National Computer Security Survey of Small and Medium Enterprises

This study was the second phase of a two-part grant sponsored by the Department of Justice. In the first phase, we examined the cyber security preparedness of SMEs in the tri-state area (Ohio, Pennsylvania and West Virginia). In our first study, we found that SMEs generally employed only rudimentary security policies and practices. In addition, SMEs were more concerned with external threats than internal threats. This latter finding is inconsistent with other studies that indicate that attacks on information systems are more likely to originate from within the organization.

In order to better understand the relatively low priority given to computer security, our current study examined management's role in computer security. While we argue that management awareness of information security policies and practices is critical, prior research has found that many managers believe that security is a technical issue, not a managerial issue. With this viewpoint, managers tend to rely more heavily on their IT staff to maintain a secure information network and effective security policies. With such a "hands-off" approach, information security may not receive adequate focus across the organization.

This lack of attention by management is compounded by the recent finding that 85% of SME managers believe that they are less of a target for attacks on their information systems than their larger counterparts. This may explain why a small percentage of SMEs do not have a formal internet policy. Meanwhile, cyber attacks continue to plague businesses small and large. For example, in Pittsburgh, PA, internet fraud complaints increased by 12% from 2008 to 2009. The results of these attacks can be devastating. For instance, a small savings and loan in Pittsburgh was hacked in 2009, suffering $3.0 million in losses, which eventually led to its foreclosure.

Our current research project is modeled on the premise that as management awareness of information security issues increases, management's commitment to securing the network and enforcing security policies will increase, which, in turn, increases information security preparedness. This premise is based on prior research that has demonstrated a positive relationship between management awareness, commitment, and the achievement of strategic initiatives and objectives.

Results of this study were released at the Cybersecurity Executive Briefing.