Information System Security and Risk Management for Small and Medium Sized Enterprises

Abstract

This paper is aimed at assisting SMEs to identify information systems security risks. The use of Internet based commerce by SMEs exposes them to information systems security risks that they are ill equipped to recognise let alone mitigate. Unlike the identification of some business risks, identification of risks associated with information systems requires certain technical expertise. It is essential that the structure of the information system be understood before its risks can be identified. Such technical expertise is not always present in SMEs requiring extensive involvement by information systems consultants. This paper advocates the use of the Australia/New Zealand Standard: Risk Management ((SA/SNZ), 1999) in conjunction with of a modified version of Birch and McEvoy’s (1992) Structured Risk Analysis for Information Systems (SRA-IS). There is no escaping the fact that it is essential for the structure of the existing information system to be understood and modelled before risks can be identified. Once this has been done though, little information systems expertise is required to complete the analysis, keeping consultant involvement to a minimum and maximising owner/manager involvement.