{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T01:59:37Z","timestamp":1760061577831,"version":"3.41.2"},"reference-count":55,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2020,6,4]],"date-time":"2020-06-04T00:00:00Z","timestamp":1591228800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2020,6,4]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This paper aims to present empirical results exemplifying challenges related to information security faced by small and medium enterprises (SMEs). It uses guidelines based on work system theory (WST) to frame the results, thereby illustrating why the mere existence of corporate security policies or general security training often is insufficient for establishing and maintaining information security.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>This research was designed to produce a better appreciation and understanding of potential issues or gaps in security practices in SMEs. The research team interviewed 187 employees of 39 SMEs in the UK. All of those employees had access to sensitive information. Gathering information through interviews (instead of formal security documentation) made it possible to assess security practices from employees\u2019 point of view.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>Corporate policies that highlight information security are often disconnected from actual work practices and routines and often do not receive high priority in everyday work practices. 
A vast majority of the interviewed employees are not involved in risk assessment or in the development of security practices. Security practices remain an illusory activity in their real-world contexts.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>This paper focuses only on closed-ended questions related to the following topics: awareness of existing security policy; information security practices and management and information security involvement.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>The empirical findings show that corporate information security policies in SMEs often are insufficient for maintaining security unless those policies are integrated with visible and recognized work practices in work systems that use or produce sensitive information. The interpretation based on WST provides guidelines for enhancing information system security.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>Beyond merely reporting empirical results, this research uses WST to interpret the results in a way that has direct implications for practitioners and for researchers.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-01-2019-0010","type":"journal-article","created":{"date-parts":[[2020,6,4]],"date-time":"2020-06-04T07:23:42Z","timestamp":1591255422000},"page":"467-483","source":"Crossref","is-referenced-by-count":20,"title":["It is not my job: exploring the disconnect between corporate security policies and actual security practices in 
SMEs"],"prefix":"10.1108","volume":"28","author":[{"given":"Moufida","family":"Sadok","sequence":"first","affiliation":[]},{"given":"Steven","family":"Alter","sequence":"additional","affiliation":[]},{"given":"Peter","family":"Bednar","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2020071513124012300_ref001","doi-asserted-by":"publisher","first-page":"41","DOI":"10.1145\/322796.322806","article-title":"Users are not the enemy","volume":"42","year":"1999","journal-title":"Communications of ACM"},{"issue":"4","key":"key2020071513124012300_ref002","doi-asserted-by":"crossref","first-page":"276","DOI":"10.1016\/j.cose.2006.11.004","article-title":"A qualitative study of users\u2019 view on information security","volume":"26","year":"2007","journal-title":"Computers and Security"},{"issue":"6","key":"key2020071513124012300_ref003","doi-asserted-by":"crossref","first-page":"476","DOI":"10.1016\/j.cose.2009.01.003","article-title":"The information security digital divide between information security managers and users","volume":"28","year":"2009","journal-title":"Computers and Security"},{"issue":"4","key":"key2020071513124012300_ref004","doi-asserted-by":"crossref","first-page":"432","DOI":"10.1016\/j.cose.2009.12.005","article-title":"Improving information security awareness and behaviour through dialogue, participation and collective reflection. 
