Investigating the Security Divide between SME and Large Companies: How SME Characteristics Influence Organizational IT Security Investments

Information Systems Frontiers

Abstract

Lagging IT security investments in small and medium-sized enterprises (SME) point towards a security divide between SME and large enterprises, yet our structured literature review shows that organizational IT security research has largely neglected the SME context. In an effort to expose reasons for this divide, we build on extant research to conceptualize SME-specific characteristics in a framework and suggest propositions regarding their influence on IT security investments. Based on 25 expert interviews, emerging constraints are investigated and validated. Our findings imply that several widely held assumptions in extant IT security literature should be modified if researchers claim generalizability of their results in an SME context. Exemplary assumptions include the presence of a skilled workforce, documented processes, or IT budget planning, which are often un(der)developed in SME. Additionally, our study offers context-specific insights regarding particular effects of identified constraints on IT security investments for all involved stakeholders (researchers, SME, large enterprises, governments).

References

  • Agell, J. (2004). Why are small firms different? Managers’ views. Scandinavian Journal of Economics, 106(3), 437–453.

  • AIS (2016). Senior Scholars' Basket of Journals. Association for Information Systems (AIS). https://aisnet.org/?SeniorScholarBasket. Accessed 20 January 2019.

  • Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179–211.

  • Albrechtsen, E. (2007). A qualitative study of Users' view on information security. Computers & Security, 26(4), 276–289.

  • Alvesson, M., & Sandberg, J. (2011). Generating research questions through Problematization. Academy of Management Review, 36(2), 247–271.

  • Angst, C. M., Block, E. S., D'Arcy, J., & Kelley, K. (2017). When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly, 41(3), 893–916.

  • Arendt, L. (2008). Barriers to ICT adoption in SMEs: How to bridge the digital divide? Journal of Systems and Information Technology, 10(2), 93–108.

  • Auerbach, C., & Silverstein, L. B. (2003). Qualitative Data: An Introduction to Coding and Analysis. New York University Press.

  • Ballantine, J., Levy, M., & Powell, P. (1998). Evaluating information Systems in Small and Medium-sized Enterprises: Issues and evidence. European Journal of Information Systems, 7(4), 241–251.

  • Barrett, B. (2019). Hack Brief: An Astonishing 773 Million Records Exposed in Monster Breach. https://www.wired.com/story/collection-one-breach-email-accounts-passwords/. Accessed 20 January 2019.

  • Barton, K. A., Tejay, G., Lane, M., & Terrell, S. (2016). Information system security commitment: A study of external influences on senior management. Computers & Security, 59, 9–25.

  • Baskerville, R. (1991). Risk analysis: An interpretative feasibility tool in justifying information systems security. European Journal of Information Systems, 1(2), 121–130.

  • Bassellier, G., Reich, B. H., & Benbasat, I. (2001). Information technology competence of business managers: A definition and research model. Journal of Management Information Systems, 17(4), 159–182.

  • Bazeley, P. (2003). Computerized data analysis for mixed methods research. In A. Tashakkori & C. Teddlie (Eds.), Handbook of mixed methods in Social & Behavioral Research (pp. 385–422). Thousand Oaks: Sage.

  • Beck, T., & Demirguc-Kunt, A. (2006). Small and medium-size enterprises: Access to finance as a growth constraint. Journal of Banking & Finance, 30(11), 2931–2943.

  • Benbasat, I., Goldstein, D. K., & Mead, M. (1987). The case research strategy in studies of information systems. MIS Quarterly, 11(3), 369–386.

  • Benbasat, I., & Zmud, R. W. (1999). Empirical research in information systems: The practice of relevance. MIS Quarterly, 23(1), 3–16.

  • Bennett, R., & Robson, P. J. A. (2004). The role of trust and contract in the supply of business advice. Cambridge Journal of Economics, 28(4), 471–489.

  • Bharati, P., & Chaudhury, A. (2009). SMEs and Competitiveness: The Role of Information Systems. Management Science and Information Systems Faculty Publication Series, 15, i-ix.

  • Birley, S. (1982). Corporate strategy and the small firm. Journal of General Management, 8(2), 82–86.

  • Bogdan, R. C., & Biklen, S. K. (2007). Qualitative research for education: An introduction to theories and methods (Vol. 5). Boston: Pearson Education.

