SRI Security Research Institute, Edith Cowan University, Perth, Western Australia
In the modern information economy, the security of information is critically important to organizations. Information‐security risk assessments (ISRAs) allow organizations to identify key information assets and security risks so security expenditure can be directed cost‐effectively. Unfortunately, conducting ISRAs requires special expertise and tends to be complex and costly for small to medium-sized organizations (SMEs). Therefore, it remains unclear in practice, and unknown in the literature, how SMEs address information security imperatives without the benefit of an ISRA process. This research makes a contribution to theory in security management by identifying the factors that influence key decision-makers in SMEs to address information security risks. The study has identified three key motivating factors from a series of case studies. Firstly, the need for sufficient information security to maintain reputation with external clients whilst conforming to the level of information security practices typical in industry culture. Secondly, (mis)perceptions of the existing state of information security and level of exposure to security threats in the organization. Thirdly, the perceived need to focus on higher corporate business priorities rather than on information security.