An intervention study","volume":"29","year":"2010","journal-title":"Computers and Security"},{"volume-title":"The work system method: connecting people, processes, and IT for business results","year":"2006","key":"key2020071513124012300_ref005"},{"issue":"2","key":"key2020071513124012300_ref006","doi-asserted-by":"crossref","first-page":"72","DOI":"10.17705\/1jais.00323","article-title":"Work system theory: overview of core concepts, extensions, and challenges for the future","volume":"14","year":"2013","journal-title":"Journal of the Association for Information Systems"},{"issue":"55","key":"key2020071513124012300_ref007","first-page":"1041","article-title":"Theory of workarounds","volume":"34","year":"2014","journal-title":"Communications of the Association for Information Systems"},{"issue":"2","key":"key2020071513124012300_ref008","doi-asserted-by":"crossref","first-page":"69","DOI":"10.4018\/IJSS.2017070106","article-title":"Six work system lenses for describing, analyzing, or evaluating important aspects of IS security","volume":"4","year":"2017","journal-title":"International Journal of Systems and Society (IJSS)"},{"key":"key2020071513124012300_ref009","doi-asserted-by":"crossref","first-page":"396","DOI":"10.1016\/j.cose.2013.09.004","article-title":"CISOs and organisational culture: their own worst enemy?","volume":"39","year":"2013","journal-title":"Computers and Security"},{"article-title":"IS security menace: when security creates insecurity","volume-title":"Proceedings of Thirty Seventh International Conference on Information Systems","year":"2016","key":"key2020071513124012300_ref010"},{"issue":"2","key":"key2020071513124012300_ref011","doi-asserted-by":"crossref","first-page":"121","DOI":"10.1057\/ejis.1991.20","article-title":"Risk analysis: an interpretive feasibility tool in justifying information systems security","volume":"1","year":"1991","journal-title":"European Journal of Information 
Systems"},{"year":"2009","key":"key2020071513124012300_ref012","article-title":"Addressing the human factor in information systems security"},{"issue":"1","key":"key2020071513124012300_ref013","article-title":"The future of sociotechnical systems theory and practice: the challenges for information system design","volume":"3","year":"2016","journal-title":"International Journal of Systems and Society"},{"issue":"4","key":"key2020071513124012300_ref014","doi-asserted-by":"crossref","first-page":"11","DOI":"10.2307\/249019","article-title":"MIS problems and failures: a socio-technical perspective, part II: the application of socio-technical theory","volume":"1","year":"1977","journal-title":"MIS Quarterly"},{"issue":"5","key":"key2020071513124012300_ref015","doi-asserted-by":"crossref","first-page":"22","DOI":"10.1109\/MSP.2016.95","article-title":"Barriers to usable security? Three organizational case studies","volume":"14","year":"2016","journal-title":"IEEE Secur. Priv"},{"issue":"4","key":"key2020071513124012300_ref016","doi-asserted-by":"crossref","first-page":"181","DOI":"10.1016\/j.istr.2010.04.005","article-title":"Information security management: an entangled research challenge","volume":"14","year":"2009","journal-title":"Information Security technical report"},{"key":"key2020071513124012300_ref017","first-page":"464","article-title":"Walking the line: the everyday security ties that bind","volume":"10292","year":"2017","journal-title":"HAS 2017, LNCS"},{"key":"key2020071513124012300_ref018","unstructured":"Cybersecurity breaches survey (2019), available at: www.gov.uk\/government\/statistics\/cyber-security-breaches-survey-2019"},{"issue":"4","key":"key2020071513124012300_ref019","first-page":"335","article-title":"Design principles for establishing a multi-sided open innovation platform: lessons learned from an action research study in the medical technology industry","volume":"29","year":"2019","journal-title":"Electronic 
Markets"},{"issue":"6","key":"key2020071513124012300_ref020","doi-asserted-by":"publisher","first-page":"571","DOI":"10.1016\/j.bushor.2016.07.003","article-title":"Impacts of security climate on employees\u2019 sharing of security advice and troubleshooting: empirical networks","volume":"59","year":"2016","journal-title":"Business Horizons"},{"issue":"3","key":"key2020071513124012300_ref021","doi-asserted-by":"crossref","first-page":"293","DOI":"10.1111\/j.1365-2575.2006.00219.x","article-title":"Value-focused assessment of information system security in organizations","volume":"16","year":"2006","journal-title":"Information Systems