Implication et action des dirigeants : quelles pistes pour améliorer la sécurité de l'information en PME ?
Keywords:sécurité, dirigeant, implication, action, délégation
AbstractThis article focuses on the role of SME managers in IS security (ISS), as these companies often suffer from more important ISS problems than larger companies. Although many specialists and scholars agree on the importance of their role, SME managers sometimes show little involvement or little action regarding ISS, leading to potentially disastrous consequences. In the literature, involvement and action are often merged, which limits the exploration of this issue. The research question dealt with in this paper is: How to improve the role of managers in their company's ISS? In order to respond, we examined (1) the barriers and drivers of managers’ involvement and action, (2) the consequences of their involvement and actions (3) how the roles in ISS management are shared out. This empirical study uses a qualitative methodology and an interpretive approach. The results extend our understanding of the factors that influence managers' involvement and action in ISS. Four contexts were identified, which were used as a framework for the analysis of the roles of the various people involved in SME ISS. This paper makes a theoretical contribution by shedding light on new factors of managers' involvement and actions. The smallest SMEs seldom have a chief information officer (CIO) or a chief information security officer (CISO). In this case, we found that employees sometimes assume informal responsibility for IS and ISS. We identified various factors to explain this informal position and several related issues. We also contribute to managerial practices by identifying avenues to better involve managers in the ISS of their SMEs. Our major contribution is showing for the first time that when an employee assumes the role of a CISO, whether informally or not, it is of utmost importance to provide top management support. This study is original because managers' involvement and actions are studied separately, which provides more detailed results and allowed us to propose practical recommendations to improve ISS, according to the identified situations.
Ashenden, D. (2008), "Information security management: A human challenge?", Information security technical report, n°13, p. 195-201.
Anderson, E.E., Choobineh J., (2009), Enterprise information security strategies, Computers & Security, n°27, p. 22-29.
Avolio, F.M. (2000), "Best practices in network security: as the networking landscape changes, so must the policies that govern its use. Don’t be afraid of imperfection when it comes to developing those for your group", Network Computing, Vol. 60, n°20, p. 60-72.
Barlette, Y. (2008), "Une étude des comportements liés à la sécurité des systèmes d’information en PME", Systèmes d’Information et Management, Vol. 13, n°4, p. 7-30.
Barlette, Y., Fomin, V.V., (2009), The adoption of Information Security management Standards: A Literature Review. In Knapp K.J. Ed.), Cyber-Security & Global Information Assurance: Threat, analysis and response solutions, p. 119-140. IGI Global, USA.
Baumard P., Ibert J., (2003), Quelles approches avec quelles données? In R.-A. Thiétart et coll., Méthodes de recherche en management, p. 82-103, Dunod, Paris.
Boss, S.R., Kirsh L.J., Angermeier I., Shingler R.A., Boss R.W. (2009), "If someone is watching, I'll do what I'm asked: mandatoriness, control and information security", European Journal of Information Systems, n°18, p. 151-164.
Bruce, G. et Dempsey R., (1997), Security in Distributed Computing - Did You Lock the Door?, Hewlett Packard Company, Palo Alto, USA.
Clusif, (2004), Retour sur investissement en SSI : quelques clés pour argumenter.
Clusif, (2008), Politiques de sécurité des systèmes d'information et sinistralité en France.
Clusif, (2010), Menaces Informatiques et Pratiques de Sécurité en France.
Coles-Kemp, L. (2009), "Information Security Management: An entangled research challenge", Information security technical report, Vol. 14, n°4, p. 181-185.
Davenport, T. (2002), Privilégier l'information sur la technologie, http://www.lesechos.fr/formations/manag_info/articles/article_1_1.htm (accédé le 20 avril 2011)
Dhillon, G., Backhouse J. (2001), "Current directions in IS security research: towards socio-organizational perspectives", Information Systems Journal, Vol. 11, p. 127-153.
Dlamini, M.T., Eloff, J.H.P., Eloff, M.M. (2009), "Information security: The moving target", Computers & Security, n°28, p. 189-198.
Dong, L., Neufeld, D., Higgins, C. (2009), "Top management support of enterprise systems implementations", Journal of Information technology, n°24, p. 55-80.
