{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,8]],"date-time":"2026-05-08T22:17:41Z","timestamp":1778278661121,"version":"3.51.4"},"reference-count":60,"publisher":"Emerald","issue":"5","license":[{"start":{"date-parts":[[2016,11,14]],"date-time":"2016-11-14T00:00:00Z","timestamp":1479081600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2016,11,14]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This study aims to investigate information technology security practices of very small enterprises.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>The authors perform a formal information security field study using a representative sample. Using the Control Objectives for IT (COBIT) framework, the authors evaluate 67 information security controls and perform 206 related tests. The authors state six hypotheses about the findings and accept or reject those using inferential statistics. The authors explain findings using the social comparison theory and the rare events bias theory.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>Only one-third of all the controls examined were designed properly and operated as expected. About half of the controls were either ill-designed or did not operate as intended. The social comparison theory and the rare events bias theory explain managers\u2019s reliance on small experience samples which in turn leads to erroneous comprehension of their business environment, which relates to information security.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>This information is valuable to executive branch policy makers striving to reduce information security vulnerability on local and national levels and small business organizations providing information and advice to their members.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>Information security surveys are usually over-optimistic and avoid self-incrimination, yielding results that are less accurate than field work. To obtain grounded facts, the authors used the field research approach to gather qualitative and quantitative data by physically visiting active organizations, interviewing managers and staff, observing processes and reviewing written materials such as policies, procedure and logs, in accordance to common practices of security audits.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-09-2015-0041","type":"journal-article","created":{"date-parts":[[2016,11,18]],"date-time":"2016-11-18T13:13:52Z","timestamp":1479474832000},"page":"534-556","source":"Crossref","is-referenced-by-count":6,"title":["Explaining small business InfoSec posture using social theories"],"prefix":"10.1108","volume":"24","author":[{"given":"Eli","family":"Rohn","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Gilad","family":"Sabari","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Guy","family":"Leshem","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2020121120232574600_ref001","doi-asserted-by":"crossref","first-page":"513","DOI":"10.1108\/IMCS-08-2013-0058","article-title":"Teaching information security management: reflections and experiences","volume":"22","year":"2014","journal-title":"Information Management & Computer Security"},{"key":"key2020121120232574600_ref002","volume-title":"AICPA Standards and Statements","author":"AICPA","year":"2015"},{"key":"key2020121120232574600_ref003","unstructured":"AOL\/NCSA (2004), \u201cAOL\/NCSA online safety study\u201d, Research Report, American Online and the National Cyber Security Alliance, available at: http:\/\/tinyurl.com\/oqpgrjw"},{"key":"key2020121120232574600_ref004","volume-title":"Information Security Breaches Survey","author":"BDBI","year":"2014"},{"key":"key2020121120232574600_ref005","article-title":"Cyber security myths versus reality: how optimism bias contributes to inaccurate perceptions of risk","volume":"8","author":"BITSIGHT","year":"2015","journal-title":"Dimensional Research"},{"issue":"5","key":"key2020121120232574600_ref006","doi-asserted-by":"crossref","first-page":"413","DOI":"10.1016\/j.ijinfomgt.2008.02.002","article-title":"An economic modelling approach to information security risk management","volume":"28","year":"2008","journal-title":"International Journal of Information Management"},{"key":"key2020121120232574600_ref007","doi-asserted-by":"crossref","first-page":"82","DOI":"10.3758\/BF03333674","article-title":"Overconfidence