Implication et action des dirigeants : quelles pistes pour améliorer la sécurité de l'information en PME ?

Authors

  • Yves Barlette Groupe Sup de Co Montpellier Business School

Keywords:

sécurité, dirigeant, implication, action, délégation

Abstract

This article focuses on the role of SME managers in IS security (ISS), as these companies often suffer from more important ISS problems than larger companies. Although many specialists and scholars agree on the importance of their role, SME managers sometimes show little involvement or little action regarding ISS, leading to potentially disastrous consequences. In the literature, involvement and action are often merged, which limits the exploration of this issue. The research question dealt with in this paper is: How to improve the role of managers in their company's ISS? In order to respond, we examined (1) the barriers and drivers of managers’ involvement and action, (2) the consequences of their involvement and actions (3) how the roles in ISS management are shared out. This empirical study uses a qualitative methodology and an interpretive approach. The results extend our understanding of the factors that influence managers' involvement and action in ISS. Four contexts were identified, which were used as a framework for the analysis of the roles of the various people involved in SME ISS. This paper makes a theoretical contribution by shedding light on new factors of managers' involvement and actions. The smallest SMEs seldom have a chief information officer (CIO) or a chief information security officer (CISO). In this case, we found that employees sometimes assume informal responsibility for IS and ISS. We identified various factors to explain this informal position and several related issues. We also contribute to managerial practices by identifying avenues to better involve managers in the ISS of their SMEs. Our major contribution is showing for the first time that when an employee assumes the role of a CISO, whether informally or not, it is of utmost importance to provide top management support. This study is original because managers' involvement and actions are studied separately, which provides more detailed results and allowed us to propose practical recommendations to improve ISS, according to the identified situations.

Author Biography

Yves Barlette, Groupe Sup de Co Montpellier Business School

Yves Barlette est professeur associé du Groupe Sup de Co Montpellier Business School, depuis 1989. Il enseigne les systèmes d'information. Il étudie la Sécurité des Systèmes d'Information depuis l'année 2000. Ses recherches sont consacrées aux comportements des dirigeants et des employés, relatifs à la sécurité des informations.

References

Ashenden, D. (2008), "Information security management: A human challenge?", Information security technical report, n°13, p. 195-201.

Anderson, E.E., Choobineh J., (2009), Enterprise information security strategies, Computers & Security, n°27, p. 22-29.

Avolio, F.M. (2000), "Best practices in network security: as the networking landscape changes, so must the policies that govern its use. Don’t be afraid of imperfection when it comes to developing those for your group", Network Computing, Vol. 60, n°20, p. 60-72.

Barlette, Y. (2008), "Une étude des comportements liés à la sécurité des systèmes d’information en PME", Systèmes d’Information et Management, Vol. 13, n°4, p. 7-30.

Barlette, Y., Fomin, V.V., (2009), The adoption of Information Security management Standards: A Literature Review. In Knapp K.J. Ed.), Cyber-Security & Global Information Assurance: Threat, analysis and response solutions, p. 119-140. IGI Global, USA.

Baumard P., Ibert J., (2003), Quelles approches avec quelles données? In R.-A. Thiétart et coll., Méthodes de recherche en management, p. 82-103, Dunod, Paris.

Boss, S.R., Kirsh L.J., Angermeier I., Shingler R.A., Boss R.W. (2009), "If someone is watching, I'll do what I'm asked: mandatoriness, control and information security", European Journal of Information Systems, n°18, p. 151-164.

Bruce, G. et Dempsey R., (1997), Security in Distributed Computing - Did You Lock the Door?, Hewlett Packard Company, Palo Alto, USA.

Clusif, (2004), Retour sur investissement en SSI : quelques clés pour argumenter.

Clusif, (2008), Politiques de sécurité des systèmes d'information et sinistralité en France.

Clusif, (2010), Menaces Informatiques et Pratiques de Sécurité en France.

Coles-Kemp, L. (2009), "Information Security Management: An entangled research challenge", Information security technical report, Vol. 14, n°4, p. 181-185.

Davenport, T. (2002), Privilégier l'information sur la technologie, http://www.lesechos.fr/formations/manag_info/articles/article_1_1.htm (accédé le 20 avril 2011)

Dhillon, G., Backhouse J. (2001), "Current directions in IS security research: towards socio-organizational perspectives", Information Systems Journal, Vol. 11, p. 127-153.

