Information Security Risk Management in Small Business Enterprises (SMES)

##plugins.themes.academic_pro.article.sidebar##

Published Mar 28, 2025
https://doi.org/10.71064/spu.amjr.1.1.2025.360
Download
PDF
Statistic
Vol. 1 No. 1 (2025): Special Issue - African Multidisciplinary Journal of Research (AMJR)

##plugins.themes.academic_pro.article.main##

Nicholus Mitende Nyapete
St. Paul's University
John Muhoho Kimani
St. Paul's University

Abstract

The desire to optimize organizational processes such as planning, control, communication, and collaboration is a significant driver for business enterprises, especially SMEs, to invest in Information Technology (IT). IT investments contribute to improved operational efficiency, financial management, flexibility, and agility, providing a competitive edge in the market. SMEs particularly invest in IT to facilitate new partnerships and collaborations through electronic linkages, enabling them to overcome barriers and enhance business performance. However, IT investments in SMEs face numerous challenges, including insufficient resources, lack of time for implementation, poor IT staff expertise, and inadequate management commitment. Inadequate IT investments often result in Information Security (IS) breaches, leading to significant financial and non-financial losses. Non-financial losses included damage to reputation, product piracy, and theft of critical business information. Effective Information Security Risk Management Investment (ISRMI) is essential for ensuring long-term competitiveness and survival, guiding the selection of security measures to protect IT assets while ensuring data confidentiality, integrity, and availability. However, existing literature lacks guidance on effective ISRMI strategies, focusing primarily on the implementation of ISRM approaches rather than the economics of security investment. This research aimed to explore the ISRMI strategies adopted by SMEs within Nairobi’s Central Business District, based on SMEs that have implemented ISRM programs, through a review of literature and interviews with information security experts.

##plugins.themes.academic_pro.article.details##

How to Cite
Nyapete , N. M. ., & Kimani, J. M. (2025). Information Security Risk Management in Small Business Enterprises (SMES). African Multidisciplinary Journal of Research, 1(1), 504–534. https://doi.org/10.71064/spu.amjr.1.1.2025.360

References

  1. Al-Jaghoub, S., Al-Yaseen, H., & Al-Hourani, M. (2010). Evaluation of Awareness and Acceptability of Using e-. Government Services in Developing Countries: the Case of Jordan. The Electronic Journal Information Systems Evaluation, 13(1), 1–8.
  2. Ariyachandra, T. R., & Frolick, M. N. (2008). Critical Success Factors in Business Performance Management—Striving for Success. Information Systems Management, 25(2), 113–120.
  3. Bacon, C. J. (1994). Why companies invest in information technology. In Information management (pp. 31–47). Boston: Springer.
  4. Baker, W. H., Rees, L. P., & Tippett, P. S. (2007). Necessary measures: metric-driven information security risk assessment and decision making. Communications of the ACM, 50(10), 101–106. https://doi.org/10.1145/1290958.1290969
  5. Baker, W., & Wallace, L. (2007). Is Information Security Under Control?: Investigating Quality in Information Security Management. IEEE Security and Privacy Magazine, 5(1), 36–44. https://doi.org/10.1109/MSP.2007.11
  6. Bandyopadhyay, K., Mykytyn, P. P., & Mykytyn, K. (1999). A framework for integrated risk management in information technology. Management Decision, 37(5), 437–445.
  7. Bandyopadhyay, T., Liu, D., Mookerjee, V. S., & Wilhite, A. W. (2014). Dynamic competition in IT security: A differential games approach. Information Systems Frontiers, 16(4), 643–661.
  8. Barba-Sanchez, V., Martinez-Ruiz, M. del P., & Jimenez-Zarco, A. I. (2007). Drivers, Benefits and Challenges of ICT adoption by small and medium sized enterprises (SMEs): A Literature Review. Problems and Perspectives in Management (Open-Access), 5(1), 103– 114.
  9. Bardhan, I. R., Bagchi, S., & Sougstad, R. (2004). Prioritizing a portfolio of information technology investment projects. Journal of Management Information Systems, 21(2), 33–60.
