The Impact of a Security Culture in Small and Medium Scale Enterprise (SME) on Enterprise Information Security

Abstract

An information system is much more than computer hardware; it is the entire set of software, hardware, data, people, procedures, and networks that make possible the use of information resources in the enterprise. In current world, the information is stored in the computerised system in the form of digital data, including sensitive data, which can be extracted as needed. It is much better than maintaining hard copies in traditional manner by using physical storages. The information system security is crucially important for a business with that background. The SME introduces in many forms. Many use the number of employees, capital amount invested, turnover amount, and nature of business. In Sri Lanka, main banks use value of fixed assets as a way to introduce SME, whereas the World Bank uses number of employees as the criteria. Even though enterprises are relatively small and run with a limited budget, SMEs can now target national and international market segments, enabled by the Internet. Therefore, this complicated the business process at SMEs. The computer security represents confidentiality, integrity and availability (CIA) from the mainframe-computing era. The rise of the Internet and complex computer systems means that data is now decentralized. As such, the security measures now must extend form the CIA domain to cover additional areas, depicted in the McCumber Cube in three dimensions. This challenges SME’s to assure information security with a limited operating budget, and there are two approaches presented by the ‘Sphere of Protection’, focusing on both technology and people aspects. The technological aspect is expensive, whereas the people aspect is cost effective by introducing security culture. The policy implementation is the better tool for security culture by considering business in process level emphasizing laws to acknowledge people on the importance of assuring secure environment, and education and training are important to share the knowledge among employee. This paper explores the need for effective people based security measures for better security culture, before the implementation of technological controls is considered for SMEs.