Research Proposal Assignment: Employee Experiences In Information Security In SME
Question
Task:
Write a research proposal assignment presenting the qualitative study on employee experiences in information security in SME.
Answer
Introduction
It is evident in this research proposal assignment that technology and the Internet have advanced in recent years and that people are completely dependent on the latest technology and internet connectivity. With the advancement of the internet and technology, the volume of data has also increased considerably. Every organization, be it a large or medium enterprise, is dependent on data and information, which act as a backbone for any organization's survival, especially for SMEs. Intruders are always active in the network, trying to extract valuable information from it (Hwang et al., 2017). SMEs are the primary target, as they are prone to intrusive attacks initiated by intruders; this is also due to the fact that employees in SMEs have less knowledge about cyber threats and information security, which makes it easy for intruders to get hold of the SMEs' valuable information. Small and medium companies have used technologies to contend against far bigger competitors, but in doing so they have added new risks and challenges to the equation (Guhr et al., 2019). Business processes and data are continually at risk from hackers, ransomware, rogue personnel, device errors, and natural disasters. As more small firms use third-party sellers to carry out activities that help them to expand and scale within their budgets, the likelihood of a safety threat will increase dramatically. An enterprise's exposure grows exponentially, with catastrophic consequences, if it has bad passwords, inadequate smart device policies, insecure POS structures, and confusion about cybersecurity risks (Chen et al., 2018). Hackers wait for an employee's mistake; attacks in which such an error gives them access to confidential information are the most effective and recurrent cyberattacks.
The perception of employees today is largely influenced by interactive technologies. Technology is closely interconnected with daily practices, as it allows small and medium businesses to work less and more flexibly (Kessler et al., 2020). Both of these need to be underpinned by a strong security structure that keeps cyber attackers out, ensuring that safety solutions do not diverge from required security standards and are seamless and intuitive. Modern identity and access risks can be difficult to understand, especially for the workforce's less technical populations. Many organizations understand the advantages of IDM technologies, such as multi-factor authentication (MFA). MFA allows staff to save time and money, with limited preparation, by exploiting contextual and biometric authentication elements in order to improve security. The new MFA technology enables fast integration into services like Microsoft Azure. Cloud and smartphone applications have made the handling of passwords substantially more difficult (Hina et al., 2019). According to the Global Password Protection Survey, an employee in a small business with 1 to 25 employees needs 85 passwords, while the average for an employee in a big company with 1,001 to 10,000 employees is 25 (Connolly et al., 2017). Single sign-on (SSO) systems are introduced to simplify password use across multiple applications and to reduce the work needed to handle passwords.
Research Questions
- How can Verzekeringen Financiering B.V. utilize the most productive and most recent developments, including sufficient information security mechanics, by evaluating specifications, plans, and IT security policies, to strengthen its approaches and tactics against phishing?
- How successful is the filtering mechanism provided by VPO Tribion against the threats faced by Verzekeringen Financiering B.V.?
- Do Verzekering workers consider phishing a hazard?
- What further steps can be taken to minimize the phishing issue by supporting Verzekeringen Financiering?
- How necessary is it for Verzekeringen Financiering B.V. to learn from the SMEs dealing with this phishing problem?
Research Aims and Objectives
Aim
The main aim of the study is to find out the importance of employee experience in Information security in small and medium enterprises and the way Verzekeringen Financiering B.V. consultancy can help the SMEs in dealing with the phishing attack in information security.
Objectives
- The study intends to analyze the literature sources related to information security in SMEs.
- The main focus of the study is to find out the need for employee experience in information security in SMEs.
- The study is focused on finding out the various ways Verzekering can guide the SMEs in training their employees to have proper knowledge about phishing attacks and the way information can be secured.
