Small Business Information Security
Vail, John Edwards
Small businesses account for over fifty percent of the Gross National Product of the U.S. economy, and the security of their information systems is critical for them to operate, compete, and remain profitable. While many security studies have been conducted and reported on enterprise-scale organizations, similar research on small businesses in the U.S. is limited. One small business was evaluated through an information security audit to determine whether its information resources and network were adequately secure, and it is used as a test case to identify an approach a typical small business may take to secure its networks and data and avoid unnecessary liability exposure. By examining the specific risk factors in this case study, the author believes parallels can be drawn by other small businesses as a starting point for examining their own risk factors. Additionally, this study provides a series of proposed mitigation processes to improve the small businesses' network security that can be adopted by other small businesses in like circumstances. The mitigation processes are specifically tailored to the small business industry itself, as opposed to a larger organization that has a greater exposure to risk vulnerability and that also has larger asset pools from which to secure its networks. The method utilized for this research was qualitative in nature, using a form of Participatory Action Research (PAR). This approach was most appropriate in that it allows the researcher to act in partnership with the small business to attempt to effect social change that will help in securing the small business's information resources.
An information security audit was performed on a small business to identify actual and potential threats, and an electronic questionnaire was distributed to the employees to gauge their individual perspectives on the clarity and comprehensibility of the business's security policy, the consequences of violations of the company's policy, how well the company's policy is disseminated and tracked for compliance, and whether they know the steps to be taken in response to an incident or disaster. There were four objectives of this study. The first objective was to evaluate a small business's information security posture. The second objective was to determine if the small business had experienced any information technology security incidents. The third objective was to evaluate whether the incidents were caused by a lack of a policy, standard or procedure; an ineffective policy, standard or procedure; a lack of training and education; or a reluctance to enforce or monitor adherence to established policy, standards, or procedures. The fourth objective was to recommend to the small business any changes or additions that would reduce the small business's exposure to information security threats, risks and vulnerabilities through effective information security risk management.
Vail, John Edwards. (January 2012). Small Business Information Security (Master's Thesis, East Carolina University). Retrieved from the Scholarship. (http://hdl.handle.net/10342/3889.)
East Carolina University