Secure Coding mailing list archives

Re: The problem is that user management doesn't demand security


From: Julie Ryan <jjchryan () gwu edu>
Date: Fri, 12 Dec 2003 00:29:10 +0000

When discussing the responsibility of corporate governance in assessing 
risk, understanding security requirements, and defining policy, let's 
not forget the following circumstances:


A) the vast majority of companies in the US are small. From the SBA 
website (www.sba.gov) come the following stats:

"Small firms
  1.  Represent more than 99.7 percent of all employers.
  2.  Employ more than half of all private sector employees.
  3.  Pay 44.5 percent of total U.S. private payroll.
  4.  Generate 60 to 80 percent of net new jobs annually.
  5.  Create more than 50 percent of nonfarm private gross domestic 
      product (GDP).
  6.  Supplied 22.8 percent of the total value of federal prime 
      contracts (about $50 billion) in FY 2001.
  7.  Produce 13 to 14 times more patents per employee than large 
      patenting firms. These patents are twice as likely as large firm 
      patents to be among the one percent most cited.
  8.  Are employers of 39 percent of high tech workers (such as 
      scientists, engineers, and computer workers).
  9.  Are 53 percent home-based and 3 percent franchises."
(http://app1.sba.gov/faqs/faqIndexAll.cfm?areaid=24)

B) small businesses are not heavy users (or understanders) of security 
concepts.  See Information Security Practices and Experiences in Small 
Businesses, posted online at 
http://www.pirp.harvard.edu/pubs/pdf-blurb.asp?id=493


C) small businesses grow up to sometimes take over the world.....  
typically with the same attitudes towards security that they started 
with.


Julie J.C.H. Ryan, D.Sc.
Assistant Professor
Department of Engineering Management and System Engineering
School of Engineering and Applied Science
The George Washington University

http://www.seas.gwu.edu/~jjchryan/







