{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T18:19:27Z","timestamp":1754158767404,"version":"3.41.2"},"reference-count":37,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2017,7,10]],"date-time":"2017-07-10T00:00:00Z","timestamp":1499644800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,7,10]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>The contemporary internet provisions increasingly sophisticated security attacks. Besides underlining the advanced nature of these attacks, the concept of an advanced persistent threat (APT) catalyzes the important perspective of longitudinal persistence; attacks are not only carefully planned and targeted but the subsequent exploitation period covers long periods of time. If an APT successfully realizes into such exploitation, information assets may be continuously monitored for harvesting business-critical information (BCI). These threats are relevant for the security of small enterprises, and this study aims to examine the qualitative factors that shape the security mindsets among these.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>The data are collected with semi-structured interviews of six enterprises in a small regional market segment. 
The analysis is based on a fourfold taxonomy that delivers three mindset profiles, while particular emphasis is placed on the subjective security notions that shape the typical strategizing among enterprises.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>APT is poorly understood among the observed segment, which tends to often also explicitly downplay the strategic relevance of the concept, but a more pressing challenge relates to the observation that business data is often perceived to have no value. The delivered results can be used to improve the situation.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This study is among the first to explore perceptions of small enterprises toward APT and BCI. The results reveal problematic mindsets and offer new avenues for practitioners as well as academics to study and improve the situation.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-07-2016-0047","type":"journal-article","created":{"date-parts":[[2017,5,24]],"date-time":"2017-05-24T07:32:02Z","timestamp":1495611122000},"page":"226-239","source":"Crossref","is-referenced-by-count":0,"title":["Tightroping between APT and BCI in small enterprises"],"prefix":"10.1108","volume":"25","author":[{"given":"Jesse","family":"Kaukola","sequence":"first","affiliation":[]},{"given":"Jukka","family":"Ruohonen","sequence":"additional","affiliation":[]},{"given":"Antti","family":"Tuomisto","sequence":"additional","affiliation":[]},{"given":"Sami","family":"Hyrynsalmi","sequence":"additional","affiliation":[]},{"given":"Ville","family":"Lepp\u00e4nen","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"issue":"4\/5","key":"key2020120619252648700_ref001","first-page":"409","article-title":"Organisational resilience in a cloud-based enterprise in a supply chain: a challenge for innovative 
SMEs","volume":"30","year":"2015","journal-title":"International Journal of Computer Integrated Manufacturing"},{"issue":"3","key":"key2020120619252648700_ref002","doi-asserted-by":"crossref","first-page":"88","DOI":"10.1109\/MSP.2012.65","article-title":"Developing secure products in the age of advanced persistent threats","volume":"10","year":"2012","journal-title":"Security & Privacy"},{"issue":"2","key":"key2020120619252648700_ref003","first-page":"1","article-title":"The Heartbleed bug: insecurity repackaged, rebranded and resold","volume":"11","year":"2015","journal-title":"Crime, Media, Culture"},{"issue":"2","key":"key2020120619252648700_ref004","doi-asserted-by":"crossref","first-page":"129","DOI":"10.1108\/14691930010377469","article-title":"Intellectual capital: recognizing both assets and liabilities","volume":"1","year":"2000","journal-title":"Journal of Intellectual Capital"},{"first-page":"63","article-title":"A study on advanced persistent threats","year":"2014","key":"key2020120619252648700_ref005"},{"issue":"3","key":"key2020120619252648700_ref006","doi-asserted-by":"crossref","first-page":"323","DOI":"10.1142\/S1363919601000403","article-title":"Delivering business critical information systems though application service providers: the need for a market segmentation strategy","volume":"5","year":"2001","journal-title":"International Journal of Innovation Management"},{"issue":"4","key":"key2020120619252648700_ref007","doi-asserted-by":"crossref","first-page":"538","DOI":"10.1016\/j.clsr.2015.05.004","article-title":"The prospects of easier security for small organisations and consumers","volume":"31","year":"2015","journal-title":"Computer Law & Security Review"},{"key":"key2020120619252648700_ref008","unstructured":"F-Secure (2015), \u201cThe Dukes: seven years of Russian Cyberespionage\u201d, available at: 
