{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,4]],"date-time":"2026-04-04T05:24:09Z","timestamp":1775280249119,"version":"3.50.1"},"reference-count":75,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2016,7,7]],"date-time":"2016-07-07T00:00:00Z","timestamp":1467849600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>The information society is increasingly more dependent on Information Security Management Systems (ISMSs), and the availability of these kinds of systems is now vital for the development of Small and Medium-Sized Enterprises (SMEs). However, these companies require ISMSs that have been adapted to their special features, and which are optimized as regards the resources needed to deploy and maintain them. This article shows how important the security culture within ISMSs is for SMEs, and how the concept of security culture has been introduced into a security management methodology (MARISMA is a Methodology for \u201cInformation Security Management System in SMEs\u201d developed by the Sicaman Nuevas Tecnolog\u00edas Company, Research Group GSyA and Alarcos of the University of Castilla-La Mancha.) for SMEs. This model is currently being directly applied to real cases, thus allowing a steady improvement to be made to its implementation.<\/jats:p>","DOI":"10.3390\/fi8030030","type":"journal-article","created":{"date-parts":[[2016,7,7]],"date-time":"2016-07-07T09:49:06Z","timestamp":1467884946000},"page":"30","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":15,"title":["The Importance of the Security Culture in SMEs as Regards the Correct Management of the Security of Their Assets"],"prefix":"10.3390","volume":"8","author":[{"given":"Antonio","family":"Santos-Olmo","sequence":"first","affiliation":[{"name":"Research and Development Department, Sicaman Nuevas Tecnolog\u00edas, Tomelloso 13700, Spain"},{"name":"Research Group GSyA, University of Castilla-la Mancha, Ciudad Real 13700, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0086-1065","authenticated-orcid":false,"given":"Luis","family":"S\u00e1nchez","sequence":"additional","affiliation":[{"name":"Research Group GSyA, University of Castilla-la Mancha, Ciudad Real 13700, Spain"},{"name":"Project Prometeo of Senescyt, University of the Armed Forces (ESPE), SanGolqui 170501, Ecuador"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ismael","family":"Caballero","sequence":"additional","affiliation":[{"name":"Research Group Alarcos, University of Castilla-la Mancha (UCLM), Ciudad Real 13700, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sara","family":"Camacho","sequence":"additional","affiliation":[{"name":"Language department, Universidad T\u00e9cnica de Ambato, Ambato 180150, Ecuador"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Eduardo","family":"Fernandez-Medina","sequence":"additional","affiliation":[{"name":"Research Group GSyA, University of Castilla-la Mancha, Ciudad Real 13700, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2016,7,7]]},"reference":[{"key":"ref_1","unstructured":"Santos-Olmo, A., S\u00e1nchez, L.E., Ismael, C., Camacho, S., Daniel, M., and Fern\u00e1ndez-Medina, E. (2015, January 10\u201312). Importancia de la Cultura de la Seguridad en las PYMES para la correcta Gesti\u00f3n de la Seguridad de sus Activos. Proceedings of the VIII Congreso Iberoamericano de Seguridad Inform\u00e1tica (CIBSI15), Quito, Ecuador. (In Spanish)."},{"key":"ref_2","unstructured":"Whitman, M., and Mattord, H. (2012). Principles of Information Security, Cengage Learning."},{"key":"ref_3","first-page":"92","article-title":"ISO\/IEC 27000, 27001 and 27002 for information security management","volume":"4","author":"Disterer","year":"2013","journal-title":"J. Inf. Secur."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Barthe, G., Livshits, B., and Scandariato, R. (2012). Engineering Secure Software and Systems, Springer.","DOI":"10.1007\/978-3-642-28166-2"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Von Solms, R. (1993). Information Security Management: Processes and Metrics. [Ph.D. Thesis, University of Johannesburg].","DOI":"10.1108\/09685229310041893"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Dhillon, G. (1997). Managing Information System Security, Palgrave Macmillan.","DOI":"10.1007\/978-1-349-14454-9"},{"key":"ref_7","unstructured":"Candiwan, C. (2014, January 17\u201319). Analysis of ISO27001 implementation for enterprises and SMEs in indonesia. Proceedings of the International Conference on Cyber-Crime Investigation and Cyber Security (ICCICS2014), Kuala Lumpur, Malaysia."