Dlamini, M.T., Eloff, J.H.P., Eloff, M.M. (2009), "Information security: The moving target", Computers & Security, n°28, p. 189-198.

Dong, L., Neufeld, D., Higgins, C. (2009), "Top management support of enterprise systems implementations", Journal of Information technology, n°24, p. 55-80.

Dutta, A., McCrohan, K. (2002), "Management's role in information security in cyber economy", California Management Review, Vol. 45, n°1, p. 67-87.

Eisenhardt, K.M. (1989), "Building theories from case study research", Academy of Management Review, Vol. 14, n°532, p. 57-74.

ENISA, (2009), Les dix bonnes pratiques de l’ENISA en matière de sensibilisation à la sécurité, http://www.enisa.europa.eu/act/ar/deliverables/2009/ar-security-practices-fr/?searchterm=good%20practices

(Accédé le 29 avril 2011).

Fallery, B., (2006), "Les trois approches de l'analyse de données textuelles : lexicale, linguistique, thématique", Working Paper.

Forcht, K.A., Ayers W.C., (2000), "Developing a computer security policy for organizational use and implementation", Journal of computer information systems, Vol. 41, n°2, p. 52-57.

Forte, D. (2008), "Selling security to top management", Network Security, March, p. 18-20.

Goodhue, D.L., Straub, D.W. (1991), "Security concerns of systems users: a study of perceptions of the adequacy of security measures", Information and Management, Vol. 20, n°1, p. 13-27.

Grover, V. (1993), "Empirically derived model for the adoption of customer-based inter-organizational systems", Decision Sciences, Vol. 24, n°3, p. 603-639.

Gupta, A., Hammond, R. (2005), "Information systems security issues and decisions for small businesses: an empirical examination", Information Management and Computer Security, Vol. 13, n°4, p. 297-310.

Hagen, J.M., Albrechtsen, E., Hovden, J. (2008). "Implementation and effectiveness of organizational information security measures", Information Management and Computer Security, Vol. 16, n°4, p. 377-397.

Helmich, D.L., Brown W.B., (1972), "Successor type and organizational change in the corporate enterprise", Administrative science quarterly, Vol. 17, p. 371-381.

Hofstede, G., Neuijen, B., Daval-Ohayv, D., Sanders, G., (1990), "Measuring organizational cultures: a qualitative and quantitative study across twenty cases", Administrative science quarterly, Vol. 35, p. 286-316, Cornell university.

INSEE, (2008), Tableaux de l'Économie Française, INSEE Références, Paris.

Jaouen, A. (2010), "Typologie de dirigeants de très petite entreprise", Journal of Small Business and Entrepreneurship, Vol.23, n°1, 33p.

Jarvenpaa, S.L., Ives, B. (1991), "Executive commitment and participation in the management of information technology", MIS Quarterly, Vol. 15, n°2, p. 205-227.

Julien, P.A., Marchesnay M., (1996), L'entrepreneuriat, Economica, Paris.

Johnston, A.C., Hale, R., (2009), "Improved Security through Information Security Governance", Communications of the ACM, Vol. 52, n°1, p. 126-129.

Kankanhalli, A., Hock-Hai T., Bernard C.Y.T., Kwok-Kee W., (2003), "An integrative study of information systems security effectiveness", International journal of information management, Vol. 23, p. 139-154.

Kayworth, T., Whitten, D., (2010), "Effective information security requires a balance of social and technology factors", MIS Quarterly executive, Vol. 9, n°3, p. 163-175.

Khoo, B., Harris, p., Hartman, S. (2010), "Information Security Governance Of Enterprise Information Systems: An Approach To Legislative Compliant", International Journal of Management and Information Systems, Vol. 14, n°3, p. 49-55.

Klein, H.K., Myers, M.D. (1999), "A Set of Principles for Conducting and Evaluating Interpretive Field Studies in Information Systems", MIS Quarterly, Vol. 23, n°1, p. 67-94.

Knapp, K.J., Marshall, T.E., Kelly Rainer, R., Nelson Ford, F. (2006), "Information security: management's effect on culture and policy", Information Management and Computer Security, Vol. 14, n°16, p. 24-36.

