Towards an Empirical Examination of IT Security Infrastructures in SME

  • Conference paper
Secure IT Systems (NordSec 2012)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7617)

Abstract

Despite the availability of numerous techniques for information security management and implementation, many small-to-medium sized enterprises (SME) still lack a holistic IT security infrastructure. Various reasons have been proposed for this, ranging from a lack of security awareness to the complexity of solutions. However, it remains an open issue how an IT security infrastructure suitable for SME should be designed. This paper presents a research model describing the dependencies between security threats, requirements, and the related framework components. It also accounts for the adoption of security solutions in SME and the impact of human and technical factors. The model allows the quantitative study of the influences on security requirements and on the adoption of the respective technologies. This is partially demonstrated by an empirical study conducted among south German SME. The obtained results reveal the current security technology adoption by SME and emphasize the need for an appropriate IT security infrastructure framework.

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Groner, R., Brune, P. (2012). Towards an Empirical Examination of IT Security Infrastructures in SME. In: Jøsang, A., Carlsson, B. (eds) Secure IT Systems. NordSec 2012. Lecture Notes in Computer Science, vol 7617. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34210-3_6

  • DOI: https://doi.org/10.1007/978-3-642-34210-3_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34209-7

  • Online ISBN: 978-3-642-34210-3

  • eBook Packages: Computer Science, Computer Science (R0)
