Abstract
Purpose - This paper presents empirical results exemplifying challenges related to information security faced by small and medium enterprises (SMEs). It uses guidelines based on work system theory (WST) to frame the results, thereby illustrating why the mere existence of corporate security policies or general security training often is insufficient for establishing and maintaining information security.
Design/methodology/approach - This research was designed to produce a better appreciation and understanding of potential issues or gaps in security practices in SMEs. The research team interviewed 187 employees of 39 SMEs in the UK. All of those employees had access to sensitive information. Gathering information through interviews (instead of formal security documentation) made it possible to assess security practices from employees’ point of view.
Findings - Corporate policies that highlight information security are often disconnected from actual work practices and routines and often do not receive high priority in everyday work practices. A vast majority of the interviewed employees are not involved in risk assessment or in the development of security practices. Security practices remain an illusory activity in their real world contexts.
Research limitations/implications - This paper focuses only on closed-ended questions related to the following topics: a) awareness of existing security policy; b) information security practices and management and c) information security involvement.
Practical implications - Our empirical findings show that corporate information security policies in SMEs often are insufficient for maintaining security unless those policies are integrated with visible and recognized work practices in work systems that use or produce sensitive information. Our interpretation based on WST provides guidelines for enhancing information system security.
Originality/value - Beyond merely reporting empirical results, this research uses WST to interpret the results in a way that has direct implications for practitioners and for researchers.
Design/methodology/approach - This research was designed to produce a better appreciation and understanding of potential issues or gaps in security practices in SMEs. The research team interviewed 187 employees of 39 SMEs in the UK. All of those employees had access to sensitive information. Gathering information through interviews (instead of formal security documentation) made it possible to assess security practices from employees’ point of view.
Findings - Corporate policies that highlight information security are often disconnected from actual work practices and routines and often do not receive high priority in everyday work practices. A vast majority of the interviewed employees are not involved in risk assessment or in the development of security practices. Security practices remain an illusory activity in their real world contexts.
Research limitations/implications - This paper focuses only on closed-ended questions related to the following topics: a) awareness of existing security policy; b) information security practices and management and c) information security involvement.
Practical implications - Our empirical findings show that corporate information security policies in SMEs often are insufficient for maintaining security unless those policies are integrated with visible and recognized work practices in work systems that use or produce sensitive information. Our interpretation based on WST provides guidelines for enhancing information system security.
Originality/value - Beyond merely reporting empirical results, this research uses WST to interpret the results in a way that has direct implications for practitioners and for researchers.
| Original language | English |
|---|---|
| Pages (from-to) | 467-483 |
| Number of pages | 17 |
| Journal | Information and Computer Security |
| Volume | 28 |
| Issue number | 3 |
| Early online date | 4 Jun 2020 |
| DOIs | |
| Publication status | Published - 1 Jul 2020 |
Keywords
- information security
- security practices
- work system theory
- socio-technical approach
- SMEs
Access to Document
- Exploring_the_disconnect_POST_PRINT
Sadok, M., Alter, S. and Bednar, P. (2020), "It is not my job: exploring the disconnect between corporate security policies and actual security practices in SMEs", Information and Computer Security, Vol. 28 No. 3, pp. 467-483. https://doi.org/10.1108/ICS-01-2019-0010. Copyright © 2020, Emerald Publishing Limited. This AAM is provided for your own personal use only. It may not be used for resale, reprinting, systematic distribution, emailing, or for any other commercial purpose without the permission of the publisher.