Journal"},{"key":"key2020071513124012300_ref022","doi-asserted-by":"crossref","first-page":"656","DOI":"10.1016\/j.chb.2016.03.068","article-title":"Deciding between information security and usability: developing value based objectives","volume":"61","year":"2016","journal-title":"Computers in Human Behavior"},{"year":"2004","key":"key2020071513124012300_ref023","article-title":"Approaches to IT security in small and medium enterprises"},{"issue":"9","key":"key2020071513124012300_ref024","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1016\/S1361-3723(16)30070-7","article-title":"The usability of security \u2013 revisited","volume":"2016","year":"2016","journal-title":"Computer Fraud and Security"},{"key":"key2020071513124012300_ref025","unstructured":"Home Office (2017), \u201cBusiness population estimates 2017\u201d, available at: www.gov.uk\/government\/statistics\/business-population-estimates-2017"},{"issue":"6","key":"key2020071513124012300_ref026","doi-asserted-by":"crossref","first-page":"585","DOI":"10.1016\/j.bushor.2016.07.004","article-title":"The emerging role of the CISO","volume":"59","year":"2016","journal-title":"Business Horizons"},{"issue":"3","key":"key2020071513124012300_ref027","doi-asserted-by":"crossref","first-page":"54","DOI":"10.1145\/3242734.3242739","article-title":"Rethinking the prevailing 
security paradigm: can user empowerment with traceability reduce the rate of security policy circumvention?","volume":"49","year":"2018","journal-title":"ACM SIGMIS Database: the DATABASE for Advances in Information Systems"},{"key":"key2020071513124012300_ref028","doi-asserted-by":"crossref","first-page":"73","DOI":"10.17705\/1CAIS.03905","article-title":"An analysis of the work system framework for examining information exchange in a healthcare setting","volume":"39","year":"2016","journal-title":"Communications of the Association for Information Systems"},{"key":"key2020071513124012300_ref029","doi-asserted-by":"crossref","first-page":"267","DOI":"10.1016\/j.cose.2016.12.012","article-title":"Practice-based discourse analysis of information security policies","volume":"67","year":"2017","journal-title":"Computers and Security"},{"key":"key2020071513124012300_ref030","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1016\/j.cose.2012.07.001","article-title":"Organizational power and information security rule compliance","volume":"33","year":"2013","journal-title":"Computers and Security"},{"key":"key2020071513124012300_ref031","first-page":"251","article-title":"Workarounds to computer access in healthcare organizations: you want my password or a dead patient?","volume":"280","year":"2015","journal-title":"Studies in Health Technology and Informatics"},{"year":"2019","key":"key2020071513124012300_ref032"},{"issue":"3","key":"key2020071513124012300_ref033","doi-asserted-by":"crossref","first-page":"479","DOI":"10.1007\/s10796-015-9606-x","article-title":"From product-centric to customer-centric services in a financial institution \u2013 exploring the organizational challenges of the transition process","volume":"18","year":"2016","journal-title":"Information Systems Frontiers"},{"key":"key2020071513124012300_ref019a","first-page":"6347","article-title":"Managing work systems for complex work via crowdworking platforms - how to orchestrate the interplay of 
crowds","volume-title":"Hawaii International Conference on System Sciences (HICSS)","year":"2019"},{"issue":"2","key":"key2020071513124012300_ref034","doi-asserted-by":"crossref","first-page":"44","DOI":"10.4018\/IJSS.2017070104","article-title":"Towards a framework to improve IT security and IT risk management in small and medium enterprises","volume":"4","year":"2017","journal-title":"International Journal of Systems and Society"},{"issue":"4","key":"key2020071513124012300_ref035","doi-asserted-by":"crossref","first-page":"317","DOI":"10.1111\/j.1365-2575.2006.00221.x","article-title":"The story of socio\u2010technical design: reflections on its successes, failures and potential","volume":"16","year":"2006","journal-title":"Information Systems Journal"},{"issue":"1","key":"key2020071513124012300_ref036","doi-asserted-by":"crossref","first-page":"17","DOI":"10.2307\/23043487","article-title":"A set of principles for conducting critical research in information systems","volume":"35","year":"2011","journal-title":"MIS Quarterly"},{"key":"key2020071513124012300_ref037","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1016\/j.cose.2013.12.003","article-title":"Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q)","volume":"42","year":"2014","journal-title":"Computers and Security"},{"issue":"8","key":"key2020071513124012300_ref038","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1016\/S1361-3723(16)30062-8","article-title":"How smaller businesses struggle with security advice","volume":"2016","year":"2016","journal-title":"Computer Fraud and Security"},{"issue":"3","key":"key2020071513124012300_ref039","doi-asserted-by":"publisher","first-page":"695","DOI":"10.25300\/MISQ\/2019\/13747","article-title":"The Sociotechnical Axis of cohesion for the IS discipline: its historical legacy and its continued relevance","volume":"43","year":"2019","journal-title":"MIS 
