Low Resource Availability and the Small- to Medium-sized Retail Enterprise’s Ability to Implement an Information Security Strategy

Abstract

Improperly protecting businesses from cyber-attacks can result in unnecessary expenses, hardships, increasing threats, and vulnerabilities that foster data exposure and loss. This pragmatic qualitative inquiry study was designed to explore the influence of lower resource availability on Small-to Medium-sized Retail Enterprise’ (SMEs) ability to implement information security strategies in the retail industry in the Northeastern region of the United States. This study explored the perceptions and experiences of 38 participants holding positions as CEOs, CIOs, ISSOs, Security Managers, and other information security professionals employed by an SME with 250 or fewer employees in the retail industry. Narratives provided insight into the research questions: (a) how does resource availability influence SMEs’ ability to implement an information security strategy to protect networks and systems from vulnerabilities? (b) how do SMEs in the retail industry develop and implement an information security strategy to maintain business operations? Thematic analysis grouped similar statements and repetitions that identified patterns, themes, and subthemes. National Institute of Standards and Technology (NIST) Special Publication documents were also analyzed. The results suggest that the retail industry has several information security strategies consistent with limited resources. A holistic approach to developing and implementing an information security strategy with limited resources is achievable. The current research can help retailers strategically use cost-effective tools and controls to develop, implement, or enhance their information security strategy to improve business objectives and financial performance. Enhanced cybersecurity strategies within organizations may lead to more significant opportunities, competition, and performance in the retail industry.