Knapp, K.J., Morris R.F., Marshall, T.E., Byrd T.A. (2009), "Information security policy: An organizational-level process model", Computers & Security, n°28, p. 493-508.

Kotulic, A., Clark, J.G. (2004), "Why there aren't more information security research studies", Information and Management, Vol. 41, n°5, p. 597-607.

Kyobe, M. (2008). "The impact of entrepreneur behaviours on the quality of e-commerce security: A comparison of urban and rural findings", Journal of global information technology management, Vol. 11, n°2, p. 58-79.

Lucas, H.C. Jr, (1981), Implementation: the key to successful information systems, Columbia University Press, New York.

Markus, M.L. (1983), "Power, politics, and MIS implementation", Communications of the ACM, Vol. 26, n°6, p. 430-444.

Miles, M. B., Huberman, A.M. (2003), Analyse des données qualitatives, De Boeck, Bruxelles.

Mitchell, R.C., Marcella, R., Baxter, G. (1999), "Corporate information security management", New Library World, Vol. 100, n°1150, p. 213-227.

Monnoyer, M.C. (2003), Le dirigeant confronté à la décision d'investissement en TIC, in Boutary, TIC et PME : des usages aux stratégies, l'Harmattan, Paris.

Mucchielli, A. (1996), Dictionnaire des méthodes qualitatives en sciences humaines et sociales. Armand Colin, Paris.

Norburn, D. et Birley S., (1988), "The top management team and corporate performance", Strategic management journal, Vol.9, n°3, p. 225-237.

Price Waterhouse Coopers, (2011), Global State of Information Security Survey, http://www.pwc.com/gx/en/ information-security-survey/pdf/giss-2011-survey-report.pdf, (accédé le 20 avril 2011).

Rainer, R.K., Marshall T.E., Knapp K.J., Montgomery G.H. (2007). "Do Information Security Professionals and Business Managers View Information Security Issues Differently?", Information Systems Security, n°16, p. 100-108.

Rees, J., (2010), "Information security for small and medium-sized business", Computer Fraud & Security, n°9, p. 18-19.

Reid, R.C., Gilbert A.H., (2009), "Cognitive Support for Senior Manager's Decision Making In Information Systems Security". Proceedings of the academy of information and management sciences, Vol. 13, n°1, p. 58-62.

Reinert, M., (1990), "Alceste : une méthodologie d'analyse des données textuelles et une application à Aurélia de G. de Nerval", Bulletin de méthodologie sociologique, n°26, p. 24-54.

Reix, R. (2004), Systèmes d'information et management des organisations, Vuibert, Paris.

Robinson, S. et Volonino L., (2004), Principles and practices of information security, Pearson Prentice Hall, New Jersey.

Rockart, J.F., Crescenzi, A.D. (1984), "Engaging top management in information technology", Sloan Management Review, Vol. 25, n°4, p. 3-16.

Ross, J. et Weill P., (2002), "Six decisions your IT people shouldn't make", Harvard Business Review, November, p. 85-91.

Schein, E.H., (1990), Organizational culture and leadership, Jossey-Bass, San Francisco.

Song, J.H., (1982), "Diversification strategies and the experience of top executives of large firms", Strategic management journal, n°3, p. 377-380.

Stevens, J.M., Beyer J.M., Trice M.H., (1978), "Assessing personal role and organizational predictors of managerial commitment", Academy of management journal, n°21, p. 380-396.

Vermeulen, C. et Von Solms R., (2002), "The information security management toolbox: Taking the pain out of security management", Information management & Computer Security, Vol. 10, n°3, p. 119-125.

Williams, P. (2007). "Executive and board roles in information security", Network Security, n°8, p. 11-14.

Yin, R.K. (2008), Case study research: design and methods, Sage Publications, Thousand Oaks, CA.

Published

2012-06-10

How to Cite

Barlette, Y. (2012). Implication et action des dirigeants : quelles pistes pour améliorer la sécurité de l’information en PME ?. Systèmes d’Information Et Management (French Journal of Management Information Systems), 17(2), 115–149. Retrieved from https://revuesim.org/index.php/sim/article/view/406

Issue

Section

Teaching case studies and experiences