www.f-secure.com\/documents\/996508\/1030745\/dukes_whitepaper.pdf"},{"issue":"2","key":"key2020120619252648700_ref009","first-page":"203","article-title":"A management perspective on risk of security threats to information systems","volume":"6","year":"2005","journal-title":"Information Technology and Management"},{"first-page":"1","article-title":"Considering technical and financial impact in the selection of security countermeasures against advanced persistent threats (APTs)","year":"2015","key":"key2020120619252648700_ref010"},{"issue":"4","key":"key2020120619252648700_ref011","doi-asserted-by":"crossref","first-page":"297","DOI":"10.1108\/09685220510614425","article-title":"Information systems security issues and decisions for small businesses: an empirical examination","volume":"13","year":"2005","journal-title":"Information Management & Computer Security"},{"issue":"5","key":"key2020120619252648700_ref012","doi-asserted-by":"crossref","first-page":"861","DOI":"10.1016\/j.ijinfomgt.2013.07.001","article-title":"The usage and adoption of cloud computing by small and medium businesses","volume":"33","year":"2013","journal-title":"International Journal of Information Management"},{"first-page":"76","article-title":"Assuming a state of compromise: a best practise approach for SMEs on incident response management","year":"2014","key":"key2020120619252648700_ref013"},{"issue":"1","key":"key2020120619252648700_ref014","doi-asserted-by":"crossref","first-page":"11","DOI":"10.1016\/j.jsis.2013.11.001","article-title":"Information systems strategizing, organizational sub-communities, and the emergence of a sustainability strategy","volume":"23","year":"2014","journal-title":"The Journal of Strategic Information Systems"},{"volume-title":"Qualitative Market Research: Principle and 
Practice","year":"2002","key":"key2020120619252648700_ref015"},{"issue":"5","key":"key2020120619252648700_ref016","doi-asserted-by":"crossref","first-page":"332","DOI":"10.1108\/09685221211286511","article-title":"Information security and business continuity management in interorganizational IT relationships","volume":"20","year":"2012","journal-title":"Information Management & Computer Security"},{"issue":"3","key":"key2020120619252648700_ref017","doi-asserted-by":"crossref","first-page":"583","DOI":"10.1016\/j.ijinfomgt.2013.03.001","article-title":"IT incidents and business impacts: validating a framework for continuity management in information systems","volume":"33","year":"2013","journal-title":"International Journal of Information Management"},{"first-page":"144","article-title":"\u201cA practical study on advanced persistent threats","year":"2012","key":"key2020120619252648700_ref018"},{"first-page":"286","article-title":"\u201cExamining the effects of knowledge, attitude and behaviour on information security awareness: a case on SME\u201d","year":"2013","key":"key2020120619252648700_ref019"},{"issue":"2","key":"key2020120619252648700_ref020","doi-asserted-by":"crossref","first-page":"7","DOI":"10.1201\/1078\/45099.22.2.20050301\/87273.2","article-title":"Information security threats and practices in small businesses","volume":"22","year":"2005","journal-title":"Information Systems Management"},{"issue":"4","key":"key2020120619252648700_ref021","doi-asserted-by":"crossref","first-page":"454","DOI":"10.1177\/1050651908320362","article-title":"Qualitative sampling methods: a primer for technical communicators","volume":"22","year":"2008","journal-title":"Journal of Business and Technical Communication"},{"issue":"6","key":"key2020120619252648700_ref022","doi-asserted-by":"crossref","first-page":"321","DOI":"10.1016\/j.jisa.2014.10.012","article-title":"A methodology for estimating the tangible cost of data 
