Leadership involvement and action: what avenues to improve information security in SMEs?
Keywords:
Security, manager, involvement, action.Abstract
This article focuses on the role of SME managers in IS security (ISS), as these companiesoften suffer from more important ISS problems than larger companies. Although many spe-cialists and scholars agree on the importance of their role, SME managers sometimes showlittle involvement or little action regarding ISS, leading to potentially disastrous consequences.In the literature, involvement and action are often merged, which limits the exploration ofthis issue. The research question dealt with in this paper is: How to improve the role of ma-nagers in their company’s ISS? In order to respond, we examined (1) the barriers and driversof managers’ involvement and action, (2) the consequences of their involvement and actions(3) how the roles in ISS management are shared out. This empirical study uses a qualitativemethodology and an interpretive approach. The results extend our understanding of the fac-tors that influence managers’ involvement and action in ISS. Four contexts were identified,which were used as a framework for the analysis of the roles of the various people involvedin SME ISS. This paper makes a theoretical contribution by shedding light on new factors ofmanagers’ involvement and actions. The smallest SMEs seldom have a chief information of-ficer (CIO) or a chief information security officer (CISO). In this case, we found that em-ployees sometimes assume informal responsibility for IS and ISS. We identified various factorsto explain this informal position and several related issues. We also contribute to managerialpractices by identifying avenues to better involve managers in the ISS of their SMEs. Ourmajor contribution is showing for the first time that when an employee assumes the role of aCISO, whether informally or not, it is of utmost importance to provide top management sup-port. This study is original because managers’ involvement and actions are studied separate-ly, which provides more detailed results and allowed us to propose practical recommenda-tions to improve ISS, according to the identified situations
