Use of Security Culture to Contribute on Enterprise Information Security for the Small and Medium Scale Enterprises (SMEs)
Abstract
The extensive use of technologies and flexible work environments introduces complex scenarios that enterprises must consider to assure Enterprise Information Security (EIS). Further, the success or failure of EIS effectively relies on the behaviour of an enterprise's stakeholders, irrespective of how comprehensive the available technical infrastructure is. Therefore, it is recommended that a Security Culture (SC) be implemented at the initial phase to reduce the risk of unacceptable stakeholder behaviour. Moreover, SC is even more important for Small and Medium Enterprises (SMEs), because a comprehensive technical implementation to assure information security is not affordable with a limited budget, resources and technical staff. SC can be introduced as an iterative process, which must start from somewhere based on primary considerations and improve as required through multiple iterations to fulfil the EIS need. Frequent evolution of SC is essential to address the consequences of technological development. SC can be introduced as a subculture of the organisational culture, because each stakeholder of the enterprise has an active part in assuring EIS in their regular tasks. A mature SC delivers an understanding of the importance of assuring information security and of individual responsibility in security aspects, which goes well beyond the general organisational culture, as people are the weakest (only link) for EIS (the technology). Further, people are the first line of defence in any attack, so they must be aware and prepared to represent the “Human Firewall”. As a result, analyzing assets, analyzing threats, analyzing vulnerabilities, risk assessment, standards and frameworks, policies and procedures, responsibility, maintenance and stakeholder awareness should be prioritized when implementing SC. Nevertheless, effective ways to deliver awareness among stakeholders within an SME for enterprise security management should be identified. The successful implementation of SC contributes effectively to EIS for SMEs.