Towards an Empirical Examination of IT Security Infrastructures in SME

  • Ramona Groner
  • Philipp Brune
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7617)


Despite the availability of numerous techniques for information security management and implementation, still many small-to-medium sized enterprises (SME) lack a holistic IT security infrastructure. There have been proposed various reasons for this, ranging from lacking security awareness to the complexity of solutions. However, it remains an open issue how an IT security infrastructure suitable for SME should be designed. This paper presents a research model describing the dependencies between security threats, requirements, and the related framework components. It also accounts for the adoption of security solutions in SME and the impact of human and technical factors. The model allows to quantitatively study the influences on security requirements and the adoption of the respective technologies. This is partially demonstrated by an empirical study conducted among south german SME. The obtained results reveal the current security technology adoption by SME and emphasize the need for an appropriate IT security infrastructure framework.


Security Requirements Security Awareness Security Architectures Network Security Security Infrastructure Adoption Risk Management 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Milne, D., McCarthy, J., Mills, B.: SME Security in the Digital Age. In: 2nd International Conference on Information Warfare and Security, Monterey, pp. 263–270 (2007)Google Scholar
  2. 2.
    Beachboard, J., Cole, A., Mellor, M., Herandez, S., Aytes, K.: Improving Information Security Risk Analysis Practices for Small- and Medium-Sized Enterprises. Issues in Informing Science and Information Technology 5, 73–85 (2008)Google Scholar
  3. 3.
    Sánchez, L.E., Parra, A.S., Rosado, D.G., Piattini, M.: Managing Security and its Maturity in Small and Medium-sized Enterprises. Journal of Universal Computer Science 15(15), 3038–3058 (2009)Google Scholar
  4. 4.
    Gupta, A., Hammond, R.: Information systems security issues and decisions for small businesses. Information Management & Computer Security 13(4), 297–310 (2005)CrossRefGoogle Scholar
  5. 5.
    Jennex, M.E., Walters, A., Addo, T.B.A.: SMEs and Knowledge Requirements for Operating Hacker and Security Tools. Innovations Through Information Technology, 276–279 (2004)Google Scholar
  6. 6.
    Kimwele, M., Mwangi, W., Kimani, S.: Adoption of information technology security policies: Case study of Kenyan small and medium enterprises (SMEs). Journal of Theoretical and Applied Information Technology 18(2), 1–11 (2010)Google Scholar
  7. 7.
    Fong, M.W.L.: Chinese SMEs and Information Technology Adoption. Issues in Informing Science and Information Technology 8, 313–322 (2011)Google Scholar
  8. 8.
    Coles-Kemp, E., Overill, R.: The Design of Information Security Management Systems for Small-to-Medium Size Enterprises. In: 6th European Conference on Information Warfare, Shrivenham, pp. 47–54 (2007)Google Scholar
  9. 9.
    Barlette, Y., Fomin, V.V.: Exploring the suitability of IS security management standards for SMEs. In: 41st Annual Hawaii International Conference on System Sciences (2008)Google Scholar
  10. 10.
    Valdevit, T., Mayer, N., Barafort, B.: Tailoring ISO/IEC 27001 for SMEs: A Guide to Implement an Information Security Management System in Small Settings. In: O’Connor, R.V., Baddoo, N., Cuadrago Gallego, J., Rejas Muslera, R., Smolander, K., Messnarz, R. (eds.) EuroSPI 2009. CCIS, vol. 42, pp. 201–212. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  11. 11.
    Valdevit, T., Mayer, N.: A Gap Analysis Tool for SMEs Targeting ISO/IEC 27001 Compliance. In: 12th International Conference on Enterprise Information Systems, Funchal, vol. 3, pp. 413–416 (2010)Google Scholar
  12. 12.
    Dojkovski, S., Lichtenstein, S., Warren, M.: Developing Information Security Culture in Small and Medium Size Enterprises: Australian Case Studies. In: 6th European Conference on Information Warfare and Security, Shrivenham, pp. 55–65 (2007)Google Scholar
