http://dx.doi.org/10.3837/tiis.2018.02.012

Structure and Challenges of a Security Policy on Small and Medium Enterprises  

Almeida, Fernando (Faculty of Engineering of Oporto University, INESC TEC & ISPGaya)
Carvalho, Ines (School of Computer Science and Engineering, Higher Institute of Gaya, ISPGaya)
Cruz, Fabio (School of Computer Science and Engineering, Higher Institute of Gaya, ISPGaya)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.12, no.2, 2018, pp. 747-763
Abstract
Information Technology (IT) plays an increasingly important role for small and medium-sized enterprises. It has become fundamental for these companies to protect their information and IT assets against risks and threats that have grown in recent years. This study aims to understand the importance and structure of an information security policy, using a quantitative study that identifies the most important and the least relevant elements of an information security policy document. The findings reveal that the three most important elements in the structure of a security policy are asset management, security risk management, and the definition of the scope of the policy. On the other hand, the three least relevant elements are the executive summary, contacts, and manual inspection. Additionally, the study reveals that the importance given to each element of the security policy varies slightly across sectors of activity. The elements that show the greatest variability are the review process, the executive summary, and penalties. On the other hand, the purpose of the policy and asset management are rated with stable importance across all sectors of activity.
Keywords
security policy; SMEs; privacy; information assets; risk management;