It is not my job: exploring the disconnect between corporate security policies and actual security practices in SMEs

Moufida Sadok, Steven Alter, Peter Bednar

Research output: Contribution to journalArticlepeer-review

640 Downloads (Pure)


Purpose - This paper presents empirical results exemplifying challenges related to information security faced by small and medium enterprises (SMEs). It uses guidelines based on work system theory (WST) to frame the results, thereby illustrating why the mere existence of corporate security policies or general security training often is insufficient for establishing and maintaining information security.

Design/methodology/approach - This research was designed to produce a better appreciation and understanding of potential issues or gaps in security practices in SMEs. The research team interviewed 187 employees of 39 SMEs in the UK. All of those employees had access to sensitive information. Gathering information through interviews (instead of formal security documentation) made it possible to assess security practices from employees’ point of view.

Findings - Corporate policies that highlight information security are often disconnected from actual work practices and routines and often do not receive high priority in everyday work practices. A vast majority of the interviewed employees are not involved in risk assessment or in the development of security practices. Security practices remain an illusory activity in their real world contexts.

Research limitations/implications - This paper focuses only on closed-ended questions related to the following topics: a) awareness of existing security policy; b) information security practices and management and c) information security involvement.

Practical implications - Our empirical findings show that corporate information security policies in SMEs often are insufficient for maintaining security unless those policies are integrated with visible and recognized work practices in work systems that use or produce sensitive information. Our interpretation based on WST provides guidelines for enhancing information system security.

Originality/value - Beyond merely reporting empirical results, this research uses WST to interpret the results in a way that has direct implications for practitioners and for researchers.
Original languageEnglish
Pages (from-to)467-483
Number of pages17
JournalInformation and Computer Security
Issue number3
Early online date4 Jun 2020
Publication statusPublished - 1 Jul 2020


  • information security
  • security practices
  • work system theory
  • socio-technical approach
  • SMEs


Dive into the research topics of 'It is not my job: exploring the disconnect between corporate security policies and actual security practices in SMEs'. Together they form a unique fingerprint.

Cite this