in ignorant experts","volume":"17","year":"1981","journal-title":"Bulletin of the Psychonomic Society"},{"key":"key2020121120232574600_ref008","doi-asserted-by":"crossref","first-page":"97","DOI":"10.1007\/s11292-014-9222-7","article-title":"The persuasion and security awareness experiment: reducing the success of social engineering attacks","volume":"11","year":"2015","journal-title":"Journal of Experimental Criminology"},{"issue":"1","key":"key2020121120232574600_ref009","doi-asserted-by":"crossref","first-page":"114","DOI":"10.1108\/14626001211196433","article-title":"Impact of owner\u2019s knowledge of information technology (IT) on strategic alignment and IT adoption in US small firms","volume":"19","year":"2012","journal-title":"Journal of Small Business and Enterprise Development"},{"key":"key2020121120232574600_ref010","unstructured":"Chickovski, E. (2010), \u201cProtect your small business against cyber attacks\u201d, available at: www.entrepreneur.com\/article\/206656"},{"key":"key2020121120232574600_ref011","unstructured":"Conner, C. (2013), \u201cRecord number of cyber attacks target small business\u201d, available at: http:\/\/tinyurl.com\/CyberSecVZ"},{"key":"key2020121120232574600_ref012","doi-asserted-by":"crossref","first-page":"189","DOI":"10.1016\/j.cose.2008.11.007","article-title":"Information security: the moving target","volume":"28","year":"2009","journal-title":"Computers & Security"},{"key":"key2020121120232574600_ref013","unstructured":"EIG (2015), \u201cA vast majority of US small business owners believe cybersecurity is a concern\u201d, available at: http:\/\/tinyurl.com\/q6tn2mz"},{"key":"key2020121120232574600_ref014","unstructured":"European Commission. (2016), \u201cWhat is an SME?\u201d, available at: http:\/\/ec.europa.eu\/growth\/smes\/business-friendly-environment\/sme-definition\/index_en.htm"},{"key":"key2020121120232574600_ref015","article-title":"The value of cyber security in small business","year":"2015"},{"issue":"5","key":"key2020121120232574600_ref016","doi-asserted-by":"crossref","first-page":"410","DOI":"10.1108\/IMCS-07-2013-0053","article-title":"Current challenges in information security risk management","volume":"22","year":"2014","journal-title":"Information Management & Computer Security"},{"key":"key2020121120232574600_ref017","doi-asserted-by":"crossref","first-page":"117","DOI":"10.1177\/001872675400700202","article-title":"A theory of social comparison processes","volume":"7","year":"1954","journal-title":"Human Relations"},{"key":"key2020121120232574600_ref018","article-title":"Embracing digital technology","year":"2013","journal-title":"MIT Sloan Management Review"},{"issue":"6","key":"key2020121120232574600_ref019","doi-asserted-by":"crossref","first-page":"434","DOI":"10.1016\/j.cose.2007.06.003","article-title":"Making security usable: are things improving?","volume":"26","year":"2007","journal-title":"Computers & Security"},{"issue":"1","key":"key2020121120232574600_ref020","doi-asserted-by":"crossref","first-page":"27","DOI":"10.1016\/j.cose.2005.12.004","article-title":"The challenges of understanding and using security: a survey of end-users","volume":"25","year":"2006","journal-title":"Computers & Security"},{"key":"key2020121120232574600_ref021","unstructured":"GOV.UK (2016), \u201cOCSIA supporting education, awareness and training\u201d, available at: http:\/\/tinyurl.com\/UKcyber01"},{"key":"key2020121120232574600_ref022","doi-asserted-by":"crossref","first-page":"297","DOI":"10.1108\/09685220510614425","article-title":"Information systems security issues and decisions for small businesses: an empirical examination","volume":"13","year":"2005","journal-title":"Information Management & Computer Security"},{"key":"key2020121120232574600_ref023","volume-title":"Essentials of Business Research Methods","year":"2015"},{"key":"key2020121120232574600_ref024","first-page":"34","article-title":"\u201cEvaluating results of a small business security survey","year":"2014"},{"key":"key2020121120232574600_ref025","doi-asserted-by":"crossref","first-page":"517","DOI":"10.1016\/j.tics.2009.09.004","article-title":"The description \u2013 experience gap in risky choice","volume":"13","year":"2009","journal-title":"Trends in Cognitive