COMPUTER SECURITY IN SMALL BUSINESS: AN EMPIRICAL STUDY*
During the past 30 years improved technology has produced ever smaller computers that substantially surpass the processing and data storage capabilities of older machines. At the same time the purchase price for these machines has decreased so that acquisition is now a viable option for most small businesses. The combined effects of improved capabilities and lower cost have resulted in substantial numbers of small businesses employing computers in their business operations.(1)
One significant barrier to effective use of computers in small business is inattention to computer security. Evidence that computer security for small businesses is an important issue comes from several sources. First, the significance of computer security has been explored in the literature.(2) For example, Bryant (1984) contends that the security of small systems is one of the most difficult challenges faced by management.(3) Becker believes small systems require the same kind of security as large computer systems,(4) whereas Baker suggests that small systems require even more security.(5) Some justification for this last suggestion is apparent when one compares the size differences between large and small system hardware and data media. The diminutive sizes in the small system environment make system components much more prone to theft. Also, the number of potential intruders into a small system are many times larger than that of a large system due to the widespread knowledge of popular operating systems (e.g., MS-DOS) and applications software (e.g., Lotus 1-2-3). Second, the significance of security in small systems has also been discussed in the end-user computing literature.(6)
Despite evidence pointing to the importance of computer security for the effective use of computers, there are indications that many users are unaware of the need for security measures.(7) In fact, a lack of awareness of computer security was a primary reason that the U.S. Congress passed the "Small Business Computer Security and Education Act of 1984." Two goals of this act were to: (1) improve the management of information technology in small business and, (2) to encourage and educate small business owners about security threats to this technology.
Accordingly, the general purpose of this study was to investigate both the awareness and implementation of security measures used in small business. Two research questions were of interest. First, to what extent are small business firms attempting to exert some form of control over potential security exposures? Control in this context means the ability to exercise restraint or direct influence over a given situation; it is an action taken to make an event conform to plan.(8) Controls function to prevent, detect, and correct the causes of a security exposure. For security measures to be effective, all three types of control are required. A restatement of the question is: To what extent are small businesses aware of or implementing measures that prevent, detect, or correct possible security exposures?
The second question concerns awareness and implementation of measures to protect the various components of a computer system. The components of a computer system that are usually protected are hardware, software, and data. Since both data and software are stored on the same media, measures designed to protect one are also effective in protecting the other. In addition to specific security measures designed to protect a particular component, some measures effectively protect the entire system. Thus, the second question is: To what extent are small businesses aware of or implementing measures that protect hardware, software, or the entire system?
Before proceeding, it should be noted that the definition of computer security used in this paper is derived from Cronin: