Contributing Factors of Information Security Investments in South East Asia SMBs: A Technology- Organisational -Environment Approach

Contributing Factors of Information Security Investments in South East Asia SMBs: A Technology- Organisational -Environment Approach

Mathews Z. Nkhoma (Department of Business IT & Logistics, RMIT University Vietnam, Ho Chi Minh City, Vietnam) and Duy P. T. Dang (Department of Business IT & Logistics, RMIT University Vietnam, Ho Chi Minh City, Vietnam)
Copyright: © 2013 |Pages: 15
DOI: 10.4018/jisp.2013010103


This research aims to determine the contributing factors of information security investment by developing a theory-based conceptual model using Partial Least Square techniques to analyze the data collected from 500 IT decision-makers in Vietnamese small and medium sized businesses. The findings from the conceptual model, which is based on Technology-Organization-Environment framework, suggests that the drivers of organizational intention to invest in information security include the organization’s internal information, size, perceived IT benefits and manager’s knowledge about information security. By understanding more about the contributing factors of information security investment, practitioners could focus on such factors to make rational investment decision and improve their defense against the emerging cyber-crimes. On the other hand, the authors also hope to fill in the existing gap of information security management research area in which there are few studies investigating the drivers of information security investments.
Article Preview


During the recent years, we have been experiencing the rapid adoption of electronic commerce (eCommerce) that connects businesses and customers around the world. On one hand, prior and ongoing researches have been focusing on improving the effectiveness and efficiency of conducting transnational businesses with new strategies and devices. On the other hand, the important role of Information Security (InfoSec) in securing online transactions and digital assets is essential due to the increase of cybercrimes. Indeed, the latest surveys by Symantec and Computer Security Institute (CSI) reveal the increasing number of cyber-threats that aim at organisations of all sizes and industries. The sophisticated attacks has damaged businesses profits directly as shown by the global average loss of $3.44 million in 2009 (Ponemon, 2010) and $5.5 million by data breach in U.S. alone in 2011 (Symantec, 2012). In addition, Canalys announces that global enterprises security investment is expected to reach a market value of $22.9 billion worldwide in 2012 (Alto, 2012). While it is outside of the scope to discuss the effectiveness of such huge investments, these figures raise questions about how small and medium businesses (SMBs) – with their limited budget and lack of experience in InfoSec management – How can they ensure adequate protection for their information assets while spending efficiently?

Prior and ongoing studies have been dedicated to evaluate optimum strategies to justify InfoSec investments through the development of InfoSec investment model and theories. Nonetheless, little effort was spent to investigate the drivers that influence managerial intention to invest in InfoSec initiatives. Managers may estimate how much budget they should allocate for InfoSec development using the well-known Gordon-Loeb model or prioritise budget for InfoSec options with ROSI formula; but the question of when it is necessary, and why, to spend on data protection remains unverified. By determining the drivers that encourage managers to invest in InfoSec initiatives, such factors can be used as metrics to indicate when is the best time to make precise strategic investments as well as how to make sound proposals of InfoSec initiatives that align well with business goals.

This research investigates the drivers of InfoSec investments in the perspectives of SMBs’ InfoSec decision-makers working in Vietnam, an emerging market in South East Asia. The aforementioned works has briefly summarised the purposes and main content of this work, the rest of the paper is in the following order. Firstly, the second section provides our literature review including the position of (1) InfoSec investment in SMBs and (2) this research with respect to prior studies forming the body of knowledge. The third section presents the conceptual and theoretical backgrounds that justify our conceptual model and methodology. The fourth section provides the details of our data analyses. The fifth section elaborates and discusses the research findings. The sixth section discloses the research project with its limitations and suggests future research directions.

Complete Article List

Search this Journal:
Open Access Articles
Volume 13: 4 Issues (2019): Forthcoming, Available for Pre-Order
Volume 12: 4 Issues (2018)
Volume 11: 4 Issues (2017)
Volume 10: 4 Issues (2016)
Volume 9: 4 Issues (2015)
Volume 8: 4 Issues (2014)
Volume 7: 4 Issues (2013)
Volume 6: 4 Issues (2012)
Volume 5: 4 Issues (2011)
Volume 4: 4 Issues (2010)
Volume 3: 4 Issues (2009)
Volume 2: 4 Issues (2008)
Volume 1: 4 Issues (2007)
View Complete Journal Contents Listing