},{"key":"ref_8","unstructured":"Whitman, M., and Mattord, H. (2013). Management of information security, Cengage Learning."},{"key":"ref_9","unstructured":"Johnson, M. (2015). Cybercrime: Threats and Solutions, Ark Group."},{"key":"ref_10","unstructured":"Furnell, S.M., Gennatou, M., and Dowland, P.S. (2000, January 7). Promoting security awareness and training within small organisations. Proceedings of the 1st Australian Information Security Management Workshop, Deakin University, Geelong, Australia."},{"key":"ref_11","unstructured":"Schlienger, T., and Teufel, S. (2003, January 9\u201311). Information security culture\u2014From analysis to change. Proceedings of the 3rd Annual IS South Africa Conference, Johannesburg, South Africa."},{"key":"ref_12","unstructured":"Lichtenstein, S., and Swatman, P.M.C. (2001, January 25\u201326). Effective management and policy in E-business security. Proceedings of the Fourteenth Bled Electronic Commerce Conference, Bled, Slovenia."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Cole, K.S., Stevens-Adams, S.M., and Wenner, C.A. (2013). A Literature Review of Safety Culture, Sandia National Laboratories.","DOI":"10.2172\/1095959"},{"key":"ref_14","first-page":"87","article-title":"The Ethics of management control systems: Developing technical and moral values","volume":"53","author":"Rosanas","year":"2005","journal-title":"Bus. Ethics"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"425","DOI":"10.1016\/j.cose.2005.07.002","article-title":"The Human Factor in Security","volume":"24","author":"Schultz","year":"2005","journal-title":"Comput. Secur."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Bugdol, M., and Jedynak, P. (2015). Integrated Management Systems, Springer.","DOI":"10.1007\/978-3-319-10028-9"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"615","DOI":"10.1016\/S0167-4048(00)07021-8","article-title":"Information Security\u2014The Third Wave?","volume":"19","year":"2000","journal-title":"Comput. Secur."},{"key":"ref_18","unstructured":"Bozic, G. (2012, January 21\u201325). The role of a stress model in the development of information security culture. Proceedings of the MIPRO 35th International Convention, Opatija, Croatia."},{"key":"ref_19","unstructured":"Magklaras, G., and Furnell, S. (2004, January 25\u201326). The insider misuse threat survey: Investigating IT misuse from legitimate users. Proceedings of the 5th Australian Information Warfare & Security Conference, Perth, Western Australia."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"127","DOI":"10.1046\/j.1365-2575.2001.00099.x","article-title":"Current directions in information systems security research: Toward socio-organizational perspectives","volume":"11","author":"Dhillon","year":"2001","journal-title":"Inform. Syst. J."},{"key":"ref_21","unstructured":"Galletta, D.F., and Polak, P. (2003, January 12\u201313). An empirical investigation of antecedents of internet abuse in the workplace. Proceedings of the AIS SIG-HCI Workshop, Seattle, DC, USA."},{"key":"ref_22","unstructured":"CSI\/FBI (2005). Tenth Annual CSI\/FBI Computer Crime and Security Survey, Computer Security Institute."},{"key":"ref_23","unstructured":"ISBS (2006). Information Security Breaches Survey 2006, Department of Trade and Industry."},{"key":"ref_24","unstructured":"AusCERT (2005). Australian Computer Crime and Security Survey, AusCERT."},{"key":"ref_25","unstructured":"Ernst&Young (2006). 2006 Global Information Security Survey, EYGM Limited."},{"key":"ref_26","unstructured":"DTI The Empirical Economics of Standards, Department of Trade and Industry. Available online: http:\/\/www.immagic.com\/eLibrary\/ARCHIVES\/GENERAL\/UK_DTI\/T050602D.pdf."