
Security Culture in Small and Medium-Size Enterprise

  • Conference paper
ENTERprise Information Systems (CENTERIS 2010)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 110)


Abstract

The information society depends increasingly on Information Security Management Systems (ISMSs), and these systems have become vital to SMEs. However, ISMSs must be adapted to SMEs’ specific characteristics, and they must be optimised from the point of view of the resources which are necessary to install and maintain them. Furthermore, when installing ISMSs, the majority of models have until now been centred on technical and management aspects, and the third aspect, which is institutional and is of particular relevance to SMEs, has been virtually ignored. In this paper we present the importance of the security culture for SMEs, along with our proposal to introduce this concept into SMEs in a progressive and sustainable manner. The model is currently being applied in real cases, thus leading to a constant improvement in its application.




© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sánchez, L.E., Santos-Olmo, A., Fernández-Medina, E., Piattini, M. (2010). Security Culture in Small and Medium-Size Enterprise. In: Quintela Varajão, J.E., Cruz-Cunha, M.M., Putnik, G.D., Trigo, A. (eds) ENTERprise Information Systems. CENTERIS 2010. Communications in Computer and Information Science, vol 110. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16419-4_32


  • DOI: https://doi.org/10.1007/978-3-642-16419-4_32

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-16418-7

  • Online ISBN: 978-3-642-16419-4

  • eBook Packages: Computer Science, Computer Science (R0)
