Managing Information Security in Small and Medium Sized Enterprises: A Holistic Approach

  • Anas Tawileh
  • Jeremy Hilton
  • Stephen McIntosh


Small to medium sized enterprises (SMEs) constitute a major part of the global economic activity. Due to the distinct characteristics of these enterprises, approaches to information security management that were mainly developed for larger organisations can not be feasibly applied in the context of SMEs. In this paper, we present some of the challenges impeding the implementation of information security management in SMEs. We propose a holistic approach based on Soft Systems Methodology to facilitate the development of security management systems within SMEs. The new approach acknowledges the limitations faced by SMEs and accounts for the systemic nature of the information security problem. We demonstrate the usefulness of our approach through a practical case study. The paper concludes with a brief summary of the findings and presents directions for future work.


Information System Information Security Holistic Approach Security Threat Medium Size Enterprise 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [ABS03]
    ABS, (2003). 8129.0 Business Use of Information Technology (2001–02). Canberra: Australian Bu-reau of Statistics.Google Scholar
  2. [Ande0l]
    R. J. Anderson (2001). Why Information Security is Hard-An Economic Perspective, in Proceedings of the Seventeenth Computer Security Applications Conference, IEEE Computer Society Press (2001), pp 358–365.Google Scholar
  3. [Ande06]
    C. Anderson, 2006. The Long Tail: How Endless Choice is Creating Unlimited Demand. Random House Business Books, London, UK.Google Scholar
  4. [AsCH03]
    G. Ashish, J. Curtis & H. Halper (2003), “Quantifying the financial impact of IT security breaches,” Information Management & Computer Security, 11/2, 74–83.Google Scholar
  5. [CaMR04]
    H. Cavusoglu, B. Mishra, and S. Raghunathan (2004), The effect of internet security breach announce-ments on market value: Capi-tal market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9:69–104.Google Scholar
  6. [ChCZ04]
    Y. Chen, P. Chong & B. Zhang (2004), Cyber security management and e-government, Electronic Government, an International Journal 2004, Vol.1, No.3, pp. 316–327.Google Scholar
  7. [Chec99]
    Checkland, P. ( 1999) Systems Thinking, Systems Practice. Wiley, West Sussex, UK.Google Scholar
  8. [Cram07]
    CRAMM Risk Management Toolkit,, accessed April 02, 2007..Google Scholar
  9. [Dti05]
    Department of Trade and Industry (dti), (2005). SME Statistics UK 2005: Statistical Press Release. accessed March 25, 2007.Google Scholar
  10. [eComOO]
    eCom-Adviser, (2000). SMEs: Australia’s Business Backbone [Internet Web Site]. eCom-Adviser., accessed March 25, 2007.Google Scholar
  11. [EuCo03]
    The European Commission, (2003). Observatory of European SMEs: SMEs in Europe 2003. http:// ac-cessed March 25, 2007.Google Scholar
  12. [HoHD02]
    A. Householder, K. Houle and C. Dougherty (2002), Computer attack trends challenge Internet secu-rity, IEEE Computer, Vol.35, No.4 (2002)5–7.Google Scholar
  13. [Iso05]
    ISO17799 Information technology — Security techniques — Code of practice for information security management, accessed April 02, 2007.Google Scholar
  14. [Jame96]
    H. L. James (1996), Managing information systems security: a soft approach. Proceedings of the Infor-mation Systems Conference of New Zealand. IEEE Society Press.Google Scholar
  15. [LaEl00]
    L. Labuschagne& J. H. P. Eloff (2000). Electronic Commerce: The Information-Security Challenge, Information Management & Computer Security, Vol. 8, No. 3:154–157.CrossRefGoogle Scholar
  16. [Lamp00]
    B. W. Lampson, (2000). Computer Security in the Real World. In Proceedings of the Annual Computer Security Applications Conference.Google Scholar
  17. [PaPo00]
    A. Papazafeiropoulou & A. Pouloudi (2000), The Government’s Role in Improving Electronic Com-merce Adoption. In H.R. Hansen et al., (Eds.) Proceedings of the European Conference on Information Systems 2000 vol. 1, (pp. 709–716). July 3–5. Vienna, Austria.Google Scholar
  18. [SBAo03]
    SBA Office of Advocacy, (2003). State Small Business Profile: UNITED STATES, advo/stats/profiles/03us.pdf accessed March 25, 2007.Google Scholar
  19. [TI3P03] The Institute for Information Infrastructure Protection (The I3P) (2003), Cyber Security Research and Development Agenda.Google Scholar
  20. [YeBU03]
    V Yegneswaran, P. Barford, & J. Ull-rich (2003), Internet intrusions: global characteristics and preva-lence. InProc. ACMSIGMETRICS’ 03, pages 138–147.Google Scholar

Copyright information

© Friedr. Vieweg & Sohn Verlag | GWV Fachverlage GmbH, Wiesbaden 2007

Authors and Affiliations

  • Anas Tawileh
    • 1
  • Jeremy Hilton
    • 1
  • Stephen McIntosh
    • 1
  1. 1.School of Computer ScienceCardiff UniversityCardiffUK

Personalised recommendations