Organizational Characteristics Influencing SME Information Security Maturity

Figures & data

FIGURE 1. The ISFAM Model Highlights Focus Areas per Row from Left to Right as Implemented Capabilities, Designated by Capital Letters

FIGURE 2. The Research Approach for Identifying Relevant Organizational Characteristics in Information Security for SMEs

TABLE 1. Keywords Used for the Systematic Literature Review, Combining Items within Groups 1, 2, and 3 to Construct the Actual Search Queries

Keywords
Group 1	Group 2	Group 3
Factor	Influencing	Information security
Characteristic	Impacting	Information security management
Organizational factor	Affecting	Risk management
Organizational characteristic	Effects	Information risk
Situational factor
Situational characteristic
EDP audit
IT audit
IT environment
IT complexity

TABLE 2. Key Aspects the Final List of Organizational Characteristics Should Adhere to

#	Factor
1	Nonexperts in the field of IS must be able to answer the questions with relative ease.
2	Questions must capture in a broad sense the most important characteristics, which influence the main factors.
3	The number of questions must be limited, to lower the barrier for nonprofessionals to determine their IS maturity.

TABLE 3. A Selection of OCs Overlapping with ISFAM Capabilities

Characteristic	ISFAM focus area	ISFAM capability	Capability #
Top management support [13, 24]	Information security policy development	IS policy development is supported by senior management	A2
The effective marketing of security to all employees [13, 17]	Information security policy development	The policy documents are understood by the whole organization	C2
	Risk management	Individuals in the organization are aware of the importance of risk management	A2
The degree of formalized processes and rules [29]	Information security policy development	There is a formal style for writing IS policy documents	B4
The lack of consistent risk management strategy [32]	Risk management	Risk management processes are continuously improved	D3
	Risk management	Risk management is an integral part of the decision-making process	D4
The business users knowledge and intention regarding IS security [10, 27]	Human resources security	All employees signed a document stating their roles and responsibilities to the organization	B3

TABLE 4. Overview of interviews performed with experts in IS

Expert	Experience	Company type	Field of expertise	Expertise in	No. of interviews
1	6 years	Large consultancy firm	IT Security	SMEs	2
2	10 years	Large accountancy firm	IT Security & IS/IT research	Small, medium, and large enterprises	1
3	20+ years	Large accountancy firm	IT Security Consultancy	Small, medium, and large enterprises	1
4	8 years	Large accountancy firm	IT Auditing	Small, medium, and large enterprises	1
5	6 years	Large software firm	IT development & IS/IT research	SMEs	1

TABLE 5. Shortlist with 26 unique characteristics identified in literature, and the rationale whether to retain, merge, split, or remove the characteristic based on expert interviews