Research relevance
Employee experience is all about how workers use the organization's work experience and safety knowledge. Organizations set in motion different policies and procedures to ensure people feel good about their workplace climate, community, and structure. Be it a large institution or a small enterprise, data is important and plays a vital role in the existence of any company. The public network is full of intruders who are always active, trying to extract valuable information from a company's vault to harm the victim. Large institutions have made various advancements in their security procedures to safeguard their data from getting into the hands of intruders (Hallová et al., 2019). There are still various incidents of information theft, but they are few in comparison to those at small and medium enterprises. Small and medium enterprises are more prone to cyber threats because the security mechanisms they implement are not of high quality, which makes them easy prey for intruders seeking their valuable information. For that reason, employee experience in information security is of the highest priority for small and medium enterprises in safeguarding their data. Proper training for employees is important for any small or medium enterprise to fight back against any kind of intrusive activity. Verzekeringen Financiering B.V. consultancy serves SMEs by providing various training to their employees in safeguarding information from cyberattacks, especially the phishing attack, which is common in cyberspace. Employees mostly fall prey to this kind of phishing attack due to a lack of knowledge and training. Verzekeringen Financiering B.V. consultancy trains employees on the various kinds of phishing attacks and on how to avoid this kind of cyber threat. More importantly, Verzekeringen Financiering B.V. consultancy introduces the VPO portal, which creates a direct link between the employees and the network with proper security to safeguard confidential information.
Literature review
Introduction
According to Safa et al. (2016), the sources of employees' errors are a lack of knowledge about information security, indifference, carelessness, apathy, and resistance. In the study, a new paradigm reveals how the execution of corporate information security policies reduces the risk of employee actions. The key feature of this study is the conceptualization of various facets of interaction, such as the exchange of skills, cooperation, intervention and expertise in information security, and of attachment, involvement, and personal standards, which are important in the theory of Social Bonding (Soomro et al., 2016). The study obtained various results, which revealed that awareness sharing, communication, intervention, and expertise have a major impact on staff's actions regarding compliance with corporate information security regulations. Advancements in the Internet and technology have a huge effect on human life. However, the confidentiality of information remains a significant issue for both consumers and SMEs. Technology alone cannot guarantee a protected information environment; in addition to technical factors, human aspects of data safety should be taken into account (Stewart and Jürjens, 2017). The theory had no major effects on the mindset of workers towards complying with information security policies, however. The findings have shown that the mindset of workers is influenced by dedication and personal expectations. The behavioral intent in relation to information security enforcement also has an essential impact on compliance with ISO regulation.
Employee attitude towards information security
As per Ashenden (2018), the coordination between security professionals and employees is one of the primary issues outlined in the SANS report. While security frameworks certainly assume that the protection measures and the worker see information security in a similar fashion, what the security practitioner finds to be a reasonable understanding of information security awareness and behavior does not necessarily equal that of the employee (Mijnhardt et al., 2016). Security violations arise in companies across a large variety of acts by workers. These acts are often intentional, but sometimes they are inadvertent or occur because business processes are impeded by protection. While workers also cause a vast number of safety violations, several companies have now introduced a safety awareness program. The goal of this study was to detect employees' actions towards the protection of information and to resolve the problem of social acceptability in research into information security (Barlette et al., 2017). The research used the psychology of personal systems and repertoire grids as the basis for a study in a hybrid design process. There were 11 detailed interviews accompanied by a sample of 115 employee reactions to the data set. The interview data influenced the survey's design. The findings of the interviews established a range of issues related to human responsibility for the protection of information and the capacity to contribute to the security of information (Gupta et al., 2018).
Employee’s cybersecurity awareness
As per Li, He, Xu, Ash, Anwar, and Yuan (2018), the study focused on the published cybersecurity literature by identifying the contextual domains of the actions of workers, and developed and validated practical interventions to advance occupational safety science. A philosophical structure is suggested and evaluated based on studies of 579 company management and experts. With the growing quantities and complexities of Internet technologies and smartphone devices, malicious cyber-attacks grow, which leaves society more vulnerable than ever before to security threats in cyberspace (McLaughlin and Gogan, 2018). The suggested theories are evaluated using structural equation modeling and ANOVA procedures.
Theoretical Framework
Understanding the various theoretical frameworks used in the academic literature will help in identifying the theoretical framework needed in this study.
Current theoretical framework review
As per Ključnikov et al. (2019), the global economy is shifting the market model and the success stories of almost all forms of transitions from physical assets to intangible goods; knowledge and its importance have shifted particularly towards small and medium-sized businesses, and it is becoming more and more important. Certain success factors have been identified for the management of information security in the SME segment (Montenegro and Moncayo, 2016). The performance of information security management consists fundamentally of 4 core factors, which include the consistency of information security management with the activities of the business, high-level administration help, security checks, and hierarchical arrangement. The authors approached senior IT security specialists from SMEs in Slovakia to determine the significance and the interconnections of the factors listed.