Dutta, A., McCrohan, K. (2002), "Management's role in information security in cyber economy", California Management Review, Vol. 45, n°1, p. 67-87.
Eisenhardt, K.M. (1989), "Building theories from case study research", Academy of Management Review, Vol. 14, n°532, p. 57-74.
ENISA, (2009), Les dix bonnes pratiques de l’ENISA en matière de sensibilisation à la sécurité, http://www.enisa.europa.eu/act/ar/deliverables/2009/ar-security-practices-fr/?searchterm=good%20practices
(Accédé le 29 avril 2011).
Fallery, B., (2006), "Les trois approches de l'analyse de données textuelles : lexicale, linguistique, thématique", Working Paper.
Forcht, K.A., Ayers W.C., (2000), "Developing a computer security policy for organizational use and implementation", Journal of computer information systems, Vol. 41, n°2, p. 52-57.
Forte, D. (2008), "Selling security to top management", Network Security, March, p. 18-20.
Goodhue, D.L., Straub, D.W. (1991), "Security concerns of systems users: a study of perceptions of the adequacy of security measures", Information and Management, Vol. 20, n°1, p. 13-27.
Grover, V. (1993), "Empirically derived model for the adoption of customer-based inter-organizational systems", Decision Sciences, Vol. 24, n°3, p. 603-639.
Gupta, A., Hammond, R. (2005), "Information systems security issues and decisions for small businesses: an empirical examination", Information Management and Computer Security, Vol. 13, n°4, p. 297-310.
Hagen, J.M., Albrechtsen, E., Hovden, J. (2008). "Implementation and effectiveness of organizational information security measures", Information Management and Computer Security, Vol. 16, n°4, p. 377-397.
Helmich, D.L., Brown W.B., (1972), "Successor type and organizational change in the corporate enterprise", Administrative science quarterly, Vol. 17, p. 371-381.
Hofstede, G., Neuijen, B., Daval-Ohayv, D., Sanders, G., (1990), "Measuring organizational cultures: a qualitative and quantitative study across twenty cases", Administrative science quarterly, Vol. 35, p. 286-316, Cornell university.
INSEE, (2008), Tableaux de l'Économie Française, INSEE Références, Paris.
Jaouen, A. (2010), "Typologie de dirigeants de très petite entreprise", Journal of Small Business and Entrepreneurship, Vol.23, n°1, 33p.
Jarvenpaa, S.L., Ives, B. (1991), "Executive commitment and participation in the management of information technology", MIS Quarterly, Vol. 15, n°2, p. 205-227.
Julien, P.A., Marchesnay M., (1996), L'entrepreneuriat, Economica, Paris.
Johnston, A.C., Hale, R., (2009), "Improved Security through Information Security Governance", Communications of the ACM, Vol. 52, n°1, p. 126-129.
Kankanhalli, A., Hock-Hai T., Bernard C.Y.T., Kwok-Kee W., (2003), "An integrative study of information systems security effectiveness", International journal of information management, Vol. 23, p. 139-154.
Kayworth, T., Whitten, D., (2010), "Effective information security requires a balance of social and technology factors", MIS Quarterly executive, Vol. 9, n°3, p. 163-175.
Khoo, B., Harris, p., Hartman, S. (2010), "Information Security Governance Of Enterprise Information Systems: An Approach To Legislative Compliant", International Journal of Management and Information Systems, Vol. 14, n°3, p. 49-55.
Klein, H.K., Myers, M.D. (1999), "A Set of Principles for Conducting and Evaluating Interpretive Field Studies in Information Systems", MIS Quarterly, Vol. 23, n°1, p. 67-94.
Knapp, K.J., Marshall, T.E., Kelly Rainer, R., Nelson Ford, F. (2006), "Information security: management's effect on culture and policy", Information Management and Computer Security, Vol. 14, n°16, p. 24-36.
Knapp, K.J., Morris R.F., Marshall, T.E., Byrd T.A. (2009), "Information security policy: An organizational-level process model", Computers & Security, n°28, p. 493-508.
Kotulic, A., Clark, J.G. (2004), "Why there aren't more information security research studies", Information and Management, Vol. 41, n°5, p. 597-607.
Kyobe, M. (2008). "The impact of entrepreneur behaviours on the quality of e-commerce security: A comparison of urban and rural findings", Journal of global information technology management, Vol. 11, n°2, p. 58-79.
