disgruntled employee, an overzealous competitor, a probing hacker or a cyber thief could all be sources of an attack against an organization’s stores of computerized information. While their motives may vary, individuals planning an attack have a wide array of attack options. Erasing a customer database, planting a virulent virus, rifling through correspondence files, sending a Trojan Horse, copying personnel records and searching for active credit card numbers are just a few of the attacks that may be directed at the victim’s information technology (IT) system. The use of IT has become more widespread and today’s organizations rely on information systems (IS) to the extent that it would be impossible to manage without them. The growth of e-business and e-commerce applications also presents abundant opportunities for unauthorized access to IS (Brooks et al., 2002).

Information Management & Computer Security, Vol. 13 No. 4, 2005, pp. 297-310, © Emerald Group Publishing Limited, 0968-5227, DOI 10.1108/09685220510614425

IMCS 13,4


Intuitively, small businesses are more vulnerable to these attacks because they may lack the financial resources and expertise to develop a comprehensive information security system. Lacking policies and procedures, an organization is particularly susceptible to attacks from insiders who have direct access to the company’s computer system. The next section of this research paper documents the information security threats faced by small businesses and organizations in the USA and around the world. More importantly, the literature review section offers many helpful suggestions and checklists to assist businesses interested in strengthening their information security defenses. The objective of this study is to gather information about the IT-related security issues in small firms in both manufacturing and service. The data collected through this research will help small business organizations in planning, training, and exploitation of IT.

Literature review

Smith (1999) reports on the importance and use of IT in a sample of 150 new small firms. It provides statistical evidence to show that the greater the use of IT, the higher the firm’s performance. By contrast, the owner manager’s belief in the importance of IT to the management of their business is not correlated with performance. Empirical evidence is then presented to confirm that IT use is increasing, in general, year on year, and is being implemented as a management information tool. Finally, a profile is presented of the typical components of a young management IS, within the context of a management accounting framework. It is suggested that, given the proven importance of IT to the new small firm, a management IS should be developed that takes advantage of the opportunities offered by new technology, and that this, in turn, should lead to enhanced performance.

Kankanhalli et al. (2003) argued that as organizations become increasingly dependent on IS for strategic advantage and operations, the issue of IS security also becomes increasingly important. In the interconnected electronic business environment of today, security concerns are paramount. Management must invest in IS security to prevent abuses that can lead to competitive disadvantage. In their empirical analysis, small and medium-sized enterprises (SMEs) were found to engage in fewer deterrent efforts compared to larger organizations. Organizations with stronger top management support were found to engage in more preventive efforts than organizations with weaker support from higher management. Financial organizations were found to undertake more deterrent efforts and have stiffer deterrent severity than organizations in other sectors. Moreover, greater deterrent efforts and preventive measures were found to lead to enhanced IS security effectiveness.

Ban and Heng (1995) examined the issues facing the provision of computer security in the SMEs in Singapore. Issues that SMEs may face in their implementation of computer security may include:
- the sophistication of computer usage;
- the scale of computer operation;
- the lack of resources and technical specialists;
- computer used primarily for mundane and non-critical operations; and
- the cost of standard PC hardware and common office software.


Adopting a business approach, the rationale for protecting computer systems can be obtained by examining the consequences of loss arising from the lack of security in computer systems. These can be examined from four viewpoints: financial loss, legal and ethical responsibility, business service interruption, and quality and security intertwined. According to their research, the key factors for security management include:
- issue a computer security policy statement;
- assign responsibilities and accountabilities for security; and
- educate all staff on security issues.

Creating and implementing a comprehensive new IT security strategy is a pervasive challenge for many small to mid-size organizations. The temptation to cut corners is great. Yet, knowing where to cut corners and where not to can spell the difference between security success and disaster. A personal security adviser in Milwaukee points out that he can hack into a client’s computer system 98 percent of the time (Krause, 2003).

Information security is a pervasive concern for all organizations. The growth of e-commerce and changes driven by globalization and regulation are combining to make information security an even greater area of concern. Garg et al. (2003) indicate that between 36 and 90 percent of organizations reported computer security breaches in the past year. New US federal laws require thorough safeguards to protect the security and confidentiality of non-financial data, individual medical records and the privacy of children on the internet. A growing level of cyber attacks by terrorists and criminals is directed at communications networks and computer systems. Beyond the internet’s early uses of text messaging and web site access, today’s users are demanding digital transactions and remote access. Competitive forces that drive companies to reduce costs and enhance productivity have increased reliance on IT. The expanded connectivity and greater interdependence have increased the damage potential of a breach in a company’s IT security.

Wakefield (2002) points out that small businesses use the internet for a variety of activities. Internet technologies substantially increase the vulnerability of computer systems, however, and may compromise the confidentiality of information stored therein. Security experts predict major liability lawsuits for companies whose computer systems exhibit security lapses. Transitioning applications to the internet has become a major trend. Firms without formal IT departments should implement security measures to reduce their liability risks. Because technology tools continually evolve to meet the challenges of network security, IT security professionals advise implementing security policies that remain constant even as software changes.

The internet has made it easier to copy and distribute software and has opened up a new, lucrative market for software development. With an increasing number of court cases on internet-related issues, the courts are struggling with the question of intellectual property rights in an open environment supporting e-commerce (Smith and Rupp, 2002). Growth in IT has introduced a new category of criminal offender, the computer criminal. While most attention is devoted to catching the criminal “outsider”, the most costly and least caught is the criminal “insider”. Computer security has become a global problem and recent surveys indicate that there are increasing concerns about security risks. It is becoming more common for businesses to outsource internet-based network support services and enter into e-business alliances. These new relationships can create new problems if they are not properly managed and controlled. Security surveys have indicated a few trends that are appearing in various locations around the world. In Australia, surveys indicate poor levels of computer security among the country’s businesses, due to poor security procedures and implementation. It is estimated that 45 percent of organizations did not budget for computer security. In the UK, 42 percent of organizations did not have an information security policy and 49 percent of organizations listed budget constraints as being the primary issue in implementing computer security. A survey of firms in the USA showed that theft of information, financial fraud, viruses, insider net abuse and sabotage caused the most financial damage. The survey found that there was little difference in the levels of abuse carried out by internal or external criminals (Warren, 2002).

Hebert and Bradley (1993) examined expert systems; if understood and properly developed, they can help the small business owner make the transition from doing to managing. These expert systems can help reduce IT-related security risks.

Information security is a multi-faceted problem faced by all organizations in all sectors. A comprehensive solution will normally include physical, procedural and logical forms of protection. This necessitates the appropriate training and awareness within the organization to foster a security culture, particularly within small organizations (of less than 100 employees) where resources may be limited (Furnell et al., 2002). Organizations may recognize information security as an issue but it is often found that they do not have a full understanding of what they should be doing or how to go about it. Small organizations face the same security challenges as larger companies but there is a significant difference that exists depending upon the size of the organization involved. The most recent National Computer Center survey suggests that a disparity continues to exist on the basis of organizational size and states that “smaller organizations place limited value on information and its security” (Smith and Rupp, 2002). Why does such a disparity exist? In part, because of the operational constraints faced by smaller organizations, which limit their ability to address security concerns. Constraints include: not having staff with specific security expertise, lacking financial resources to hire consultants or provide staff training, lacking understanding or being dismissive of the risks, and an inability to focus upon security due to other business priorities.

A prototype tool has been developed in Great Britain to provide an interactive and user-friendly approach to enhance understanding of IT security. The system maintains a database of security countermeasures, which explain security options and approaches. The system also provides a selection of interactive scenario descriptions in which security countermeasures must be applied to solve one or more security issues. This tool can make a useful contribution by assisting users to learn about security in a more active manner, rather than reading reference material. Users can experiment with different security configurations, without financial or disruptive impacts on their company.

Advances in networking technology, the explosive growth of the internet and more open telecommunication markets have combined to allow small businesses and individuals to benefit from sophisticated networked computer applications. Unfortunately, these applications are often hampered by security problems typical of open networks: messages can be intercepted and manipulated, the validity of documents can be denied, and personal data can be illicitly collected. The use of networked IS within small businesses and home offices can be the source of serious security problems because they typically lack the technical expertise and resources to create and maintain a desirable level of security (Spinellis et al., 1999).

The Information Security Foundation has created an “ethical hacking” training program with the purpose of preparing high school students with tech aptitude for a career in information security (Sisk, 2003). The free, seven-week program launched in April divided the initial ten students into two “Tiger teams” to practice attacking and defending a dedicated network. As part of the program, students will offer lectures to business, military and law enforcement leaders. The goal of the program is not only to train someone for a career in information security, but also to train these students not to be hackers.

There are many access points to a business computer network and resources. A security policy should contain objectives and processes that prevent, detect and respond to intrusions (Lei, 2003). The widespread growth of computer technology and user-friendly systems has enabled various tasks to be accomplished much faster and more accurately than ever before. This advanced technology has also created significant security risks and, in many cases, has developed faster than the development of control practices and employee knowledge (Abu-Musa, 2003).

Sample and methodology

One of the problems with a study of small businesses is the lack of a commonly accepted method to distinguish small, medium, and large firms. One of the common criteria is number of employees (Beheshti, 2004). We classified any organization having between ten and 499 employees as an SME (Beheshti, 2004). The initial sample of 1,000 businesses was drawn from the members of a Chamber of Commerce in the South Eastern United States using systematic sampling. The questionnaire used in this study has already been pre-tested (Ryan, 2000). The first mailing was sent out in early May 2003, and a follow-up mailing was distributed in June 2003. The questionnaire was also tested for reliability. The α values range from 0.64 to 0.785. Accordingly, the measures developed for this study were judged reliable. Once the reliability of the measures had been established, construct and criterion related validity of the questionnaire was also established. A total of 138 useable questionnaires were returned, providing a response rate of 13.8 percent.

An “extrapolation procedure” was used to assess non-response bias. This assumes that “late” respondents are similar to the “theoretical” non-respondents (Armstrong and Overton, 1977). Independent t-tests were used to determine whether the security concerns and technologies differed significantly between the two sub-samples consisting of the respondents in the first and last quartile. No significant differences were found between the two sub-samples for any of the variables. The results suggest that there appears to be no significant difference between respondents and non-respondents for the variables under study and the sample can be considered sufficient to draw conclusions about small businesses for the issues under study.

A series of stepwise regressions were run in an attempt to identify the significant technologies and policies and procedures used to counteract IS security threats; 14 regressions were run and the dependent variable in each regression was the security concern being examined. The independent variable in each regression consisted of the firm’s technological response to the security concern.
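A worked illustration of the two methodology checks described above (the α reliability coefficient for a multi-item scale, and the early-versus-late respondent comparison used to assess non-response bias), written for this page in Python and not taken from the paper. The respondent records are constructed, and the comparison substitutes a permutation test on the difference of means for the independent t-test the authors report, so that it runs with the standard library alone.

```python
"""Methodology checks of the kind the paper describes, on constructed data.

Two checks are shown:
  1. Cronbach's alpha, the reliability coefficient the paper reports
     (its values ranged from 0.64 to 0.785), for a multi-item scale.
  2. The Armstrong and Overton extrapolation check for non-response bias:
     respondents in the first and last quartile by return date are compared,
     on the assumption that late respondents resemble non-respondents.
The paper used independent t-tests for (2); a permutation test on the
difference of means is substituted here so nothing beyond the standard
library is needed.  Every respondent record below is constructed.
"""
import random
from statistics import mean, variance

# Constructed responses to a three-item scale (1 = not important,
# 5 = extremely important): one list per item, one entry per respondent.
SCALE_ITEMS = [
    [1, 2, 3, 4, 5, 3],
    [2, 2, 4, 4, 5, 2],
    [1, 3, 3, 5, 4, 3],
]


def cronbach_alpha(items):
    """Cronbach's alpha: k/(k-1) * (1 - sum(item variances) / variance(totals))."""
    k = len(items)
    n = len(items[0])
    if k < 2 or any(len(col) != n for col in items):
        raise ValueError("need at least two items with equal respondent counts")
    item_var = sum(variance(col) for col in items)
    totals = [sum(col[r] for col in items) for r in range(n)]
    return k / (k - 1) * (1 - item_var / variance(totals))


def build_sample(late_shift=0, n=40):
    """Constructed mailing responses: the day each questionnaire came back and
    the respondent's concern score for viruses (1-5).  late_shift raises the
    scores of the last quartile so a biased sample can be demonstrated."""
    pattern = [2, 3, 4, 3, 5, 2, 3, 4, 3, 5]
    records = []
    for i in range(n):
        score = pattern[i % len(pattern)]
        if i >= n - n // 4:
            score = min(5, score + late_shift)
        records.append({"returned_day": i + 1, "virus_concern": score})
    return records


def permutation_p(a, b, iters=2000, seed=1):
    """Two-sided permutation p-value for the difference of means of a and b."""
    rng = random.Random(seed)
    observed = abs(mean(a) - mean(b))
    pooled = list(a) + list(b)
    n_a = len(a)
    extreme = 0
    for _ in range(iters):
        rng.shuffle(pooled)
        if abs(mean(pooled[:n_a]) - mean(pooled[n_a:])) >= observed - 1e-12:
            extreme += 1
    return (extreme + 1) / (iters + 1)


def early_vs_late(records, field):
    """Compare the first and last quartile of respondents (by return date) on
    one survey field.  Returns (mean_early, mean_late, p_value); a small p
    suggests late respondents, and hence non-respondents, differ."""
    ordered = sorted(records, key=lambda r: r["returned_day"])
    q = len(ordered) // 4
    early = [r[field] for r in ordered[:q]]
    late = [r[field] for r in ordered[-q:]]
    return mean(early), mean(late), permutation_p(early, late)


if __name__ == "__main__":
    print(f"Cronbach's alpha: {cronbach_alpha(SCALE_ITEMS):.3f}")
    for shift in (0, 2):
        e, l, p = early_vs_late(build_sample(shift), "virus_concern")
        print(f"late_shift={shift}: early mean {e:.2f}, late mean {l:.2f}, p={p:.3f}")
```

With no shift the two quartiles are identical and the check passes (p = 1.0); with the late quartile shifted upward the check flags a difference, which is the situation in which the extrapolation assumption would warn against generalising to non-respondents.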


Results

For a summary of results see Tables I-XI. Summary data on all the characteristics of respondent small businesses indicate that:
- The majority of firms were in services business (47.1 percent) followed by retail (14.4 percent) and finance/insurance (10.8 percent) (Table I).
- More than one-half (50.7 percent) of the small businesses had sales of $500,000 or less. Only 10.1 percent had sales of more than 5 million dollars (Table III).
- The majority of the firms (45.6 percent) had five or fewer computers. Only 6.5 percent had 100 computers or more (Table IV).
- About 64.5 percent of respondents have internet access and 39.1 percent have web presence (Table V).
- About 40.5 percent of respondents have an information security policy in place; 42.7 percent have a computer use and misuse policy; and 47.1 percent have data recovery procedures in place (Table VII). The majority of firms use technologies such as anti-virus software (56.5 percent); firewall (42.7 percent); system access control (57.9 percent); power surge protectors (79.7 percent); and data backup systems (65.2 percent) (Table VIII).

Table I. Business areas

Business area        Number of respondents
Agriculture          0
Manufacturing        9
Transportation       1
Finance/insurance    15
Real estate          3
Mining               0
Retail               20
Gas/electric         1
Sanitary             0
Construction         16
Wholesale            4
Communications       4
Services             65

Table II. Number of employees

Number of employees  Number of respondents
1-10                 59
11-20                28
21-50                25
51-100               15
101-200              5
201-500              5
More than 500        1

Table III. Annual revenue

$                    Number of respondents
0-500,000            70
500,001-1 million    16
1-5 million          38
More than 5 million  14


Table IV. Number of computers

Number of computers  Number of respondents
1-5                  63
6-10                 28
11-20                12
21-50                18
51-100               8
More than 100        9

Table V. Connectivity

Connectivity         Number of respondents
Internal LAN         46
Intranet             24
Extranet             9
Internet access      89
Web presence         54
E-commerce           11

Table VI. Who can use the computers and/or network

                             Number of respondents
Some employees, job related  68
All full time employees      68
Part-time employees          26
Temporary employees          12
Contractors                  5
E-commerce partners          1
Customers                    9
Family members, friends      3

Table VII. Does your organization have any of the following?

                                          Number of respondents
Information security policy               56
Computer use and misuse policy            59
Proprietary data use and misuse policy    36
Communication use and misuse policy       35
Business continuity plan                  33
Information security procedures           45
Data destruction procedures               29
Media destruction procedures              13
Information sensitivity levels or coding  35
Computer emergency response plan          26
Computer emergency response team          19
Data recovery procedures                  65


Table VIII. Does your organization use any of the following technologies?

                               Number of respondents
Anti-virus software            78
Data segregation               33
Firewall(s)                    59
Intrusion detection system(s)  35
Encryption                     26
System access control          80
Facility access control        24
Dial-back modem                12
Redundant systems              48
System activity monitor        29
Media degaussers               1
Power surge protectors         110
Security evaluation system(s)  12
Shredders                      67
Data backup system(s)          90

Table IX. How important is the following information to your enterprise?

                         Mean   Standard deviation
Proprietary information  3.43   0.137
Trade secrets            2.73   0.149
Privacy data             3.90   0.128
Customer data            4.25   0.110
Competitive data         3.03   0.140
Market data              2.98   0.129

Notes: 1 – not important; 5 – extremely important

Table X. Level of concern for the items listed

                        Mean    Standard deviation
Insider access abuse    2.02    0.114
Viruses                 3.405   0.122
Power failure           2.913   0.119
Software problems       2.847   0.123
Data integrity          2.768   0.145
Transaction integrity   2.717   0.150
Outsider access abuse   2.311   0.139
Data secrecy            2.746   0.138
Data availability       3       0.141
Data theft              2.384   0.138
Data storage            2.601   0.130
User errors             2.586   0.126
Natural disasters       2.253   0.117
Fraud                   2.514   0.134

Notes: 1 – not important; 5 – extremely important


Table XI. Significant concerns that determine the type of technologies used

Concern                Technologies used                         Estimated coefficient   t-statistics
Insider access abuse   Information sensitivity level or coding   0.88                    3.48 (p = 0.001)
                       Data recovery procedure                   0.56                    2.47 (p = 0.015)
                       Data destruction procedures               -0.61                   -2.61 (p = 0.041)
                       Media degaussers                          2.50                    2.00 (p = 0.048)
Viruses                Data backup system(s)                     1.04                    4.29 (p = 0.000)
                       Firewalls                                 0.44                    1.79 (p = 0.075)
                       Media destruction procedures              -0.81                   -2.01 (p = 0.047)
                       Computer emergency response plan          0.64                    1.87 (p = 0.064)
Power failure          Dial back modem                           1.56                    3.86 (p = 0.000)
                       Facility access control                   0.54                    1.76 (p = 0.081)
                       Data destruction procedure                -0.68                   -2.36 (p = 0.020)
Software problems      Shredders                                 0.70                    2.92 (p = 0.004)
                       Dial back modem                           1.02                    2.43 (p = 0.061)
                       Communication use and misuse policy       -0.49                   -1.75 (p = 0.083)
Data integrity         Firewall                                  1.23                    4.49 (p = 0.000)
                       Data recovery procedures                  0.78                    2.81 (p = 0.006)
                       Media destruction procedures              -0.88                   -1.87 (p = 0.064)
                       Computer emergency response plan          1.13                    2.85 (p = 0.005)
Transaction integrity  Computer emergency response plan          1.63                    4.53 (p = 0.000)
                       Firewall(s)                               0.91                    3.08 (p = 0.003)
                       Media destruction procedures              -1.16                   -2.19 (p = 0.030)
                       Data recovery procedures                  0.58                    2.00 (p = 0.048)
Outside access abuse   Facility access control                   1.79                    5.34 (p = 0.000)
                       Encryption                                1.07                    3.15 (p = 0.002)
                       Anti-virus software                       0.80                    2.08 (p = 0.040)
                       Media destruction procedures              -1.07                   -2.15 (p = 0.034)
Data secrecy, Data availability, Data theft, Data storage, User errors, Natural disasters, Fraud (the rows for these seven concerns follow in order):
                       Facility access control                   1.82                    5.49 (p = 0.000)
                       Encryption                                0.93                    2.75 (p = 0.007)
                       Shredders                                 0.46                    1.87 (p = 0.064)
                       Firewall(s)                               1.01                    3.68 (p = 0.000)
                       Power surge protectors                    0.77                    2.23 (p = 0.027)
                       Dial back modem                           0.92                    1.92 (p = 0.056)
                       Encryption                                1.28                    3.80 (p = 0.000)
                       Computer emergency response team          0.72                    1.81 (p = 0.072)
                       Media destruction procedures              -1.39                   -2.63 (p = 0.009)
                       Firewall(s)                               0.73                    2.82 (p = 0.005)
                       Encryption                                0.63                    1.76 (p = 0.080)
                       Security evaluation systems               -0.94                   -1.86 (p = 0.065)
                       Power surge protectors                    0.54                    1.68 (p = 0.095)
                       Encryption                                1.08                    3.47 (p = 0.001)
                       Power surge protectors                    0.55                    1.80 (p = 0.073)
                       System activity monitor                   0.86                    3.07 (p = 0.003)
                       Facility access control                   0.70                    2.27 (p = 0.025)
                       Intrusion detection system                0.88                    2.91 (p = 0.004)
                       Dial back modem                           1.15                    2.47 (p = 0.015)
                       Information sensitivity level and coding  -0.78                   -2.33 (p = 0.021)
                       Communication use and misuse policy       0.53                    1.69 (p = 0.093)


When asked to indicate the level of concern for various sources of security breach, respondents said viruses are their chief concern. With a mean score of 3.4 (on a 1-5 scale with 5 being “extremely important”), viruses topped the list of concerns and were followed by power failure, software problems, data integrity, and transaction integrity and data secrecy. Ironically, respondents listed insider access abuse – the most prevalent source of IT attacks – as the lowest concern.

Only 19 percent of the respondents experienced a security breach in the last 12 months. Various national surveys indicate that between 36 and 90 percent of organizations reported computer security breaches in the past year (Garg et al., 2003). This may explain the low percentage of small businesses that have developed information security policies and acquired basic protection and backup software. Until a business is “hacked”, hit with a virus or sabotaged, they may lack the necessary motivation to take the steps necessary to adopt a comprehensive information security system. This may also explain the lack of concern about insider access abuse.

The key question here is, “are small businesses different?” To answer this question, we tested the experiences and concerns of our survey respondents against the data collected from surveys documented in the literature. Three questions with compatible format and data were derived from that compilation of information.
- Question 1. Small businesses are less likely to have a written security policy than the results reported in the surveys. The grouped data mean for this question from other surveys is 0.49 (Ban and Heng, 1995; Smith, 1999). Only 48 percent of our respondents reported having some sort of written policy. The results of the test indicate a p-value of 0.00301, suggesting that small businesses are less likely to have a written security policy than the results from other surveys. The lack of enthusiasm for a written security policy may be due to several reasons such as lack of financial resources, lack of technical expertise, and may be due to “macho” mentality.
- Question 2. Small businesses are less likely to experience security breaches than the results reported in the surveys. The grouped data mean for this question from other surveys is 0.48 (Ban and Heng, 1995; Smith, 1999). Only 19 percent of our respondents had experienced a security breach in the last 12 months. The results of the test indicate a p-value of 0.0061, suggesting that small businesses are less likely to experience a breach of security than the respondents in other surveys. The lower rate of security breach could be related to the perceived value of information stored in the computers of a small business. It may not be worth the time and effort for the hackers to get into their systems.
- Question 3. Small businesses are equally likely to view virus-related problems as one of the top-five security concerns as the results reported in the surveys. The format of the questionnaire did not ask respondents to identify top-five security concerns, but did ask respondents to identify the level of concern for different areas. From other surveys: viruses are identified as being a top-five security concern in 75 percent of the surveys. About 50.7 percent of our respondents reported they are extremely or highly concerned with viruses. The resultant p-value of 0.0004 allows for the conclusion that small businesses are less concerned about viruses as compared to the results presented in other surveys.

Some of the findings above may be interrelated, such as:
- Most of the businesses have not experienced a security breach; therefore they are far behind others in developing a written security policy.
- Most of the businesses have not had viruses damage their systems; therefore they lag behind in developing a policy to deal with them.

The absence of these policies and procedures makes small businesses more vulnerable to hackers and disgruntled employees. In the next phase of this research, we tried to identify the technologies which may be appropriate to deal with the concerns of small businesses. Table XI shows the results of the stepwise multiple regression that attempt to identify significant technologies and policies and procedures that may address IS security related concerns of small businesses. The regression coefficients, t-statistic, and level of significance are shown for each variable. Also, the regression variables are shown in the order they were added to the model by the stepwise regression procedure. Only those variables found to have a p-value of less than 0.10 were included in the regression models. This analysis may be helpful for small businesses which are looking for “maximum bang” for their buck (i.e. technologies and policies and procedures), which can address more than one concern. On the technology front the five technologies which show significance most frequently are (with the number in parenthesis showing the frequency): encryption (5), firewall (5), facility access control (4), dial-back modem (4), and power surge protectors (3). Except for power surge protectors, none of the others are rated as top-five technologies used by small business respondents for our survey (Table VIII). The situation was not that bad on the policy and procedures analysis where most frequently occurring policies and procedures are (with the number in parenthesis showing the frequency): media destruction procedures (5), computer emergency response plan (3), data recovery procedures (2), data destruction procedures (2), and computer use and misuse policy (2). Data recovery procedures and computer use and misuse policy were rated as top-five policies and procedures in place for the small business respondents of our survey (Table VII). 
It is also clear from this analysis that the majority of IS security concerns require a mix of technology and policies and procedures to deal with them. The regression results suggest that small businesses do need to change technology in order to be more effective in dealing with the security concerns. They also need to reevaluate their policies and procedures as they become more effective in dealing with security threats. Given the difficulty in assessing the effectiveness of various technologies, it should not be surprising that some small business owners retain early evaluations and continue to use what is familiar and tested.

Conclusions and directions for future research

This study reports the results of a survey of the IS security concerns of 138 small businesses. One of the significant findings of this study is that firms continue to choose technologies which may not be very effective for their environment. Several factors could explain this trend. Small business owners may not be adept at selecting appropriate technologies. Alternatively, their choice may be limited by affordability. Another possibility relates to the nature of many small business owners. They may be too preoccupied with day-to-day operations to formulate an IS security strategy. As a consequence, they may conveniently continue to use the technology initially selected. The difficulty and cost of a switch over may be perceived as prohibitive by many small business owners, forcing them to rely on old technology.

Under these circumstances, small business owners should take some preventive actions. For example, a consistent set of security and audit practices should be established. They should identify the security weak points and develop procedures to continuously monitor them. Another preventive measure could be keeping security manuals handy or maintaining computerized logs. Training employees about IS security threats is another preventive measure. End users should be responsible for protecting themselves as well as the firm against security breaches. Small business owners must also exercise discretion when employing external consultants or temporary employees. It is frequently taken for granted that these individuals are trustworthy and reputable, but this may be a faulty assumption (Knotts and Richards, 1989).

About 50 percent of our survey participants either have a web presence or are actively involved in e-commerce. While doing transactions over the internet, small business owners should make sure they protect their data, maintain confidentiality of all parties, confirm identities of all transaction participants, control any system changes, detect unauthorized intrusions, and handle denial of service attacks (Williams, 2000). Some of the best practices small business owners should consider are:
. establishing a process whereby participants in an e-commerce transaction can be identified uniquely and positively;
. putting procedures in place to control changes to an e-commerce presence;
. maintaining logs of e-commerce use, and having responsible personnel monitor them;
. putting features in their e-commerce applications to reconstruct the activity performed by the application in case information is lost;
. making sure that they have a way to ensure confidentiality of the data communicated between customers and vendors; and
. putting features into their system architecture to prevent components from failing and to repair themselves if they should fail.

Although this study presented a systematic approach to the study of IS security issues for small businesses, it could not cover all of the important issues in this field. The following suggestions for future research are either extensions of the current study or address information gaps in the current literature:
. Although the strategic aspects of IS security have been researched, contributions in this area still tend to be conceptual or based on case studies. More large-scale studies (e.g. a national sample) are needed to determine the actual strategic process used by small business organizations.
. By repeating this study periodically, it will be interesting to observe and document the variations in the information security concerns, technologies used, and policies and procedures in place.
. Although this study used a sample of small business organizations in the USA, it would be interesting to use the same questionnaire for small business organizations in other countries such as Japan and European countries. This type of study is important due to the globalization of the US economy and will also help in verifying the validity of the current results in the global context.
. A study on the specific competencies of a specific technology or a group of technologies can also be designed. However, the researcher will need to filter out the impact of other technologies in the organization’s portfolio.
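Two of the e-commerce best practices recommended in the conclusions above, maintaining logs of e-commerce use for responsible personnel to monitor and putting procedures in place to control changes to the e-commerce presence, can be turned into a small daily-review routine. The Python below is an added illustration, not code from the paper or from any of its survey respondents; the access-log format, the sample log lines, the two site snapshots and the review threshold of five failed logins per source per day are all constructed assumptions.

```python
"""Daily review helpers for a small e-commerce site.

Added example (not from Gupta and Hammond, 2005). The log format, sample
lines, site snapshots and thresholds are constructed assumptions chosen so
the script runs offline.
"""
import hashlib
import re
from collections import Counter

# Constructed sample: one day of web-server lines in a simplified
# "IP [timestamp] "METHOD PATH PROTO" STATUS" format. Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 [12/May/2005:09:01:10] "POST /login HTTP/1.1" 401
203.0.113.7 [12/May/2005:09:01:12] "POST /login HTTP/1.1" 401
203.0.113.7 [12/May/2005:09:01:13] "POST /login HTTP/1.1" 401
203.0.113.7 [12/May/2005:09:01:15] "POST /login HTTP/1.1" 401
203.0.113.7 [12/May/2005:09:01:17] "POST /login HTTP/1.1" 401
203.0.113.7 [12/May/2005:09:01:19] "POST /login HTTP/1.1" 200
198.51.100.4 [12/May/2005:10:20:00] "POST /login HTTP/1.1" 401
198.51.100.4 [12/May/2005:10:20:30] "POST /login HTTP/1.1" 200
198.51.100.4 [12/May/2005:10:21:00] "GET /catalog?item=42 HTTP/1.1" 200
192.0.2.9 [12/May/2005:23:45:00] "POST /admin/price-update HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})$')

# Assumption: five failed logins from one source in a day is worth a look.
FAILED_LOGIN_THRESHOLD = 5


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}


def review_log(text):
    """Summarise what a responsible person should look at for the day:
    failed logins per source, sources over the threshold, administrative
    changes, and lines the parser could not read (themselves worth noting)."""
    failed = Counter()
    admin_changes = []
    unparsed = 0
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            continue
        if rec["path"] == "/login" and rec["status"] == 401:
            failed[rec["ip"]] += 1
        if rec["path"].startswith("/admin/") and rec["method"] == "POST":
            admin_changes.append((rec["ts"], rec["ip"], rec["path"]))
    flagged = sorted(ip for ip, n in failed.items() if n >= FAILED_LOGIN_THRESHOLD)
    return {"failed_logins": dict(failed), "flagged_ips": flagged,
            "admin_changes": admin_changes, "unparsed": unparsed}


def fingerprint(files):
    """Record a SHA-256 digest per site file (name -> bytes) as a baseline."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def detect_changes(baseline, current):
    """Compare two fingerprint dicts. Every added, removed or modified file
    should correspond to an approved change; anything else needs investigation."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    return {"added": added, "removed": removed, "modified": modified}


# Constructed site snapshots taken before and after an edit.
SITE_BEFORE = {"index.html": b"<h1>Shop</h1>", "checkout.php": b"<?php // v1 ?>"}
SITE_AFTER = {"index.html": b"<h1>Shop</h1>", "checkout.php": b"<?php // v2 ?>",
              "favicon.ico": b"\x00"}

if __name__ == "__main__":
    print(review_log(SAMPLE_LOG))
    print(detect_changes(fingerprint(SITE_BEFORE), fingerprint(SITE_AFTER)))
```

In use, the two functions would be pointed at the real access log and the web root, the baseline fingerprint stored somewhere the web server cannot write, and the output handed each day to the named person the paper says should monitor the logs; a change that nobody approved is then visible as a diff rather than something discovered after a breach.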


Although this study is one of the few attempts towards industry-academic community cooperation, more participation is required from both practitioners and academics towards finding solutions to business security problems.

References

Abu-Musa, A.A. (2003), “The perceived threats to the security of computerized accounting information systems”, Journal of American Academy of Business, Vol. 1 No. 2, pp. 9-20.
Armstrong, S.J. and Overton, T.S. (1977), “Estimating non-response bias in mail surveys”, Journal of Marketing Research, Vol. 14, pp. 396-402.
Ban, L. and Heng, G. (1995), “Computer security issues in small and medium-sized enterprises”, Singapore Management Review, Vol. 17 No. 1, pp. 15-30.
Beheshti, H.M. (2004), “The impact of IT on SMEs in the United States”, Information Management & Computer Security, Vol. 12 No. 4, pp. 318-27.
Brooks, W.J., Warren, M.J. and Hutchinson, W. (2002), “A security evaluation criteria”, Logistics Information Management, Vol. 15 Nos 5/6, pp. 377-84.
Furnell, S.M., Gennatou, M. and Dowland, P.S. (2002), “A prototype tool for information security awareness and training”, Logistics Information Management, Vol. 15 Nos 5/6, pp. 352-7.
Garg, A., Curtis, J. and Halper, H. (2003), “Quantifying the financial impact of IT security breaches”, Information Management & Computer Security, Vol. 11 No. 2, pp. 74-83.
Hebert, F. and Bradley, J. (1993), “Expert systems development in small business: a managerial perspective”, Journal of Small Business Management, Vol. 31 No. 3, pp. 23-35.
Kankanhalli, A., Teo, H., Tan, B. and Wei, K. (2003), “An integrative study of information systems security effectiveness”, International Journal of Information Management, Vol. 23 No. 2, p. 139.
Knotts, R. and Richards, T. (1989), “Computer security: who’s minding the store?”, The Academy of Management Executive, Vol. 3 No. 1, pp. 63-6.
Krause, J. (2003), “Guarding the cyberfort”, ABA Journal, Vol. 89, pp. 42-6.
Lei, T.A. (2003), “Developing sound security policies”, Asia Computer Weekly, 30 June, p. 1.
Ryan, J.J.C. (2000), “Information security practices and experiences in small businesses”, Unpublished Dissertation, George Washington University.
Sisk, M. (2003), “Betting students will be drawn to ethical hacking”, US Banker, Vol. 113 No. 6, p. 12.
Smith, A.D. and Rupp, W.T. (2002), “Issues in cybersecurity; understanding the potential risks associated with hackers/crackers”, Information Management & Computer Security, Vol. 10 No. 4, pp. 178-83.
Smith, J. (1999), “Information technology in the small business: establishing the basis for a management information system”, Journal of Small Business and Enterprise Development, Vol. 6 No. 4, pp. 326-40.
Spinellis, D., Kokolakis, S. and Gritzalis, S. (1999), “Security requirements, risks and recommendations for small enterprise and home-office environments”, Information Management & Computer Security, Vol. 7 No. 3, pp. 121-8.
Wakefield, R. (2002), “IT security issues”, The CPA Journal, Vol. 72 No. 11, pp. 55-6.
Warren, M.J. (2002), “Security practice: survey evidence from three countries”, Logistics Information Management, Vol. 15 Nos 5/6, pp. 347-51.
Williams, K. (2000), “Preparing your business for secure e-commerce”, Strategic Finance, Vol. 82 No. 3, p. 21.

Further reading

Richmond, R. (2003), “Spread of e-mail virus is fastest ever”, AP News, available at: http://apnews.excite.com/article/20030821/D7T23LVO1.html