Experts analyzed the importance of the performance factors of the management of security of information and interpreted the findings of the expert assessment using the DEMATEL methodology. Analysis findings indicate that the Security Measures and the Senior Management are usually the main factors, although the corporate knowledge component is the most evident and significant in the short term (Sadok and Bednar, 2016). The findings show that small and medium-sized companies should foster corporate awareness of information security management, in line with safety controls in the defensive front line. In SMEs, safety monitoring duty is focused on the regulatory body since a dedicated full-time protection manager is not successful. Another approach is to set up functions or outsource an information management manager within a business (Ozkan et al., 2019). In the small and medium-sized market in particular, the topic of information security management is of great significance.
As per Mattern et al. (2014), a constructive strategy is much better when it comes to the implementation of cyber protection initiatives. The authors advocate cyber defence powered by intelligence, focused on constructive safety initiatives, and a theoretical structure that includes three operations led by intelligence. The first is a proactive security strategy that encompasses network safety, legal efforts, public relations, and other business operations. The second is a prompt and reliable understanding of environmental risks, and the last step is to produce decisions based on evidence.
As per Julisch (2013), the operational component includes a specific allocation of IT workers' roles and privileges. Technological implications mean that they have developed solid and steady cyber protection mechanisms and that IT experts, as they build this mechanism, do not just use security product databases but also make use of antivirus data tools.
Developing the theoretical framework
Based on the theoretical framework review, it can be clearly stated that making use of constructive strategies along with intelligence, as stated by Mattern et al. (2014), has a good prospect in terms of security, as it will help employees and small enterprises to enrich their knowledge of cybersecurity and safeguard information. In order to secure information, SMEs should encourage organizational knowledge of the management of information security as a valuable asset of the organization, in conjunction with the introduction of safety checks on the first line of protection.
Research Methodology
The study is based on a qualitative research methodology, meaning that information about information security and employee awareness of information security in SMEs is collected from various literature sources such as journal articles and internet sources. Qualitative research does not require statistical analysis; it allows various information about the topic to be gathered, and it has helped in gaining in-depth knowledge about the importance of information security and about the kind of employee experience needed in information security. Information plays a major role in the existence of SMEs in a competitive market with large enterprises. The qualitative analysis consists of comprehensive investigations using a number of methods to explain what different authors think, experience, respond, and behave in the manner they do. For observational interviews and even focus groups, surveys appear to be limited, so they are intended to create ideas, techniques, or for example, in order to appreciate structures regulating groups or organizations. A qualitative analysis should be applied to every research background and does not require any particular expertise. The advantage of qualitative methods is that they do not continue with an established hypothesis, which is rather static. Instead, it is an open methodology that can be extended and modified in continuous analysis to increase the consistency of the results and observations.
Planning
| Tasks | Duration | Nov | Dec | Jan-21 | Feb-21 | Mar-21 |
| --- | --- | --- | --- | --- | --- | --- |
| Project Planning strategy | 30 days | | | | | |
| Gathering literature sources | 31 days | | | | | |
| Analysis of the sources | 31 days | | | | | |
| Documentation | 28 days | | | | | |
| Final Project Completion | 28 days | | | | | |
Gantt Chart
The Gantt Chart is meant to identify the number of days it will take to complete the above-mentioned tasks. The duration of the project is five months, which means it will take 148 days in total to complete the project, from planning to completion. Each of the phases of the project is clearly shown in the Gantt chart, along with the expected time frame to complete it.