  10. Barlette, Y., & Fomin, V. (2009). The adoption of Information Security Management Standards: A Literature Review. In Cyber Security and Global Information Assurance: Threat Analysis and Response Solutions (pp. 119–140). New York: IGI Global.
  11. Behnia, A., Rashid, R. A., & Chaudhry, J. A. (2012). A Survey of Information Security Risk Analysis Methods. The Smart Computing Review, 2(1), 72–94.
  12. https://doi.org/10.6029/smartcr.2012.01.007
  13. Bitange - Ndemo, E. (2006). Assessing sustainability of faith based enterprises in Kenya. International Journal of Social Economics, 33(5/6), 446–462.
  14. Blakley, B., McDermott, E., & Geer, D. (2001). Information security is information risk management. In Proceedings of the 2001 workshop on new security paradigms (pp. 97–104). New York: ACM Press. https://doi.org/10.1145/508171.508187
  15. Bleistein, S. J., Cox, K., Verner, J., & Phalp, K. T. (2006). B-SCP: A requirements analysis
  16. framework for validating strategic alignment of organizational IT based on strategy, context, and process. Information and Software Technology, 48(9), 846–868.
  17. Boltz, J. (1999). Informational Security Risk Assessment: Practices of Leading Organizations. DIANE Publishing.
  18. Brink, D. (2001). “A guide to determining return on investment for e-security.” RSA Security Inc.
  19. British Standards Institution. (2013). BS ISO/IEC 27002:2013: information technology - security techniques - code of practice for information security controls (2nd ed.). London: BSI.
  20. Brotby, K. (2009). Information Security Governance: A Practical Development and Implementation Approach. London: John Wiley & Sons.
  21. Burnard, P. (1991). A method of analysing interview transcripts in qualitative research. Nurse Education Today, 11(6), 461–466.
  22. Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). A Model for Evaluating IT Security Investments. Commun. ACM, 47(7), 87–92. https://doi.org/10.1145/1005817.1005828
  23. Cavusoglu, H., Raghunathan, S., & Yue, W. T. (2008). Decision-Theoretic and Game-Theoretic Approaches to IT Security Investment. Journal of Management Information Systems, 25(2), 281–304.
  24. Church, B. K., Libby, T., & Zhang, P. (2008). Contracting Frame and Individual Behaviour: Experimental Evidence. Journal of Management Accounting Research, 20(1), 153–168.
  25. Ciorciari, M., & Blattner, P. (2008). Enterprise risk management maturity-level assessment tool (pp. 1–3). Retrieved from https://www.soa.org/...monographs/2008...symposium/mono- 2008-m-as08-1-ciorciari...
  26. Cole, F. L. (1988). Content Analysis: Process and Application. Clinical Nurse Specialist, 2(1), 53.
  27. Coles-Kemp, E., & Overill, R. (2006). The Information Security Ownership Question in ISO/IEC 27001 - an Implementation Perspective. In C. Valli, & A. Woodward (Eds.), Proceedings of the 4th Australian Information Security Management Conference (pp. 49–56). Edith Cowan University.
  28. Dawson, C. (2002). Practical research methods: a user-friendly guide to mastering research q techniques and projects. Oxford: How to Books.
  29. Devers, C. E., McNamara, G., Wiseman, R. M., & Arrfelt, M. (2008). Moving Closer to the action: Examining Compensation Design Effects on Firm Risk. Organization Science, 19(4), 548–566.
  30. Duh, R.-R., Chow, C. W., & Chen, H. (2006). Strategy, IT applications for planning and control, and firm performance: The impact of impediments to IT implementation. Information & Management, 43(8), 939–949.
  31. Edwards, W., Miles, R. F., & von Winterfeldt, D. (Eds.). (2007). Advances in Decision Analysis: From Foundations to Applications. Cambridge: Cambridge University Press.
  32. Eisenhardt, K. M. (1989). Building Theories from Case Study Research. Academy of Management Review, 14(4), 532–550. https://doi.org/10.5465/AMR.1989.4308385
  33. Eisenhardt, K. M. (1991). Better Stories and Better Constructs: The Case for Rigor and Comparative Logic. The Academy of Management Review, 16(3), 620.