},{"key":"ref_27","unstructured":"OECD (2002). OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, Organisation for Economic Co-operation and Development (OECD)."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"557","DOI":"10.1109\/32.799955","article-title":"Qualitative methods in empirical studies of software engineering","volume":"25","author":"Seaman","year":"1999","journal-title":"IEEE Trans. Softw. Eng."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"94","DOI":"10.1145\/291469.291479","article-title":"Action research","volume":"42","author":"Avison","year":"1999","journal-title":"Commun. ACM"},{"key":"ref_30","unstructured":"RA-MA (2014). M\u00e9todos de Investigaci\u00f3n en Ingenier\u00eda del Software, ACM."},{"key":"ref_31","unstructured":"Martins, A., and Eloff, J.H.P. (2002, January 7\u20139). Information Security Culture. Proceedings of the IFIP TC11 17th International Conference on Information Security (SEC2002), Cairo, Egipt."},{"key":"ref_32","unstructured":"Schlienger, T., and Teufel, S. (2002, January 7\u20139). Information security culture: The socio-cultural dimension in information security management. IFIP TC11 17th International Conference on Information Security (SEC2002), Cairo, Egipt."},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"337","DOI":"10.1016\/S0167-4048(00)04021-9","article-title":"Implementing information security in the 21st century\u2014Do you have the balancing factors","volume":"19","author":"Nosworthy","year":"2000","journal-title":"Comput. Secur."},{"key":"ref_34","unstructured":"Zakaria, O., and Gani, A. (July, January 30). A conceptual checklist of information security culture. Proceedings of the 2nd European Conference on Information Warfare and Security, University of Reading, Reading, UK."},{"key":"ref_35","unstructured":"Zakaria, O., Jarupunphol, P., and Gani, A. (2003, January 20\u201321). Paradigm mapping for information security culture approach. Proceedings of the 4th Australian Conference on Information Warfare and IT Security, Adelaide, Australia."},{"key":"ref_36","unstructured":"Schein, E.H. (1992). Organizational Culture and Leadership, Jossey-Bass. [2nd ed.]."},{"key":"ref_37","unstructured":"Chia, P.A., Ruighaver, A.B., and Maynard, S.B. (2002, January 2\u20133). Understanding organizational security culture. Proceedings of the PACIS Security Culture, Tokyo, Japan."},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"31","DOI":"10.1108\/09685220010371394","article-title":"A conceptual foundation for organizational information security awareness","volume":"8","author":"Siponen","year":"2000","journal-title":"Inform. Manag. Comput. Secur."},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"308","DOI":"10.1016\/S0167-4048(01)00405-9","article-title":"Incremental information security certification","volume":"20","year":"2001","journal-title":"Comput. Secur."},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"191","DOI":"10.1016\/j.cose.2004.01.012","article-title":"Towards information security behavioural compliance","volume":"23","author":"Vroom","year":"2004","journal-title":"Comput. Secur."},{"key":"ref_41","unstructured":"Chia, P.A., Maynard, S.B., and Ruighaver, A.B. (2002, January 4\u20135). Exploring organisational security culture: Developing a comprehensive research model. Proceedings of the IS ONE World Conference, Las Vegas, NV, USA."},{"key":"ref_42","unstructured":"Helokunnas, T., and Kuusisto, R. (2003, January 2\u20134). Information security culture in a value net. Proceedings of the 2003 IEEE International Engineering Management Conference (IEMC 2003), Albany, NY, USA."},{"key":"ref_43","doi-asserted-by":"crossref","first-page":"13","DOI":"10.4018\/jgim.2002010102","article-title":"Toward a theory-based measurement of culture","volume":"10","author":"Straub","year":"2002","journal-title":"Glob. Inform. Manag."},{"key":"ref_44","unstructured":"Kuusisto, T., and Ilvonen, I. (2003). Frontiers of e-Business Research 2003, Tampere University of Technology & University of Tampere."},{"key":"ref_45","doi-asserted-by":"crossref","first-page":"850","DOI":"10.2307\/259210","article-title":"A framework for linking culture and improvement initiatives in organisations","volume":"25","author":"Detert","year":"2000","journal-title":"Acad. Manag. Rev."