Sciences"},{"key":"key2020121120232574600_ref026","doi-asserted-by":"crossref","first-page":"534","DOI":"10.1111\/j.0956-7976.2004.00715.x","article-title":"Decisions from experience and the effect of rare events in risky choice","volume":"15","year":"2004","journal-title":"Psychological Science"},{"key":"key2020121120232574600_ref027","doi-asserted-by":"crossref","first-page":"615","DOI":"10.1111\/j.1540-5915.2012.00361.x","article-title":"Managing employee compliance with information security policies: the critical role of top management and organizational culture","volume":"43","year":"2012","journal-title":"Decision Sciences"},{"key":"key2020121120232574600_ref028","volume-title":"IIA International Professional Practices Framework for Auditors","author":"IIA","year":"2003"},{"key":"key2020121120232574600_ref029","unstructured":"ISACA (2013), COBIT 4.1: Framework for IT Governance and Control, available at: http:\/\/tinyurl.com\/cobit41z"},{"issue":"2","key":"key2020121120232574600_ref030","doi-asserted-by":"crossref","first-page":"263","DOI":"10.2307\/1914185","article-title":"An analysis of decision under risk","volume":"47","year":"1979","journal-title":"Econometrica"},{"key":"key2020121120232574600_ref031","volume-title":"NISTIR 7621: Small Business Information Security - The Fundamentals","year":"2009"},{"key":"key2020121120232574600_ref032","first-page":"445","article-title":"Influencing factors of information security management in small- and medium-sized enterprises and organizations","year":"2013"},{"key":"key2020121120232574600_ref033","volume-title":"Contributions to Probability and Statistics: Essays in Honor of Harold Hotelling","year":"1960"},{"key":"key2020121120232574600_ref034","unstructured":"Leyden, J. (2004), \u201cClueless office workers help spread computer viruses\u201d, available at: www.theregister.co.uk\/2004\/02\/06\/clueless_office_workers_help_spread\/"},{"key":"key2020121120232574600_ref035","first-page":"287","article-title":"When social comparison goes awry: the case of pluralistic ignorance","volume-title":"Social Comparison: Contemporary Theory and Research","year":"1991"},{"key":"key2020121120232574600_ref036","unstructured":"Montgomery, T. (2013), \u201cDo small businesses need to worry about cyber security?\u201d, available at: http:\/\/tinyurl.com\/ojl4equ"},{"key":"key2020121120232574600_ref037","article-title":"16 surprising statistics about small businesses","year":"2013","journal-title":"Forbes"},{"key":"key2020121120232574600_ref038","unstructured":"Newman, P. (2010), \u201cEvaluating the effect of information technology in small businesses\u201d, PhD dissertation at the school of business and technology, Doctoral dissertation, Capella University, Minneapolis, MN, p. 161."},{"key":"key2020121120232574600_ref039","doi-asserted-by":"crossref","first-page":"483","DOI":"10.1016\/j.ijinfomgt.2008.01.009","article-title":"Quantitatively assessing the vulnerability of critical information systems: a new method for evaluating security enhancements","volume":"28","year":"2008","journal-title":"International Journal of Information Management"},{"key":"key2020121120232574600_ref040","volume-title":"PCAOB Auditing and Related Professional Practice Standards","author":"PCAOB","year":"2003"},{"key":"key2020121120232574600_ref041","unstructured":"Poll, H. (2015), \u201cNationwide cyber security survey\u201d, available at: http:\/\/tinyurl.com\/Nationwide2015"},{"key":"key2020121120232574600_ref042","first-page":"38","volume-title":"Small Business Cyber Security Survey 2012","year":"2012"},{"key":"key2020121120232574600_ref043","volume-title":"Small Business: Cyber Security Survey 2012","year":"2013"},{"key":"key2020121120232574600_ref044","doi-asserted-by":"crossref","first-page":"757","DOI":"10.2307\/25750704","article-title":"Improving employees\u2019 compliance through information systems security training: an action research study","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"key":"key2020121120232574600_ref045","doi-asserted-by":"crossref","first-page":"221","DOI":"10.1016\/j.cose.2011.12.001","article-title":"Unrealistic optimism on information security management","volume":"31","year":"2012","journal-title":"Computers & Security"},{"key":"key2020121120232574600_ref046","unstructured":"SBA (2013a), \u201cDisaster planning\u201d, available at: www.sba.gov\/content\/disaster-planning"},{"key":"key2020121120232574600_ref047","unstructured":"SBA (2013b), \u201cDo small businesses need to worry about cyber security?