Information Security Leadership Related


  • 7/24/2019 Infromation Security Leadership Related

    1/254

    LEADERSHIP STYLES AND INFORMATION SECURITY IN SMALL BUSINESSES: AN EMPIRICAL INVESTIGATION

    by

    Debasis Bhattacharya

    A Dissertation Presented in Partial Fulfillment

    of the Requirements for the Degree

    Doctor of Business Administration

    UNIVERSITY OF PHOENIX

    April 2008


    3324059

    Copyright 2008 by Bhattacharya, Debasis. All rights reserved.


    © 2008 by DEBASIS BHATTACHARYA. ALL RIGHTS RESERVED.


    ABSTRACT

    Small businesses often display a lack of concern towards cybercrime and information security problems. A lack of concern usually results in delayed or incorrectly implemented security measures, which increases vulnerability to cybercrime. The first purpose of this quantitative, descriptive, correlational research study was to empirically investigate leadership styles and assess the level of concern regarding information security problems within small businesses that belong to particular chambers of commerce or trade associations within the state of Hawaii. The second purpose of this study was to determine the degree of a possible relationship between leadership styles and the level of concern towards information security problems within these small businesses. The 122 small business participants in the study completed the Multifactor Leadership Questionnaire and the Small Business Security Questionnaire to test whether a statistically significant correlation exists between particular leadership styles and the level of concern regarding information security problems. The results of this study showed a significant correlation between transactional and transformational leadership styles and the level of concern towards information security problems within small businesses. This research suggests that small business leaders need to demonstrate more than one leadership style to broaden their preparation against a range of information security issues and problems. The findings may be applicable to small business leaders who proactively search for a cost-effective and optimal combination of leadership styles, technologies, and policies that will mitigate the evolving threats of cybercrime and information security problems.

    DEDICATION


    TABLE OF CONTENTS

    LIST OF TABLES.............................................................................................xvi

    LIST OF FIGURES .........................................................................................xviii

    CHAPTER 1: INTRODUCTION.........................................................................1

    Background of the Problem.................................................................................. 2

    Statement of the Problem......................................................................................5

    Purpose of the Study............................................................................................. 6

    Dependent and Independent Variables .................................................................7

    Intervening Variables............................................................................................ 8

    Significance of the Study......................................................................................9

    Significance of the Study to Leadership.............................................................10

    Nature of the Study............................................................................................. 10

    Research Questions............................................................................................. 16

    Research Question 1 ....................................................................................17

    Research Question 2 ....................................................................................17

    Research Question 3 ....................................................................................17

    Hypotheses.......................................................................................................... 18

    Hypothesis 1 ................................................................................................ 19

    Hypothesis 2 ................................................................................................ 19

    Hypothesis 3 ................................................................................................ 19

    Theoretical Framework.......................................................................................20

    Leadership Theories..................................................................................... 21

    Information Security Management Theories...............................................23


    Definition of Terms............................................................................................. 24

    Assumptions........................................................................................................ 26

    Scope and Limitations.........................................................................................27

    Delimitations....................................................................................................... 28

    Summary.............................................................................................................28

    CHAPTER 2: LITERATURE REVIEW............................................................ 30

    Literature Review Search.................................................................................... 31

    Historical Overview............................................................................................ 33

    Evolution of Leadership Theories and Models...................................................34

    Trait Theories............................................................................................... 35

    Behavioral Theories.....................................................................................35

    Servant Leadership Theory..........................................................................36

    Situational Leadership Theory.....................................................................37

    Contingency Theory .................................................................................... 37

    Path-Goal Theory.........................................................................................38

    Theory of Transformational Leadership.............................................................38

    Transformational Leadership (Independent Variable).................................39

    Transactional Leadership (Independent Variable).......................................40

    Passive-Avoidant Leadership (Independent Variable)................................41

    Evolution of Cybercrime and Information Security ........................................... 42

    Comparison with Traditional Crime............................................................42

    Evolving Legislation against Cybercrime ...................................................44

    Efforts of Law Enforcement against Cybercrime........................................45


    Role of E-Commerce................................................................................... 45

    Information Security Theories and Related Research ........................................ 46

    Cultural Theory and Risk Management....................................................... 47

    Economic Model of Information Security...................................................48

    Integrated System Theory of Information Security.....................................49

    Current Findings and Alternative Viewpoints ....................................................50

    Leadership Theories in the 21st Century ............................................................. 50

    Kouzes and Posner's Model ........................................................................51

    Pseudo Transformational Leadership .......................................................... 51

    Innovation and Performance........................................................................52

    Leadership Styles within Small Businesses.................................................53

    Information Security Management in the 21st Century....................................... 54

    Security Assessments................................................................................... 54

    Preventative Security................................................................................... 55

    Intrusion Detection ......................................................................................58

    Incident Response........................................................................................59

    Physical Security ......................................................................................... 60

    Insider Access Abuse................................................................................... 61

    Outsourcing Cyber Security ........................................................................63

    Information Security Within Small Businesses ..................................................63

    Significance of Small Businesses to the US Economy................................65

    Categories of Small Businesses and Information Security..........................66

    Information Security Problems (Dependent Variables) ..............................67


    Pearson's Correlation and Multiple Regression Analysis ...........................95

    Validity and Reliability....................................................................................... 96

    Internal Validity........................................................................................... 97

    External Validity.......................................................................................... 98

    Reliability Analysis ..................................................................................... 99

    Summary.............................................................................................................99

    CHAPTER 4: RESULTS.................................................................................. 101

    Study Process....................................................................................................102

    Sample Participants ...................................................................................102

    Survey Development ................................................................................. 103

    Pilot Testing...............................................................................................104

    Data Collection..........................................................................................105

    Post-survey Interviews............................................................................... 106

    Reliability Analysis ...................................................................................107

    Post-hoc Confirmatory Factor Analysis ....................................................107

    Non-Response Bias Analysis..................................................................... 108

    Descriptive Statistical Analysis ........................................................................108

    Independent Variables ............................................................................... 109

    Dependent Variables.................................................................................. 113

    Intervening Variables................................................................................. 114

    Other Security Variables............................................................................119

    Results of Research Questions and Hypothesis................................................122

    Research Question 1 and Hypothesis 1 .....................................................122


    Research Question 2 and Hypothesis 2 .....................................................128

    Research Question 3 and Hypothesis 3 .....................................................133

    Multiple Regression Analysis...........................................................................136

    Predictors of Insider Access Abuse ...........................................................136

    Predictors of Power Failure .......................................................................137

    Predictors of Data Integrity .......................................................................138

    Predictors of Data Availability .................................................................. 139

    Predictors of Data Theft.............................................................................140

    Predictors of Data Sabotage.......................................................................141

    Summary of Predictors for Seven Security Concerns ...............................141

    Predictors across Leadership Styles, Technology and Procedures............143

    Qualitative Data for Triangulation.................................................................... 144

    Summary of Findings........................................................................................146

    Conclusions.......................................................................................................150

    CHAPTER 5: CONCLUSIONS AND RECOMMENDATIONS....................151

    Conclusions.......................................................................................................152

    Literature Review ......................................................................................152

    Assumptions .............................................................................................. 155

    Limitations.................................................................................................156

    Delimitations.............................................................................................. 157

    Reliability ..................................................................................................157

    Intervening Variables................................................................................. 158

    Other Security Variables............................................................................158


    Research Question 1 and Hypothesis 1 .....................................................160

    Research Question 2 and Hypothesis 2 .....................................................163

    Research Question 3 and Hypothesis 3 .....................................................166

    Implications.......................................................................................................168

    Implications for Global Leadership...........................................................168

    Implications for Small Business Leaders ..................................................170

    Recommendations............................................................................................. 172

    Recommendation 1: Leadership Styles Assessment..................................172

    Recommendation 2: Information Security Assessment.............................174

    Recommendation 3: Application of Cybercrime Leadership ....................176

    Recommendations for Future Research..................................................... 179

    Summary........................................................................................................... 181

    Conclusions.......................................................................................................181

    REFERENCES .................................................................................................182

    APPENDIX A: INFORMED CONSENT FORM............................................ 197

    APPENDIX B: COPY OF SURVEY INSTRUMENTS ..................................199

    APPENDIX C: PERMISSION TO USE MLQ ................................................202

    APPENDIX D: PERMISSION TO USE SECURITY SURVEY.....................204

    APPENDIX E: HUMAN RESEARCH SUBJECTS CERTIFICATION.........206

    APPENDIX F: RELIABILITY ANALYSIS....................................................209

    APPENDIX G: FREQUENCY TABLES......................................................... 211

    APPENDIX H: CHI-SQUARE TESTS............................................................214

    APPENDIX I: PEARSON'S CORRELATIONS............................................. 217


    APPENDIX J: MULTIPLE REGRESSION ANALYSIS................................ 221

    APPENDIX K: SMALL BUSINESS SECURITY CHECKLIST.................... 225

    APPENDIX L: POST-HOC CONFIRMATORY FACTOR ANALYSIS....... 229

    APPENDIX M: NON-RESPONSE BIAS ANALYSIS...................................232

    APPENDIX N: RESOURCES FOR CYBERCRIME VICTIMS .................... 234


    LIST OF TABLES

    Table 1 14 Dependent Variables...........................................................................7

    Table 2 Three Independent Variables................................................................... 8

    Table 3 Five Intervening Variables ...................................................................... 8

    Table 4 Full Range Leadership Model with Nine Factors .................................14

    Table 5 Literature Surveyed in Support of the Research Questions ...................32

    Table 6 Variables, Research Questions, and Survey Items ................................91

    Table 7 Structure of Online Survey..................................................................104

    Table 8 Post-Survey Interview Questions ........................................................ 106

    Table 9 Independent Variables: Three Leadership Styles ...............................109

    Table 10 Descriptive Statistics of Independent Variables...............................110

    Table 11 Descriptive Statistics of Factors within each Leadership Style........ 113

    Table 12 Descriptive Statistics of 14 Dependent Variables.............................114

    Table 13 Intervening Variables .......................................................................115

    Table 14 Intervening Variable: Connectivity Options ......................................118

    Table 15 Access to Computers and Networks..................................................119

    Table 16 Information Security Policies and Procedures.................................120

    Table 17 Information Security Technologies...................................................120

    Table 18 Data Importance............................................................................... 121

    Table 19 Information Security Experiences within Past 12 Months................122

    Table 20 Pearson's Correlations - Transformational Leadership Style ..........123

    Table 21 Pearson's Correlations - Transformational Leadership Factors ..... 125

    Table 22 Multiple Regression Analysis - Predictors of Data Secrecy.............126


    Table 23 Multiple Regression Analysis - Predictions of Data Availability ..... 127

    Table 24 Pearson's Correlations - Transactional Leadership Style ................130

    Table 25 Pearson's Correlations - Transactional Leadership Factors ...........132

    Table 26 Pearson's Correlations - Passive-Avoidance Leadership Style........ 134

    Table 27 Pearson's Correlations - Passive-Avoidance Leadership Factors ....135

    Table 28 Multiple Regression Analysis - Predictors of Insider Access Abuse 136

    Table 29 Multiple Regression Analysis - Predictors of Power Failure...........137

    Table 30 Multiple Regression Analysis - Predictors of Data Integrity ...........138

    Table 31 Multiple Regression Analysis - Predictors of Data Availability....... 139

    Table 32 Multiple Regression Analysis - Predictors of Data Theft.................140

    Table 33 Multiple Regression Analysis - Predictors of Data Sabotage ..........141

    Table 34 Summary of Predictors for Seven Security Problems .......................142

    Table 35 Summary of Post-Survey Interview Responses .................................144

    Table 36 Summary of Findings for Research Questions .................................147

    Table 37 Summary of Findings for Research Hypothesis................................148

    Table 38 Summary of Significant and Noteworthy Findings ...........................149

    Table 39 Cybercrime Leadership using Leadership Style Score .....................176

    Table 40 Example of Cybercrime Leadership .................................................177

    Table 41 Cybercrime Leadership, Technology and Policy..............................178


    LIST OF FIGURES

    Figure 1. Torbjorn's (2004) Four Worldviews and Grid/Group Typology........ 48

    Figure 2. Computer Security Incidents in the US (CSI/FBI, 2006). ..................65

    Figure 3. Technologies Used by Businesses in the US (CSI/FBI, 2006). ..........72

    Figure 4. Map of Research Methodology and Design........................................ 85

    Figure 5. Histogram of Transformational Leadership Styles ...........................111

    Figure 6. Histogram of Transactional Leadership Styles .................................111

    Figure 7. Histogram of Passive-Avoidance Leadership Styles ........................112

    Figure 8. Business Area.................................................................................... 115

    Figure 9. Number of Employees ...................................................................... 116

    Figure 10. Annual Revenues ............................................................................116

    Figure 11. Number of Computers..................................................................... 117

    Figure 12. Leadership Augmentation Model for Cybercrime..........................169

    Figure 13. Cybercrime Leadership Framework Overview for Small Business170

    Figure 14. Cybercrime Leadership Framework Details for Small Business .... 171

    Figure 15. Assessment of Key Leadership Factors .......................................... 173

    Figure 16. Computation of Leadership Style Scores........................................174

    Figure 17. Basic Information Security Assessment (Easttom, 2006)............... 175


    Small business owners are often entrepreneurs who set the company vision, demonstrate problem-solving and decision-making capabilities, take risks, and launch strategic initiatives (Fernald, Solomon, & Tarabishy, 2005). According to one study of 194 small businesses (O'Regan, Ghobadian, & Sims, 2005), an effective leadership style is likely to lead to better business performance. O'Regan et al. claimed that small businesses that emphasize any specific leadership style show better performance than businesses with weak or uncertain leadership styles.

    According to the available literature on small businesses, leadership, and information security, no previous research focuses on the possible relationship between leadership styles and information security problems. This study intended to fill this void. This study assessed the leadership styles of small business leaders and the influence leadership styles exerted upon information security experiences and problems. This research study offers three potential benefits: (a) an assessment of the prevalent small business leadership styles in the state of Hawaii; (b) a more precise identification of the specific leadership styles that best mitigate information security threats and problems; and (c) guidance for small business owners on the most effective leadership styles against information security threats.

    Using the Multifactor Leadership Questionnaire (MLQ) survey from Bass and Avolio (2004) and the Small Business Security Survey (Ryan, 2000), this study examined the leadership styles within a sample of small businesses that belong to various chambers of commerce (CoCHawaii, 2007) or trade associations (SBH, 2007) within the state of Hawaii. Chapter 2 discusses the theoretical aspect of leadership styles and information security problems in more detail.


    Purpose of the Study

    The first purpose of this quantitative, descriptive, correlational research study was to investigate leadership styles and assess the level of concern towards information security problems within small businesses that belong to various chambers of commerce (CoCHawaii, 2007) or trade associations (SBH, 2007) within the state of Hawaii. The second purpose of this study was to determine the degree of a possible relationship between leadership styles and the level of concern towards information security problems within small businesses.

    The research design of the study involved a pilot study, online survey, and phone interviews to triangulate data from survey respondents. The online survey used two peer-reviewed, valid, and reliable surveys. The two surveys included the Multifactor Leadership Questionnaire (Bass & Avolio, 2004) and the Small Business Security Survey (Ryan, 2000). The specific study population included 2825 small businesses located in the state of Hawaii, with 500 or fewer employees (SBA, 2007), that belonged to various chambers of commerce (CoCHawaii, 2007) or trade associations (SBH, 2007) within the state of Hawaii.

    Leedy and Ormrod (2001) claimed that quantitative descriptive design involves exploring possible correlations among two or more phenomena (p. 191). Data were analyzed using descriptive statistics, correlational analysis, and multiple regression methods. The research design accomplished the goals of the study by providing empirical evidence regarding the potential relationship between three independent variables (transformational, transactional, and passive-avoidant leadership styles) and 14 dependent variables (information security problems).


    Dependent and Independent Variables

    There are 14 dependent variables. As shown in Table 1, each represented a specific information security problem that a small business may face (Ryan, 2000). Using a Likert scale, the study examined the level of concern for each security problem.

    Table 1

    14 Dependent Variables

    Information security problem   Examples of problem in small businesses
    ----------------------------   ---------------------------------------------------
    Insider access abuse           Unauthorized login by employees
    Viruses                        Programs that enter through attachments in email
    Power failure                  Loss of data due to abrupt shutdown of computers
    Software problems              Vulnerable software due to absence of patches
    Data integrity                 Corruption of customer list or sales data
    Transaction integrity          Corruption of financial transaction with bank
    Outsider access abuse          Unauthorized entry by former employees
    Data secrecy                   Confidentiality of payroll information
    Data availability              Availability of access to time sheet data
    Data theft                     Theft of confidential employee information
    Data sabotage                  Intentional destruction of financial data
    User errors                    Accidental erasure of data by untrained user
    Natural disaster               Damage to computer systems from floods
    Fraud                          Impersonation and deceit used to elicit information

    The three independent variables, as shown in Table 2, were the transformational, transactional, and passive-avoidant leadership styles as defined by Bass and Avolio


    face, as shown in Table 1. This study examined five intervening variables, shown in Table 3, to determine if intervening variables influenced the level of concern regarding information security problems.

    A multidisciplinary array of applications supports the validity and reliability of the two study instruments (Bass & Avolio, 2004), as does pre-testing and application in a dissertation project (Ryan, 2000) and a subsequent study reported in a peer-reviewed journal (Gupta & Hammond, 2005). Bass and Avolio noted that internal consistency ratings, using Cronbach's coefficient alpha, were above .70 for all scales except for active management-by-exception. Gupta and Hammond (2005) reported that their reliability tests on the Small Business Security Questionnaire resulted in Cronbach coefficient alpha values ranging from 0.64 to 0.785. In other words, both instruments were considered reliable, although the lowest Small Business Security Questionnaire value (0.64) falls slightly below the .70 threshold commonly applied to Cronbach's alpha.

    The Pass Power Analysis and Sample Size (PASS) 2005 software was used for

    statistical power analysis to determine the probability of avoiding Type II errors (Rubin

    & Babbie, 2005). According to Rubin and Babbie (2005), a Type II error occurs if we

    fail to reject a false null hypothesis (p. 604). Assuming a significance level of .05 and a

    medium effect size with r2= 0.09, the power of the test of significance of correlation for

    sample size of 200 is .99. Using the same parameters of medium effect size, the power of

    test of significance of correlation for sample size of 100 is .86. The result indicated that

    the probability of committing a Type II error is 0.01 (1 - .99) for samples larger than 200

    and 0.14 (1 - .86) for a sample size of 100, assuming a medium effect size with r2= 0.09

    and at .05 significance level.
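The power figures in the paragraph above can be reproduced without PASS. The following Python block is an added example; it is not part of the dissertation and does not claim to be the algorithm PASS itself uses. It assumes the standard Fisher z-transformation approximation for the test of a Pearson correlation, takes r = 0.30 as the correlation corresponding to r² = 0.09 (Cohen's medium effect size), and uses function names of its own such as correlation_power. It also goes one step beyond the page by solving for the smallest sample size that reaches a chosen target power.

```python
import math


def norm_cdf(x: float) -> float:
    """Standard normal cumulative distribution function, via math.erf."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def norm_ppf(p: float) -> float:
    """Inverse of norm_cdf by bisection on [-10, 10] (accurate to ~1e-12)."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    lo, hi = -10.0, 10.0
    for _ in range(100):
        mid = 0.5 * (lo + hi)
        if norm_cdf(mid) < p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def correlation_power(r: float, n: int, alpha: float = 0.05) -> float:
    """Power of the two-sided test of H0: rho = 0 when the true correlation is r.

    Fisher z-transformation (an assumption of this example): atanh(r_hat) is
    approximately normal with mean atanh(r) and standard error 1/sqrt(n - 3).
    H0 is rejected when the standardized statistic exceeds the alpha/2
    critical value in either tail, so power sums both tails.
    """
    if n <= 3:
        raise ValueError("Fisher z approximation needs n > 3")
    if not -1.0 < r < 1.0:
        raise ValueError("r must be strictly between -1 and 1")
    shift = math.atanh(r) * math.sqrt(n - 3)  # mean of the standardized statistic
    z_crit = norm_ppf(1.0 - alpha / 2.0)
    return norm_cdf(shift - z_crit) + norm_cdf(-shift - z_crit)


def type_ii_error(r: float, n: int, alpha: float = 0.05) -> float:
    """Probability of failing to reject a false H0: beta = 1 - power."""
    return 1.0 - correlation_power(r, n, alpha)


def sample_size_for_power(r: float, target_power: float, alpha: float = 0.05) -> int:
    """Smallest n whose power reaches target_power for true correlation r."""
    n = 4
    while correlation_power(r, n, alpha) < target_power:
        n += 1
    return n


if __name__ == "__main__":
    R_MEDIUM = math.sqrt(0.09)  # r^2 = 0.09 is Cohen's medium effect size, r = 0.30
    for n in (100, 200):
        print(f"n={n}: power={correlation_power(R_MEDIUM, n):.2f} "
              f"beta={type_ii_error(R_MEDIUM, n):.2f}")
    print("n needed for 80% power:", sample_size_for_power(R_MEDIUM, 0.80))
```

With α = .05 and r = 0.30 the block returns a power of .86 at n = 100 and .99 at n = 200, so β = 1 - power is .14 and .01, the same figures the paragraph reports. The sample-size search shows that about 85 respondents already reach the conventional .80 power, which is the number to keep in mind when a survey's response rate falls short of the planned sample.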

The generalization of this study's results will be enhanced if the selected research design, methodology, and systematic sampling approach fit well with the purpose of the study (Creswell, 2003). According to Triola (2004), the more the survey respondents correlate with the general population, the higher the confidence level in the accuracy and validity of the data will be. The focus on a state like Hawaii allowed the researcher to select small businesses with diverse business profiles (CoCHawaii, 2007).

The survey was conducted online using Zoomerang (2007), an established, commercial online survey provider. The estimated time to complete the online survey was 10 minutes. The estimated 30-minute in-depth interviews with the 10 randomly selected small business owners were conducted over the telephone. The data were exported to SPSS version 16.0 for Windows to perform descriptive statistical analysis, correlation analysis, and multiple regression analysis. Correlation analysis and multiple regression analysis provided information to answer the research questions and related hypotheses.

Research Questions

Creswell (2003) stated that research questions are "interrogative statements or questions that the investigator seeks to answer" (p. 108). According to Rubin and Babbie (2005), research questions need to be posed in a way that can be answered by observable evidence (p. 117). Research questions should be feasible, but not so narrow that they are no longer worth investigating (Rubin & Babbie). This study included 14 dependent variables and three independent variables, as shown above in Tables 1 and 2 respectively. The following research questions guided this study and established the hypotheses through quantitative data collection and analysis.

Hypothesis 1

H1₀: There is no relationship between the transformational leadership style score and the level of concern for information security problems within small businesses.

H1ₐ: There is a relationship between the transformational leadership style score and the level of concern for information security problems within small businesses.

Hypothesis 2

H2₀: There is no relationship between the transactional leadership style score and the level of concern for information security problems within small businesses.

H2ₐ: There is a relationship between the transactional leadership style score and the level of concern for information security problems within small businesses.

Hypothesis 3

H3₀: There is no relationship between the passive-avoidant leadership style score and the level of concern for information security problems within small businesses.

H3ₐ: There is a relationship between the passive-avoidant leadership style score and the level of concern for information security problems within small businesses.

H1ₐ was tested to determine if there was a statistically significant relationship between the transformational leadership style score of small businesses and the level of concern for information security problems. H2ₐ was tested to determine if a statistically significant relationship existed between the transactional leadership style score of small

For many decades, research on leadership has centered on such questions as autocratic versus democratic leadership, directive versus participative decision-making, task versus relationship focus, and initiation versus consideration behavior (Bass, 1990). Bass controversially noted that with increased globalization, business re-engineering, and organizational transformations comes a greater need for increased research on leadership development in individuals, groups, and large organizations. As observed, little research exists on the impact of leadership styles on information security within small businesses, despite the increase in cybercrime targeting small businesses.

This study complements and extends the previous literature on small business leadership styles and information security problems. The subsequent discussion gives an overview of the leadership theories and ideas about effective information security management that contribute to this study's theoretical framework. Chapter 2 elaborates further on these theories and ideas.

Leadership Theories

This study focused on the relationship between leaders and followers within small businesses. In small businesses, defined as organizations with 500 or fewer employees (SBA, 2007), the leadership styles of business owners and key employees influence the performance of the entire organization more directly than in larger companies. Burns (1979) proposed a theory that leadership is comprised of transactional and transforming components. Burns defined transactional leadership as a form of leadership that involves a system of exchange between leaders and followers. Contingent reward and management by exception are elements of this exchange system (Burns).

Information Security Management Theories

The management of information security concerns within small businesses draws upon theories on employee motivation, expectancy of outcomes, culture, economics, and integrative theories of economic security. Herzberg, Mausner, and Snyderman (1959) constructed a two-dimensional paradigm of factors to reflect employees' perceptions of job satisfaction. According to Herzberg et al., hygiene factors included company policies, supervision of employees, interpersonal relationships, working conditions, salaries, benefits, and job security. The absence of hygiene factors can cause job dissatisfaction, but the presence of hygiene factors does not necessarily motivate employees or create job satisfaction. Motivation factors include achievement, recognition, responsibility, possibility of growth, relationships with supervisors, and job security (Herzberg et al.).

Vroom's (1964) expectancy theory extended Herzberg's theory of motivation by claiming that a factor's degree of influence is based on the importance an individual places on that factor. According to Vroom, if an individual believes that a certain outcome is possible, his or her expectation of that outcome is high. The degree of motivation is higher when an individual realizes that a certain level of performance leads to a desired outcome (Vroom). Vroom's theory is important to the prevention of information security threats and the detection of existing vulnerabilities within small businesses. Assuming that small business owners value information security prevention and vigilance, small business employees can expect their safe computing practices to lead to fewer incidents of attacks and cybercrime.

Because small businesses are constantly changing in the 21st century, the motivation of employees to remain vigilant against cybercrime is important (Baker & Wallace, 2007). According to Baker and Wallace, the management of information security is an ongoing process that requires the continuous motivation and vigilance of employees. Related theories about cultural factors described the impact of social assumptions and constraints on the worldviews of the individual (Torbjorn, Oltedal, Moen, & Hroar, 2004). According to Torbjorn et al., worldviews can influence the approach to risk evaluation and information security management.

Gordon and Loeb (2002) provided controversial insight into the incremental benefits of information security, and proposed that an optimal choice of information security investments justifies the incremental benefits. Hong, Yen-Pin, Loui, and Tang (2003) proposed an integrated system theory of information security management based on core underlying information policy, risk management, management system, and contingency theories. Chapter 2 gives additional details concerning information security theories.

Definition of Terms

The following operational terms and definitions provide a clear understanding of their uses within the context of this study:

1. Bot-network: Computers hijacked by cybercriminals, without the knowledge of their owners, to forward spam and viruses to computers over the internet (Easttom, 2006).

2. Cybercrime: According to the US Department of Justice (CC&IPS, 2006), cybercrime is any violation of criminal law that involves a knowledge of computer technology for its perpetration, investigation, or prosecution. This broad definition of cybercrime includes computer crimes committed solely through the internet, such as dissemination of viruses and worms. However, according to the US Department of Justice, this legal definition also includes traditional crimes like child pornography, hate crimes, fraud, and identity theft that are committed via the internet (CC&IPS).

3. Denial of service attack: This cybercrime makes information systems unavailable to users. It often results in lost revenue and productivity (Easttom, 2006).

4. Information Security: According to Ryan (2000), information security is that set of technologies, policies, procedures, and engineering principles that contribute to protecting the confidentiality, integrity, and availability of information systems and assets. Information security also includes detecting attempts to compromise the confidentiality, integrity, or availability of information systems or assets, and recovering from problems with or attacks upon information systems or assets (pp. xix–xx).

5. Leadership Styles: A general term used in this study to categorize the various dimensions of leadership articulated in the full range leadership model of Bass and Avolio (2004). As mentioned previously, leadership styles include transformational, transactional, and passive-avoidant styles (the study's proposed independent variables).

6. Multifactor Leadership Questionnaire (MLQ): The latest version of the survey instrument from Bass and Avolio (2004), which examines various leadership styles within organizations. The MLQ measured the study's proposed independent variables.

7. Phishing: Unauthorized attempts to gain personal information for criminal gain (Easttom, 2006).

8. Small Business: According to the United States Small Business Administration (SBA, 2007), and for the purposes of this proposed study, an organization located within the United States with 500 or fewer employees.

9. Small Business Security Questionnaire: Initially developed by Ryan (2000) as part of a doctoral dissertation on information security issues within small businesses in the USA. This survey, subsequently administered in other studies and reported in peer-reviewed journals, measured the study's proposed dependent variables.

10. Spam: Unsolicited electronic messages sent to online recipients (Easttom, 2006).

11. Security Breach: A violation of security policy or defenses (Easttom, 2006).

12. Virus: Malicious software that invades without authorization (Easttom, 2006).

Assumptions

This quantitative, descriptive, correlational research study drew upon four assumptions. The first assumption was that owners and leaders of small businesses would take the appropriate amount of time to participate in the online survey, and that they would give honest answers. The two sections of the survey included questions on leadership styles, and on information security experiences and problems. The estimated time to complete the entire online survey was 10 minutes or less.

The second assumption was that the systematic sampling of 800 small businesses from the study population of 2,825 members of various chambers of commerce or trade associations would yield an adequate number of respondents for gathering comprehensible, honest, and reliable data. Generally, online surveys are thought to have higher response rates than paper-based ones, as online users are more receptive to filling out online surveys than to completing paper forms and returning them via postal mail (Rubin & Babbie, 2005).

The third assumption involved retaining the confidentiality and privacy of the selected survey participants. Since the survey would ask for disclosure of security issues and concerns within small businesses, protecting the confidentiality and privacy of the small business participant was important. Study participants did not want their identities disclosed to potential competitors or cybercriminals. Thus, study response data were not linked to any identifying information about the study participants and businesses.

The fourth assumption was that adherence to social science research guidelines would avert any threats to the physical, emotional, or economic wellbeing of the study participants. Since the survey examined leadership styles of small business leaders, the study assumed that the participants would not incur emotional harm in responding to the questions about their leadership styles. Since the survey involved disclosing information security concerns within the small business, the study assumed that no economic harm would occur to the small business because of its responses to the survey questions.

Scope and Limitations

The study's scope was limited to the potential relationship that may exist between leadership styles and information security concerns within small businesses that are members of the various chambers of commerce and trade associations within Hawaii. Consequently, the results of this study have limited generalization to mid-sized and larger organizations with more than 500 employees. The geographic location of the study participants in the state of Hawaii also limited the generalization of the results to small businesses located elsewhere in the United States as well as those overseas.

The online survey involved self-reporting and self-evaluation. Therefore, there was no mechanism to control the validity of the results. The study assumed the honesty and reliability of the participants. The reliability and validity of the survey was limited by the nine leadership factors contained in the full range leadership model and the

Records of past hearings in the US House of Representatives (State of small business security, 2006) represented important sources of evidence-based information on the state of US cybercrime, as did recent reviews of websites that vendors like Symantec (2007), McAfee (2007) and Microsoft (2007) use to provide small businesses with data, security software, and services. United States federal statutes on cybercrime constituted a key source of scholarly data. The websites of government organizations like the United States Small Business Administration (SBA, 2007) and the US Federal Bureau of Investigation (FBI, 2005) published critical information on the current state of small businesses in the United States.

This literature review encompassed 182 peer-reviewed articles, all published after 2003. The majority of articles covered topics on leadership and information security. This literature review also covered 32 relevant dissertations and 38 popular books published after 2003. Finally, the websites of four US government organizations, one global standards organization, nine technology vendors, one Congressional hearing on small businesses, and surveys from three companies were examined.

Historical Overview

This study builds on the full range leadership model of Bass and Avolio (2004). According to Bass and Avolio, leaders displayed more than one style in a particular situation. Because this study focused on leadership styles and their impact on information security concerns within small businesses, it also builds upon the cost-benefit model proposed by Gordon and Loeb (2006a). The historical overview that follows traces the evolution of pertinent leadership theories and models, offers a detailed explanation of the transformational and transactional leadership styles, and charts the

relationship with followers and helps to move them towards a common goal. A business leader needs to demonstrate superior managerial qualities as well as leadership qualities. A leader cannot lead by example unless he or she is also a good manager. Employees follow an effective leader not because they have to but because they want to do so. A manager who is not also an effective leader must rely upon formal authority alone to ensure that employees accomplish their tasks (Kotter).

Trait Theories

As mentioned previously, trait theories of leadership focused on the inner traits or qualities of leaders that distinguished them from the rest of the population. Leadership characteristics, which involved influence, intelligence, power, and energy, were assumed to be inborn. Trait theories stress the qualities of the leader without covering the traits of followers (Northouse, 2004). Research has failed to identify a consistent set of traits that worked for all leaders and all situations faced by leaders (Hersey & Blanchard, 1996). Trait theory lends credence to the assumption that business organizations work better if the managers in authority have designated leadership profiles and roles (Northouse). Hersey and Blanchard claimed that while personalities and profiles are important elements of leadership style, the trait theory seems to be a model of the past.

Behavioral Theories

After trait theories became popular in the early 20th century, the pendulum swung to behavioral theories. Behavioral theories attempted to identify the behaviors that create effective leadership (Wren, 1995). The leadership literature identified two types of behavioral styles: (a) task behaviors, and (b) relationship behaviors (Bass, 1990). Task behaviors focus on the tasks and actions needed to be effective, while relationship behaviors focus on the working relationship between leader and followers (Bass).

Theory X, an early behavioral leadership model from the American social psychologist McGregor (1960), centered on command and control over a group of subordinates. According to McGregor, employees generally dislike work and wish to avoid it as much as possible. Managers should tightly control subordinates through clear, unambiguous commands and expectations. Theory X is applicable to a command and control environment in which leaders direct and expect conformity. This model is relevant only to organizations involving a hierarchy of management and employees, and in which control of employees is critical to company success (McGregor).

McGregor's Theory Y (1960) focused on soft-management principles. Theory Y proposed most employees' equation of work with leisure; the ability of motivated employees to direct themselves without managerial control and punishment; and the importance of job satisfaction to employees and their performance. In sharp contrast to Theory X, Theory Y proposed that flexibility and self-control, not authoritarian management, are critical for good employee performance (McGregor).

Servant Leadership Theory

Almost a decade after McGregor's Theory X and Y, Greenleaf (2002) developed the controversial servant leadership model. The fundamental premise of the servant leadership model is that the leader serves the employees whom he or she leads and that this service to the employees is the basic purpose of leadership (Spears & Lawrence, 2002). An exemplary leader is primarily a servant, an individual whose goal is to serve others (Greenleaf).

In defining the leader's purpose, the servant leader model sharply and radically departed from Theories X and Y and the other leadership models of the day (Spears & Lawrence, 2002). Greenleaf (2002) proposed this theory against the backdrop of the Vietnam War and its effects on American society. Greenleaf concluded that because large institutions were misleading their employees, institutional leaders would do well to serve their employees and thereby become more effective.

Situational Leadership Theory

Developed after the servant leader model, the situational theory of Hersey and Blanchard (1996) highlighted the business situation and environment faced by the leader. According to Hersey and Blanchard, leadership style should be matched to the psychological or job maturity of the subordinates, which can vary from one employee to the next. Psychological maturity involves self-confidence, and job maturity refers to the attainment of relevant job skills. As subordinates mature, the leader should delegate more tasks and responsibilities (Hersey & Blanchard).

According to the situational theory of leadership, a leader operated differently based on the underlying situation or context (Hersey & Blanchard, 1996). For example, situations such as an economic downturn or a threatened hostile takeover prompt the leader to change tactics and behavior in the interest of the employees, shareholders, and customers. The situational leadership model differed from behavioral and servant leadership theories in its emphasis on context, situation, and employee maturity (Hersey & Blanchard).

Contingency Theory

Contingency theory matched leadership style to an underlying situation (Bass, 1990). Fiedler (1967) articulated the original contingency theory, which proposed no

2. Idealized Behaviors (IB): Communicates the leader's sense of power and confidence and builds respect among the followers.

3. Inspirational Motivation (IM): The transformational leader motivates followers by providing meaning and inspiration; is articulate and enthusiastic about their future; and expresses a compelling vision that persuades followers to work for success.

4. Intellectual Stimulation (IS): The transformational leader emphasizes innovation and creativity by questioning assumptions, reframing problems, and approaching old problems with new solutions. He or she stimulates followers' intellects by encouraging the use of creativity and problem-solving capabilities.

5. Individual Consideration (IC): The transformational leader considers each follower an individual with potential, as opposed to just another member of the group. By acting as coach and mentor, the leader helps each individual follower grow to full potential.

Transactional Leadership (Independent Variable)

According to Bass (1990), transactional leadership involved an exchange between the leader and followers in which the leader rewarded or disciplined followers in exchange for their actions. Bass and Avolio (2004) described transactional leadership as "behaviors associated with constructive and corrective transactions" (p. 97). Transactional leaders defined clear performance expectations for their followers and expected achievement of specific goals in exchange for rewards. Bass and Avolio defined transactional leadership as having the following two factors.

  • 7/24/2019 Infromation Security Leadership Related

    60/254

  • 7/24/2019 Infromation Security Leadership Related

    61/254

    42

    or difficulty; and prefers to remain on the sidelines when important issues or

    concerns arise.

    Evolution of Cybercrime and Information Security

    With the proliferation of the internet, the rate of cybercrime has increased (Gupta

    & Hammond, 2005). The impact of cybercrime has also expanded in scope and

    complexity to include all types of businesses, including small businesses (Adamkiewicz,

    2005). As the technology needed to commit cybercrimes becomes more common, the

    perpetrators drop in average age and grow more sophisticated (Kshetri, 2006). The

    distributed and open nature of the internet is both a benefit for consumers and a hindrance

    to tracking down cybercriminals (Wall, 2004).

    Since computers are connected to each other in an open and distributed fashion, it

    has become easier for criminals to hide behind the computers of authorized and

    legitimate users (Kreuter, 2003). According to Kreuter, impersonating the identity of a

    real user allowed cybercriminals to use a legitimate identity to commit a crime against an

    unsuspecting small business owner. In unraveling cybercrime, law enforcement agencies

    have to uncover the identity of the perpetrator (Kreuter). This study examines the various

    impacts of cybercrime on small businesses in the United States.

    Comparison with Traditional Crime

    Key similarities and differences exist between cybercrime and crime carried out

    by traditional means without the use of computer technology (Kshetri, 2006). The online

    nature of cybercrime allows for criminals to survey potential victims from afar and attack

    them when they least suspect an intrusion (Wall, 2004). Wall noted that software viruses,

    spyware, and malware could embed themselves in the computer systems of small

  • 7/24/2019 Infromation Security Leadership Related

    62/254

    43

    businesses and track their activities and transactions. Covert surveillance of a small

    business could lead to theft of information without the awareness of the small business

    owner (Wall). Eventually, upon detection of the crime, the cybercriminals may have

    already obtained damaging and confidential information about the business (Kshetri).

    The nature of cybercrime allows a cybercriminal to damage thousands of small

    businesses in a short period, across many legal jurisdictions (Kreuter, 2003). The actual

    damage to each individual business may be small, but the collective damage across all

    businesses is often large (Kshetri, 2006). Kshetri claimed that cybercrime is frequently

    asymmetric and perpetuated against many businesses by a few cybercriminals. Thus law

    enforcement agencies are challenged to find a cost-effective response that benefits all the

    victims and prosecute the criminal (Wall, 2005).

    Cybercrime differs from the traditional model of crime in which a few criminals

    target a few victims in one jurisdiction, thereby allowing law enforcement to respond

    with an effective investigation and prosecution of the offenders (Kshetri, 2006).

    Traditionally, criminals have acted in their own geographical location and eventually

    prosecuted by their own local law enforcement agencies in the local jurisdiction

    (Kshetri). Another key difference between cybercrime and traditional crime, according to

    the US FBI, is the reluctance of the victim to report the offense to authorities (CSI/FBI,

    2006). One likely explanation is that public disclosure of cybercrime is often

    embarrassing to small or large businesses (Wall, 2005). According to Wall, disclosure

    could lead to a downturn in consumer confidence and trust.

    In contrast to traditional criminal activities, cybercrime allows young and

    inexperienced criminals with no more than basic software tools and computer technology

  • 7/24/2019 Infromation Security Leadership Related

    63/254

    44

    skills to create havoc among all types of business (Wall, 2005). Inexperienced criminals,

    often juveniles, create viruses that damage to the computer systems of corporations and

    governments (Radnofsky, 2006). Smith (2004) claimed that coordinated, sophisticated

    attacks by organized cybercriminal gangs often targeted financial information of online

    and traditional businesses. According to Smith, modern types of cybercrime caused

    different forms of damage, but they are equally harmful to all types of business.

Evolving Legislation against Cybercrime

Legislation against cybercrime has been evolving since 1996, when the internet became a commercial tool for small and large businesses (CC&IPS, 2006). Various federal laws in the US protect citizens and businesses against cybercrime (Swartz, 2006). The US PATRIOT Act of 2001 amended the original National Information Infrastructure Act of 1996. Additional amendments are contained in the Cyber Security Enhancement Act of 2002, signed on November 25, 2002 as part of the Homeland Security Act of 2000, and in the Computer Software Privacy and Control Act, signed on April 30, 2004. The United States joined the European Convention on Cybercrime on September 29, 2006, and the law came into force on January 1, 2007 (CC&IPS).

Statutes and their enforcement against global cybercriminals by the US Department of Justice (CC&IPS, 2006) are key benefits to US businesses. For example, United States Code Title 18 1029 and 1030 provide protection against the fraudulent use of access devices and computers (CC&IPS, 2006). However, as cybercrime becomes more frequent and complex, legislation often lags behind the exploits of cybercriminals. For example, the state of Indiana passed the Data Breach Law in 2006 (Swartz, 2006) after an increase in the incidence of business and home computer data breaches.

Efforts of Law Enforcement against Cybercrime

As the incidence of cybercrime increases, so do the efforts of US law enforcement agencies against its perpetrators (Wall, 2005). Wall claimed that US agencies such as the US FBI and the US Secret Service are vigilant against cybercrime and have the authority to prosecute criminals who perpetrate it. A website to report internet crime, the Internet Crime Complaint Center (IC3, 2006), is a collaboration between the US FBI and the National White Collar Crime Center (NW3C, 2006). Various websites and collaborations between federal agencies and civilian organizations provide small businesses with various avenues to report and prosecute perpetrators of cybercrime (Wall).

Role of E-Commerce

The proliferation of the internet since 1996 has allowed small businesses to market their products and services to a wider range of customers (Desai, Richards, & Desai, 2003). E-commerce transactions developed new trust and relationships with customers through the use of new tools like privacy seals and statements (Moores, 2005). Online practices have led to new business models that use the internet for marketing, sales, support, and service.

A global customer is one who purchases goods or services outside the immediate geographical location of a small business (Hassan, Alexander, & Daniel, 2003). Global customers and transactions often face export and import regulations, language and currency differences, and other cultural and linguistic barriers (Hassan et al.). According to Hassan et al., as e-commerce proliferates, issues concerning the receipt of foreign payments increase in importance and complexity.

Quality customer service is important for all customers, regardless of whether they make purchases online or from a local store (Desai et al., 2003). According to Desai et al., as e-commerce and global trade increase, small businesses need to include information on global business practices, rules, and regulations in their knowledge management infrastructure. An increase in global business knowledge allows small businesses to effectively sell to and service global customers (Hassan et al., 2003).

As small businesses expand their customer base beyond their countries, they are exposed to cybercriminals from all over the world (Warren & Hutchinson, 2003). According to Warren and Hutchinson, e-commerce involves working with partners and suppliers from all over the world, and creates a greater need for authentication and reliability in communications and transactions. Globalization increases the potential for cybercrime from all over the world, and small businesses are as vulnerable as any other businesses (Desai et al., 2003).

Information Security Theories and Related Research

Information security has become a leading issue of concern to many large and small organizations over the past decade (Albrechtsen, 2007). Several research studies focused on the application of technology solutions to managing information security (Albrechtsen, 2007; Baker & Wallace, 2007; Chang & Lin, 2007). According to Baker and Wallace, organizations often focus more on technological approaches to managing information security, as opposed to a holistic approach to securing technology, processes, people, and other organizational factors (p. 37). A holistic approach is appropriate for small businesses as well as large organizations (Baker & Wallace).

According to a qualitative study by Albrechtsen (2007), users reported that they are motivated by information security concerns but do not consistently and reliably perform many preventative security actions. Albrechtsen also claimed that the documented requirements of information security policies and procedures, along with general awareness campaigns, have little effect on actual user actions and awareness. The implication is that organizations need to do more to change user behavior rather than merely instituting company policies and procedures to manage information security. Chang and Lin (2007) examined the impact of company culture on information security management within businesses in Taiwan. According to Chang and Lin, in addition to technology, policies, and procedures, human and cultural factors are also important to information security management.

Cultural Theory and Risk Management

Cultural theory proposes that people interact socially based on their social constraints and understandings of the world (Douglas & Wildavsky, 1982). Douglas and Wildavsky claimed that individuals form worldviews and opinions based on their social and cultural contexts and assumptions. Worldviews could include their assumptions and opinions on risk management and information security concerns (Tsohou, Karyda, & Kokolakis, 2006). The grid/group typology proposed by Douglas and Wildavsky (1982) displays a combination of social relations and cultural biases (see Figure 1). The horizontal group axis refers to the extent to which an individual is incorporated into predefined and bounded units of society, while the vertical grid axis denotes the degree to which an individual is constrained by external prescriptions and social restraints (Torbjorn et al., 2004).

Figure 1. Torbjorn's (2004) Four Worldviews and Grid/Group Typology.

Worldviews with high group and high grid values are associated with hierarchical cultures, which emphasize the importance of preserving social order and status (Torbjorn et al., 2004). According to Torbjorn et al., worldviews with high grid but low group values are associated with egalitarian cultures, which emphasize charismatic leadership, suspicion of authority, preference for role changes, and a sense of equality. Worldviews with low grid and low group values originate in individualistic cultures, which emphasize personal freedoms, role choices, short-term thinking and decision-making, and a high tolerance for risk. Worldviews with low group and high grid values tend to come from fatalistic cultures, which emphasize minimal personal autonomy, low tolerance for risk, and a low degree of social control (Torbjorn et al.).

Economic Model of Information Security

Gordon and Loeb (2002) indicated that the full implementation of every possible information security control is not an optimal and efficient use of an organization's resources. According to Gordon and Loeb, organizations should invest in security only when the marginal benefit of the implementation equals the incremental cost. Gordon and Loeb (2002, 2006b) provided a cost-benefit model to determine an optimal budget for information security within an organization. Initially, Gordon and Loeb (2006a) focused on three questions: (1) How much should an organization spend on information security? (2) How should an organization allocate its information security budget to specific problems? (3) What is the economic cost of information security breaches?

Hausken (2006) extended the work of Gordon and Loeb by proposing that the best way to model the probability of an information security breach is by using a logistic function that first exhibits increasing, then decreasing, returns and benefits (Gordon & Loeb, 2006a). Gordon and Loeb remarked on the paucity of available research and data on the benefits of information security investment. This study addressed the economic model for small businesses that are financially constrained in their ability to combat cybercrime, but cannot remain ambivalent and unresponsive.
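The "invest until marginal benefit equals marginal cost" rule above, worked through numerically as an added example that is not part of the dissertation or of Gordon and Loeb's own materials. It uses the Gordon and Loeb (2002) class-I breach-probability function v/(αz+1)^β and an assumed S-shaped (logistic) function standing in for Hausken's idea of increasing-then-decreasing returns; the loss, vulnerability and shape parameters are constructed sample values for a small business.

```python
"""Security-budget optimisation in the Gordon-Loeb style (added example).

z = security investment (dollars), v = vulnerability (breach probability
with no investment), L = loss if a breach occurs, S(z) = breach probability
after investing z.  Expected net benefit of investing z is
    ENBIS(z) = (v - S(z)) * L - z
and the optimum z* is where one more dollar of security buys exactly one
dollar less expected loss (marginal benefit = marginal cost).
"""
import math


def breach_prob_gl(z, v, alpha=1e-3, beta=1.0):
    """Gordon & Loeb (2002) class-I function: S(z) = v / (alpha*z + 1)**beta.
    Every extra dollar lowers breach probability, with diminishing returns."""
    return v / (alpha * z + 1.0) ** beta


def breach_prob_logistic(z, v, k=1e-3, midpoint=5000.0):
    """Assumed reverse-logistic (S-shaped) breach probability: returns on
    investment increase up to `midpoint`, then decrease.  This is a constructed
    illustration of Hausken's (2006) idea, not his exact function; it is
    normalised so that S(0) == v."""
    return v * (1.0 + math.exp(-k * midpoint)) / (1.0 + math.exp(k * (z - midpoint)))


def enbis(z, breach_prob, loss):
    """Expected net benefit: reduction in expected loss minus the money spent."""
    return (breach_prob(0.0) - breach_prob(z)) * loss - z


def optimal_investment(breach_prob, loss, step=1.0):
    """Grid search for the z in [0, loss] that maximises ENBIS.

    Spending nothing (ENBIS = 0) is always a candidate, so a business whose
    exposure is too small to pay back any spending gets z* = 0.  A grid search
    is used instead of solving the first-order condition because the logistic
    curve is not concave: marginal benefit = marginal cost also holds at a
    local minimum on its flat initial stretch.  Returns (z*, ENBIS(z*)).
    """
    best_z, best_val = 0.0, 0.0
    for n in range(1, int(loss / step) + 1):
        z = n * step
        val = enbis(z, breach_prob, loss)
        if val > best_val:
            best_z, best_val = z, val
    return best_z, best_val


def optimal_investment_gl_closed_form(v, loss, alpha=1e-3, beta=1.0):
    """Closed-form z* for the class-I function from the first-order condition
    dEBIS/dz = v*L*alpha*beta*(alpha*z + 1)**-(beta + 1) = 1."""
    root = (v * loss * alpha * beta) ** (1.0 / (beta + 1.0))
    return max(0.0, (root - 1.0) / alpha)


if __name__ == "__main__":
    # Constructed sample values: a 50% chance of a breach costing $100,000.
    V, LOSS = 0.5, 100_000.0
    z_gl, net_gl = optimal_investment(lambda z: breach_prob_gl(z, V), LOSS)
    print(f"class-I: invest ${z_gl:,.0f} (closed form "
          f"${optimal_investment_gl_closed_form(V, LOSS):,.0f}), net benefit "
          f"${net_gl:,.0f}; Gordon-Loeb 1/e bound ${LOSS / math.e:,.0f}")
    z_lg, net_lg = optimal_investment(lambda z: breach_prob_logistic(z, V), LOSS)
    print(f"logistic: invest ${z_lg:,.0f}, net benefit ${net_lg:,.0f}")
    # The same logistic curve with only $2,000 at stake never pays back: z* = 0.
    print("logistic, $2,000 loss:",
          optimal_investment(lambda z: breach_prob_logistic(z, V), 2_000.0))
```

For the class-I function the optimum never exceeds L/e (about 37% of the expected loss), which is the Gordon-Loeb rule of thumb; the logistic case shows that below a certain exposure the rational budget is zero, and above it the optimum jumps well past the flat initial region.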

Integrated System Theory of Information Security

Despite the prevalence of information security technologies, few information security studies exist in the scholarly literature (Hong et al., 2003). According to Hong et al., the lack of information security theory implied few empirical studies that examined the effectiveness of information security technologies, policies, and procedures. Hong et al. proposed an integrated theory that combined existing security policy, risk management, control and auditing, management system, and contingency theories. Hong's integrated theory covered several management activities that included the establishment of security policies and procedures, risk assessment, information security

presence of the whole flock of geese increases the flying range of the birds beyond what is possible for each bird flying alone. If a goose falls out of formation, it suddenly feels the pressure and risk of flying alone and quickly gets back into formation. When the lead goose gets tired, it rotates back and another goose takes its place. Leadership is common to all the geese in the formation (Belasco & Stayer).

Kouzes and Posner's Model

Kouzes and Posner (2003) named five key practices for achieving exemplary leadership.

1. Challenge the existing process and status quo, and explore new ways.
2. Create a shared vision by looking ahead to the future and sharing the goals.
3. Encourage action within the organization by listening and motivating others.
4. Lead by example by knowing the goals and plan of the organization.
5. Encourage others to grow and prosper by rewarding their accomplishments.

Kouzes and Posner (2003) claimed that leadership is an observable, learnable set of practices. According to the authors, teaching leadership to employees within an organization is possible, and credibility is the foundation of leadership. Employees at all levels of an organization, even within small businesses, can achieve exemplary leadership capabilities. Kouzes and Posner stressed that leadership is a relationship between those who choose to lead and those who choose to follow. Followership is important to the leader and the organization (Kouzes & Posner).

Pseudo Transformational Leadership

Pseudo transformational leadership is behavior that is often self-centered and unethical (Kouzes, 2003). In the 21st century, many examples exist of leaders who appear transformational, but in reality are pseudo transformational leaders focused on their own success (Harland & Harrison, 2005). Numerous examples of pseudo transformational leadership have appeared in the media during the scandals that have erupted in companies like Enron, Arthur Andersen, and WorldCom (Harland & Harrison, 2005; Lussier & Achua, 2004).

Bass and Avolio (2004) contended that despite the examples of pseudo transformational leaders in the media, most knowledge workers in the 21st century organization are unwilling to work with such leaders. Knowledge workers are willing to follow the path and examples set by true transformational leaders and not those pseudo transformational leaders consumed by greed (Bass & Avolio). Current reality suggests that transformational leadership is the roadmap for aspiring leaders in the 21st century, and that followers should look to genuinely transformational leaders for their future.

Innovation and Performance

Innovation is the creative ability to create new products, processes, organizations, thinking, and vision, and to assimilate new concepts into an existing organization (Christensen, 1997). According to Drucker (2004), innovation is the core competency of the modern century, and many sources of innovation are available to a business enterprise. Drucker claimed that innovation originated from the core vision of the company. If the entire company believed in change, innovation naturally resulted from its vision. In addition to vision, core values and competencies are equally important for success (Drucker).

Christensen (1997) described disruptive technologies and proposed that the dilemma for innovators is to distance themselves from loyal customers so that they can think and act out of the box. Christensen believed that traditional innovation involved the exploitation of change or crises, and that the successful business of today incorporates innovation even when the business is already successful and performing well. The core vision of the company can embody innovation by perpetuating revolutionary ideas and processes (Drucker, 2004).

Leadership Styles within Small Businesses

Organizations in the 21st century differ very much from those in the time of Plato and even those of a hundred years ago in industrialized nations. Drucker (2004) highlighted five qualities of the modern global business organization.

1. Lean. The number of employees is not as important as their productivity.
2. Flat. The hierarchy of managers extends to a few levels below the CEO.
3. Global. Vast geographical distances and differences in cultures and business practices separate employees.
4. Adaptive. Company goals, processes, and objectives change every few years.
5. Competition. Fierce competition surfaces from unexpected sources.

Given emerging trends in the nature of business organizations, Drucker (2004) proposed that contemporary leaders needed to stress the following actions.

Set the focus on common vision, goals, and objectives.
Coach employees and foster a team environment.
Set an example to fellow employees.
Take calculated risks that benefit the company.
Have the guts and resolve to survive a company crisis.
Efficiently execute tasks needed to achieve a goal.

Information Security Management in the 21st Century

Although cybercrime has proliferated over the past decade, so have the mechanisms to combat its effects (Day, 2003). Although many mechanisms involve technology and tools, manual policies and procedures are also an integral part of efforts against cybercrime (Easttom, 2006). Businesses of all sizes, including small businesses, implement various mechanisms to protect their information security from cybercriminals (Wall, 2005). This section provides details on seven security mechanisms commonly found in small businesses.

Security Assessments

Security assessments size up the security risks and threats faced by a small business (Easttom, 2006). An information security risk is a potential negative impact that can occur to an information system; an information security threat is the actual damage that can occur due to a risk (Day, 2003). According to Day, vulnerabilities within a computer system in a small business could allow cybercriminals to exploit the risk and carry out the threat. As such, security assessments attempt to discover vulnerabilities within computer systems in order to reduce the risks (Day). A vulnerability assessment is the systematic identification and validation of the possible vulnerabilities that may exist within a business organization (Blyth & Thomas, 2005).

The overall goal of security assessments and audits is to ensure that small businesses are trained, knowledgeable, and aware of the threats (Blyth & Thomas, 2005). According to Blyth and Thomas, increased awareness ensures that the information systems of small businesses meet three basic requirements. Basic requirements include availability, integrity, and confidentiality (DeZulueta, 2004). Availability ensures that a system is accessible and usable upon demand by an authorized user or entity.

Integrity ensures completeness, wholeness, and readability of information, meaning that data remains unchanged by an unauthorized user in ways that are not detectable by authorized users (DeZulueta, 2004). Finally, confidentiality ensures that a system is not accessed by unauthorized users (Ma, 2004). Numerous examples in the security literature discuss assessments for records protection (William, 2005), audits and security in the e-commerce era (Anderson, Hansen, Lowry, & Summers, 2006; Zhao, Yen, & Chang, 2004), and the importance of security assessments in specific industries like banking (Abu-Musa, 2004).

The literature on security assessments targeted specifically at small businesses is sparse (Gupta & Hammond, 2005). However, the mainstream literature provides ample guidance for small businesses that are limited by costs, security skills, and time constraints. Various checklists (Day, 2003; Easttom, 2006; Szor, 2005) provide simple and practical guides to implement security assessments, even within small businesses. This study examined the problem that small businesses are often unaware of security threats and risks until the occurrence of an actual security breach.

Preventative Security

Business organizations prefer to prevent security breaches because security breaches disrupt business performance and dampen consumer confidence (Greg Hanna, 2005a). The literature provides ample examples of software solutions to prevent security breaches, including practical uses of anti-virus software (Campbell, 2004; Szor, 2005) as well as a case study (Sherif & Gilliam, 2003) of virus prevention. Other technologies like firewalls (Day, 2003), anti-spam products, and anti-spyware technology (Gibson, 2005; Stafford, 2005; Thompson, 2005; Zhang, 2005) can be used by small businesses as well as personal home users (Hazari, 2005).

Major vendors like Symantec (2007) recommend the application of software patches, but patches themselves are at risk from hackers and cybercriminals (Marshall & Heffes, 2005). Basic email safety is important, and removing suspicious attachments is critical to any business (Day, 2003; Easttom, 2006). Precautions against modular malicious code, especially code distributed through the internet, are becoming increasingly important (Easttom). According to the Symantec Threat Report (Symantec, 2007), modular malicious code accounted for 88% of the top 50 malicious code samples reported in the second half of 2005. Securing wireless networks, which are common in small businesses, is important in order to ensure that identity thieves and competitors do not pilfer data (Gregory Hanna, 2005b; Kruh, 2003; Pietro & Mancini, 2003).

The literature also points out that preventative measures cannot mitigate all types of security risks. In 2003, the Bugbear.B worm infected thousands of computers despite anti-virus and personal firewall technology (Maroncelli & Karpin, 2003). Custom Trojan programs that elude anti-virus programs (M. Blake, 2003) can penetrate the defenses of small businesses. In addition to technology and tools, the literature emphasizes the use of security policies, procedures, training, and rules to prevent security breaches (Gellis, 2004) and future threats and disasters (Trim, 2005) in enterprises. For example, improperly disposing of old computers and hard drives allows cybercriminals instant access to sensitive company information (Lunsford, Robbins, & Bizarro, 2004). Day (2003) provided a checklist, one that is also appropriate for small businesses, regarding awareness of current security issues and threats and the performance of regular tests on all computers and security devices.

The literature also provides techniques for small businesses to back up and safeguard their business data on external hard disks (McCarthy, 2006). It describes the dangers of online storage (Mulligan, Schwartz, & Mondal, 2006), and the need to use strong passwords and change them frequently on the basis of security policies (Harrison, 2006; Wakefield, 2004b). The literature recommends avoiding the reuse of passwords (Blake, Kenneth, & Helmut, 2004) and controlling the use of the internet (Taillon, 2004). A formal and established security policy that is appropriate for small businesses helps them to enforce their preventative actions and measures (Rees, Bandyopadhyay, & Spafford, 2003).

The ISO/IEC 17799:2005 set of standards (ISO/IEC, 2005) covers security policy, the organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, information systems acquisition, development and maintenance, incident management, business continuity management, and compliance (p. 1). The comprehensive guide from ISO/IEC is applicable to small businesses as they assess their internal networks and policies. The latest version of ISO/IEC 17799:2005 is specifically tuned to the needs of e-commerce and global trade, and small businesses can use best practices (Saint-Germain, 2005) to prepare for the deployment of ISO/IEC 17799:2005 (Peltier, 2003).

Overall, the literature recommended a combination of technology, processes, and policies to prevent the incidence of cybercrime. The literature review helped to address the core problem assessed by this study, namely that many small businesses display a lack of concern towards information security and unrealistically expect that performing basic preventative measures alone protects against all forms of threats. This study examined the relationship between leadership styles within small businesses and the level of concern towards information security problems.

Intrusion Detection

While preventative measures are useful and necessary to preempt a security breach, they cannot cover all types of security threats. Ongoing intrusion detection systems find patterns in misuse and attempted intrusions and warn network administrators of an impending attack (Day, 2003). Intrusion detection technology needs to be complemented with human policies and procedures, and physical security that responds to notifications of an impending attack (Sherif & Ayers, 2003; Sher