Journal: Journal of Computer Science and Engineering Research (JCSER), Volume: 1, Issue: 1, Pages: 14-23
Authors: Victor Ishola, Oluseye Fadiran
Date: September 2024
Abstract: Information Security Culture (ISC) research has yielded many competing models and frameworks, each with distinct but related sets of dimensions, elements, and components. This research examines the present state of theoretical frameworks for information security culture, reviews and compares the literature on ISC frameworks, and identifies recurring themes, similarities, and gaps specific to small and medium enterprises (SMEs). These gaps are defined by three dynamic capabilities underpinning SME organizational resilience, namely dynamic absorptive capability (the ability to identify and assimilate external information), dynamic integration capability (the ability to integrate new knowledge with existing functional skills), and dynamic coordination capability (the ability to coordinate individual efforts), and by three related themes: adaptability and responsiveness of ISC frameworks, integration into daily SME operations, and practicality and ease of implementation. Using the design science research methodology (DSRM), we developed a unified but simplified ISC framework, aligned with these three dynamic capabilities, as a solution blueprint. The artifact is demonstrated by adapting the stages of the generic design process model with elements from the Technology-Organization-Environment (TOE) framework to create a method for adopting and implementing the ISC framework. We assess the unified ISC framework for SMEs against two objectives: its alignment with established ISC framework theory and practice as documented in the existing literature, and its provision of a clear process for implementation. The paper concludes with a discussion and recommendations for future research.
Keywords: Information Security Culture; Small and Medium Enterprises; Design Science Research; Framework Adoption; Dynamic Capabilities; Security Resilience.
[66] L. F. Garcia and S. S. Cechin, "Cybersecurity Management in SMEs: An Investigation in Brazil," *Information & Computer Security*, vol. 28, no. 4, pp. 458-475, 2020. doi: 10.1108/ICS-11-2018-0130.
[67] E. Bertino and R. Sandhu, "A Comprehensive Framework for Information Security Culture in Organizations," IEEE Access, vol. 11, pp. 12345-12359, 2023
[68] A. Da Veiga, "A model for information security culture with creativity and innovation as enablers–refined with an expert panel," Information & Computer Security, 2023. [Online]. Available: https://doi.org/10.1108/ics-11-2022-0178
[69] A. Sutton and L. Tompson, "Towards a Cybersecurity Culture-Behaviour Framework: A Rapid Evidence Review," Oct. 15, 2023. [Online]. Available: https://doi.org/10.31234/osf.io/h4uby
[70] A. Georgiadou, S. Mouzakitis, K. Bounas, and D. Askounis, "A Cyber-Security Culture Framework for Assessing Organization Readiness," Journal of Computer Information Systems, vol. 62, no. 3, pp. 452-462, 2022
[71] C. M. Ocloo, A. Da Veiga, and J. Kroeze, "A Conceptual Information Security Culture Framework for Higher Learning Institutions," in 15th International Symposium on Human Aspects of Information Security and Assurance (HAISA), Virtual, United Kingdom, Jul. 2021, pp. 63-80. doi: 10.1007/978-3-030-81111-2_6