Structure and Challenges of a Security Policy on Small and Medium Enterprises

  • Almeida, Fernando (Faculty of Engineering of Oporto University, INESC TEC & ISPGaya)
  • Carvalho, Ines (School of Computer Science and Engineering, Higher Institute of Gaya, ISPGaya)
  • Cruz, Fabio (School of Computer Science and Engineering, Higher Institute of Gaya, ISPGaya)
  • Received : 2017.05.29
  • Accepted : 2017.09.08
  • Published : 2018.02.28

Abstract

Information Technology (IT) plays an increasingly important role for small and medium-sized enterprises. It has become fundamental for these companies to protect information and IT assets against the risks and threats that have grown in recent years. This study aims to understand the importance and structure of an information security policy, using a quantitative study that identifies the most important and least relevant elements of an information security policy document. The findings reveal that the three most important elements in the structure of a security policy are asset management, security risk management and the definition of the policy's scope. On the other hand, the three least relevant elements are the executive summary, contacts and manual inspection. Additionally, the study reveals that the importance given to each element of the security policy varies slightly across sectors of activity. The elements that show the greatest variability are the review process, executive summary and penalties, whereas the purpose of the policy and asset management have a stable importance across all sectors of activity.

Keywords