  • Boyes, J., & Irani, Z. (2003). Barriers and Problems Affecting Web Infrastructure Development: The Experiences of a UK Small Manufacturing Business. In Proceedings of the 9th Americas Conference on Information Systems, USA.

  • Bradshaw, A., Cragg, P., & Pulakanam, V. (2013). Do IS consultants enhance IS competences in SMEs? Electronic Journal of Information Systems Evaluation, 16(1), 1–23.

  • Buckley, P. J. (1997). International technology transfer by small and medium-sized enterprises. Small Business Economics, 9(1), 67–78.

  • Business Week (1990). Is Research in the Ivory Tower 'Fuzzy, Irrelevant, Pretentious'?, pp. 62–66.

  • Caldeira, M. M., & Ward, J. M. (2003). Using resource-based theory to interpret the successful adoption and use of information systems and Technology in Manufacturing Small and Medium-sized Enterprises. European Journal of Information Systems, 12(2), 127–141.

  • Carbo-Valverde, S., Rodriguez-Fernandez, F., & Udell, G. F. (2007). Bank market power and SME financing constraints. Review of Finance, 13(2), 309–340.

  • Casterella, J. R., Francis, J. R., Lewis, B. L., & Walker, P. L. (2004). Auditor industry specialization, client bargaining power, and audit pricing. Auditing: A Journal of Practice & Theory, 23(1), 123–140.

  • Cavusoglu, H., Raghunathan, S., & Yue, W. T. (2008). Decision-theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems, 25(2), 281–304.

  • Chang, K. C., & Wang, C. P. (2011). Information systems resources and information security. Information Systems Frontiers, 13(4), 579–593.

  • Chell, E., Haworth, J. M., & Brearley, S. A. (1991). The entrepreneurial personality. Concepts, cases, and categories (Vol. 1, Routledge small business series). London: Routledge.

  • Chen, H., Lee, M., & Wilson, N. (2007). Resource Constraints Related to Emerging Integration Technologies Adoption: The Case of Small and Medium-Sized Enterprises. In Proceedings of the 13th Americas Conference on Information Systems, Keystone, Colorado.

  • Chen, P., Kataria, G., & Krishnan, R. (2011). Correlated failures, diversification, and information security risk management. MIS Quarterly, 35(2), 397–A393.

  • Cisco (2018). Small and Mighty - How Small and Midmarket Businesses Can Fortify Their Defenses Against Today’s Threats. https://www.cisco.com/c/dam/en/us/products/collateral/security/small-mighty-threat.pdf. Accessed 20 February.

  • Coden, M., Madnick, S., Pentland, A., & Yousuf, S. (2016). How to Prepare for the Cyberattack that is Coming to your Company. https://www.cio.com/article/3185725/security/9-biggest-information-security-threats-through-2019.html. Accessed 20 February 2019.

  • Cooper, H. M. (1988). Organizing knowledge syntheses: A taxonomy of literature reviews. Knowledge in Society, 1(1), 104–126.

  • Cragg, P., Caldeira, M., & Ward, J. (2011). Organizational information systems competences in small and medium-sized enterprises. Information & Management, 48(8), 353–363.

  • Cragg, P., Mills, A., & Suraweera, T. (2013). The influence of IT management sophistication and IT support on IT success in small and medium-sized enterprises. Journal of Small Business Management, 51(4), 617–636.

  • Creswell, J. W. (1998). Qualitative inquiry and research design: Choosing among five traditions. London: Sage.

  • Dhillon, G., & Backhouse, J. (2001). Current directions in IS security research. Towards socio-organizational perspectives. Information Systems Journal, 11(2), 127–153.

  • Dhillon, G., & Torkzadeh, G. (2006). Value-focused assessment of information system security in organizations. Information Systems Journal, 16(3), 293–314.

  • Dholakia, R. R., & Kshetri, N. (2004). Factors impacting the adoption of the internet among SMEs. Small Business Economics, 23(4), 311–322.

  • Dojkovski, S., Lichtenstein, S., & Warren, M. J. (2007). Fostering Information Security Culture in Small and Medium Size Enterprises: An Interpretive Study in Australia. In Proceedings of the 15th European Conference on Information Systems, St Gallen, Switzerland.

