A model for the alignment of information security requirements within South African small, medium and micro enterprises

Small, medium and micro enterprises (SMMEs) are reported to be the hope of the economy in many developing countries, such as South Africa (SA). The unique characteristics of SMMEs such as their ability to evolve rapidly, and to employ larger labour forces as they grow, make these enterprises valuable to the SA economy, in which poverty and unemployment rates are alarmingly high. Like most modern enterprises, SA SMMEs make use of information and communication technology (ICT) systems - as a vehicle to store, transmit and process information, which is an asset that is critical to their business operations. Thus, the vulnerabilities of these ICT systems need to be addressed, in order to protect the information assets of enterprises. However, SMMEs are known to only implement measures to protect their information assets on an ad hoc basis and frequently as reactive measures to information security incidents. This can be attributed to the fact that most of these enterprises lack the ability to establish their unique information security requirements. Information security requirements are a measure of the level of security needed to adequately protect the information assets of an enterprise. Furthermore, it is reported that information security best practices and standards, which provide guidance on information security, are too complex for SA SMMEs to implement and for SMMEs to use for establishing their unique information security requirements