  34. Eisenhardt, K. M., & Graebner, M. E. (2007). Theory building from cases: opportunities and challenges. Academy of Management Journal, 50(1), 25–32. https://doi.org/10.5465/AMJ.2007.24160888
  35. Faraj, S., & Sambamurthy, V. (2006). Leadership of information systems development projects. IEEE Transactions on Engineering Management, 53(2), 238–249. https://doi.org/10.1109/TEM.2006.872245
  36. Fenz, S., Ekelhar, A., & Neubaue, T. (2011). Information Security Risk Management: In which Security Solutions is it worth Investing? Communications of the Association for Information Systems :, 28(1), 329–356.
  37. General Accounting Office. (1996). Content analysis : a methodology for structuring and analyzing written material. Washington, D.C.: U.S. General Accounting Office.
  38. Gal-Or, E., & Ghose, A. (2005). The Economic Incentives for Sharing Security Information. Information Systems Research, 16(2), 186–208. https://doi.org/10.1287/isre.1050.0053
  39. Ghobakhloo, M., Hong, T. S., Sabouri, M. S., & Zulkifli, N. (2012). Strategies for Successful Information Technology Adoption in Small and Medium-sized Enterprises. Information, 3(4), 36–67. https://doi.org/10.3390/info3010036
  40. Gillham, B. (2005). Case study research methods. London: Continuum.
  41. Goodhue, D. L., & Thompson, R. L. (1995). Task-Technology Fit and Individual Performance. MIS Quarterly, 19(2), 213. https://doi.org/10.2307/249689
  42. Gordon, L. A., & Loeb, M. P. (2007). Economic aspects of information security: An emerging field of research. Information Systems Frontiers, 8(5), 335–337. https://doi.org/10.1007/s10796-006-9010-7
  43. Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security, 5(4), 438–457. https://doi.org/10.1145/581271.581274
  44. Gupta, A., & Hammond, R. (2005). Information systems security issues and decisions for small businesses: An empirical examination. Information Management & Computer Security, 13(4), 297–310. https://doi.org/10.1108/09685220510614425
  45. Halliday, S., Badenhorst, K., & von Solms, R. (1996). A business approach to effective information technology risk analysis and management. Information Management & Computer Security, 4(1), 19–31. https://doi.org/10.1108/09685229610114178
  46. Hausken, K. (2007). Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability.
  47. Information Systems Frontiers, 8(5), 338–349. https://doi.org/10.1007/s10796-006-9011-6
  48. Herath, H. S. B., & Herath, T. C. (2008). Investments in Information Security: A Real Options Perspective with Bayesian Postaudit. Journal of Management Information Systems, 25(3), 337–375. https://doi.org/10.2753/MIS0742-1222250310
  49. Home land security. (2008). A roadmap for cyber security research (pp. 1–126). Washington: INFOSEC Research Council (IRC).
  50. Hornbil Systems. (2009). ITIL State of the Nation survey (pp. 1–22). London: Hornbil Systems.
  51. Huang, C. D., Hu, Q., & Behara, R. S. (2008). An economic analysis of the optimal information security investment in the case of a risk-averse firm. International Journal of Production Economics, 2(114), 793–804.
  52. Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. Information Security Technical Report, 13(4), 247–255.
  53. International Standards Organization (ISO). (2005). ISO/IEC 27002:2005. Information technology, Security techniques and Code of practice for information security management. Retrieved from https://www.iso.org/standard/50297.html
  54. Ioannidis, C., Pym, D., & Williams, J. (2013). Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach. In B. Schneier (Ed.), Economics of Information Security and Privacy III (pp. 171–191). New York, NY: Springer New York.
  55. ISACA. (2009). Risk IT Framework (pp. 1–106). Rolling Meadows: ISACA.
  56. IT Governance Institute. (2007). IT controls objectives for Basel II: the importance of governance and risk management for compliance. Rolling Meadows IL: IT Governance Institute.