Lucas, H.C. Jr, (1981), Implementation: the key to successful information systems, Columbia University Press, New York.
Markus, M.L. (1983), "Power, politics, and MIS implementation", Communications of the ACM, Vol. 26, n°6, p. 430-444.
Miles, M. B., Huberman, A.M. (2003), Analyse des données qualitatives, De Boeck, Bruxelles.
Mitchell, R.C., Marcella, R., Baxter, G. (1999), "Corporate information security management", New Library World, Vol. 100, n°1150, p. 213-227.
Monnoyer, M.C. (2003), Le dirigeant confronté à la décision d'investissement en TIC, in Boutary, TIC et PME : des usages aux stratégies, l'Harmattan, Paris.
Mucchielli, A. (1996), Dictionnaire des méthodes qualitatives en sciences humaines et sociales. Armand Colin, Paris.
Norburn, D. et Birley S., (1988), "The top management team and corporate performance", Strategic management journal, Vol.9, n°3, p. 225-237.
Price Waterhouse Coopers, (2011), Global State of Information Security Survey, http://www.pwc.com/gx/en/ information-security-survey/pdf/giss-2011-survey-report.pdf, (accédé le 20 avril 2011).
Rainer, R.K., Marshall T.E., Knapp K.J., Montgomery G.H. (2007). "Do Information Security Professionals and Business Managers View Information Security Issues Differently?", Information Systems Security, n°16, p. 100-108.
Rees, J., (2010), "Information security for small and medium-sized business", Computer Fraud & Security, n°9, p. 18-19.
Reid, R.C., Gilbert A.H., (2009), "Cognitive Support for Senior Manager's Decision Making In Information Systems Security". Proceedings of the academy of information and management sciences, Vol. 13, n°1, p. 58-62.
Reinert, M., (1990), "Alceste : une méthodologie d'analyse des données textuelles et une application à Aurélia de G. de Nerval", Bulletin de méthodologie sociologique, n°26, p. 24-54.
Reix, R. (2004), Systèmes d'information et management des organisations, Vuibert, Paris.
Robinson, S. et Volonino L., (2004), Principles and practices of information security, Pearson Prentice Hall, New Jersey.
Rockart, J.F., Crescenzi, A.D. (1984), "Engaging top management in information technology", Sloan Management Review, Vol. 25, n°4, p. 3-16.
Ross, J. et Weill P., (2002), "Six decisions your IT people shouldn't make", Harvard Business Review, November, p. 85-91.
Schein, E.H., (1990), Organizational culture and leadership, Jossey-Bass, San Francisco.
Song, J.H., (1982), "Diversification strategies and the experience of top executives of large firms", Strategic management journal, n°3, p. 377-380.
Stevens, J.M., Beyer J.M., Trice M.H., (1978), "Assessing personal role and organizational predictors of managerial commitment", Academy of management journal, n°21, p. 380-396.
Vermeulen, C. et Von Solms R., (2002), "The information security management toolbox: Taking the pain out of security management", Information management & Computer Security, Vol. 10, n°3, p. 119-125.
Williams, P. (2007). "Executive and board roles in information security", Network Security, n°8, p. 11-14.
Yin, R.K. (2008), Case study research: design and methods, Sage Publications, Thousand Oaks, CA.
The author bears the responsibility for checking whether material submitted is subject to copyright or ownership rights (e.g. figures, tables, photographs, illustrations, trade literature and data). The author will need to obtain permission to reproduce any such items, and include these permissions with their final submission.
It is our policy to ask all contributors to transfer for free the copyright in their contribution to the journal owner. There are two broad reasons for this:
- ownership of copyright by the journal owner facilitates international protection against infringement of copyright, libel or plagiarism;
- it also ensures that requests by third parties to reprint or reproduce a contribution, or part of it, in either print or electronic form, are handled efficiently in accordance with our general policy which encourages dissemination of knowledge within the framework of copyright.
In conformity with the French law, the author keeps the 'moral rights' related to the article:
- The 'authorship right': It is the author's right to have his name associated with each publication and exploitation of the article.
- The 'integrity right': It can be claimed by the author if he finds that during an exploitation, his work has been distorted (cutting, reassembly...).