Investigating the Security Divide between SME and Large Companies: How SME Characteristics Influence Organizational IT Security Investments

  • Margareta Heidt
  • Jin P. Gerlach
  • Peter Buxmann

Abstract

Lagging IT security investments in small and medium-sized enterprises (SME) point towards a security divide between SME and large enterprises, yet our structured literature review shows that organizational IT security research has largely neglected the SME context. In an effort to expose reasons for this divide, we build on extant research to conceptualize SME-specific characteristics in a framework and suggest propositions regarding their influence on IT security investments. Based on 25 expert interviews, emerging constraints are investigated and validated. Our findings imply that several widely held assumptions in extant IT security literature should be modified if researchers claim generalizability of their results in an SME context. Exemplary assumptions include the presence of skilled workforce, documented processes or IT-budget planning, which are often un(der)developed in SME. Additionally, our study offers context-specific insights regarding particular effects of identified constraints on IT security investments for all involved stakeholders (researchers, SME, large enterprises, governments).

Keywords

IT security, SME, Constraints, Investment, Qualitative study

Notes

Acknowledgements

An earlier version of this article was presented at the International Conference of Information Systems (ICIS) 2018 and appeared in the subsequent proceedings of ICIS 2018 under the title “The Influence of SME Constraints on Organizational IT Security”.


Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. Technische Universität Darmstadt, Darmstadt, Germany