  57. Jung, C., Han, I., & Suh, B. (1999). Risk analysis for electronic commerce using case-based reasoning. International Journal of Intelligent Systems in Accounting, Finance & Management, 8(1), 61–73.
  58. Kahneman, D., Slovic, P., & Tversky, A. (1982). Judgment under Uncertainty: Heuristics and Biases. New York: Cambridge University Press.
  59. Kahneman, D. (1979). Prospect theory: an analysis of decision under risk. Econometrica, 47(2), 263–291.
  60. Kahneman, D., & Tversky, A. (1973). On the psychology of prediction. Psychological Review, 80(4), 237–251.
  61. Kahneman, D., & Tversky, A. (1982). Subjective probability: A judgment of representativeness. In D. Kahneman, P. Slovic, & A. Tversky (Eds.), Judgment under uncertainty (pp. 32–47). Cambridge: Cambridge University Press.
  62. Kahneman, D., & Tversky, A. (1982). The simulation heuristic. In D. Kahneman, P. Slovic, & A. Tversky (Eds.), Judgment under uncertainty: Heuristics and biases (pp. 201-208). New York: Cambridge University Press.
  63. Kambil, A., Henderson, J. C., &Mohsenzadeh, H. (1992). Strategic management of information technology investments: an options perspective. Cambridge: Massachusetts Institute of Technology.
  64. Karim, J., Somers, T., & Bhattacherjee, A. (2007). The impact of ERP implementation on business process outcomes: a factor-based study. Journal of Management Information Systems, 24(1), 101–134. https://doi.org/10.2753/MIS0742-1222240103
  65. Karjalainen, M., Siponen, M., Kohli, R., & Shao, X. (2014). “What’s in it for me ? A Stakeholder Theory perspective on Information Technology Security Investment,” Completed Research Paper (pp. 1–30). Brisbane: The University of Queensland.
  66. Kiveu, M., & Ofafa, G. (2013). Enhancing market access in Kenyan SMEs using ICT. Global Business and Economics Research Journal, 2(9), 29–46.
  67. Knapp, K. J. (Ed.). (2009). Cyber-security and global information assurance: threat analysis and response solutions. Hershey, PA: IGI Global.
  68. Kothari. (2004). Research methodology methods and techniques (2nd ed.). New Delhi: New Age International.
  69. Kort, P. M., Haunschmied, J. L., & Feichtinger, G. (1999). Optimal firm investment in security. Annals of Operations Research, 88(0), 81–98.
  70. Kort, P. M., Haunschmied, J. L., & Feichtinger, G. (1999). Optimal firm investment in security. Annals of Operations Research, 88(0), 81–98.
  71. Liu, D., Ji, Y., & Mookerjee, V. (2011). Knowledge sharing and investment decisions in information security. Decision Support Systems, 52(1), 95–107.
  72. Li, M. (2014). A resource management framework for cloud computing (Thesis). Virginia Polytechnic Institute and State University, Blacksburg.
  73. Magnusson, C., Molvidsson, J., & Zetterqvist, S. (2007). Value creation and return on security investments (ROSI). In New Approaches for Security, Privacy and Trust in Complex Environments (pp. 25–35). Springer, Boston.
  74. Marchand, D. A., Kettinger, W., & Rollins, J. D. (2000). Information Orientation: People, Technology and the Bottom Line. MIT Sloan Management Review, 42, 69–80.
  75. Matsuura, K. (2003). Information security and economics in computer networks: an interdisciplinary survey and a proposal of integrated optimization of investment. Computing in Economics and Finance (48), 1-13.
  76. Mithas, S., Ramasubbu, N., &Sambamurthy, V. (2011). How Information Management capability influences firm performance. MIS Quarterly, 35(1), 237-256.
  77. Mithas, S., Tafti, A., Bardan, I., & Goh, J. M. (2012). Information Technology and Firm Profitability : Mechanisms and Empirical Evidence. MIS Quarterly, 36(1), 205-224.
