What Business Environment Changes Are Needed to Cause SME's to Take a Strategic Approach to Information Security?

R Henson, Joy Garfield

Research output: Chapter in Book/Published conference output › Conference publication


In the fourteen years since “Economics of Information Security” started as a discipline, many articles have been written about management of information security within organisations. Most of the articles have focused on public sector or larger private sector companies, perhaps with an implicit assumption that the research findings would also apply to and influence SMEs. In practice, the truth is that SMEs have been largely unmoved, and not enough research has examined this reality.

In this paper, the author seeks to explore the reasons why smaller SMEs in particular have consistently failed to see securing information as strategic year-on-year spending, often treating it as just part of an overall tight IT budget. Spending on security therefore has to compete with demands for hardware, infrastructure, and strategic applications.

The author’s latest research scrutinises the typical SME’s reasoning in choosing to see non-spending on security as an acceptable strategic risk. In terms of primary data-gathering, it looks particularly at possible reasons why SMEs tend not to take much notice of “scare stories” in the media, which have consistently shown that SMEs are increasingly at risk as the information systems of larger businesses have taken greater precautions and become more difficult to penetrate.

The results and their analysis provide useful pointers towards the broader business environment changes that would cause SMEs to be more risk-averse and ethical in their approach to securing their own and their clients’ information.
Original language: English
Title of host publication: 12th Annual International Conference on SME's, Entrepreneurship and Innovation: Management - Marketing - Economic - Social Aspects
Publication status: Published - 2015

