An Integrative Study of Information Systems Security Effectiveness in SMEs


Organizations are increasingly relying on information systems (IS) to enhance business operations, facilitate management decision-making, and deploy business strategies. The dependence has increased in current business environments, where a variety of transactions involving trading of goods and services are accomplished electronically. As organizations become increasingly dependent on IS for strategic advantage and operations, the issue of IS security also becomes increasingly important. Increased organizational dependence on IS has led to a corresponding increase in the impact of IS security abuses. While such a trend would suggest IS security as a key management issue, this has not been the case in practice.

 

In the interconnected electronic business environment of today, security concerns are paramount. Management must invest in IS security to prevent abuses that can lead to competitive disadvantage. Using the literature on security practices and organizational factors, this study develops an integrative model of IS security effectiveness and empirically tests the model. The data was collected through a survey of IS managers from various sectors of the economy. SMEs were found to engage in fewer deterrent efforts compared to larger organizations. Organizations with stronger top management support were found to engage in more preventive efforts than organizations with weaker support from higher management. Financial organizations were found to undertake more deterrent efforts and have stiffer deterrent severity than organizations in other sectors. Moreover, greater deterrent efforts and preventive measures were found to lead to enhanced IS security effectiveness (Kankanhalli A., et al., 2009).

 

Risk analysis is the predominant technique used by information security professionals to establish the feasibility of information systems controls. Yet it fails an essential test of scientific method: it lacks statistical rigour and is subject to social misuse. Adoption of alternatives from other disciplines, however, proves even more implausible. Indeed, even improved rigour in risk analysis may limit its usefulness. Perhaps risk analysis is misconceived: its ostensible value as a predictive technique is less relevant than its value as an effective communications link between the security and management professionals who must make decisions concerning capital investments in information systems security (Baskerville R., 1991).

 

REFERENCES:

Baskerville R., (1991). Risk analysis: an interpretive feasibility tool in justifying information systems security. European Journal of Information Systems (1991) 1, 121–130. doi:10.1057/ejis.1991.20. Retrieved on 28 February 2014 from <http://www.palgravejournals.com/ejis/journal/v1/n2/abs/ejis199120a.html>

Kankanhalli A., Hock-Hai T., Bernard C.Y., Kwok-Kee W., (2009). An Integrative Study of Information Systems Security Effectiveness. International Journal of Information Management. Retrieved on 28 February 2014 from http://www.researchgate.net/profile/Hock_Teo publication/222417677_An_integrative_study_of_information_systems_security_effectiveness/file e0b495265c7016604b.pdf