  78. Mizzi, A. (2010). Return on information security investment – The viability of an anti-spam solution in a wireless environment. International Journal of Network Security 10(1), 18-24.
  79. Katwalo, A. M., &Muhanji, S. I. (2014). Critical success factors for the “unbanked” customers in Kenya. International Journal of Bank Marketing, 32(2), 88–103.
  80. Myers, M. D. (2009). Qualitative research in business and management. Los Angeles: SAGE.
  81. Niederman, F., Brancheau, J.C., Wetherbe, J.C., 1991. Information systems management issues for the 1990s. MIS Quarterly, 15 (4), 475-502.
  82. NIST 800–30 (2002). Risk Management Guide for Information Technology Systems, Special publication SP 800-30. [Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf, last accessed March, 2016].
  83. NIST 800–39 (2008). Managing Risk from Information Systems – An Organizational Perspective, NIST Special Publication 800–39. [Retrieved from: http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf, last accessed January, 2016].
  84. NIST (IR7358) (2007). Program Review for Information Security Management Assistance – PRISMA. [Retrieved from: http://csrc.nist.gov/publications/nistir/ir7358/NISTIR-7358.pdf, last accessed March, 2016].
  85. NIST (2007). Security Maturity Levels. [Retrieved from: http://csrc.nist.gov/groups/SMA/ prisma/security_maturity_levels.html, last accessed January, 2016].
  86. Nazımoğlu, Ö., & Özsen, Y. (2010). Analysis of risk dynamics in information technology service delivery. Journal of Enterprise Information Management, 23(3), 350–364.
  87. Oladejo, M. O., & Yinus, O. (2014). An influential analysis of the impact of information technology (IT) on cooperative services in Nigeria. European Journal of Business and Innovation Research, 2(3), 11–24.
  88. Patten, M. L., & Newhart, M. (2017). Understanding Research Methods: An Overview of the Essentials. New York: Taylor & Francis.
  89. Purser, S. (2004). Improving the ROI of the security management process. Computers & Security, 23 (2004), 542-546.
  90. Price water Coopers.(2015). 2014 annual report of Price Water Coopers. Retrieved from https://www.pwc.com/gx/en/about-pwc/global-annual-review-2015/campaign-site/pwc-global-annual-review-2015.pdf
  91. Ranyard, R., Crozier, W. R., & Svenson, O. (Eds.). (1997). Decision making: cognitive models and explanations. London: Routledge.
  92. Raz, T., & Hillson, D. (2005). A Comparative Review of Risk Management Standards. Risk Management, 7(4), 53–66. https://doi.org/10.1057/palgrave.rm.8240227
  93. Royer, I., &Zarlowski, P. (1999). Research Design. In Thietart R., A., (ed.), Doing Management Research: A Comprehensive Guide (pp. 126). London: Sage.
  94. Reyck, B. D., Grushka-Cockayne, Y., Lockett, M., Calderini, S., R., Moura, M., and Sloper, A. (2005).
  95. The impact of project portfolio management on information technology projects. International Journal of Information Management 23 (2005), 524-537.
  96. Saunders, M. N. K., Lewis, P., & Thornhill, A. (2009). Research methods for business students (5th ed). New York: Prentice Hall.
  97. Schlarman, S. (2007). Selecting an IT Control Framework. EDPACS, 35(2), 11–17.
  98. Smith, S. & Spafford, E. (2004). “Grand Challenges in Information Security: Process and Output,” IEEE Security & Privacy (2), 69-71.
  99. Sipior, J. C., & Ward, B. T. (2008). A framework for information security management based on guiding standards: a United States perspective. Issues in Informing Science and Information Technology, 5, 051–060.
  100. Stamp, P., Penn, J., Adrian, M., & Gray, B. (2015, August 2) “Increasing Organized Crime Involvement means More Targeted Attacks, Forrester Research. Retrieved from http://www.forrester.com/Research/Document/Excerpt/0,7211,37505,00.html
  101. Stefan Fenz, Johannes Heurix, Thomas Neubauer, & Fabian Pechstein. (2014). Current challenges in information security risk management. Information Management & Computer Security, 22(5), 410–430.
