In 2014, we launched our open-access repository which offers full text access to conference proceedings from many of our events including the INC and HAISA series. These papers are free to access and distribute (subject to citing the source).
Tenth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2016)
Title: Information Security Management in SMEs: Beyond the IT Challenges
Author(s): Moufida Sadok, Peter Bednar
Reference: pp209-219
Keywords: Information security, SME, Socio-technical analysis, User engagement, Security practices, Security awareness
Abstract: In this paper we report some results of a survey of 33 Small and Medium-sized Enterprises (SMEs) in the UK on how they approach information security risks and what human and organisational issues arise from their risk-management practices. All of the interviewed employees handle sensitive data as part of their jobs, but without necessarily having the most knowledge of, or responsibility for, information security. The qualitative approach was chosen because it offers deeper insight than other methods into the gaps in security practices and how to close them, since ordinary employees are the ones who must apply security controls and measures in their own work practices. Our findings show that while there is wide agreement about the importance of security and its potential impact on company performance, the understanding of security tends to take a technology-oriented perspective. The actual work practices and routines of most employees were, however, ignored or not intertwined with security management efforts. Deficiencies were identified in preventive mechanisms, in incident reporting and management, and in the risk analysis process. Beyond the IT challenges, SMEs will need to put in place more efficient training and awareness programmes and organisational processes in order to develop more resilient security capabilities. Our conclusion is that practitioners with operational knowledge need to be much more involved in risk management and in the definition of security policy.
Download count: 4759
How to get this paper:
A PDF copy of this paper is free to download. You may distribute this copy provided you cite this page as the source.