  • Drechsler, A., & Weißschädel, S. (2018). An IT strategy development framework for small and medium enterprises. Information Systems and e-Business Management, 16(1), 93–124.

  • Dutta, S., & Evrard, P. (1999). Information technology and organisation within European small enterprises. European Management Journal, 17(3), 239–251.

  • Dwivedi, Y. K., Rana, N. P., Jeyaraj, A., Clement, M., & Williams, M. D. (2017). Re-examining the Unified Theory of Acceptance and Use of Technology (UTAUT): Towards a Revised Theoretical Model. Information Systems Frontiers, 1–16.

  • European Commission (2003). Commission Recommendation of 6 May 2003 Concerning the Definition of Micro, Small and Medium-sized Enterprises (Notified under Document Number C(2003) 1422). In European Commission (Ed.): Official Journal of the European Union 46 (L 124).

  • Eurostat (2015). Statistics on Small and Medium-sized Enterprises - Dependent and Independent SMEs and Large Enterprises. http://ec.europa.eu/eurostat/statistics-explained/index.php/Statistics_on_small_and_medium-sized_enterprises. Accessed 03 March 2018.

  • Feeny, D. F., & Willcocks, L. P. (1998). Core IS Capabilities for Exploiting Information Technology. Sloan Management Review (9–21).

  • Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., & Smeraldi, F. (2016). Decision support approaches for cyber security investment. Decision Support Systems, 86(3), 13–23.

  • Fischer, F. (1998). Beyond empiricism: Policy inquiry in post positivist perspective. Policy Studies Journal, 26(1), 129–146.

  • Fishbein, M., & Ajzen, I. (1975). Belief, attitude, intention and behavior: An introduction to theory and research. Reading: Addison-Wesley.

  • Fontana, A., & Frey, J. H. (2000). The interview: From structured questions to negotiated text. In N. K. Denzin & Y. S. Lincoln (Eds.), Handbook of qualitative research (Vol. 2). Thousand Oaks: Sage.

  • Gal-Or, E., & Ghose, A. (2005). The economic incentives for sharing security information. Information Systems Research, 16(2), 186–208.

  • Goffman, E. (1959). The presentation of self in everyday life. London: Penguin.

  • Goodhue, D. L., & Straub, D. W. (1991). Security concerns of system users: A study of perceptions of the adequacy of security. Information & Management, 20(1), 13–27.

  • Gordon, L. A., Loeb, M. P., & Sohail, T. (2010). Market value of involuntary disclosures concerning information security. MIS Quarterly, 34(3), 567–594.

  • Greenberg, A. (2018). The Untold Story of NotPetya, the Most Devastating Cyberattack in History.

  • Greener, S. (2008). Business research methods. London: Ventus Publishing ApS.

  • Gregor, S. (2006). The nature of theory in information systems. MIS Quarterly, 30(3), 611–642.

  • Herath, H. S. B., & Herath, T. C. (2008). Investments in Information Security: A real options perspective with Bayesian Postaudit. Journal of Management Information Systems, 25(3), 337–375.

  • Hermanns, H. (2004). Interviewing as an activity. In U. Flick, E. von Kardoff, & I. Steinke (Eds.), A companion to qualitative research (pp. 209–213). London: Sage.

  • Howorth, C. (2001). Small firms demand for finance: A research note. International Small Business Journal, 19(4), 78–86.

  • Hsu, C. W. (2009). Frame misalignment. Interpreting the implementation of information systems security certification in an organization. European Journal of Information Systems, 18(2), 140–150.

  • Hsu, C. W., Lee, J. N., & Straub, D. W. (2012). Institutional influences on information systems security innovations. Information Systems Research, 23(3), 918–939.

  • Hu, Q., Hart, P., & Cooke, D. (2007). The role of external and internal influences on information systems security – A neo-institutional perspective. Journal of Strategic Information Systems, 16(2), 153–172.

  • Hui, K. L., Hui, W., & Yue, W. T. (2012). Information security outsourcing with system interdependency and mandatory security requirement. Journal of Management Information Systems, 29(3), 117–156.

  • Kam, H. J., Mattson, T., & Goel, S. (2019). A Cross Industry Study of Institutional Pressures on Organizational Effort to Raise Information Security Awareness. Information Systems Frontiers, 1–24.