},{"key":"ref_46","doi-asserted-by":"crossref","first-page":"280","DOI":"10.1108\/14626000410551546","article-title":"SMEs and eBusiness","volume":"11","author":"Taylor","year":"2004","journal-title":"Small Bus. Enterp. Dev."},{"key":"ref_47","unstructured":"Hutchinson, D., Armitt, C., and Edwards-Lear, D. (2014, January 1\u20133). The application of an agile approach to it security risk management for SMES. Proceedings of the 12th Australian Information Security Management Conference, Perth, Australia."},{"key":"ref_48","unstructured":"Dojkovski, S., Lichtenstein, S., and Warren, M.J. (2006, January 1\u20132). Challenges in fostering an information security culture in australian small and medium sized enterprises. Proceedings of the 5th European Conference on Information Warfare and Security, Helsinki, Finland."},{"key":"ref_49","unstructured":"Hutchinson, D., and Warren, M. (2006, January 11\u201313). e-Business Security Management for Australian Small SMEs\u2014A Case Study. Proceedings of the 7th International We-B (Working for E-Business) Conference: e-Business: How Far Have We Come?, Orlando, Florida."},{"key":"ref_50","unstructured":"Dimopoulos, V., Furnell, S., Jennex, M.E., and Kritharas, I. (2004, January 26). Approaches to IT security in small and medium enterprises. Proceedings of the 2nd Australian Information Security Management Conference, Securing the Future, Perth, Australia."},{"key":"ref_51","unstructured":"Helokunnas, T., and Iivonen, L. (2003). e-Business Research Forum\u2014eBRF 2003, Tampere University of Technology."},{"key":"ref_52","unstructured":"Warren, M.J. (2003, January 26\u201328). Australia\u2019s agenda for E-security education and research. Proceedings of the TC11\/WG11.8 Third Annual World Conference on Information Security Education (WISE3), Naval Post Graduate School, Monterey, CA, USA."},{"key":"ref_53","doi-asserted-by":"crossref","first-page":"275","DOI":"10.1016\/j.cose.2004.01.013","article-title":"From policies to culture","volume":"23","year":"2004","journal-title":"Comput. Secur."},{"key":"ref_54","unstructured":"Furnell, S.M., and Clarke, N.L. (2005, January 18\u201320). Organisational security culture: Embedding security awareness, education and training. Proceedings of the 4th World Conference on Information Security Education (WISE 2005), Moscow, Russia."},{"key":"ref_55","unstructured":"Van Niekerk, J.C., and Von Solms, R. (2003, January 9\u201311). Establishing an information security culture in organisations: An outcomes-based education approach. Proceedings of the ISSA 2003:3rd Annual IS South Africa Conference, Johannesburg, South Africa."},{"key":"ref_56","unstructured":"Hutchinson, D., and Warren, M. (2003, January 8\u201310). Australian SMES and e-security guides on trusting the internet. Proceedings of the Fourth Annual Global Information Technology Management World Conference, Calgary, AB, Canada."},{"key":"ref_57","doi-asserted-by":"crossref","first-page":"24","DOI":"10.1108\/09685220610648355","article-title":"Information security: Management\u2019s effect on culture and policy","volume":"14","author":"Knapp","year":"2006","journal-title":"Inform. Manag. Comput. Secur."},{"key":"ref_58","unstructured":"Lichtenstein, S. (2001). Internet Security Policy for Organisations. [Ph.D. Thesis, Monash University]."},{"key":"ref_59","doi-asserted-by":"crossref","first-page":"124","DOI":"10.1016\/j.cose.2004.07.001","article-title":"Analysis of end-user security behaviors","volume":"24","author":"Stanton","year":"2004","journal-title":"Comput. Secur."},{"key":"ref_60","unstructured":"Lichtenstein, S., and Swatman, P.M.C. (2003). IFIP TC8\/WG 8.4 Second Working Conference on E-business: Multidisciplinary Research and Practice, Kluwer Academic Publishers."},{"key":"ref_61","unstructured":"Furnell, S., Warren, A., and Dowland, P.S. (2004, January 26\u201328). Improving security awareness and training through computer-based training. Proceedings of the 3rd World Conference on Information Security Education (WISE 2004), Monterey, CA, USA."