\u201d, available at: http:\/\/tinyurl.com\/SBAcyber02"},{"key":"key2020121120232574600_ref048","unstructured":"SBA (2016), \u201cCybersecurity for small businesses\u201d, available at: http:\/\/tinyurl.com\/SBAcyber01"},{"key":"key2020121120232574600_ref049","unstructured":"Shah, S. (2015), \u201cCyber security risk: perception vs reality in corporate America\u201d, available at: http:\/\/tinyurl.com\/BITSIGHT2013"},{"key":"key2020121120232574600_ref050","volume-title":"A Guide to the National Initiative for Cybersecurity Education","year":"2016"},{"key":"key2020121120232574600_ref051","doi-asserted-by":"crossref","first-page":"445","DOI":"10.17705\/1jais.00095","article-title":"IS security design theory framework and six approaches to the application of IS security policies and guidelines","volume":"7","year":"2006","journal-title":"Journal of the Association for Information Systems"},{"key":"key2020121120232574600_ref052","article-title":"Factors influencing protection motivation and IS security policy compliance","year":"2006","journal-title":"Innovations in Information Technology"},{"issue":"4","key":"key2020121120232574600_ref053","doi-asserted-by":"crossref","first-page":"441","DOI":"10.2307\/249551","article-title":"Coping with systems risk: security planning models for management decision making","volume":"22","year":"1998","journal-title":"MIS Quarterly"},{"issue":"1","key":"key2020121120232574600_ref054","doi-asserted-by":"crossref","first-page":"38","DOI":"10.1057\/ejis.2013.27","article-title":"Managing the introduction of information security awareness programmes in organisations","volume":"24","year":"2015","journal-title":"European Journal of Information Systems"},{"key":"key2020121120232574600_ref055","doi-asserted-by":"crossref","first-page":"15","DOI":"10.1080\/09546550008427547","article-title":"Affecting trust: terrorism, internet and offensive information warfare","volume":"12","year":"2000","journal-title":"Terrorism and Political Violence"},{"key":"key2020121120232574600_ref056","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1521\/jscp.1996.15.1.1","article-title":"Unrealistic optimism: present and future","volume":"15","year":"1996","journal-title":"Journal of Social and Clinical Psychology"},{"issue":"1","key":"key2020121120232574600_ref057","doi-asserted-by":"crossref","first-page":"43","DOI":"10.1016\/j.ijinfomgt.2003.12.003","article-title":"In defense of the realm: understanding the threats to information security","volume":"24","year":"2004","journal-title":"International Journal of Information Management"},{"issue":"11","key":"key2020121120232574600_ref058","doi-asserted-by":"crossref","first-page":"1565","DOI":"10.1177\/0018726708096638","article-title":"Judgments about knowledge importance: the roles of social referents and network structure","volume":"61","year":"2008","journal-title":"Human Relations"},{"key":"key2020121120232574600_ref059","doi-asserted-by":"crossref","first-page":"430","DOI":"10.1177\/0022002704270847","article-title":"The role of personal experience in contributing to different patterns of response to rare terrorist attacks","volume":"49","year":"2005","journal-title":"Journal of Conflict Resolution"},{"issue":"4","key":"key2020121120232574600_ref060","doi-asserted-by":"crossref","first-page":"360","DOI":"10.1016\/j.ijinfomgt.2010.10.006","article-title":"Factors influencing information security management in small- and medium-sized enterprises: a case study from Turkey","volume":"31","year":"2011","journal-title":"International Journal of Information Management"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/ICS-09-2015-0041","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-09-2015-0041\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-09-2015-0041\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:10Z","timestamp":1753406590000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/24\/5\/534-556\/112980"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,11,14]]},"references-count":60,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2016,11,14]]}},"alternative-id":["10.1108\/ICS-09-2015-0041"],"URL":"https:\/\/doi.org\/10.1108\/ics-09-2015-0041","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2016,11,14]]}}}