4 research outputs found

    Cyber-Security Policy Decisions in Small Businesses

    Cyber-attacks against small businesses are on the rise, yet small business owners often lack effective strategies to avoid these attacks. The purpose of this qualitative multiple case study was to explore the strategies small business owners use to make cyber-security decisions. Bertalanffy's general systems theory provided the conceptual framework for this study. A purposive sample of 10 small business owners participated in the interview process and shared their decision-making methodologies and influencers. The small business owners were vetted to ensure their strategies were effective through a series of qualification questions. The intent of the research question and corresponding interview questions was to identify strategies that successful small business owners use to make cyber-security decisions. Data analysis consisted of coding keywords, phrases, and sentences from semistructured interviews as well as document analysis. The following themes emerged: government requirements, peer influence, budgetary constraints, commercial standards, and lack of employee involvement. According to the participants, budgetary constraints and peer influence were the most influential factors when making decisions regarding cyber-security strategies. Through exposing small business owners to proven strategies, the implications for social change include a reduction of their small business operating costs and assistance with compliance activities.

    ISO/IEC 27001: An empirical multi-method research

    The adoption of digital technologies, the emergence of platform-based business models, and the switch to smart working practices are increasing the number of potential entry points in firms’ networks and therefore their potential vulnerabilities. However, despite the relevance of the issue, the managerial debate on the topic is still scant and several research gaps exist. Under this premise, this doctoral thesis touches on the following aspects. First, by discussing the issue with senior executives and information security experts, it highlights the most relevant information security challenges in the context of Industry 4.0. In doing this, it also shows where current approaches fall short, and what emerging practices are gaining relevance. Second, by conducting a systematic literature review, the thesis provides a comprehensive synthesis of the academic body of knowledge on ISO/IEC 27001 (i.e., the most renowned international management standard for information security and the fourth most widespread ISO certification) and formulates a theory-based research agenda to inspire future studies at the intersection between information systems and managerial disciplines. Third, by resorting to Grey models, it investigates the current and future diffusion patterns of ISO/IEC 27001 in the six most important countries in terms of issued certificates. Fourth, by performing an event study complemented by an ordinary least squares regression on a dataset of 143 US-listed companies, the dissertation sheds light on the performance implications of ISO/IEC 27001 adoption as well as the role of some contextual factors in affecting the outcomes of the adoption. Overall, this doctoral thesis provides several contributions to both theory and practice. From a theoretical point of view, it highlights the need for managerial disciplines to start addressing information security-related aspects. Moreover, it demonstrates that investments in information security pay off also from a financial perspective. From a practical point of view, it shows the increasingly central role that ISO/IEC 27001 is likely to have in the years to come and it provides managers with evidence on the possible performance effects associated with its adoption.

    An Exploration of Wireless Networking and the Management of Associated Security Risk

    The rapid expansion of wireless information technology (IT) coupled with a dramatic increase in security breaches forces organizations to develop comprehensive strategies for managing security risks. The problem addressed was the identification of security risk management practices and human errors of IT administrators, putting the organization at risk for external security intrusion. The purpose of this non-experimental quantitative study was to investigate and determine the security risk assessment practices used by IT administrators to protect the confidentiality and integrity of the organization's information. The research questions focused on whether the security risk management practices of IT administrators met or exceeded the minimally accepted practices and standards for wireless networking. The security risk assessment and management model established the theoretical framework. The sample was 114 participants from small to medium IT organizations comprised of security engineers, managers, and end users. Data collection was via an online survey. Data analysis included both descriptive and inferential statistical methods. The results revealed that greater than 80% of participants conducted appropriate risk management and review assessments. This study underscored the need for a more comprehensive approach to managing IT security risks. IT managers can use the outcome of this study as a benchmark for evaluating their current risk assessment procedures. Experiencing security breaches in organizations may be inevitable. However, when organizations and industry leaders can greatly reduce the cost of a data breach by developing effective risk management plans that lead to better security outcomes, positive social change can be realized.

    Best Practices to Minimize Data Security Breaches for Increased Business Performance

    In the United States, businesses have reported over 2,800 data compromises of an estimated 543 million records, with security breaches costing firms approximately $7.2 million annually. Scholars and industry practitioners have indicated a significant impact of security breaches on consumers and organizations. However, there are limited data on the best practices for minimizing the impact of security breaches on organizational performance. The purpose of this qualitative multicase study was to explore best practices technology leaders use to minimize data security breaches for increased business performance. Systems theory served as the conceptual framework for this study. Fourteen participants were interviewed, including 2 technology executives and 5 technical staff, each from a banking firm in the Northcentral United States and a local government agency in the Southcentral United States. Data from semistructured interviews, in addition to security and privacy policy statements, were analyzed for methodological triangulation. Four major themes emerged: a need for implementation of security awareness education and training to mitigate insider threats, the necessity of consistent organization security policies and procedures, an organizational culture promoting data security awareness, and an organizational commitment to adopt new technologies and innovative processes. The findings may contribute to the body of knowledge regarding best practices technology leaders can use for securing organizational data and contribute to social change since secure organizational data might reduce consumer identity theft.