{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T17:35:08Z","timestamp":1754156108860,"version":"3.41.2"},"reference-count":47,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2024,4,9]],"date-time":"2024-04-09T00:00:00Z","timestamp":1712620800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JSIT"],"published-print":{"date-parts":[[2024,5,7]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This paper aims to examine the conditions under which small and medium enterprises (SMEs) invest in security services when they migrate their e-commerce applications to the cloud environment. Using a risk management perspective, the paper assesses the impact of security service pricing, security incident prevalence and virulence to estimate SME security spending at the market level and draw out implications for SMEs and security service providers.<\/jats:p>\n<\/jats:sec>\n<jats:sec><jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>Security risks are inherently characterized by uncertainty. This study uses a Monte Carlo approach to understand the role of uncertainty in the decision to adopt security services. A model relating key security constructs is assembled based on key constructs from the domain. By manipulating security service costs and security incident types, the model estimates the market-level adoption of services, security incidents and damages incurred, along with measures of their relative dispersion.<\/jats:p>\n<\/jats:sec>\n<jats:sec><jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>Three key findings emerge from this study. First, adoption of services and protection is higher when tiered security services are provided, indicating that SMEs prefer to choose their security services rather than accept uniformly priced products. Second, SMEs are considered price-sensitive, resulting in a maximum level of spending in the market. Third, results indicate that security incidents and damages can be much higher than the mean in some cases, and this should serve as a cautionary note to SMEs.<\/jats:p>\n<\/jats:sec>\n<jats:sec><jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>Security spending has been modeled at the firm level. Adopting a market-level perspective represents a novel contribution. Additionally, the Monte Carlo approach provides managers with tangible measures of uncertainty, affording additional information and insight when making security service adoption decisions.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/jsit-04-2023-0071","type":"journal-article","created":{"date-parts":[[2024,4,8]],"date-time":"2024-04-08T08:50:33Z","timestamp":1712566233000},"page":"257-275","source":"Crossref","is-referenced-by-count":0,"title":["Investing in security-as-a-service for e-commerce infrastructure by small and medium enterprises: a Monte Carlo approach"],"prefix":"10.1108","volume":"26","author":[{"given":"Derek L.","family":"Nazareth","sequence":"first","affiliation":[]},{"given":"Jae","family":"Choi","sequence":"additional","affiliation":[]},{"given":"Thomas","family":"Ngo-Ye","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2024,4,9]]},"reference":[{"key":"key2024050608010603400_ref001","unstructured":"Aguilar, L.A. (2015), \u201cThe need for greater focus on the cybersecurity challenges facing small and midsize businesses\u201d, US Securities and Exchange Commission, available at: www.sec.gov\/news\/statement\/cybersecurity-challenges-for-small-midsize-businesses.html (accessed 6 January 2021)."},{"issue":"4","key":"key2024050608010603400_ref002","doi-asserted-by":"publisher","first-page":"63","DOI":"10.4018\/IJEIS.2015100103","article-title":"A weighted Monte Carlo simulation approach to risk assessment of information security management system","volume":"11","year":"2016","journal-title":"International Journal of Enterprise Information Systems"},{"issue":"4","key":"key2024050608010603400_ref003","doi-asserted-by":"crossref","first-page":"64","DOI":"10.1145\/1330311.1330325","article-title":"Information security and risk management","volume":"51","year":"2008","journal-title":"Communications of the ACM"},{"issue":"1","key":"key2024050608010603400_ref004","doi-asserted-by":"crossref","first-page":"15","DOI":"10.2165\/00003088-200140010-00002","article-title":"A brief introduction to Monte Carlo simulation","volume":"40","year":"2001","journal-title":"Clinical Pharmacokinetics"},{"issue":"7\/8","key":"key2024050608010603400_ref005","first-page":"569","article-title":"Determining overall risk","volume":"8","year":"2005","journal-title":"Journal of Risk Research"},{"issue":"3","key":"key2024050608010603400_ref006","doi-asserted-by":"crossref","first-page":"58","DOI":"10.4018\/IJCWT.2021070105","article-title":"A Monte-Carlo analysis of monetary impact of mega data breaches","volume":"11","year":"2021","journal-title":"International Journal of Cyber Warfare and Terrorism"},{"key":"key2024050608010603400_ref007","unstructured":"Cloud Security Alliance (2016), \u201cDefined categories of security as a service (preview) \u2013 continuous monitoring as a service\u201d, Retrieved October 9, 2019, from Cloud Security Alliance, available at: https:\/\/downloads.cloudsecurityalliance.org\/assets\/research\/security-as-a-service\/csa-categories-securities-prep.pdf"},{"issue":"3","key":"key2024050608010603400_ref008","doi-asserted-by":"crossref","first-page":"199","DOI":"10.1016\/0164-1212(90)90040-S","article-title":"Prediction