Investigating the Security Divide between SME and Large Companies: How SME Characteristics Influence Organizational IT Security Investments
Lagging IT security investments in small and medium-sized enterprises (SME) point towards a security divide between SME and large enterprises, yet our structured literature review shows that organizational IT security research has largely neglected the SME context. In an effort to expose reasons for this divide, we build on extant research to conceptualize SME-specific characteristics in a framework and suggest propositions regarding their influence on IT security investments. Based on 25 expert interviews, emerging constraints are investigated and validated. Our findings imply that several widely held assumptions in extant IT security literature should be modified if researchers claim generalizability of their results in an SME context. Exemplary assumptions include the presence of a skilled workforce, documented processes or IT-budget planning, which are often un(der)developed in SME. Additionally, our study offers context-specific insights regarding particular effects of identified constraints on IT security investments for all involved stakeholders (researchers, SME, large enterprises, governments).
Keywords: IT security, SME, Constraints, Investment, Qualitative study
An earlier version of this article was presented at the International Conference of Information Systems (ICIS) 2018 and appeared in the subsequent proceedings of ICIS 2018 under the title “The Influence of SME Constraints on Organizational IT Security”.