Information Security In Small And Medium Organizations

02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Dissertation

Introduction

SME is an abbreviation of ‘Small and Medium-sized Enterprises’. More than 99% of enterprises in Europe and the UK are SMEs, and they play a major role in terms of workforce. The European Commission classifies SMEs as micro, small and medium, based on headcount, turnover and balance sheet. Of these criteria, headcount is considered the most important, because it influences organization structure, working methods, culture and IT services.

Special attention has been paid to security in most small and medium enterprises in developing countries because of its importance. Although moving into the global market with the support of ICTs is important, certain risks are also involved.

The introduction of technologies such as network connections and e-business into a business is viewed differently in its systems and management processes. In general, stand-alone systems are process-centered or product-centered, covering inventory, ordering, and processes such as general ledger, manufacturing, and accounts payable and receivable. E-business follows different strategies to be successful. It is mostly customer-centric rather than product- and process-centric: systems track the customer’s progress through evaluation of products, placement of an order, tracking of the sale shipment, and completion of the financial transaction. Although product and process remain important, they are considered secondary in e-business. Systems are also required to track the customer’s journey through the business’s website and to collect and execute the customer’s transaction. To be successful, a different approach to customer transaction management is required. When such an approach is put into practice without caution, it can lead to new forms of security breach.

Any new form of business system can end in disappointment as well as risk when deployed. One of the major risks is the possible compromise or theft of the organization’s intellectual property assets. There is also a chance that products and services are replicated and then sold or distributed illegally, for free or at a lower price. In these cases the pirates benefit while the organization earns no profit.

Decisions made in the SME sector are entirely different from those in the corporate world. For many SMEs at the base of the pyramid, policy is a foreign concept. SMEs will quickly create and file policy documents whenever customers and investors demand them. The owners, the board and management are not stepping forward with changes toward formal decision making, and such changes are difficult to bring about in the current scenario.

The growth of the internet in the last few years has been phenomenal, and it reaches almost every small-to-medium sized business. Most organizations are investing significant resources to be part of the global network. Nowadays, information is created in digital formats, stored on various storage devices and transmitted through interconnected networks. The growth of the internet has also changed communication approaches, business techniques, and methods for achieving goals. In the meantime, security threats such as spam, phishing, badware and viruses are undermining users’ trust and confidence in the Internet.

When considering the security aspects of the information society, two issues are mainly observed: protection and defence of information. Most of the time, interpretation or meaning can be related to information security. Security of digital information goes by different names, such as cyber security, Information Technologies security or digital security. Information security is the answer to the risks related to the use of information and communication technologies in daily activities. The main purpose of information security is to reduce the risks associated with information systems and bring the systems to an acceptable level.

Primarily security is:

To make safe or safer;

The act of functioning without disorder or major difficulty;

To be protected from danger, counter the risks;

An ability to ensure the security of goods and people.

The following guidelines help to focus on information system and network security. The Organisation for Economic Co-operation and Development (OECD) guidelines for the security of information systems and networks, "Towards a culture of security", act as the initial phase for analyzing security:

Awareness: Participants should be aware of the need for securing information systems and networks and of how to improve security;

Responsibility: All participants are responsible for the security of information systems and networks;

Response: Participants are responsible for acting in a timely and co-operative manner to prevent, detect and respond to security incidents;

Ethics: Participants should accept the reasonable opinions of others;

Democracy: The security of information systems and networks should be well-matched with the basic values of a democratic society;

Risk assessment: Participants should perform assessments on risk factors;

Security design and implementation: Participants should consider security as an important element of information systems and networks;

Security management: Participants should adopt a comprehensive approach to security management;

Reassessment: Participants should review and reassess the security of information systems and networks and make appropriate modifications to security policies, practices, measures and procedures.

Background

Raising awareness of security issues among SMEs cannot by itself solve the problems associated with information security. In the UK, the Government provides guidance to industry on risk factors through the DTI and through industry organizations such as the Institute of Directors and the Confederation of British Industry. Other factors also affect information systems and make the situation even more difficult. In such cases, it is important to take immediate action. However, even when SMEs have proper awareness and understanding of security issues, they are not in a position to invest the human, monetary or technical resources required to solve the problem. Generally, SMEs operate on specific financial plans that are very fixed. SMEs are also very limited in manpower, and many needs compete for a limited pool of resources. All of this, together with low awareness of information security, pushes information security down the priorities list.

Normally, the problems mentioned above do not arise in large firms, because they pay more attention to security problems. Nowadays, small businesses are interconnected through the Internet, which acts as the medium. If smaller businesses have problems, other organizations are affected as well.

Information security is believed to be expensive to put into practice, owing to the lack of capable technology professionals and expertise. Anderson offers ideas that bear on organizations' information security problems. Micro businesses cannot engage with information security issues, since they lack the required time and resources and serve tiny markets. Applying traditional approaches to information security brings no improvement. Current approaches can achieve good results only when given adequate time and resources, and they also require a high level of technical expertise. So the "Long Tail" of the business information security market continues to go unnoticed.

Drivers and Blockers for security

Security drivers

In large businesses, the executive board governs policies and strategies, which are delivered by executive management. Large organizations focus on security aspects over the long term, and these are not a threat to the process. Corporate policy and governance processes take care of decisions and work practices. Managers seek adequate budgets and resources. Large organizations employ more professional security managers. Final decisions are made by committees and not by individuals. Strategies and processes have undergone several changes in the last few decades. Regulatory compliance is considered a major driver of change in large organizations.

In contrast to large companies, small companies are ‘just in time’ focused: costs are limited and cash flow within the organization is monitored carefully at every stage. Unlike large companies, small companies are customer-oriented, and changes are made in response to customer demands, which is essential for small companies to remain in business. Because their business is smaller, these companies are forced to ‘chase the money’ rather than pursue corporate strategies. Professional security managers are employed only in small numbers and in rare cases. Business managers make decisions quickly, based on short-term needs and priorities. Where there is no immediate, recognized threat to the business, regulatory compliance comes in as a driver for change, and even then only rarely. The following figure illustrates the primary business drivers of small companies.

Figure: Security drivers for small companies

The following key points act as specific drivers in SMEs.

Demands by customers.

A perceived threat of losing an important customer.

A realistic prospect of gaining new business.

Recognition that it is part of the perceived ‘license to operate’ within the sector.

Visible and externally auditable regulatory compliance requirements.

The desire to avoid a potential loss.

The potential for reputation damage, from a major security breach for example.

Generally, suppliers require access to personnel information in small organizations. A fairly new and powerful driver is the growing pressure from larger customer organizations to specify security needs in contracts with suppliers. This trend is cemented by the guidance of supervisory bodies such as the Office of Government Commerce and the Financial Services.

Security Blockers

There are many blockers and constraints on implementing security, such as:

Not enough time, desire or priority to understand security.

Ignorance of what needs to be done.

Lack of cash or credit, especially in recession periods.

No appropriate resources available.

Short term focus (just in time).

A perception that security is a pointless overhead.

Unawareness of paperwork, policies and procedures.

A perception that security is something for techies, not business people.

A feeling that the enterprise is too small to be affected.

Operating in an environment that demands and accepts a high tolerance of risks.

Education, awareness programs and suitable material need to be provided to the target audiences to explain how to overcome these blockers and constraints. Blockers such as ignorance, shortage of management time, and lack of expertise are much easier to overcome than a shortage of money and other resources. Any presentation about security should prioritize measures that can be understood quickly and are less difficult to carry out.

Figure: Smaller obstacles should be tackled first

Literature Review

Information security risks are distinguished by their complexity and interdependence. Many factors and elements are interrelated. The human factor makes the situation more difficult still, because humans always act on their own thoughts. Meanwhile, organizations' increasing dependence on the internet is making security a key concern for many stakeholders.

The main objective of security is collaboration among all stakeholders to ensure that the internet is a secure medium for their activities. One challenge to reaching this collaboration is that each organization has its own ideas and approaches for resolving security issues. In addition, stakeholders have their own resources that they invest in security. In security terms, the gap between large organizations and SMEs has been widening significantly because of the shortage of resources in SMEs.

The growth of internet usage is the only reason for the rise in system security problems. These problems lead to consequences such as financial losses, damage to the organization's reputation, disruption of business continuity and legal allegations. Organizations should therefore concentrate on system security to avoid such difficulties.

A key aspect of any security system is the cost attendant on its design, development, and implementation. Building and maintaining highly reliable, approachable and responsive information security systems takes a major part of an organization’s investment. But some people argue that storing, processing and communicating information through computer systems does not carry considerable risk. In that case, major investment in significant security procedures may be difficult to justify.

Organizations might reduce investments and initiatives because of the modern electronic marketplace and other factors that cause those difficulties. The difficulty and interdependence of security problems on the internet limit the initiatives that can be agreed within a particular organization.

Many SMEs are investing more to secure digital information and communication infrastructures within the organization because of a lack of knowledge of the negative consequences of information security. Interconnectedness is, of course, growing as a major requirement for business communication.

According to Chris Anderson, various reasons lie behind the large-scale business segmentation of the last 20 years. He states that the Internet has completely changed the market principles of major companies. The equality of production and distribution tools is most important for SMEs and has, to a certain extent, leveled the playing field for competition with larger organizations.

This helps to create an unlimited number of micro market niches in each industry. SMEs fit these micro niches well, which has contributed to the significant growth of these industries. With the development of medians (websites that mediate between consumers and producers), the obstacles for new markets are very low. Anderson holds that these developments will continue for many years and will help SMEs expand further in both number and industry share.

According to Al (2005), implementing an efficient security system serves the organization's own interest. Many organizations want to secure their own digital information and the data provided by their customers, suppliers and other associates. They feel responsible for implementing information security in their companies and are acquiring technologies to address their liabilities and the internal and external hazards to their digital information.

As per Yngstrom (2005), SMEs lack frameworks to set priorities, allocate tasks, get started and examine the accomplishment of IT security measures. Organizations also lack user guides for dealing with internal and external attacks. The guides that exist are written as high-level principles, but there is no standard approach that describes how to work on it and who should work on it. Without proper instructions, SMEs are unclear about how to work on information security tasks, especially in the financial sector.

As security is a common concern among all stakeholders, combating information threats requires collaboration to ensure that the Internet is a secure medium which is needed for building a thriving information society. However, one of the challenges in reaching collaboration is that each group has a different position and approach to how to address security issues and deal with the potential trade-offs related to security and usability. Furthermore, different stakeholders possess different resources that they can invest in countering security threats. The gap between large and small-to-medium sized enterprises in the information security arena has been increasing substantially as a direct result of the scarcity of resources available to SMEs.

Generally, an information security system is an expensive element because of its design, development, execution, and decommissioning. Major investment is required to implement security systems and to keep them consistent, quick to respond, and reliable. But some people oppose such large investments in information security systems because of the drawbacks of those systems and because they do not face significant threats. The basis of this argument is that these systems are implemented using prioritization methods that have been in use for the last decade. Increasing and rigorous complaints have also been forced on commercial organizations. In general, large organizations have developed an understanding of the difficulties that affect information systems. Thus, many organizations are investing more of their business budgets in developing information security systems in order to protect their digital resources.

Recently, these investments have been falling because of the many threats posed in the modern electronic market and other factors that have not been addressed successfully. The degree of difficulty and interdependence of security hazards on the Internet sets the limits of any initiative under particular organizational circumstances.

Risks and attacks can come from anywhere, because they are not tied to particular geographic or organizational boundaries. The main reason organizations face these difficulties is the shortage of knowledge about threats to information security systems in small and medium-sized enterprises. Hence, organizations are looking for strict regulatory requirements for securing their digital data that communicates with the structure of the organization to find difficulties.

Moreover, interconnectivity is a major need for any business interaction. Large organizations depend on various small organizations and contract workers, who extend their boundaries. Large organizations should set limits on how far SMEs extend these boundaries when carrying out their business contracts. These SMEs and contractors use the large organizations' information systems networks to perform their operations and to communicate. Hence, attacks through the SMEs, the weakest link in the global network, have been increasing.

The weakest link is the main route by which unauthorized persons attack and hack into corporate systems and any business network that has a weakest link. It is therefore suggested that corporate networks be protected with more holistic methods, with special investment in the weakest link.

The main aim of this study is to discuss a new holistic approach to sustaining information security in SMEs using soft systems methodology. The study first deals with the significance of the security problem in SMEs and with why SMEs are looking for a simple, holistic, minimal-cost approach to information system security management. It then introduces new methods for managing security systems and gives complete information about the development process. The application of the model to SMEs' information security systems is described through a realistic case study. Finally, the study concludes with a summary of the discussion and recommendations for future research.

Background

The main difficulty of information security in SMEs cannot be solved with existing methods. The UK government, in collaboration with the DTI and industry organizations, has proposed guidance for overcoming these threats. But many additional factors are at work and need a quick response. Awareness and understanding of security systems management should be increased to avoid issues, because SMEs do not have enough human, monetary, and technical resources. In general, SMEs have very limited resources because of tight budgets, limited manpower and tooling requirements.

The lack of awareness of information systems security in SMEs has very negative effects, pushing it down the priorities list. This reduces the investment allocated to it, which in turn leads to lower awareness. The difficulties mentioned above do not readily arise within large organizations; they arise in SMEs, with significant effect. The interconnectivity of the global internet also plays a part in these problems for SMEs.

Many initiatives have been started to develop information security in large organizations. They should ensure that the development of an organization's digital information and communication structure is integrated with the security status of the organization. Implementation should not forget the essential fact that e-attacks and security issues can come from any place on the globe.

The corporate network perimeter is not an efficient tool, because of these communication boundaries and interaction requirements. In general, information security should be approached holistically, taking into account the dependability and consistency of the modern global context. Moreover, because of the lack of qualified professionals and experts, information security is generally perceived as a high cost that must be borne.

The proposed high costs of security have a bearing on allocating appropriate resources to improve security outside the boundaries of large organizations. To understand the scope of the information security problems within SMEs and how they affect the information assurance status of the whole economy, the quantities of business conducted by SMEs were compared against the existing activity in Europe and the US.

The UK's DTI (Department of Trade and Industry) stated that there were 4.3 million business activities during 2005, of which small organizations comprised 99.3 percent. Medium organizations, with 50-249 employees, accounted for only 0.1 percent. Hence, only 0.1% were large organizations (more than 250 employees). As per the Observatory of European SMEs, more than 19 million SMEs make up 99.8% of all businesses in the UK. Conversely, there are only 6000 large enterprises in the UK.

In the US, SMEs with fewer than 500 employees make up about 99.7 percent of the total. Chris Anderson found various reasons for the explosion of market partitioning and niche creation witnessed over the last 20 years. He argues that internet usage has changed market dynamics. The equality in production and deployment of tools has given SMEs more power, and to a certain extent they now compete with large organizations. This has led to the creation of practically unlimited micro markets in almost every industry. Small organizations are well suited to micro niche markets, which helps these businesses develop.

These aggregators lower the obstacles to establishing and developing new businesses. Anderson holds that these trends will persist and lead to further growth of SMEs in both market share and number. Anderson's ideas also bear significantly on information security system issues. Micro businesses are started specifically to meet needs left unserved in small organizations, and they possess neither sufficient time nor resources to devote actively to information security systems. Existing methods of information security cannot provide the results that are crucial for an organization. Modern methods require substantial investments of time and resources, as well as highly skilled technical professionals. The following section discusses the proposed holistic approach to managing information security systems in Small and Medium Enterprises.

The difficulties in effectively conducting such analyses are numerous. Identifying all relevant threats and reliably estimating the probability of occurrences have proven to be extremely difficult if not impossible. Likewise, estimating costs, even qualitatively, associated with various types of system failures or compromises is an inexact process. While the models for performing risk analyses are not difficult to understand, appropriately applying the models in given organizational contexts represents a daunting task. This is particularly true for resource- and expertise-constrained small- and medium-sized enterprises (SME). In the U.S., the term is more typically applied to small- and medium-sized businesses having less than 500 employees; the term SME is more typically used within the EU to refer to firms with less than 250 employees (Storey, 2003). Either definition works for the purposes of this paper. Under either definition, these organizations are unlikely to include large IT staffs with dedicated or extensive information security expertise. As Jaquith (2007) notes, the information security world has widely adopted the paradigm of calculating annualized cost expectancies (ALEs), but, "there is just one problem with ALE: the old dog will not hunt….the numbers are too poor even to lie with" (p. 32). Jaquith cites three primary reasons for this (p. 33):

The inherent difficulty in modeling outliers.

The lack of data for estimating probabilities of occurrence or loss expectancies.

Sensitivity of the ALE model to small changes in assumptions.

Schneier’s discussion of attack trees (2004, pp. 318-333). Developing comprehensive lists associated with natural- and man-made disasters and the diverse and ever-expanding list of technical and behavioral exploits can prove to be an insurmountable task and one highly dependent upon the knowledge and thoroughness of the analyst. We suggest that it might be possible to usefully aggregate threats into threat classes, dramatically reducing the workload of the analyst without fully eliminating the granularity of information required for organizations to make investment regarding the selection of appropriate countermeasures. Whitman has proposed a very similar approach, identifying and prioritizing 12 threat categories according to weightings derived from an online survey of IT professionals (Whitman, 2003; Whitman & Mattord, 2003). Our intent would be to build on this fundamental work by greatly increasing participation in refining threat categories if required, and investigating whether vulnerability and exposure data can be usefully aggregated for application in a more abstract risk analysis model suggested above.

The end objective is to reduce the number of variables to be incorporated into the model. We anticipate the argument by experts that such abstraction could well undermine the integrity of the entire analysis process, thus producing meaningless results. We offer two responses. One, for reasons further articulated below, we are not entirely confident with the results obtained from expert consultants and commercial products. Second, with use and public scrutiny, model efficacy can be empirically assessed over time.

Initiative 2. Develop Decision Heuristics for Quantification of Organizational Costs

While we have not conducted formal research on the subject, the first author has missed few opportunities to query practicing accountants regarding methods used to estimate costs associated with specific types of security incidents. For example, when asked about how his company would assess the cost of lost productivity of back office staff due to a virus infection, an accountant specifically charged with the responsibility for IT investment analysis could offer no answer. His shrugged shoulders were not a unique response to this question
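Jaquith's third objection, the sensitivity of ALE to small changes in assumptions, can be made concrete with a short calculation. The following is an added example, not taken from the essay or the authors it cites: it uses the textbook form ALE = SLE × ARO and one commonly used form of ROSI, and every threat class, cost and rate in it is constructed for illustration.

```python
"""Added example: how sensitive ALE-based priorities are to input error.

All threat classes and figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatClass:
    name: str
    sle: float  # single loss expectancy: cost of one incident
    aro: float  # annual rate of occurrence: expected incidents per year


# Constructed sample data: three aggregated threat classes for a small firm.
THREATS = [
    ThreatClass("malware", sle=4_000, aro=3.0),
    ThreatClass("insider data theft", sle=60_000, aro=0.18),
    ThreatClass("extended outage", sle=250_000, aro=0.04),  # rare, costly outlier
]


def ale(t):
    """Textbook annualized loss expectancy: ALE = SLE x ARO."""
    return t.sle * t.aro


def ale_bounds(t, rel_error):
    """ALE range when SLE and ARO are each off by up to +/- rel_error.

    The extremes occur when both estimates err in the same direction, so the
    relative error is applied twice (once per factor).
    """
    nominal = ale(t)
    return nominal * (1 - rel_error) ** 2, nominal * (1 + rel_error) ** 2


def ranking(threats):
    """Threat classes ordered by nominal ALE, highest first."""
    return [t.name for t in sorted(threats, key=ale, reverse=True)]


def possible_top_priorities(threats, rel_error):
    """Threat classes that could rank first somewhere inside the error band.

    A class can be first if its highest plausible ALE reaches the lowest
    plausible ALE of every rival (the estimates are treated as independent).
    """
    bounds = {t.name: ale_bounds(t, rel_error) for t in threats}
    result = []
    for name, (_, high) in bounds.items():
        best_rival_low = max(lo for other, (lo, _) in bounds.items() if other != name)
        if high >= best_rival_low:
            result.append(name)
    return result


def rosi(ale_before, ale_after, cost):
    """Return on security investment: (risk reduction - cost) / cost."""
    return (ale_before - ale_after - cost) / cost


def rosi_range(t, fraction_removed, cost, rel_error):
    """(low, nominal, high) ROSI for a control removing a fraction of the ALE."""
    low, high = ale_bounds(t, rel_error)
    return tuple(
        rosi(a, a * (1 - fraction_removed), cost) for a in (low, ale(t), high)
    )


if __name__ == "__main__":
    print("nominal ranking:", ranking(THREATS))
    for err in (0.0, 0.02, 0.05, 0.20):
        print(f"inputs within +/-{err:.0%}: could rank first ->",
              possible_top_priorities(THREATS, err))
    # Hypothetical control: costs 5,000 a year and halves the malware ALE.
    low, nominal, high = rosi_range(THREATS[0], 0.5, 5_000, 0.20)
    print(f"ROSI of the control: {low:+.3f} .. {nominal:+.3f} .. {high:+.3f}")
```

With these constructed figures a 5% error in the inputs is already enough for any of the three classes to rank first, and a 20% error moves the same control from a positive to a negative return.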

There are numerous commercial enterprises providing software tools designed to assist with this effort. Some of them, RiskWatch ® for example, claim to provide strong support for calculating annualized loss expectancy (ALE) and return on security investment (ROSI) (RiskWatch, 2005). While these tools may be quite effective, their use presents several practical issues for SMEs. First, they tend to be fairly expensive, although prices can vary significantly depending upon the features and support included. Second, they tend to be quite complicated. Effective use requires a significant amount of personnel training or consultant assistance as well as a significant amount of effort. Finally, for data quality problems referenced above, users have no real means of making an a priori evaluation of the quality of the final output. Understandably, commercial companies prefer not to release their proprietary models and the knowledge bases employed in their products. However, without such information little opportunity exists for the user community to evaluate the relative efficacy of various products. Users are often permitted to download trial packages to evaluate the look and feel of program execution and reports but again lack an objective means for evaluating output quality. To address these issues, this paper proposes the Information Assurance (IA) community adopt an "open source" approach to develop the following:

A multi-level risk assessment methodology and set of decision heuristics designed to minimize the intellectual effort required to conduct SME infrastructure level risk assessments

A set of decision heuristics to assist in the quantification of organizational costs, financial as well as non-financial

A knowledge base of probability estimates associated with specified classes of threats for use in the application of the aforementioned methodology

Automated tool(s) capable of supporting the execution of the aforementioned methodology and heuristics.

Desirability of Adopting an Open Development Approach

Multiple factors contribute to our recommendation of employing an "open source" approach for

implementing this effort. Certainly, an open source approach can be expected to complicate program governance. Furthermore, given the anticipated scope of the program, we confess that our use of the term may be metaphorical as well as literal. For example, model and knowledge base developments may choose to rely on Wiki technology and methods, emphasizing content sharing and management over the development of code. Foremost among our admittedly untested assumptions is a belief that the quality of each initiative will greatly benefit by broad participation. We would encourage a broad marketplace of ideas where numerous approaches are broached and then incorporated into the approach by general consensus. The process should be open and accessible such that even after an approach is adopted, there is ample opportunity for criticism and dissent; a moderated "Darwikinism" process (Lamb, 2004, p. 42).

While we accept the necessity of a governance function to maintain conceptual integrity and help the community move toward actual delivery of functional capabilities, we also anticipate that a broadly based effort will spawn offshoots that, while potentially valuable, simply do not fit within the scope of the effort as initially conceived and accepted by the community of participants. Secondly, we are committed to the idea of the free distribution of whatever knowledge results from these efforts. This desire should not be interpreted as an anti-business stance. We are simply aware that many organizations have not yet been motivated or able to expend the financial resources required to obtain quality assistance in determining their security needs. The failure of these many organizations to adopt improved IA practices can have adverse economic consequences. Additionally, we believe that the availability of the knowledge created may help drive the improvement of commercial products as vendors seek to maintain commercially viable products.

The advent of information technology tools to aid business transactions has tremendously improved the way business is done. Virtually every aspect of modern day business has been enhanced technically. In this age of fast communications, much or most of the total volume of communications is transmitted electronically [12]. It is therefore not surprising that organisations are transforming their business into digital ones [2]. Information technology, the lifeline of modern businesses, and a vital component in the overall national development of any country, embeds within its context, information as an integral entity that requires proactive and strategic management. Central to this management, as stated by Whitman and Mattord [16], is a high priority task – the security or protection of such information. This includes, but is not limited to, the systems and hardware used to store, process and transmit information.

A cross section of small and medium scale enterprises across Africa seem to exhibit similar characteristics and challenges. Their approach or understanding of information security risk usually does not extend beyond viruses and anti-virus software [13]. The purpose of computer security is to protect an organisation's valuable resources, such as information, hardware, and software. Through the selection and application of appropriate safeguards, security helps the organisation's mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets. Although information systems may be robust, they cannot run continually without some form of maintenance. This maintenance becomes a reality with the possibility of having an organisation’s data exposed to malicious attackers due to the constantly increasing prowess of attackers.

As per Richard Allen Greene, 2009, although it is one of the most alarming incidents occur more frequently for governments and policy makers. The IT systems of the government facilities were overwhelmed and these attacks are being immediate spam targets with many e-mails. The major key concern of various organizations is iterated to starts a more immediate and wide spread factor in aspect of Information security. A "security illiterate" staff has access to sensitive business information. In order to realize these important human issues like security illiteracy is the main cause of security breaches. The most effective way to reduce Information security risks in an organization is to make better employees more Information Security aware.

Related Issues

As researched further it indicates that highly developed countries like UK and US, incidence and issues of security does not share some uncommon benefits of increased capacity, efficiency and profitability outcomes. It also potential security backlash is being capable of belittling the core of information technology. The various responsibilities that data breaches are often nightmare for IT managers are not only directly responsible to secure their company’s confidential data but possibly sensitive information belongs to their clients. As a result of Security threats in major loss of productivity, business and damage to the organization’s brand. The detailed information security problem is characterized with complexity and interdependence of quantity factors interrelating with each other. The complicated tendency deals with alarm involvement of untrained opportunist the people who seems to perceive their invaded of information technology industry in Nigeria.

The gravity of security compromise is always assume that proportion of doubt can easily access to the networks of local well spread organization like Micro finance banks revealed exposure invasion. The future of information incidents seems to perceive more organizations naturally. The upcoming countries like Nigeria have developing in IT but this does not substantiate to perceive careless vulnerability accessible in most of an ideal firms. The policies should develop to implement security like ISBS 2004 and ISO/IEC 17799 has adopted to face upcoming challenges in information systems.

In order to address this human-related issue, Security awareness needs to be conscious or aware of potential threats. The various security risks like Trojans, phishing, viruses, and intellectual property theft in their daily activities are neglect detecting due to lack of security awareness. Its cause to be sophisticated with Internet security technologies useless and organizations exposed to enormous risks. An employee who against the general perception that organizations are mainly vulnerable to external threats although a whole range of incidents occur more frequently. Survey reports suggest that 78% of computer attacks occur in the form of viruses and there have been releases considered by employees of different perspective which are activated during e-mail attachments.

Information Security Awareness in SMEs

The sophistication of information is planning to control systems in prominent factor that determine the business growth as larger and more complicated. The growth aspect of information systems can be acquired in advance and becomes very important of decision making in all levels of management enterprises. The ability of SMEs to realize their goals depends mainly on how well the organization acquires, interprets, synthesizes, evaluates and understands detailed information about its organizational processes. As a result, technology has a significant effect on the structure of the organization.

With the advancement of technology, for both organizational structure and managerial decision making is influenced and allows of an ideal firm it more feasible for organizational structure. There is a need of structural dependency could pave the way for implementation of security policies. The importance of monitoring and controlling does not over emphasized for any person or group of persons that have financial goals and desire to balance with our income of spending.

In the past, those people who are restricted to spend the physical money without physical cash in their hands it’s possible to purchase anything. There are no conditions to keep written or electronic record of inflow or outflow. In today’s society, we have hard time to keep track our money for this reason cash is no longer required for most transactions. Various peoples are finding it difficult to use cash and it’s commonly referred to as cashless society.

Influential factors regarding adoption of ICT by SMEs

A better modern studies has adopted in SMEs is consists of technological, organizational, environmental and individual aspects of an ideal firm. The four influences has adopted framework formulated from several adoption studies that framework interplay with SME and serves as an evaluative structure. It also determines the propensity of innovation has adopted with scientific firms and has clear impact of decision process of manager. The presence of innovative factors consists of relative advantages of complexity, compatibility, cost and image surrounding the innovation. An organizational factor can influence has adopted the same aspects of size, quality of existing information systems, the intensity of information being proceed and specific level of an ideal firm for adoption oriented management. The clear impact of an environmental factor has adopted the pressure as of competition with supply chain, public policy with role of government. As per Rashid’s framework, Individual factors have affects innovation adoption incorporates with decision maker’s innovativeness with their knowledge of technology.

In order to address this issues, lead operators of SME is to consider some adoption of ICT business as defensive reaction to competitors in this technology. Further in updating it, the defensive reaction needs to address retention of market share. In this competitive world, taking an advantage of early protectors leads to adopting advantageous technology in their market niche. Small business operators have adopted to pressure their ICT systems in suppliers and customers in supply chain. As business partners can be positive to assist their integration process. Unfortunately SMEs may be required to implement ICT is not appropriate to the business.

The evolution of ICT and Security uptake

It is important for all small and medium organizations to treat ICT adoption as an evolutionary process with distinct levels. Starting with the promotion of easier and simpler ICT tools makes it possible to generate positive attitudes to technology and cultural acceptance of more difficult forms of ICT. There has been an extraordinary growth in e-business among organizations, made possible by their use of email, online stores, websites, and many more. According to Earl (2000), a fully digitized e-business is normally known as Reformation. As per Booty (2000), an SME could start the process by developing a static website on the internet, which can help it sell its products online, increase its growth rate, and become a fully transactional enterprise.

The objective of Hudson’s research with regard to SMEs was to verify the appropriateness of strategic performance measurement (PM) for SMEs. A proposal was made to develop PM framework current strategic theory. This was prepared by conducting semi-structured interviews with eight SME managers. The research results reveal that SMEs use strategic PM differently from the framework. The managers of SMEs had widely accepted the strategic PM framework. However, the managers had not taken proper initiatives to redesign or update their current PM systems. Therefore, there exist some obstacles to strategic PM system development in SMEs. Some of the strategic variables that SMEs should consider are quality, time, finance, customer satisfaction and human resources. Additionally, performance measurement of competitiveness for SMEs requires cost control and full commitment to customer responsiveness in products and services.

Research Methodology

Various methodologies and standards have been developed to address the issues of information security. Some of these standards have become major impacts by different regulatory observance accordingly. In this study, the case study methodology has been used to evaluate the information security mechanisms in SMEs.

This research used the case study approach as a research methodology to analyze project management concepts. It provides a procedural way to gather and analyze information, report the results, and understand a particular problem in depth.

A case study is one way to perform research, whether it is social science related or socially related. The main objective of a case study is to study human beings in a social setting by considering them as a single group or community.

According to Gillham (2000), a case study provides answers to specific questions by searching for a range of evidence in the case setting. Yin (2003) said that a case study is empirical research which investigates current trends within their practical context. It is most helpful when the limits between trends and framework are unclear.

In particular, a case study also provides the following:

A range of participant points of view,

It uses various methods and techniques to collect the information,

It also evaluates e-learning and face-to-face instructional approaches in a technical background.

Generally, the case study uses various methods such as interviews, document reviews, archival records, and direct/indirect participant observation to collect information. By using these techniques, researchers can more easily reach the right point from the various data collected.

Quantitative and Qualitative Research

The research plays a vital role to recognize that systematic observation and testing can be accomplished using a wide variety of methods. The various people envisions of scientific inquiry strictly in terms of laboratory experimentation. On the other hand, it possible to all study of phenomena of interest under controlled laboratory conditions.

These initial decisions reflect assumption with regards to social world. Taking an example of how science should conduct better modern criteria of proof and are constituted with legitimate problems, solutions. The various research approaches leads to encompass the theory and method. For both quantitative and qualitative research these two general approaches are widely recognized.

Quantitative research is an inquiry into an identified problem, based on testing a theory, measured with numbers and analyzed with statistical techniques. The intent of quantitative methods is to determine the predictive generalizations of a factual theory.

The selection of a research approach suitable to a given study should be based upon the problem of interest, the resources available, the skills and training of the researcher, and the audience for the research. The research incorporates both quantitative and qualitative methodologies. There are significant differences in the assumptions underlying these approaches, as well as in the data collection and analysis procedures used.

The three general types of quantitative methods are as follows:

Experiments: These are characterized by the random assignment of subjects to experimental conditions and the use of experimental controls.

Quasi-Experiments: Quasi-experimental studies share some features of experimental designs, except that they involve non-randomized assignment of subjects to experimental conditions.

Surveys: Surveys consist of both cross-sectional and longitudinal studies using questionnaires or interviews for data collection. The intent is to estimate the characteristics of a large population of interest based on a smaller sample of that population.

Assumptions Underlying Qualitative Methods

At the time of investigation, the researcher’s those who are being to read or audience the interpreting results. These multiple perspectives, or voices, of informants are included in this study.

The researcher interacts with those being studied and actively works to minimize the distance between the researcher and those being researched.

The researcher explicitly recognizes and acknowledges the value-laden nature of the research.

Research is context-bound.

The research is based mainly on inductive forms of logic; categories of interest emerge from informants rather than being identified in advance.

The intent is to expose and find out the patterns or theories that are very helpful to explain a phenomenon of interest.

Accuracy involves verifying the detailed information with informants or "triangulating" among the major sources of information.

The general types of qualitative methods are as follows:

Case Studies: The researcher explores a single entity or phenomenon bounded by time and activity, and collects detailed information using a variety of data collection procedures over a sustained period of time. A case study is a descriptive record of an individual’s experiences and behaviors kept by an outside observer.

Ethnographic Studies: The researcher studies a cultural group in its natural setting over a particular period of time. A cultural group is a group of individuals who share a common social experience, location or other social characteristic of interest. The groups involved in ethnographic studies range from rape victims in crisis shelters to cultural groups in Africa.

Phenomenological Studies: In a phenomenological study, human experiences are examined through detailed descriptions of the people being studied. The intent is to understand the ‘lived experience’ of the individuals being studied. This research approach involves studying a small group of people intensively over a long period of time.

Qualitative and Quantitative Methodology

There are two broad approaches to gathering information for research purposes: quantitative research and qualitative research. Research originated in the natural sciences such as biology, chemistry, physics and geology. Its major concern was investigating things that could be observed and measured in some way. Such observations and measurements can be made objectively and repeated by other researchers.

This process is referred to as "quantitative research". Then there are the researchers working in the social sciences, such as psychology, sociology and anthropology. As per Morgan (1983), they are interested in studying human behavior and the social world humans inhabit. They found increasing difficulty in trying to explain human behavior in simply measurable terms. Measurements tell us how people behave in a certain way but do not adequately answer the question. Research that attempts to increase our understanding of the way things are in our social world, and of the way people act, is called "qualitative research".

The main purpose of this paper is to explore and gain a better understanding of quantitative methodology and qualitative methodology:

This quantitative research describes some of the terms like ‘empiricism’ and ‘positivism’ based approach that led to develop new method. Further mentioning it can be derived as a scientific method as used more efficient in physical sciences. As our approach of research is mainly focus into various formal systematic processes in numerical data findings. By using a deductive process of knowledge attainment describes, tests, and examines cause and effect relationships.

The major outlook of this study is explains the subject and aim of qualitative research is to describe certain aspects of phenomenon. The researchers have been describes a methodology of phenomenology as humanistic and idealistic approach starts lying in the disciplines of history, philosophy, anthropology, sociology and psychology. The historical foundation has been cited as one of the great weakness of qualitative research and which is not possible for physical science domain.

The universal knowledge has acquire to use the true experiments has contributes great with historically. The quantitative methods are used to produce reasonable scientific answers due to hard data action was generated and changes take place. The qualitative approach has produced soft data which describes as being inadequate to provide better answers and generating changes. The person one can argue that use of labels hard and soft data suggests developing a better analysis maintained through number of superior quality analysis in words.

In quantitative research, the investigators often to view a detached objective are maintain to understand the facts. As per postal questionnaire surveys, this kind of methods is mostly require no direct contact with subjects in Perth. As per Bryman, 1988, an interview surveys needs require that researchers have little contact with key respondents is mainly hired staff carry out all interviews. The strength of detached approach is avoids researcher involvement guard not in favor of bias study and ensure objectivity.

This approach was successfully used in the West Berkshire-based perineal management trials. For example, the researchers did not directly control the midwifery study. Previously the data was collected and the researchers which are involved except randomly allocating members is either controlled or experimental episiotomy group was analyze the data. Research findings based on this kind of objectivity have contributed to knowledge in this field. In 1983, Spencer further discussed the indirect researcher-subject relationship, particularly in the health care setting. A major criticism of the detached approach is that it treats participants as objects and treats places as similar to car repair garages. As per Cormack, 1991, it also emphasizes the weakness of such an approach. The research participants are usually kept in the dark about the study. As our work is related to research are expected to transfer the findings into practices and often to untouched. These arguments illustrate the criticism that quantitative methods treat people simply as a source of data.

In terms of methodology, the research processes used in the quantitative approach consist of descriptive, correlational, quasi-experimental and experimental research. The strength of true experiments and quasi-experiments is that they provide sufficient information about the relationship between variables. The variables are investigated to enable prediction and control over future outcomes. This is accomplished through the researcher's ability to manipulate an independent variable in order to study its effects on the dependent variable.

As per Denzin, 1978, the qualitative approach consists for both grounded theory and ethnography research. The strength of the methodology employs lies in the fact of holistic focus it allows for flexibility. As per Duffy, 1986, the rigid approach is looking into a detailed understanding of the subject could be accomplish to deeper achievement.

In order to address this issues, subjects topics allows to researcher consists of structured research design, count with quality of data collected. Media is a good example of these strengths. As our study is related to research finding is contributes to the knowledge of employee’s perspective on organization

At the time of investigation, the quantitative research is considered more reliable than qualitative. A quantitative approach aims to control or eliminate extraneous variables with the external structure of the study. As per Duffy, 1985, standardized testing can be accessed through data produced. The quantitative strength can be seen some comparative analysis for both employees and managers perceptions with regards to organizational activities. The reliability of quantitative research is mainly while the data have been stripped from natural context. Although there have been random or accidental events, a whole range of incidents occur more frequently.

In view of the fact, the reliability of qualitative research is weaken that process is under-standardized and relies on insights and abilities of the observer is making an assessment of difficult reliability. By using independent experts to examine various aspects of process while developing grounded theory in order to address this issues the reliability could be assessed. The research question is feasibility of employing like costly process in terms of time and money to verify the reliability of qualitative study.

Although qualitative methodologies have greater problems with reliability than quantitative methodologies, on the issue of validity the position is reversed. The weakness of quantitative research is that the more tightly controlled the study, the more difficult it is to confirm that the research situation resembles real life.

The strength of qualitative research is that it claims fewer threats to external validity, because subjects are studied in their natural setting and encounter fewer controlling factors compared with quantitative research conditions. The researchers become immersed in the context and subjective states of the research subjects. In 1984, Oakley’s antenatal organizational study is able to give assurance that should have an idea about subject studies.

The researchers can also threaten the validity of the study if they are unable to maintain the distance required to describe or interpret experiences in a meaningful way. Employing qualitative methodologies is worth the risk because of the high level of validity achieved.

In order to address this ethical considerations for both quantitative and qualitative research are the safety and protection of human rights. The human rights can be required to obtain informed consent from the process of achieved. But practically impossible in qualitative methodologies the direction that research takes largely unknown. The researchers can be achieved to obtain consent from qualitative research and re-negotiation while unexpected events occur and a whole range of incidents occur more frequently. The great responsibilities of researchers are requiring possessing a high level of skill especially in negotiation.

The triangulation study conducted by Corner (1991) concerning newly registered employees’ attitudes to and organizational preparation for working for customers, illustrates both the strengths and weaknesses of the approach. The study revealed a richer and deeper understanding of the subject matter than would otherwise be possible. Quantitative and qualitative approaches were found to complement each other while the inadequacies of each were actually offset. However, it also highlighted the time and cost implications: the volume of data produced was immense and an extremely broad knowledge base was required to analyze it, which meant that other researchers were contracted in to work on different parts of the analysis.

To conclude, although quantitative and qualitative methods are different, one approach is not superior to the other, both have recognized strengths and weaknesses and are used ideally in combination.

Therefore, it can be argued that there is no one best method of developing knowledge and that exclusively valuing one method restricts the ability to progress beyond its inherent boundaries. Recognizing the tension between researchers about quantitative and qualitative research, and attempting to understand it, may serve to create relevant and distinctive modes of enquiry in organizational research. It may also help the unification rather than the division of organizational scholars.

From examining research in organizational studies, qualitative approaches appear to be invaluable for the exploration of subjective experiences of employees, while quantitative methods facilitate the development of quantifiable information. Combining the strengths of the methods in triangulation, if time and money permit, results in the creation of even richer and deeper research findings. It seems that organizational research has the potential to provide a valuable resource for the organization. As organizational research discovers and uses different methodologies, it will assist in creating the necessary balance in the knowledge required to develop organizational research as both a science and an art.

Research Questions:

How dependent are the selected financial institutions on their ICT systems, and what are the levels they use?

What are the common threats affecting these organizations’ "Information system assets"?

How are these organizations planning to overcome these threats to their information system assets?

Analysis

Security advice requirements of SME’s

General Requirements

Many SMEs require advice and solutions with simple instructions, in keeping with their low cost estimates, knowledge, and technology solutions, along with peripheral advice. Large organizations provide guidelines to SMEs on the design of system security by providing corporate centre specialists. But that guidance should be clear, brief and forceful, and should give a clear path to decisions and to motivational programs and technical training that help managers to:

Appreciate the importance of security and privacy protection.

Take hold of the implications of increasing customer and observance expectations.

Encourage a healthy security and privacy culture.

Place a value on personal information.

Recognize the causes of data breaches.

Identify and evaluate security risks to data and their impact.

Identify the range of protective actions available.

Understand the costs and benefits of privacy protection.

Build security and privacy controls into new systems and processes.

Identify the security and privacy in contracts with providers.

Recognize when and how to get experts for external support.

These requirements are similar to those of large organizations, but the materials provided to SMEs need to be prepared in a simple manner, with effective content that strikes a chord with managers. This documentation therefore needs to be prepared with consideration of the business drivers, limitations and priorities of particular SMEs, and of the most suitable correlations and "mental models" for conveying the major elements.

In general, efficient security privacy systems are made with various measures which are implemented by the people, technology and people. In these involvements are required developments in the progress and technical procedures and actions to incorporate with attitude, knowledge’s, and inspirations. Especially, it requires comprise measures that which are supporting to maintainable developments in accordingly.

As we discussed before, the priorities and abilities are interdependent with the size of organizations. In general, the documentation must prepare to reflect this as shown in figure 5. It shows that there is clear description of requirements in a simple manner.

Figure 3: Illustration of how security advice can be tiered to reflect enterprise size

Case selection

In this research, the researcher chose SKS Microfinance for the case study analysis. Generally, microfinance is a significant instrument that can provide more support to poor people through financial services such as credit and insurance. SKS offers loans ranging from Rs.2000 to Rs.12000 to poor women for small businesses, such as keeping cows and goats to sell milk, to help them develop economically.

The main objective of this research is to get more information about information security by focusing on one sector. The researcher chose a sector that was willing to provide the information.

Data Collection Techniques

The researcher used a range of data collection methods to build evidence, provide a clear description of the case, and answer the research questions. This helps the researcher to triangulate the information and so strengthen the research answers and conclusions.

The following data collections techniques were employed:

Case study

A structured questionnaire

Observation

Survey

Data Analysis

The main aim of this study is to identify recurring themes in the data and classify them into groups, and to investigate the significance assigned to the issues which were previously recognized in the organizations.

The research finds that there are many endea