Conclusion
Information security is important for any organization, be it a large enterprise or an SME. The existence of any organization is dependent on information security and, most importantly, on the awareness of employees about information security. Employees are the ones that deal with huge amounts of data every day, and awareness of policies and security features is of utmost priority for them. Information security is important in SMEs, as losing information means a costly recovery process, and employees' experience in cybersecurity is needed to prevent any such incident related to information theft. If an employee in an SME is aware of cybersecurity, it indicates that the employee knows the cyber risks, the possible effect of a cyberattack on the enterprise, and the measures taken to minimize risk and deter cybercrime from infiltrating the online workplace. This requires the preparation of staff on the various challenges and dangers posed by cybersecurity and possible weak points. Employees must learn the best practices and protocols to protect networks and records. These ramifications may include the lack of jobs, criminal punishment, or even irreparable damage to the business. If all workers undergo training in cyber safety procedures, lapses in security are less likely if someone leaves the company. In other words, when a vital person is not at work or leaves the job, other employees must be trained to protect the stored information.
References
Ashenden, D., 2018. In their own words: employee attitudes towards information security. Information & Computer Security.
Barlette, Y., Gundolf, K. and Jaouen, A., 2017. CEOs’ information security behavior in SMEs: Does ownership matter?. Systèmes d'information & management, 22(3), pp.7-45.
Chen, X., Wu, D., Chen, L. and Teng, J.K., 2018. Sanction severity and employees’ information security policy compliance: Investigating mediating, moderating, and control variables. Information & Management, 55(8), pp.1049-1060.
Connolly, L.Y., Lang, M., Gathegi, J. and Tygar, D.J., 2017. Organisational culture, procedural countermeasures, and employee security behaviour. Information & Computer Security.
Guhr, N., Lebek, B. and Breitner, M.H., 2019. The impact of leadership on employees' intended information security behaviour: An examination of the full-range leadership theory. Information Systems Journal, 29(2), pp.340-362.
Gupta, S., Misra, S.C., Kock, N. and Roubaud, D., 2018. Organizational, technological and extrinsic factors in the implementation of cloud ERP in SMEs. Journal of Organizational Change Management.
Hallová, M., Polakovič, P., Šilerová, E. and Slováková, I., 2019. Data protection and security in SMEs under enterprise infrastructure. AGRIS on-line Papers in Economics and Informatics, 11(665-2019-3992).
Hina, S., Selvam, D.D.D.P. and Lowry, P.B., 2019. Institutional governance and protection motivation: Theoretical insights into shaping employees’ security compliance behavior in higher education institutions in the developing world. Computers & Security, 87, p.101594.
Hwang, I., Kim, D., Kim, T. and Kim, S., 2017. Why not comply with information security? An empirical approach for the causes of non-compliance. Online Information Review.
Julisch, K., 2013. Understanding and overcoming cyber security anti-patterns. Computer Networks, 57(10), pp.2206-2211.
Kessler, S.R., Pindek, S., Kleinman, G., Andel, S.A. and Spector, P.E., 2020. Information security climate and the assessment of information security risk among healthcare employees. Health informatics journal, 26(1), pp.461-473.
Ključnikov, A., Mura, L. and Sklenár, D., 2019. Information security management in SMEs: factors of success.
Li, L., He, W., Xu, L., Ash, I., Anwar, M. and Yuan, X., 2019. Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. International Journal of Information Management, 45, pp.13-24.
Mattern, T., Felker, J., Borum, R. and Bamford, G., 2014. Operational levels of cyber intelligence. International Journal of Intelligence and CounterIntelligence, 27(4), pp.702-719.
McLaughlin, M.D. and Gogan, J., 2018. Challenges and best practices in information security management. MIS Quarterly Executive, 17(3), p.12.
Mijnhardt, F., Baars, T. and Spruit, M., 2016. Organizational characteristics influencing SME information security maturity. Journal of Computer Information Systems, 56(2), pp.106-115.
Montenegro, C. and Moncayo, D., 2016. Information Security Risk in SMEs: A Hybrid Model Compatible with IFRS. In 2016 6th International Conference on Information Communication and Management.
Ozkan, B.Y., Spruit, M., Wondolleck, R. and Coll, V.B., 2019. Modelling adaptive information security for SMEs in a cluster. Journal of Intellectual Capital.
Sadok, M. and Bednar, P.M., 2016. Information Security Management in SMEs: Beyond the IT Challenges. In HAISA (pp. 209-219).
Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in organizations. Computers & Security, 56, pp.70-82.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp.215-225.
Stewart, H. and Jürjens, J., 2017. Information security management and the human aspect in organizations. Information & Computer Security.