University of Worcester Worcester Research and Publications

"SMEs, Information Risk Management, and ROI"

Henson, Richard and Hallas, B. (2009) "SMEs, Information Risk Management, and ROI". In: Athens Institute for Education and Research (ATINER) SMEs Conference 2009, 10th - 13th August 2009, Athens, Greece. (Unpublished)




Recent research in the area of standards accreditation has shown that the rate of take-up of ISO27001 (Information Security Management) by organisations has been disappointing in many Western countries, compared both with the picture emerging in Asia and with the rollout of previous international standards relating to information management, such as ISO9001.

In this paper, a researcher and a practitioner from the UK investigate possible reasons for the lesser interest in pursuing certification of organisational Information Security Management Systems (ISMS) across Western countries. They also share their perception and concern that the current attitudes of UK small businesses towards complying with standards and legislation mean that those businesses may be taking unnecessary risks with their corporate and personal data, under the possibly misguided notion that other priorities matter more during the current recession.

The authors use an economics-based approach in proposing a solution to the problem. On the one hand, they review the research that has provided methods for putting a figure on the value of corporate and personal data in larger organisations, and consider how the principles of managing information risk can be applied to SMEs. On the other hand, they look at economics-related issues such as market pressure, insurance, outsourcing, and the legal and regulatory requirements regarding the privacy of personal data. The result is a case for showing SMEs that, apart from the moral argument that it is “good for the business”, there are very sound economic reasons for an SME to develop an ISMS and gain ISO27001 certification.

Item Type: Conference or Workshop Item (Paper)
Uncontrolled Discrete Keywords: SME, Information Risk Management, ISMS, Information Security Management Systems, data protection legislation, economics of information security, value of data, ISO27001, PCI DSS, drivers for accreditation
Subjects: T Technology > T Technology (General)
Divisions: College of Business, Psychology and Sport > Worcester Business School
Depositing User: Richard Henson
Date Deposited: 03 Aug 2010 10:11
Last Modified: 08 Jun 2021 09:24