  • Kaplan, B., & Maxwell, J. A. (1994). Evaluating health care information systems: Methods and applications. In J. G. Anderson, C. E. Ayden, & S. J. Jay (Eds.), Qualitative research methods for evaluating computer information systems. Thousand Oaks: Sage.

  • Kaspersky (2017). New Threats, New Mindset: Being Risk Ready in a World of Complex Attacks. How to Address Incident Response Challenges. https://www.kaspersky.com/blog/incident-response-report/. Accessed 12 March 2018.

  • Keller, S., Powell, A., Horstmann, B., Predmore, C., & Crawford, M. (2005). Information security threats and practices in small businesses. Information Systems Management, 22(2), 7–19.

  • Kumar, R. L., Park, S., & Subramaniam, C. (2008). Understanding the value of countermeasure portfolios in information systems security. Journal of Management Information Systems, 25(2), 241–279.

  • Kwon, J., & Johnson, M. E. (2014). Proactive versus reactive security Investments in the Healthcare Sector. MIS Quarterly, 38(2), 457–471.

  • Lee, C. H., Geng, X., & Raghunathan, S. (2013). Contracting information security in the presence of double moral Hazard. Information Systems Research, 24(2), 295–311.

  • Lee, Y., & Larsen, K. R. (2009). Threat or coping appraisal: Determinants of SMB Executives' decision to adopt anti-malware software. European Journal of Information Systems, 18(2), 177–187.

  • Lowry, P. B., Moody, G. D., Gaskin, J., Galletta, D. F., Humphreys, S. L., Barlow, J. B., et al. (2013). Evaluation journal quality and the Association for Information Systems Senior Scholars' journal basket via bibliometric measures: Do expert journal assessments add value? MIS Quarterly, 37(4), 993–1012.

  • MacGregor, R. C. (2003). Strategic Alliance and perceived barriers to electronic commerce adoption in SMEs. Journal of Systems and Information Technology, 7(1), 27–47.

  • MacGregor, R. C., & Vrazalic, L. (2005). A basic model of electronic commerce adoption barriers: A study of regional small businesses in Sweden and Australia. Journal of Small Business and Enterprise Development, 12(4), 510–527.

  • Marshall, B., Cardon, P., Poddar, A., & Fontenot, R. (2013). Does sample size matter in qualitative research? A review of qualitative interviews in IS research. Journal of Computer Information Systems, 54(1), 11–22.

  • Mayadunne, S., & Park, S. (2016). An economic model to evaluate information security Investment of Risk-taking Small and Medium Enterprises. International Journal of Production Economics, 182, 519–530.

  • Melville, N., Kraemer, K., & Gurbaxani, V. (2004). Information technology and organizational performance: An integrative model of IT business value. MIS Quarterly, 28(2), 283–322.

  • Miles, M. B., & Huberman, A. M. (1994). Qualitative data analysis: An expanded sourcebook. Beverly Hills: Sage.

  • Miles, M. B., Huberman, A. M., & Saldana, J. (2013). Qualitative data analysis. A methods sourcebook (Vol. 3). Los Angeles: Sage.

  • Mintzberg, H. (1989). The Structuring of Organizations. In: Readings in Strategic Management (pp. 322–352). London: Palgrave.

  • Moore, S., & Keen, E. (2018). Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019: Detection, Response and Privacy Driving Demand for Security Products and Services. In Gartner (Ed.). https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019. Accessed 29 January 2019.

  • Morse, J. M. (1994). Designing funded qualitative research. Thousand Oaks: Sage.

  • Muehe, S., & Drechsler, A. (2017). Towards a framework to improve IT security and IT risk Management in Small and Medium Enterprises. International Journal of Systems and Society, 3(2), 44–56.

  • Ng, B. Y., & Feng, A. E. (2006). An Exploratory Study on Managerial Security Concerns in Technology Start-ups. Proceedings of Pacific Asia Conference on Information Systems, Chiayi, Taiwan.

  • OECD. (1997). Small businesses, job creation and growth: Facts, obstacles and best practices. Paris: OECD Publishing.

  • OECD. (2005). Glossary of statistical terms - small and medium-sized enterprises (SMEs). Paris: OECD Publishing.