breaches","volume":"19","year":"2014","journal-title":"Information Security and Applications"},{"issue":"2","key":"key2020120619252648700_ref023","doi-asserted-by":"crossref","first-page":"158","DOI":"10.1177\/001041407500800203","article-title":"The comparable-cases strategy in comparative research","volume":"8","year":"1975","journal-title":"Comparative Political Studies"},{"issue":"2","key":"key2020120619252648700_ref024","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1201\/1086\/45241.14.2.20050501\/88289.3","article-title":"Desktop security and usability trade-offs: an evaluation of password management systems","volume":"14","year":"2005","journal-title":"Information Systems Security"},{"issue":"1","key":"key2020120619252648700_ref025","doi-asserted-by":"crossref","first-page":"246","DOI":"10.1016\/j.ssresearch.2012.06.002","article-title":"Convenient yet not a convenience sample: jury pools as experimental subject pools","volume":"42","year":"2013","journal-title":"Social Science Research"},{"first-page":"89","article-title":"Applying digital forensics in the future internet enterprise systems - European SME\u2019s perspective","year":"2010","key":"key2020120619252648700_ref026"},{"first-page":"244","article-title":"Managing security threats and vulnerabilities for small to medium enterprises","year":"2007","key":"key2020120619252648700_ref027"},{"volume-title":"The Logic of Comparative Social Inquiry","year":"1970","key":"key2020120619252648700_ref028"},{"issue":"3","key":"key2020120619252648700_ref029","doi-asserted-by":"crossref","first-page":"475","DOI":"10.1007\/s10796-014-9506-5","article-title":"Adoption of software as a service (SaaS) enterprise resource planning (ERP) systems in small and medium sized enterprises (SMEs)","volume":"17","year":"2015","journal-title":"Information Systems Frontiers"},{"issue":"1","key":"key2020120619252648700_ref030","first-page":"1","article-title":"Adoption of security as a 
service","volume":"14","year":"2013","journal-title":"Journal of Internet Services and Applications"},{"issue":"3","key":"key2020120619252648700_ref031","doi-asserted-by":"crossref","first-page":"303","DOI":"10.1057\/palgrave.ejis.3000537","article-title":"An analysis of the traditional is security approaches: implications for research and practice","volume":"14","year":"2005","journal-title":"European Journal of Information Systems"},{"issue":"3","key":"key2020120619252648700_ref032","doi-asserted-by":"crossref","first-page":"289","DOI":"10.1057\/ejis.2012.59","article-title":"Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations","volume":"23","year":"2014","journal-title":"European Journal of Information Systems"},{"issue":"7","key":"key2020120619252648700_ref033","doi-asserted-by":"crossref","first-page":"484","DOI":"10.1108\/02635570310489188","article-title":"The role of critical information in enterprise knowledge management","volume":"103","year":"2003","journal-title":"Industrial Management & Data Systems"},{"issue":"1","key":"key2020120619252648700_ref034","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.jnca.2010.07.006","article-title":"A survey on security issues in service delivery models of cloud computing","volume":"34","year":"2011","journal-title":"Journal of Network and Computer Applications"},{"key":"key2020120619252648700_ref035","unstructured":"Symantec (2015), \u201cAdvanced persistent threats: a symantec perspective\u201d, available at: www.symantec.com\/content\/en\/us\/enterprise\/white_papers\/b-advanced_persistent_threats_WP_21215957.en-us.pdf"},{"issue":"1","key":"key2020120619252648700_ref036","doi-asserted-by":"crossref","first-page":"87","DOI":"10.1016\/j.jsis.2014.01.003","article-title":"Information systems strategy and strategy-as-practice: a joint agenda","volume":"23","year":"2014","journal-title":"The Journal of Strategic Information 
Systems"},{"issue":"4","key":"key2020120619252648700_ref037","doi-asserted-by":"crossref","first-page":"161","DOI":"10.1080\/07421222.1999.11518226","article-title":"Password security: an empirical study","volume":"15","year":"1999","journal-title":"Journal of Management Information Systems"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-07-2016-0047\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-07-2016-0047\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:01Z","timestamp":1753406581000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/3\/226-239\/105959"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,7,10]]},"references-count":37,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2017,7,10]]}},"alternative-id":["10.1108\/ICS-07-2016-0047"],"URL":"https:\/\/doi.org\/10.1108\/ics-07-2016-0047","relation":{},"ISSN":["2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2017,7,10]]}}}