#	OC	Reference	Category	Action	Rationale	Rating
1	The influence of regulations on the business	[24, 29, 32]	General	Merge	Interviewees indicate that regulation is indeed an important factor. However, they note how regulation is mostly bound to the sector the business resides in. In this case, merging with characteristics #23 would allow to check for regulatory issues after the SME has indicated the sectors it resides in.	++
2	The business is publicly traded	[8, 29]	General	Remove	Although very important for large enterprises, for smaller and medium-sized organizations, this factor is seldom relevant and therefore was suggested to be removed.	− −
3	The entity relies on IT to create financial reports	[8]	Financial	Remove	This factor is associated with a financial IT audit. Interviewees indicated its relevance, but deemed it too specific for the purpose of the ISFAM model.	0
4	The entity relies on IT to create business reports	[8]	Financial	Remove	Interviewees identify a similar specificity with this characteristic that it does not influence enough capabilities of the ISFAM model.	0
5	The businesses’ annual spend on IT		IT complexity	Retain	All interviewees agreed that this is one of the quickest and easiest methods to get an idea of the complexity of the IT environment.	++
6	The number of business users working with financial information	[8, 23]	Financial	Remove	IT auditors found this an important factor, whilst security consultants indicated it to be very specific for financial processes. The fact that the ISFAM is focused on IS in general was decisive to agree with the latter to remove it.	0
7	The number of employees supporting the IT environment	[15, 20, 32]	IT complexity	Retain	Similar to characteristic #5 interviewees indicate this to be an important factor to determine IT complexity. Especially in combination with expenditures, since both factors implicate different types of complexity.	++
8	The entity uses an enterprise resource planning (ERP) application for critical processes	[15, 29]	IT dependency	Remove	The use of ERP systems gives a good indication of the importance of IT in businesses processes. However, interviewees argued that for many SMEs, the use of large ERP applications is rare. In addition, they felt measuring the dependency on IT applications is better served by looking at the number of hours a business can run without IT (OC #14).	+
9	There are interfaces between the business’ financial processing applications	[15]	IT complexity	Remove	The experts agreed that in larger enterprises, the mending of large software applications has become standard practice; especially when dealing with financial information, this could lead to discrepancies of data creating complications for auditing work. They do also note that in smaller organizations, this is not very common; thus, this OC should be removed.	−
10	There are interfaces between the business’ critical applications and external organizations	[15]	IT complexity	Remove	Similarly to characteristic #9 interfaces with external organizations can become a serious threats to the IS. Between experts, there was no clear consensus on its removal or retaining. Though experts commonly noted that in many cases where threats are highest, these factors would already be addressed in regulatory requirements. For example, at financial and health-care institutions, this is covered in OC #24.	0
11	The number of servers used within the IT environment	[15, 29]	IT complexity	Remove	Experts agreed this factor had too little impact, primarily due to ambiguity, compared to the other characteristics in this category.	−−
12	The number of transactions in the system	[8, 23]	Financial & IT complexity	Remove	Although an important indicator of IT complexity through range (accessibility) and reach (connectivity) of the platform, experts agreed on its ambiguity, making it difficult to measure and requiring expert analysis. For these reasons, this would not ensure reliable information, and therefore, it should be removed.	0
13	Is there a distinction between the information flow and the value flow	[8]	Business complexity	Remove	All experts agreed that this factor is almost only valid for multinationals where goods and cash flows run through different systems and tax agencies. It is also very specific to financial information.	− −
14	Time the organization can do business without IT support.	[15, 29, 38]	IT dependency	Retain	The number of hours the business can run without IT support provided the best general idea on how important IT is in supporting business processes. It thus gives a good indication on the importance of the information in these systems and the dependency of business operations on IT.	+
15	There were major changes to the application environment	[29, 38]	IT complexity	Remove	This factor is relatively of low importance for SMEs; experts indicate how in many larger enterprises critical business processes are supported by software, which is developed by the organization itself. At SMEs, it is more likely to see a large overhaul of the application environment when, for example, a new version of Microsoft Windows gets adopted. This would skew the data, making it an OC hard to measure. For SMEs, this is the case in very few cases, and in addition, the newly formed characteristics #25 and #26 already address this issue in a broader sense.	+
16	There were major changes to the IT organization	[29]	IT complexity	Remove	In SMEs, the IT department is usually relatively stable and small. Major changes are therefore possible, but not very likely to happen, resulting in no impact on the capabilities at all.	+
17	The importance of confidentiality of the entity’s critical information	[14, 38]	CIA	Retain	To assess which capabilities are crucial to implement, businesses should indicate the importance of the confidentiality, integrity, and availability of their critical information. Experts stressed that a proper definition of critical information is required, and that knowledge of the CIA triad is essential here.	++
18	The importance of Integrity of the entity’s critical information	[14, 38]	CIA	Retain		++
19	The importance of availability of the entity’s critical information	[14, 38]	CIA	Retain		++
20	The number of employees in the business	[6, 11, 20, 23]	General	Retain	Number of employees is one of the most crucial indicators of the size and complexity of the organization. In discussions with experts, number of employees was chosen above FTE, as employees, the number of weekly working hours is not related to gaining special privileges above none-employees to access systems. Experts noted that this would likely be a mediating variable in many of the capabilities of the ISFAM model.	++
21	The revenue of the business	[11]	General	Retain	Together with the number of employees, this is one of the most indicators of the size and complexity of the organization. The definition of the ECB and World Bank were adhered to identify the parameters. Experts noted that this would likely be a mediating variable in many of the capabilities of the ISFAM model.	++
22	The number of physical locations with access to critical information	[32]	General	Remove	The amount of physical locations might influence, for example, logical access control of an organization. However, physical locations are very narrow, especially with the emergence of cloud computing which extends the amount of physical locations to near infinity. Due to this small impact on SMEs, and only a single tie to the ISFAM model (logical access control) it is removed.	−
23	The sector the business resides in	[6, 11, 20]	General	Merge	The sector of the organization provides ample information on the importance of proper IS, not only when dealing with regulation (explaining the merger with characteristic #1) but also when looking at the impact of, for example, data loss which is arguably higher in health and defense than in paper and logistics.	++
24	IT staff’s knowledge of business processes	[10, 13]	General	Remove	Although literature stated this to influence a number of factors on how users take IS into account, the factor is hard to measure objectively when assessing OCs. In addition, interviewees felt this was not a key influence for many capabilities	0
25	In-house software development/maintenance In-house software development/maintained by external parties internally or externally	[1, 29]	IT complexity	Split	When discussing the influence of businesses developing, maintaining, or outsourcing software, our interviewees argued that these characteristics are important. However, they felt that it was defined in a wrong way. Based on their remarks, two new OCs are proposed: “IT development in- & outsourcing” and “IT servicing in- & outsourcing”. This prevents ambiguity surrounding the role of SLAs and which parties will be responsible for the change management processes.	+
26	Does the organization make use of IT outsourcing (application maintenance, server hosting….)	[1, 29]	IT complexity	Split		0