  • OECD. (2016). Financing SMEs and entrepreneurs: An OECD scoreboard. Definition of SMEs in China. Paris: OECD Publishing.

  • OECD. (2017). Small, medium, strong. Trends in SME performance and business conditions. Paris: OECD Publishing.

  • Paré, G., Trudel, M. C., Jaana, M., & Kitsiou, S. (2015). Synthesizing information systems knowledge: A typology of literature reviews. Information & Management, 52(2), 183–199.

  • Piscitello, L., & Sgobbi, F. (2004). Globalisation, E-business and SMEs: Evidence from the Italian District of Prato. Small Business Economics, 22(5), 333–347.

  • Riemenschneider, C. K., Harrison, D. A., & Mykytyn Jr., P. P. (2003). Understanding IT adoption decisions in small business: Integrating current theories. Information & Management, 40(4), 269–285.

  • Rivard, S. (2014). Editor's comments: The ions of theory construction. MIS Quarterly, 38(2), iii–xiv.

  • Rogers, R. (1983). Cognitive and physiological processes in fear-based attitude change: A revised theory of protection motivation. In C. J & R. Petty (Eds.), Social psychophysiology: A sourcebook (pp. 153–176). New York: Guilford Press.

  • Saldaña, J. (2009). The coding manual for qualitative researchers. London: Sage.

  • Sarker, S., Xiao, X., & Beaulieu, T. (2013). Qualitative studies in information systems: A critical review and some guiding principles. MIS Quarterly, 37(4), iii–xviii.

  • Sen, R., & Borle, S. (2015). Estimating the contextual risk of data breach: An empirical approach. Journal of Management Information Systems, 32(2), 314–341.

  • Siponen, M. (2005). An analysis of the traditional IS security approaches: Implications for research and practice. European Journal of Information Systems, 14(3), 303–315.

  • Sonnenschein, R., Loske, A., & Buxmann, P. (2017). The Role of Top Managers’ IT Security Awareness in Organizational IT Security Management. In Proceedings of the 38th International Conference on Information Systems, Seoul, South Korea.

  • Spears, J. L., & Barki, H. (2010). User participation in information systems security risk management. MIS Quarterly, 34(3), 503–522.

  • Stockdale, R., & Standing, C. (2006). A classification model to support SME E-commerce adoption initiatives. Journal of Small Business and Enterprise Development, 13(3), 381–394.

  • Straub, D. W. (1990). Effective IS security: An empirical study. Information Systems Research, 1(3), 255–276.

  • Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: Security planning models for management decision making. MIS Quarterly, 22(4), 441–469.

  • Sun, L., Srivastava, R. P., & Mock, T. J. (2006). An information systems security risk assessment model under the Dempster-Shafer theory of belief functions. Journal of Management Information Systems, 22(4), 109–142.

  • Teo, T. L., Chan, C., & Parker, C. (2004). Factors Affecting e-Commerce Adoption by SMEs: A Meta-Analysis. In Proceedings of the Australasian Conference on Information Systems, Hobart, Australia.

  • Thong, J. Y. L. (1999). An integrated model of information systems adoption in small businesses. Journal of Management Information Systems, 15(4), 187–214.

  • Thong, J. Y. L. (2001). Resource constraints and information systems implementation in Singaporean small businesses. The International Journal of Management Science, 29(2), 143–156.

  • Thong, J. Y. L., & Yap, C. S. (1995). CEO characteristics, organizational characteristics and information technology adoption in small businesses. Omega International Journal of Management Science, 23(4), 429–442.

  • United Nations (2008). International Standard Industrial Classification of All Economic Activities, Rev.4. In United Nations Division (Ed.). New York.

  • United States Business Administration (2018). US Small Business Profile. Office of Advocacy. https://www.sba.gov/sites/default/files/advocacy/2018-Small-Business-Profiles-US.pdf. Accessed 8 January 2019.

  • USITC (2010). Small and Medium-sized Enterprises: Overview of Participation in U.S. Exports. Investigation No. 332–508 (Vol. 4125). Washington: USITC Publication.

  • Verhees, F. J., & Meulenberg, M. T. (2004). Market orientation, innovativeness, product innovation, and performance in small firms. Journal of Small Business Management, 42(2), 134–154.