  102. Stewart R. Miller, & Anthony D. Ross. (2003). An exploratory analysis of resource utilization across organizational units. International Journal of Operations & Production Management, 23(9), 1062–1083.
  103. Susanto, H., Almunawar, M. N., & Tuan, Y. C. (2011). Information security management system standards. International Journal of Electrical & Computer Sciences, 35(1), 7–11.
  104. Symantec Corporation. (2009). Symantec global internet security threat report: trends for 2008 (pp. 1–110). Boulevard: Symantec Corporation.
  105. Tatsumi K., Goto M. (2010) Optimal Timing of Information Security Investment: A Real Options Approach. In: Moore T., Pym D., Ioannidis C. (eds) Economics of Information Security and Privacy (pp 211 – 228). Boston: Springer
  106. Thompson, B. (Ed.) (2003). Score reliability: Contemporary thinking on reliability issues. Newbury Park, CA: Sage.
  107. Trkman, P. (2009). “The critical success factors of business process management. International Journal of Information Management, 30 (2010), 125-134.
  108. Tsiakis, T., Kargidis, T., & Katsaros, P. (Eds.). (2014). Approaches and processes for managing the economics of information systems. Hershey, Pa: Business Science Reference.
  109. Tsiakis, T., & Stephanides, G. (2005). The economic approach of information security.
  110. Computers & Security, 24(2), 105–108. https://doi.org/10.1016/j.cose.2005.02.001
  111. Tsiakis, T., & Pekos, G. (Eds.). (2008). Analyzing and determining return on investment for information security: proceedings of the 2006 International Conference on Applied Economics (ICOAE). Cham: Springer.
  112. Tsiakis, T. K., & Pekos, G. D. (2008). Analysing and determining Return on Investment for Information Security. In International Conference on Applied Economics – ICOAE 2008 (pp. 879–883). Thessaloniki: University of Macedonia.
  113. Tsohou, A., Kokolakis, S., Lambrinoudakis, C., &Gritzalis, S. (2010). A security standards’ framework to facilitate best practices’ awareness and conformity. Information Management & Computer Security, 18(5), 350–365.
  114. Tversky, A., & Kahneman, D. (1981). The Framing of Decisions and the Psychology of Choice. Science 211(4481), 453-458.
  115. Tversky, A., & Kahneman, D. (1992), "Advances in prospect theory: Cumumlative representation of uncertainty," Journal of Risk and Uncertainty 5, 297-323.
  116. Wagner, T., Hennig-Thurau, T., & Rudolph, T. (2009), "Does Customer Demotion Jeopardize Loyalty?" Journal of Marketing 73(3), 69-85.
  117. Wang, J., Chaudhury, A., and Rao, H.R. (2010). "A Value-At-Risk Approach to Information Security Investment," Information Systems Research 19(1), 106-120.
  118. Waweru, N., &Spraakman, G. (2012). The use of performance measures: case studies from the microfinance sector in Kenya. Qualitative Research in Accounting & Management, 9(1), 44–65.
  119. West, R. (2008). The psychology of security. Communications of the ACM, 51(4), 34–40.
  120. Westerlind, K. (2004). Evaluating return on information technology investment (Thesis). Gothenburg University, Gothenburg.
  121. Whitman, M. E., & Mattord, H. J. (2013). Management of information security (Fourth edition). Stamford: Cengage Learning.
  122. Wood, C. C., & Parker, D. B. (2004). “Why ROI and similar financial tools are not advisable for evaluating the merits of security projects.” Computer Fraud & Security, 2004(5), 8–10.
  123. Yin, R. K. (2009). Case Study Research: Design and Methods (2nd ed.). Thusand Oaks: SAGE.
  124. Zafar, H., & Clark, J. G. (2009). Current state of information security research in IS. Communications of the Association for Information Systems, 24, 571–596.
  125. Zhou, L., Vasconcelos, A., & Nunes, M. (2008). Supporting decision making in risk management through an evidence‐based information systems project risk checklist. Information Management & Computer Security, 16(2), 166–186.