Information Security Practices in Small-to-Medium Sized Businesses: A Hotspot Analysis

Kent Marett, Tim Barnett
Copyright: © 2019 | Pages: 18
DOI: 10.4018/IRMJ.2019040104

Small to medium-sized enterprises (SMEs) in North America do not always adequately address security. Based on responses from 232 SME owners and managers, the authors found that the adoption of security recommendations made by experts appears to be significantly influenced by the decisions of other local SMEs. A hot-spot analysis of information security practices suggested that local trends lead to prioritizing certain security practices and not adopting others. Follow-up interviews with business owners and Chamber of Commerce directors provided insights on how security hotspots did or did not develop. The study identified both hot spot and cold spot communities, and sought to assess how local business networking conduits like chambers of commerce help promote best security practices.

1. Introduction

Despite recent high-profile information security breaches in large firms, small-to-medium sized business enterprises (SMEs) may be more vulnerable to information security breaches than large multinational organizations and Fortune 500 companies, for a number of reasons. For example, the majority of companies with 500 or fewer employees do not have a designated security professional and they are often not required to follow the same legal security standards as their larger counterparts (Verma, 2015). SMEs also lack larger firms’ capacity to absorb losses due to such security breaches. A successful attack can often lead to insolvency for an SME (Reckard & Hsu, 2014). Further, many of the recommendations put forth by security experts are geared toward larger firms with the requisite resources and experience to adopt them (Osborn & Simpson, 2017).

Because SMEs compose a significant part of the U.S. and world economy and due to their inherent susceptibility to information security breaches, it seems particularly important that the IS research community develop greater depth of knowledge related to (1) why such firms do or don’t adopt recommended security practices and (2) what specific security practices they employ. For decades, a number of researchers (Dang-Pham, Pittayachawan, & Bruno, 2017; Dang & Nkhoma, 2017; Dhillon & Torkzadeh, 2006; Knapp, Marshall, Rainer, & Ford, 2006; Straub & Welke, 1998) have made considerable progress into learning how organizations with a relative abundance of financial resources, personnel, time, and access to expertise are able to methodically develop information security programs. Although our knowledge about the security practices of Fortune 500 businesses has accumulated at a desirable pace, the same cannot be said for our understanding of the security practices of SMEs. With the resource limitations that they have, how do SMEs learn about best practices in information security? Why do some SMEs (and not others) adopt recommended security practices? Where do they turn for help or advice?

In their conceptual exposition on institutional- and resource-based theories related to information privacy, Greenaway and Chan (2005) suggest that institutional theory (DiMaggio & Powell, 1983) offers one compelling theoretical framework that “…should be applied to privacy research within the information systems area” (p. 171). Institutional theory seeks to understand and explain homogeneity or isomorphism across organizations, which the theory posits results from their attempts “…to deal rationally with uncertainty and constraint” (DiMaggio & Powell, 1983, p. 147). According to DiMaggio and Powell, an isomorphism is “…a constraining process that forces one unit in a population to resemble other units that face the same set of environmental conditions” (p. 149). Isomorphism can result from decision-makers’ attempts to survive and thrive by adopting behaviors practiced by successful firms, but it can also result from institutional pressures exerted by social and economic forces, including other organizations that comprise a focal group or network for a given firm. These “other” organizations could be, for example, partners, suppliers, competitors within a given industry, customers, and/or those within a common geographic area (Besharov & Smith, 2014; Davis & Greve, 1997; Davis & Marquis, 2005; Pahnke, Katila, & Eisenhardt, 2015).
