| dc.description.abstract | The aim of this study was to contribute to the understanding of information security practices and challenges in small and medium-sized businesses in Norway. The research focuses on organizational culture and leadership practices related to information security. Additionally, the study has been interested in mapping the number of security incidents, as well as their associated costs. The study collected a fresh set of data by conducting a survey of 236 small and medium-sized businesses across various industries and between the 11 Norwegian counties. The findings reveal that a significant number of Norwegian SMBs have experienced information security incidents over the past four years. While some incidents were severe and resulted in substantial costs, the median cost of incidents was found to be moderate and manageable for most businesses. However, it is emphasized that businesses should constantly raise their security levels to prepare for worst- case scenarios. Furthermore, the study highlights the role of cyber insurance in protecting businesses against data breaches. Approximately one out of every six participants reported that their organization had purchased cyber insurance and the findings show an increased likelihood to invest in such coverage for organizations that had experienced data breaches. This may indicate that the organizations recognize the importance of increasing security measures following a security incident. Interestingly, the research does not find a statistically significant relationship between the “Culture Security Level” and the probability or cost of incidents. The study acknowledges limitations in the methodology used to assess the “Culture Security Level” and highlights the need for further research. Based on the findings, it is concluded that the Norwegian SMB sector on average does not possess sufficient security measures to mitigate information security risk adequately. Overall, this thesis provides valuable insight into the information security landscape of Norwegian SMBs, highlights the challenges and offers recommendations for improving security practices. | |
