Article Preview
TopIntroduction
During the recent years, we have been experiencing the rapid adoption of electronic commerce (eCommerce) that connects businesses and customers around the world. On one hand, prior and ongoing researches have been focusing on improving the effectiveness and efficiency of conducting transnational businesses with new strategies and devices. On the other hand, the important role of Information Security (InfoSec) in securing online transactions and digital assets is essential due to the increase of cybercrimes. Indeed, the latest surveys by Symantec and Computer Security Institute (CSI) reveal the increasing number of cyber-threats that aim at organisations of all sizes and industries. The sophisticated attacks has damaged businesses profits directly as shown by the global average loss of $3.44 million in 2009 (Ponemon, 2010) and $5.5 million by data breach in U.S. alone in 2011 (Symantec, 2012). In addition, Canalys announces that global enterprises security investment is expected to reach a market value of $22.9 billion worldwide in 2012 (Alto, 2012). While it is outside of the scope to discuss the effectiveness of such huge investments, these figures raise questions about how small and medium businesses (SMBs) – with their limited budget and lack of experience in InfoSec management – How can they ensure adequate protection for their information assets while spending efficiently?
Prior and ongoing studies have been dedicated to evaluate optimum strategies to justify InfoSec investments through the development of InfoSec investment model and theories. Nonetheless, little effort was spent to investigate the drivers that influence managerial intention to invest in InfoSec initiatives. Managers may estimate how much budget they should allocate for InfoSec development using the well-known Gordon-Loeb model or prioritise budget for InfoSec options with ROSI formula; but the question of when it is necessary, and why, to spend on data protection remains unverified. By determining the drivers that encourage managers to invest in InfoSec initiatives, such factors can be used as metrics to indicate when is the best time to make precise strategic investments as well as how to make sound proposals of InfoSec initiatives that align well with business goals.
This research investigates the drivers of InfoSec investments in the perspectives of SMBs’ InfoSec decision-makers working in Vietnam, an emerging market in South East Asia. The aforementioned works has briefly summarised the purposes and main content of this work, the rest of the paper is in the following order. Firstly, the second section provides our literature review including the position of (1) InfoSec investment in SMBs and (2) this research with respect to prior studies forming the body of knowledge. The third section presents the conceptual and theoretical backgrounds that justify our conceptual model and methodology. The fourth section provides the details of our data analyses. The fifth section elaborates and discusses the research findings. The sixth section discloses the research project with its limitations and suggests future research directions.