Type of Final Thesis:
Supervisor: Ali Sunyaev, Tobias Dehling
Research Group: Critical Information Infrastructures
Archive Number: 4.753
Status of Thesis: Completed
Date of start: 2021-02-01
Date of submission: 2021-07-04
Abstract: Information security management is a major challenge for small and medium-sized enterprises (SMEs), as they often lack the know-how and resources to implement full information security management systems. Moreover, existing research focuses mainly on larger enterprises. This leaves a limited knowledge base in terms of both actual practices in SMEs and feasible best practices for SMEs.
The aim of this thesis is to enrich the knowledge base by exploring how SMEs manage information security. For this purpose, 17 interviews with SMEs in southwestern Germany were conducted and analyzed using thematic analysis.
The interviews indicated notable differences between small and medium-sized companies. While all companies had adequate technical protection, medium-sized companies were more structured on an organizational level. Smaller companies, in turn, often outsourced information security to external providers.
Overall, these findings contribute to a more holistic understanding of information security management in SMEs and can guide future research.
By using soft systems methodology to synthesize the interview findings with existing research, this thesis also provides practical implications. Smaller companies in particular need support in assessing security risks and translating those risks into security measures. SMEs of all sizes would benefit from fostering security awareness and culture among their employees.