Quarterly"},{"year":"2016","key":"key2020071513124012300_ref040","article-title":"The security-usability tradeoff myth"},{"issue":"2","key":"key2020071513124012300_ref041","first-page":"152","article-title":"Incorporating a knowledge perspective into security risk assessments","volume":"41","year":"2011","journal-title":"VINE Journal Information Knowledge Management System"},{"issue":"4","key":"key2020071513124012300_ref042","doi-asserted-by":"crossref","first-page":"389","DOI":"10.1287\/orsc.1050.0130","article-title":"Designing work within and between organizations","volume":"16","year":"2005","journal-title":"Organization Science"},{"issue":"4","key":"key2020071513124012300_ref043","doi-asserted-by":"crossref","first-page":"339","DOI":"10.1016\/j.infoandorg.2004.11.001","article-title":"Analysis of modern IS security development approaches: towards the next generation of social and adaptable ISS methods","volume":"15","year":"2005","journal-title":"Information and Organization"},{"issue":"5","key":"key2020071513124012300_ref044","doi-asserted-by":"crossref","first-page":"267","DOI":"10.1016\/j.im.2008.12.007","article-title":"Information security management standards: problems and solutions","volume":"46","year":"2009","journal-title":"Information and Management"},{"volume-title":"Software engineering","year":"2011","key":"key2020071513124012300_ref045"},{"issue":"3","key":"key2020071513124012300_ref046","doi-asserted-by":"crossref","first-page":"503","DOI":"10.2307\/25750689","article-title":"User participation in information systems security risk management","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"issue":"1","key":"key2020071513124012300_ref047","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1111\/j.1365-2575.2011.00378.x","article-title":"Information security policies in the UK healthcare sector: a critical evaluation","volume":"22","year":"2012","journal-title":"Information Systems 
Journal"},{"issue":"June","key":"key2020071513124012300_ref048","article-title":"The evolution of socio-technical systems","volume":"2","year":"1981","journal-title":"Occasional paper"},{"article-title":"Systems analysis for everyone else: empowering business professionals through a systems analysis method that fits their needs","volume-title":"in European Conference of Information Systems 2010, Pretoria, South Africa","year":"2010","key":"key2020071513124012300_ref049"},{"article-title":"Extending a systems analysis method for business professionals","volume-title":"in Practical aspects of design science: European Design Science Symposium, EDSS 2011","year":"2012","key":"key2020071513124012300_ref050"},{"year":"2001","key":"key2020071513124012300_ref051","article-title":"Embedding security practices in contemporary"},{"article-title":"Digitalization of work systems \u2013 an organizational routines\u2019 perspective","volume-title":"HICSS 2019","year":"2019","key":"key2020071513124012300_ref052"},{"year":"2017","key":"key2020071513124012300_ref053","article-title":"Workarounds and trade-offs in information security \u2013 an exploratory"},{"key":"key2020071513124012300_ref054","unstructured":"Wong, H.M.L. 
(2018), \u201cDemystifying and Solving the Knowledge Sharing Problems in a Regional Operations Division of a Global Courier and Delivery Services Firm: An Action Research Approach\u201d, PhD thesis, City University Hong Kong."}],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-01-2019-0010\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-01-2019-0010\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:36Z","timestamp":1753406556000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/28\/3\/467-483\/199266"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,6,4]]},"references-count":55,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2020,6,4]]}},"alternative-id":["10.1108\/ICS-01-2019-0010"],"URL":"https:\/\/doi.org\/10.1108\/ics-01-2019-0010","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"},{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2020,6,4]]}}}