We Want To Do It Our Way: The Neutralisation Approach to Managing Information Systems Security by Small Businesses

Small businesses thrive in the developing economy of South Africa and address the important issue of unemployment and poverty that exists in the country. A large number of these businesses can be found in the province of Gauteng due to the large and diverse economic contribution the province delivers to the economy of South Africa. With the increased use of Information Systems (IS) by small businesses across the Gauteng province and in South Africa generally, there is increasingly constant exposure to information security risks. Interestingly, standards such as NISTIR 7621 specifically tailored to small businesses and which could offer great insights on how to manage security risks are by and large not followed to the letter. We find in our work that owner-managers prefer to handle matters of security ‘in their own terms’ and apply neutralisation (termed rationalisation) techniques to overcome the effects posed by security threats. We used four instrumental cases for this purpose. Our findings suggest that neutralisation manifests as values held by owner-managers and this can often create the unintended consequences of exacerbating security risk to these small businesses

Information security awareness in small information technology-dependent business organisations

M.A. (Business Management)Small businesses thrive in the developing economy of South Africa and address the important issue of unemployment and poverty that exist in the country. A large number of these business organisations can be found in the province of Gauteng because of the large and diverse economic contribution the province delivers to the economy of South Africa. With the increased use of technology in the small businesses of Gauteng and South Africa, the risks around cyber-security, information security and other IT-related threats that can harm the businesses increase. As part of the related IT risks comes the information security awareness of the businesses. Research findings show that little to no information security awareness exists in the small IT-dependent business organisations of Gauteng, South Africa. New knowledge has been gained from the information technology uses and information security awareness that exists in small business organisations. This knowledge is specific to the small business organisations of South Africa which places an African context to a global debate of information security awareness