Henson, Richard and Hallas, B. (2009) "SMEs, Information Risk Management, and ROI". In: Athens Institute for Education and Research (ATINER) SMEs Conference 2009, 10th - 13th August 2009, Athens, Greece. (Unpublished)
Abstract
Recent research into standards accreditation has shown that the rate of take-up of ISO27001 (Information Security Management) by organisations has been disappointing in many Western countries, both compared with the picture emerging in Asia and compared with the rollout of earlier international management standards such as ISO9001.
In this paper, a researcher and a practitioner from the UK investigate possible reasons for the lesser interest in pursuing certification of organisational Information Security Management Systems (ISMS) across Western countries. They also share their perception and concern that the current attitudes of UK small businesses towards compliance with standards and legislation mean that these businesses may be taking unnecessary risks with their corporate and personal data, under the possibly misguided notion that other priorities matter more during the current recession.
The authors take an economics-based approach to proposing a solution. On the one hand, they review the research that has provided methods for putting a figure on the value of corporate and personal data in larger organisations, and consider how the principles of information risk management can be applied to SMEs. On the other hand, they examine economics-related issues such as market pressure, insurance, outsourcing, and the legal and regulatory requirements concerning the privacy of personal data. The result is a case for showing SMEs that, apart from the moral argument that it is "good for the business", there are very sound economic reasons for an SME to develop an ISMS and obtain ISO27001 certification.
Item Type: | Conference or Workshop Item (Paper) |
---|---|
Uncontrolled Discrete Keywords: | SME, Information Risk Management, ISMS, Information Security Management Systems, data protection legislation, economics of information security, value of data, ISO27001, PCI DSS, drivers for accreditation |
Subjects: | T Technology > T Technology (General) |
Divisions: | College of Business, Psychology and Sport > Worcester Business School |
Depositing User: | Richard Henson |
Date Deposited: | 03 Aug 2010 10:11 |
Last Modified: | 11 Jun 2024 13:58 |
URI: | https://eprints.worc.ac.uk/id/eprint/958 |