FIGURE 3. The CHaracterizing Organizations’ Information Security for SMEs (CHOISS) model relates 4 categories (A–D), 11 OCs (1–11), and 47 measurement levels

Fulford H, Doherty NF. 2003. The application of information security policies in large UK-based organizations: an exploratory investigation. Inf Manage Comp Sec. 11, 106–114.

 Google Scholar

Kraemer S, Carayon P, Clem J. 2009. Human and organizational factors in computer and information security: pathways to vulnerabilities. Comput Sec. 28:509–520.

 Web of Science ®Google Scholar

Huang D, Patrick Rau P-L, Salvendy G, Gao F, Zhou J. 2011. Factors affecting perception of information security and their impacts on IT adoption and security practices. Int J Human-Comput Stud. 69:870–883.

 Web of Science ®Google Scholar

Rehage K, Hunt S, Nikitin F. 2008. Global technology audit guide: developing the IT audit plan. Altamonto Springs, FL, USA.

 Google Scholar

Smith S, Jamieson R. Determining key factors in e-government information system security. Inf Syst Manage. 23:23–32.

 Web of Science ®Google Scholar

Dunkerley KD, Tejay G. 2011. A confirmatory analysis of information systems security success factors. 2011 44th Hawaii International Conference on System Sciences, Honolulu, Hawaii, 1–10.

 Google Scholar

Milicevic D, Goeken M. 2013. Social factors in policy compliance—evidence found in literature to assist the development of policies in information security management. 2013 46th Hawaii International Conference on System Sciences, 4476–4484.

 Google Scholar

Davis C, Schiller M, Wheeler K. 2010. IT auditing using controls to protect information assets. 2nd ed. McGraw-Hill.

 Google Scholar

Kotulic AG, Clark JG. Why there aren’t more information security research studies. Inf Manage. 41:597–607.

 Web of Science ®Google Scholar

Hanseth O, Ciborra C. 2007. Risk, complexity and ICT. Cheltenham, UK: Edward Elgar Publishing.

 Google Scholar

Kankanhalli A, Teo H-H, Tan BCY, Wei K-K. 2003. An integrative study of information systems security effectiveness. Int J Inf Manage. 23:139–154.

 Web of Science ®Google Scholar

Whitman M, Mattford H. 2011. Principles of information security. UK: Cengage Learning.

 Google Scholar

Guttman B, Roback EA. 1995. Special Publication 800–12. An introduction to computer security: the NIST handbook. Gaithersburg, MD.

 Google Scholar

Chang SE, Ho CB. 2006. Organizational factors to the effectiveness of implementing information security management. Ind Manage Data Syst. 106:345–361.

 Web of Science ®Google Scholar

Ein-Dor P, Segev E. 1978. Organizational context and the success of management information systems. Manage Sci. 24:1064–1077.

 Web of Science ®Google Scholar

Alner M. 2001. The effects of outsourcing on information security. Inf Syst Sec. 10: 1–9.

 Google Scholar