1. Introduction
Despite recent high-profile information security breaches in large firms, small-to-medium sized business enterprises (SMEs) may be more vulnerable to information security breaches than large multinational organizations and Fortune 500 companies, for a number of reasons. For example, the majority of companies with 500 or fewer employees do not have a designated security professional and they are often not required to follow the same legal security standards as their larger counterparts (Verma, 2015). SMEs also lack larger firms’ capacity to absorb losses due to such security breaches. A successful attack can often lead to insolvency for an SME (Reckard & Hsu, 2014). Further, many of the recommendations put forth by security experts are geared toward larger firms with the requisite resources and experience to adopt them (Osborn & Simpson, 2017).
Because SMEs compose a significant part of the U.S. and world economy, and because of their inherent susceptibility to information security breaches, it seems particularly important that the IS research community develop greater depth of knowledge related to (1) why such firms do or do not adopt recommended security practices and (2) what specific security practices they employ. For decades, a number of researchers (Dang-Pham, Pittayachawan, & Bruno, 2017; Dang & Nkhoma, 2017; Dhillon & Torkzadeh, 2006; Knapp, Marshall, Rainer, & Ford, 2006; Straub & Welke, 1998) have made considerable progress toward understanding how organizations with a relative abundance of financial resources, personnel, time, and access to expertise are able to methodically develop information security programs. Although our knowledge about the security practices of Fortune 500 businesses has accumulated at a desirable pace, the same cannot be said for our understanding of the security practices of SMEs. Given their resource limitations, how do SMEs learn about best practices in information security? Why do some SMEs (and not others) adopt recommended security practices? Where do they turn for help or advice?
In their conceptual exposition on institutional- and resource-based theories related to information privacy, Greenaway and Chan (2005) suggest that institutional theory (DiMaggio & Powell, 1983) offers one compelling theoretical framework that “…should be applied to privacy research within the information systems area” (p. 171). Institutional theory seeks to understand and explain homogeneity or isomorphism across organizations, which the theory posits results from their attempts “…to deal rationally with uncertainty and constraint” (DiMaggio & Powell, 1983, p. 147). According to DiMaggio and Powell, an isomorphism is “…a constraining process that forces one unit in a population to resemble other units that face the same set of environmental conditions” (p. 149). Isomorphism can result from decision-makers’ attempts to survive and thrive by adopting behaviors practiced by successful firms, but it can also result from institutional pressures exerted by social and economic forces, including other organizations that comprise a focal group or network for a given firm. These “other” organizations could be, for example, partners, suppliers, competitors within a given industry, customers, and/or those within a common geographic area (Besharov & Smith, 2014; Davis & Greve, 1997; Davis & Marquis, 2005; Pahnke, Katila, & Eisenhardt, 2015).