Abstract

In the modern information economy, the security of information is critically important to organizations. Information‐security risk assessments (ISRAs) allow organizations to identify key information assets and security risks so security expenditure can be directed cost‐effectively. Unfortunately conducting ISRAs requires special expertise and tends to be complex and costly for small to medium sized organizations (SMEs). Therefore, it remains unclear in practice, and unknown in literature, how SMEs address information security imperatives without the benefit of an ISRA process. This research makes a contribution to theory in security management by identifying the factors that influence key decision‐ makers in SMEs to address information security risks. The study has identified three key motivating factors from a series of case studies. Firstly, the need for sufficient information security to maintain reputation with external clients whilst conforming to the level of information security practices typical in industry culture. Secondly, (mis)perceptions of the existing state of information security and level of exposure to security threats in the organization. Thirdly, the perceived need to focus on higher corporate business priorities rather than on information security.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.