  • vom Brocke, J., Simons, A., Niehaves, B., Riemer, K., Plattfaut, R., & Cleven, A. (2009). Reconstructing the Giant: On the Importance of Rigour in Documenting the Literature Search Process. In Proceedings of the 17th European Conference on Information Systems, Vienna, Austria.

  • Wang, J., Chaudhury, A., & Rao, H. R. (2008). A value-at-risk approach to information security investment. Information Systems Research, 19(1), 106–120.

  • Wang, T., Kannan, K. N., & Rees Ulmer, J. (2013). The association between the disclosure and the realization of information security risk factors. Information Systems Research, 24(2), 201–218.

  • Webster, J., & Watson, R. T. (2002). Analyzing the past to prepare for the future: Writing a literature review. MIS Quarterly, 26(2), xiii–xxiii.

  • Weishäupl, E., Yasasin, E., & Schryen, G. A. (2015). Multi-theoretical literature review on information security investments using the resource-based view and the organizational learning theory. In Proceedings of the 36th International Conference on Information Systems, Fort Worth, USA.

  • Welsh, J. A., & White, J. F. (1981). A small business is not a little big business. Harvard Business Review, 59(4), 18–32.

  • West, G. M. (1975). MIS in small companies. Journal of Systems Management, 26(4), 10–13.

  • Wielicki, T., & Arendt, L. (2010). A knowledge-driven shift in perception of ICT implementation barriers: Comparative study of US and European SMEs. Journal of Information Science, 36(2), 162–174.

  • Wolcott, H. F. (1994). Transforming qualitative data: Description, analysis, and interpretation. Thousand Oaks: Sage.

  • Wolff, J. (2016). Perverse effects in defense of computer systems. When more is less. Journal of Management Information Systems, 33(2), 597–620.

  • World Economic Forum (2019). The Global Risks Report 2019. http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf. Accessed 14 February 2019.

  • WTO (2016). World Trade Report 2016 - Levelling the Trading Field for SMEs. Geneva: WTO Publications. https://www.wto.org/english/res_e/booksp_e/world_trade_report16_e.pdf. Accessed 20 January 2019.

  • Yang, C. G., & Lee, H. J. (2016). A study on the antecedents of healthcare information protection intention. Information Systems Frontiers, 18(2), 253–263.

  • Yildirim, E., Akalp, G., Aytac, S., & Bayram, N. (2011). Factors influencing information security Management in Small-and Medium-sized Enterprises: A case study from Turkey. International Journal of Information Management, 31(4), 360–365.

  • Yue, W. T., & Cakanyildirim, M. (2007). Intrusion prevention in information systems: Reactive and proactive responses. Journal of Management Information Systems, 24(1), 329–353.

  • ZDNet (2015). The Target Breach, Two Years Later. https://www.zdnet.com/article/the-target-breach-two-years-later/. Accessed 24 February 2019.

  • Zhao, X., Xue, L., & Whinston, A. B. (2013). Managing interdependent information security risks. Cyberinsurance, managed security services, and risk pooling arrangements. Journal of Management Information Systems, 30(1), 123–152.

  • Zurich (2017). As Many as 875,000 UK SMEs Suffer Cyber Security Breach in the last 12 Months. https://www.zurich.co.uk/en/about-us/media-centre/general-insurance-news/2017/as-many-as-875000-uk-smes-suffer-cyber-security-breach-in-the-last-12-months. Accessed 3 April 2018.

Acknowledgements

An earlier version of this article was presented at the International Conference of Information Systems (ICIS) 2018 and appeared in the subsequent proceedings of ICIS 2018 under the title “The Influence of SME Constraints on Organizational IT Security”.

Author information

Corresponding author

Correspondence to Margareta Heidt.

Appendix

Table 2 Overview of the literature search process based on Vom Brocke et al. 2009
Table 3 Overview of organizational IT security studies in the Senior Scholars’ Basket of Journals (SenS-8)
Table 4 Interview Questions

Cite this article

Heidt, M., Gerlach, J.P. & Buxmann, P. Investigating the Security Divide between SME and Large Companies: How SME Characteristics Influence Organizational IT Security Investments. Inf Syst Front 21, 1285–1305 (2019). https://doi.org/10.1007/s10796-019-09959-1

  • DOI: https://doi.org/10.1007/s10796-019-09959-1