and control of ada software defects","volume":"12","year":"1990","journal-title":"Journal of Systems and Software"},{"volume-title":"Analyzing the Risks of Information Security Investments with Monte-Carlo Simulations","year":"2005","key":"key2024050608010603400_ref009"},{"issue":"8","key":"key2024050608010603400_ref010","doi-asserted-by":"crossref","first-page":"353","DOI":"10.1016\/j.im.2011.08.003","article-title":"Organizational information systems competences in small and medium-sized enterprises","volume":"48","year":"2011","journal-title":"Information and Management"},{"key":"key2024050608010603400_ref011","doi-asserted-by":"crossref","first-page":"102681","DOI":"10.1016\/j.cose.2022.102681","article-title":"Two decades of cyberattack simulations: a systematic literature review","volume":"116","year":"2022","journal-title":"Computers and Security"},{"issue":"2\/3","key":"key2024050608010603400_ref012","doi-asserted-by":"crossref","first-page":"152","DOI":"10.1504\/IJCIS.2017.088235","article-title":"Towards effective cybersecurity resource allocation: the Monte Carlo predictive modelling approach","volume":"13","year":"2017","journal-title":"International Journal of Critical Infrastructures"},{"journal-title":"Workshop on the Economics of Information Security","article-title":"Assessing damages of information security incidents and selecting control measures: a case study approach","year":"2005","key":"key2024050608010603400_ref013"},{"issue":"5","key":"key2024050608010603400_ref014","doi-asserted-by":"publisher","DOI":"10.1016\/j.im.2019.103215","article-title":"To outsource or not: the impact of information leakage risk on information security strategy","volume":"57","year":"2020","journal-title":"Information and Management"},{"issue":"5","key":"key2024050608010603400_ref015","doi-asserted-by":"crossref","first-page":"410","DOI":"10.1108\/IMCS-07-2013-0053","article-title":"Current challenges in information security risk management","volume":"22","year":"2014","journal-title":"Information Management and Computer Security"},{"first-page":"74","article-title":"Anti-counterfeit scheme using Monte Carlo simulation for E-commerce in cloud systems","year":"2015","key":"key2024050608010603400_ref016"},{"volume-title":"Risk versus Risk: Tradeoffs in Protecting Health and the Environment","year":"1995","key":"key2024050608010603400_ref017"},{"issue":"4","key":"key2024050608010603400_ref018","doi-asserted-by":"crossref","first-page":"1002","DOI":"10.1111\/joms.12678","article-title":"Assessing trust and risk perceptions in the sharing economy: an empirical study","volume":"58","year":"2021","journal-title":"Journal of Management Studies"},{"volume-title":"How to Measure Anything in Cybersecurity Risk","year":"2023","key":"key2024050608010603400_ref019"},{"key":"key2024050608010603400_ref020","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/2107556.2107564","article-title":"SECaaS: security as a service for cloud-based applications","volume-title":"Second Kuwait Conference on e-Services and e-Systems","year":"2011"},{"volume-title":"Cost of a Data Breach Report 2023","year":"2023","author":"IBM Security","key":"key2024050608010603400_ref021"},{"volume-title":"Security as a Service Market: Global Industry Trends, Share, Size, Growth, Opportunity and Forecast 2023-2028","year":"2023","author":"IMARC Group","key":"key2024050608010603400_ref022"},{"volume-title":"Risk Management Vocabulary","year":"2002","author":"ISO","key":"key2024050608010603400_ref023"},{"key":"key2024050608010603400_ref024","unstructured":"Kaspersky Lab (2015), \u201cDamage control: the cost of security breaches, IT security risks special report series\u201d, available at: https:\/\/media.kaspersky.com\/pdf\/it-risks-survey-report-cost-of-security-breaches.pdf (accessed 6 January 2021)."},{"issue":"6","key":"key2024050608010603400_ref025","doi-asserted-by":"crossref","first-page":"746","DOI":"10.1016\/j.im.2018.03.004","article-title":"Criteria for selecting cloud service providers: a Delphi study of quality-of-service attributes","volume":"55","year":"2018","journal-title":"Information and Management"},{"first-page":"1561","article-title":"Methodologies for evaluating information security investments \u2013 What Basel II can change in the financial industry","year":"2005","key":"key2024050608010603400_ref026"},{"volume-title":"Of Acceptable Risk \u2013 Science and the Determination of Safety","year":"1976","key":"key2024050608010603400_ref027"},{"first-page":"82","article-title":"An empirical investigation of software fault distribution","year":"1993","key":"key2024050608010603400_ref028"},{"issue":"5","key":"key2024050608010603400_ref029","doi-asserted-by":"crossref","first-page":"954","DOI":"10.1080\/08874417.2021.1954563","article-title":"The security-as-a-Service market for small and medium enterprises","volume":"62","year":"2022","journal-title":"Journal of Computer Information Systems"},{"first-page":"1177","article-title":"Does the \u2018goldilocks conjecture\u2019 apply to software reuse? An exploratory study using a Domain-Specific reuse model","year":"2002","key":"key2024050608010603400_ref030"},{"key":"key2024050608010603400_ref031","doi-asserted-by":"crossref","first-page":"171","DOI":"10.1006\/ijhc.1996.0009","article-title":"The relationship between