Challenges in fostering an information security culture in Australian small and medium sized enterprises

Sneza Dojkovski, Sharman Lichtenstein and Matthew J. Warren
School of Information Systems, Deakin University, Australia
sneza.dojkovski@deakin.edu.au, sharman.lichtenstein@deakin.edu.au, matthew.warren@deakin.edu.au

Abstract

In light of significant employee-based information security risks, Australian critical infrastructure will be better protected by an increased presence of information security culture in organisations of all sizes. This paper identifies key challenges to be addressed by Australian governments and business owners when attempting to foster an information security culture in Australian small and medium sized enterprises (SMEs). The paper reports findings from a focus group of Australian information technology consultants. Key findings indicate that SME owners lack sufficient awareness of the importance of information security and must be persuaded to invest in it; an initial risk analysis may be useful for this purpose. Other findings suggest that management commitment and leadership are important influences when reinforced by formal policies and procedures and by a range of formal and informal security awareness activities. The paper highlights the special challenges of the Australian environment, where the traditional laissez-faire national character presents unique difficulties that strongly suggest the need for a national SME information security awareness campaign.