},{"key":"ref_62","doi-asserted-by":"crossref","first-page":"67","DOI":"10.2307\/41166154","article-title":"Management\u2019s role in information security in a cyber economy","volume":"45","author":"Dutta","year":"2002","journal-title":"Calif. Manag. Rev."},{"key":"ref_63","unstructured":"Sneza, D., Sharman, L., and John, W.M. (2007, January 7\u20139). Fostering information security culture in small and medium size enterprises: An interpretive study in australia. Proceedings of the Fifteenth European Conference on Information Systems, University of St. Gallen, St. Gallen, Switzerland."},{"key":"ref_64","unstructured":"ABS (2001). 1321.0\u2014Small Business in Australia, Australian Bureau of Statistics."},{"key":"ref_65","doi-asserted-by":"crossref","first-page":"297","DOI":"10.1108\/09685220510614425","article-title":"Information systems security issues and decisions for small businesses","volume":"13","author":"Gupta","year":"2005","journal-title":"Inform. Manag. Comput. Secur."},{"key":"ref_66","unstructured":"O\u2019Halloran, J. ICT business management for SMEs. Available online: http:\/\/www.computerweekly.com\/feature\/ICT-business-management-for-SMEs."},{"key":"ref_67","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1016\/S0167-4048(01)00209-7","article-title":"Violation of safeguards by trusted personnel and understanding related information security concerns","volume":"20","author":"Dhillon","year":"2001","journal-title":"Comput. Secur."},{"key":"ref_68","unstructured":"S\u00e1nchez, L.E., Santos-Olmo, A., Fern\u00e1ndez-Medina, E., and Piattini, M. (2013). Small and Medium Enterprises: Concepts, Methodologies, Tools, and Applications, IGI Global."},{"key":"ref_69","first-page":"3038","article-title":"Managing security and its maturity in small and medium-sized enterprises","volume":"15","author":"Rosado","year":"2009","journal-title":"J. UCS"},{"key":"ref_70","unstructured":"Santos-Olmo, A., S\u00e1nchez, L.E., Fern\u00e1ndez-Medina, E., and Piattini, M. (2011, January 2\u20135). Desirable characteristics for an ISMS oriented to SMEs. Proceedings of the 8th International Workshop on Security in Information Systems (WOSIS11), Beijing, China."},{"key":"ref_71","unstructured":"Santos-Olmo, A., S\u00e1nchez, L.E., Fern\u00e1ndez-Medina, E., and Piattini, M. (July, January 28). A Systematic Review of Methodologies and Models for the Analysis and Management of Associative and Hierarchical Risk in SMEs. Proceedings of the 9th International Workshop on Security in Information Systems (WOSIS12), Wroclaw, Poland."},{"key":"ref_72","unstructured":"ISO\/IEC27001 (2013). ISO\/IEC 27001:2013, Information Technology\u2014Security Techniques Information Security Management Systemys\u2014Requirements, International Organization for Standardization."},{"key":"ref_73","unstructured":"ISO\/IEC27002 (2013). ISO\/IEC 27002:2013, the International Standard Code of Practice for Information Security Management (en Desarrollo), International Organization for Standardization."},{"key":"ref_74","doi-asserted-by":"crossref","unstructured":"S\u00e1nchez, L.E., Santos-Olmo, A., Fern\u00e1ndez-Medina, E., and Piattini, M. (2010, January 30\u201331). Building ISMS through the Reuse of Knowledge. Proceedings of the 7th International Conference on Trust, Privacy & Security in Digital Business (TRUSTBUS\u201910), Bilbao, Spain.","DOI":"10.1007\/978-3-642-15152-1_17"},{"key":"ref_75","unstructured":"S\u00e1nchez, L.E., Santos-Olmo, A., Fern\u00e1ndez-Medina, E., and Piattini, M. (2010). ENTERprise Information Systems, Springer."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/8\/3\/30\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T19:25:37Z","timestamp":1760210737000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/8\/3\/30"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,7,7]]},"references-count":75,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2016,9]]}},"alternative-id":["fi8030030"],"URL":"https:\/\/doi.org\/10.3390\/fi8030030","relation":{},"ISSN":["1999-5903"],"issn-type":[{"value":"1999-5903","type":"electronic"}],"subject":[],"published":{"date-parts":[[2016,7,7]]}}}