errors and size in knowledge-based systems","volume":"44","year":"1996","journal-title":"International Journal of Human Computer Studies"},{"volume-title":"Global Public Cloud Management and Security Services Market","year":"2017","author":"Persistence Market Research","key":"key2024050608010603400_ref032"},{"volume-title":"Global State of Cybersecurity in Small and Medium-Sized Businesses","year":"2019","author":"Ponemon Institute","key":"key2024050608010603400_ref033"},{"issue":"5","key":"key2024050608010603400_ref034","doi-asserted-by":"crossref","first-page":"551","DOI":"10.1016\/j.im.2014.03.009","article-title":"Bridging the divide: a qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders","volume":"51","year":"2014","journal-title":"Information and Management"},{"issue":"2","key":"key2024050608010603400_ref035","doi-asserted-by":"crossref","first-page":"391","DOI":"10.1111\/j.1540-5915.2011.00316.x","article-title":"Security assurance: How online service providers can influence security control perceptions and gain trust","volume":"42","year":"2011","journal-title":"Decision Sciences"},{"first-page":"91","article-title":"Introduction to Monte Carlo simulation","year":"2008","key":"key2024050608010603400_ref036"},{"issue":"6","key":"key2024050608010603400_ref037","doi-asserted-by":"crossref","first-page":"619","DOI":"10.1057\/palgrave.jors.2601864","article-title":"Discrete-event simulation: from the pioneers to the present, what next?","volume":"56","year":"2005","journal-title":"Journal of the Operational Research Society"},{"issue":"2","key":"key2024050608010603400_ref038","doi-asserted-by":"crossref","first-page":"96","DOI":"10.1108\/09685220910963983","article-title":"The importance of perceived trust, security and privacy in online trading systems","volume":"17","year":"2009","journal-title":"Information Management and Computer Security"},{"issue":"3","key":"key2024050608010603400_ref039","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1109\/MSP.2005.81","article-title":"Security meter: a practical decision-tree model to quantify risk","volume":"3","year":"2005","journal-title":"IEEE Security and Privacy Magazine"},{"key":"key2024050608010603400_ref040","first-page":"89","article-title":"Risk management theory: the integrated perspective and its application in the public sector","volume":"21","year":"2013","journal-title":"Estado, Gobierno y Gesti\u00f3n P\u00fablica"},{"issue":"3","key":"key2024050608010603400_ref041","doi-asserted-by":"crossref","first-page":"135","DOI":"10.1080\/10864415.2003.11044270","article-title":"The impact of customer trust and perception of security control on the acceptance of electronic commerce","volume":"7","year":"2003","journal-title":"International Journal of Electronic Commerce"},{"key":"key2024050608010603400_ref042","doi-asserted-by":"crossref","first-page":"20","DOI":"10.1016\/j.comcom.2020.04.005","article-title":"Mathematical modeling of security impact analysis of communication network based on Monte Carlo algorithm","volume":"157","year":"2020","journal-title":"Computer Communications"},{"issue":"2","key":"key2024050608010603400_ref043","doi-asserted-by":"crossref","first-page":"105","DOI":"10.1007\/s12525-012-0120-4","article-title":"Cloud computing in industrial SMEs: identification of the barriers to its adoption and effects of its application","volume":"23","year":"2013","journal-title":"Electronic Markets"},{"key":"key2024050608010603400_ref044","unstructured":"White House (2023), \u201cNational cybersecurity strategy\u201d, Retrieved March 10, 2023, from The White House, available at: www.whitehouse.gov\/wp-content\/uploads\/2023\/03\/National-Cybersecurity-Strategy-2023.pdf"},{"issue":"3","key":"key2024050608010603400_ref045","doi-asserted-by":"crossref","first-page":"597","DOI":"10.1111\/j.1539-6924.2007.00909.x","article-title":"Guiding resource allocations based on terrorism risk","volume":"27","year":"2007","journal-title":"Risk Analysis"},{"article-title":"Monte Carlo methods to investigate how aggregated cyber insurance claims data impacts security investments","volume-title":"17th Annual Workshop on the Economics of Information Security Conference (WEIS 2018)","year":"2018","key":"key2024050608010603400_ref046"},{"issue":"4","key":"key2024050608010603400_ref047","first-page":"136","article-title":"Discrete-event simulation","volume":"4","year":"2015","journal-title":"International Journal of Scientific and Technology Research"}],"container-title":["Journal of Systems and Information Technology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/JSIT-04-2023-0071\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/JSIT-04-2023-0071\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,24]],"date-time":"2025-07-24T22:23:46Z","timestamp":1753395826000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/jsit\/article\/26\/2\/257-275\/1236375"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,4,9]]},"references-count":47,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2024,4,9]]},"published-print":{"date-parts":[[2024,5,7]]}},"alternative-id":["10.1108\/JSIT-04-2023-0071"],"URL":"https:\/\/doi.org\/10.1108\/jsit-04-2023-0071","relation":{},"ISSN":["1328-7265","1328-7265"],"issn-type":[{"type":"print","value":"1328-7265"},{"type":"electronic","value":"1328-7265"}],"subject":[],"published":{"date-parts":[[2024,4,9]]}}}