Abstract
The information society depends increasingly on Information Security Management Systems (ISMSs), and these systems have become vital to SMEs. However, ISMSs must be adapted to the specific characteristics of SMEs, and they must be optimised with respect to the resources needed to install and maintain them. Furthermore, when installing ISMSs, most models have until now been centred on technical and management aspects, while the third aspect, the institutional one, which is of particular relevance to SMEs, has been virtually ignored. In this paper we present the importance of security culture for SMEs, along with our proposal for introducing this concept into SMEs in a progressive and sustainable manner. The model is currently being applied in real cases, which leads to constant improvement in its application.
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Sánchez, L.E., Santos-Olmo, A., Fernández-Medina, E., Piattini, M. (2010). Security Culture in Small and Medium-Size Enterprise. In: Quintela Varajão, J.E., Cruz-Cunha, M.M., Putnik, G.D., Trigo, A. (eds) ENTERprise Information Systems. CENTERIS 2010. Communications in Computer and Information Science, vol 110. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16419-4_32
DOI: https://doi.org/10.1007/978-3-642-16419-4_32
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-16418-7
Online ISBN: 978-3-642-16419-4
eBook Packages: Computer Science (R0)