  13. 13.
    Dojkovski, S., Lichtenstein, S., Warren, M.J.: Fostering Information Security Culture in Small and Medium Size Enterprises: An Interpretive Study in Australia. In: 15th European Conference on Information Systems, St. Gallen, pp. 1560–1571 (2007)Google Scholar
  14. 14.
    Ramachandran, S., Rao, S.V., Goles, T.: Information Security Cultures of Four Professions: A Comparative Study. In: 41st Annual Hawaii International Conference on System Sciences, pp. 454–464 (2008)Google Scholar
  15. 15.
    Thong, J.Y.L., Yap, C., Raman, K.S.: Top Management Support, External Expertise and Information Systems Implementation in Small Businesses. Institute for Operations Research 7(2), 248–267 (1996)Google Scholar
  16. 16.
    Tsohou, A., Karyda, M., Kokolakis, S., Kiountouzis, E.: Analyzing Information Security Awareness through Networks of Association. In: Katsikas, S., Lopez, J., Soriano, M. (eds.) TrustBus 2010. LNCS, vol. 6264, pp. 227–237. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  17. 17.
    Park, J., Hong, C., Yeo, S., Kim, T.: IT Security Strategies for SME’s. International Journal of Software Engineering and Its Applications 2(3), 91–98 (2008)Google Scholar
  18. 18.
    Sánchez, L.E., Santos-Olmo, A., Fernández-Medina, E., Piattini, M.: Building ISMS through the Reuse of Knowledge. In: Katsikas, S., Lopez, J., Soriano, M. (eds.) TrustBus 2010. LNCS, vol. 6264, pp. 190–201. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  19. 19.
    Osório, A.L., Barata, M.M.: Reliable and secure communications infrastructure for virtual enterprises. Journal of Intelligent Manufacturing 12, 171–183 (2001)CrossRefGoogle Scholar
  20. 20.
    Siponen, M., Stucke, C.: Effective Anti-Spam Strategies in Companies. In: 39th Annual Hawaii International Conference on System Sciences (2006)Google Scholar
  21. 21.
    Conklin, W.A., Dietrich, G.: Systems Theory Model for Information Security. In: 41st Annual Hawaii International Conference on System Sciences, pp. 265–274 (2008)Google Scholar
  22. 22.
    Venkatesh, V., Morris, M.G., Davis, G.B., Davis, F.D.: User acceptance of information technology: Toward a unified view. MIS Quarterly 27(3), 425–478 (2003)Google Scholar
  23. 23.
    Firesmith, D.G.: Engineering Security Requirements. Journal of Objects Technology 22(1), 53–68 (2003)Google Scholar
  24. 24.
    Whitman, M.E.: Enemy at the Gates: Threats to Information Security. Communications of the ACM 46(8), 91–95 (2003)CrossRefGoogle Scholar
  25. 25.
    Yeh, Q., Jung-Ting Chang, A.: Threats and countermeasures for information system security: A cross-industry study. Information & Management 44, 480–491 (2007)CrossRefGoogle Scholar
  26. 26.
    Whitman, M.E.: The Enemy at the Gates II: The Enemy Within. In: Proc. of the 15th Colloquium for Information Systems Security Education (CISSE), Fairborn, Ohio, pp. 75–80 (2011)Google Scholar
  27. 27.
    Loch, K.D., Carr, H.H., Warkentin, M.E.: Threats to information systems: Todays reality, yesterdays understanding. MIS Q. 16(2), 173–186 (1992)CrossRefGoogle Scholar
  28. 28.
    Rayner, S., Cantor, R.: How fair is safe enough? The cultural approach to societal technology choice. Risk Anal. 7, 3–9 (1987)CrossRefGoogle Scholar
  29. 29.
    Weinstein, N.D.: Unrealistic optimism about future life events. J. Pers. Soc. Psychol. 39(5), 806–820 (1980)CrossRefGoogle Scholar
  30. 30.
    Kline, R.B.: Principles and Practice of Structural Equation Modeling, 3rd edn. The Guilford Press, New York (2010)Google Scholar
  31. 31.
  32. 32.
    Davis, F.D.: Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quarterly 13(3), 319–339 (1989)CrossRefGoogle Scholar
  33. 33.
    Yu, J., Brune, P.: No Security by Obscurity - Why Two Factor Authentication Should Be based on an Open Design. In: International Conference in Security and Cryptography, Seville, pp. 418–421 (2011)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Ramona Groner
    • 1
  • Philipp Brune
    • 1
  1. 1.Hochschule Neu-UlmUniversity of Applied SciencesNeu-UlmGermany

Personalised recommendations