2008
DOI: 10.28945/996

Improving Information Security Risk Analysis Practices for Small- and Medium-Sized Enterprises: A Research Agenda

Abstract: Despite the availability of numerous methods and publications concerning the proper conduct of information security risk analyses, small and medium sized enterprises (SMEs) face serious organizational challenges managing the deployment and use of these tools and methods to assist them in selecting and implementing security safeguards to prevent IS security compromises. This paper builds a case for and then outlines a possible approach and a multi-faceted research agenda for developing an "open development" st…

Cited by 9 publications (23 citation statements)
References 10 publications (12 reference statements)
“…Research in information security indicates that small-scale organisations seldom deploy proper information security controls regardless of the availability of guidelines to this effect (Dimopoulos, Furnell & Barlow, 2003; Beachboard et al 2008). Management in small-scale organisations are prepared to invest more resources in protecting computing infrastructure without assessing the risks to their critical information (Dimopoulos et al 2003; Panda, 2009).…”
Section: Information Security (mentioning)
confidence: 99%
“…Risk management is an iterative process with well-defined steps, which when taken in sequence, supports better decision-making by contributing a greater insight into risks and their impacts (Hoo, 2000). Large organisations include their risk management plans in their security policies (Alberts & Dorofee, 2001; Beachboard et al 2008). This is different from small-scale organisations such as secondary schools that may have problems in formulating workable risk management plans and fail to implement them.…”
Section: Risk Management (mentioning)
confidence: 99%
“…Small companies and organizations expose themselves to risk in believing that their data are not of interest to cybercriminals. External attacks are beginning to occur among smaller organizations as they often have relationships or host systems with their larger counterparts, and larger organizations are more likely to have the means to provide a more advanced information security system (Beachboard et al., ; White, ). Although large organizations usually have more advanced information security measures in place, their security functions within their organizational structure often undergo frequent change (Johnson & Goetz, ).…”
Section: Introduction (mentioning)
confidence: 99%