wiki.cis.unisa.edu.au · Web viewKey word: Information Security, SME Policies, security framework....


University of South Australia

Division of Information Technology, Engineering and Environment

School of Computer and Information Science

Honours Degree in IT Minor Thesis

Research (Minor) Thesis Proposal

Research of Small-Medium Enterprise (SME) IT Security Policy Framework of South Australia, Focus Review on GPs Clinical Information Security Framework

Student: William Wye Kitt Thye

ID Number: 11063805

Mail ID: thywy001

Program code: LHCP

Supervisor: Dr Gaye Deegan

Associate Supervisor: Dr Martini

Minor Thesis Coordinator: G Stewart von Itzstein


Table of Contents

1. Abstract
2. Introduction
3. Initial Literature Review
4. Methodology
5. Timeline
6. References


1. Abstract:

The small and medium-sized enterprise (SME) sector plays a critical role in the Australian economy, contributing more than 50% of the country's GDP [21]. Australia has a reputably strong economy with digitally integrated businesses and consumers, and cyber threats have become a major economic issue for SMEs because of their limited IT budgets, financial restrictions and limited resources [3]. Many aspects, such as information and access control, business continuity and strategic policies, should be taken into account to deal with security issues across different levels. A review of existing standards could be useful for addressing these issues and implementing strategic policies across all levels. This paper focuses on a review of GPs' clinical security, to gain a clear view of GPs' existing practices in digital information and internal management and, based on the findings, to propose effective policies that fit their operational practices. Throughout the research, a survey will be conducted with GP professionals in different organisations to collect information. Different security frameworks will be reviewed and compared in detail, and their efficiency and level of adaptation evaluated, by reviewing and critiquing the existing policy standards. At the end of this research, a best-practice security policy framework will be developed as a recommendation for GPs to implement or adopt as the baseline for e-health information security.

Keywords: Information Security, SME Policies, security framework.


2. Introduction

In South Australia, SMEs hold a major role in the state economy, accounting for 99.8% of businesses and forming a major export industry for the state [1]. Business success increasingly depends on reliable IT infrastructure and digital assets; many business models have shifted to e-commerce to reach more opportunities, and many business operations have been computerised [2]. Security has become a main concern because SMEs are vulnerable targets compared with large companies or corporations [3]. IT risk is relatively higher for SMEs not only because they lack expertise and practice in handling security threats, but also because they lack the financial capability to invest in IT infrastructure and security management [4]. Many SMEs have no strategic security policies, which causes them huge business losses when security is breached. Some SMEs do have IT security policies, but these do not suit the individual business's characteristics or structure because of the complexity of the policies, and many are adopted from others' existing policies that do not fit their own business [5]. With IT security threats increasing, SMEs should prepare themselves to avoid huge business losses and continue to survive in a competitive environment. This research discusses how a security policy should be created according to the company's size, structure, financial capability for IT adoption and business environment to achieve maximum security efficiency. It also focuses on Australian SMEs in healthcare, particularly GPs, and the IT security within that industry, to establish the level of security and the problems that exist and to suggest how to create policies that GPs can adopt with best practices and that satisfy information security standards and practices.


3. Literature Review

3.1 SME Characteristic

It is important to define and understand the nature of SMEs in Australia in order to develop strategic security policies that match SMEs' capabilities. According to the SME statistical analysis report of the Australian Government Department of Industry, Innovation, Science, Research and Tertiary Education, SMEs are defined as follows:

| Business Type | Size of Employment |
|---|---|
| Micro Businesses | 0-4 |
| Small Businesses | 5-19 |
| Medium Businesses | 20-199 |
| Large Businesses | >200 |

Small businesses are the backbone of the South Australian state economy, making up 98% of all businesses and employing one third of the state workforce [1]. Many SMEs provide customised services or products to customers or markets. Cooperation and collaboration among small businesses are becoming more common. Many SMEs in South Australia operate as family businesses managed by the founders, family members or others. The business owner normally deals directly with customers and is the core of the business [8]. According to a report published by the Australian Communications and Media Authority (ACMA), more than 94% of SMEs in Australia use the internet for daily communication and operation, including email, online banking and other communication or business processes. Use of online cloud services has also increased, to a figure of 47% [9]. Moreover, because of their limited financial capability, SMEs that have computerised their business rarely update their software or technology infrastructure. This makes them more vulnerable and easy targets for security threats, and increases the risk of losing IT and information assets [10]. All of this shows a trend of SMEs adopting technology as part of the digital transformation of business processes and daily operations. It raises concern about the compliance of the technology used and about management in SMEs, which tend to ignore the risk or assume that they are unlikely to encounter a cyber-attack on their business; this leads to high risk and greater business losses when one happens [5].

3.2 Security Areas of Concern for SMEs

Because of their limited financial capability, operating standards and management, time constraints and limited expert knowledge of information technology management, SMEs lack a systematic approach to organising their business processes and underestimate IT security risk [12]. Many SME managers do not see themselves as potential targets for hackers or intruders compared with large companies, and so lower the priority of IT security to minimise expenses. This misconception creates huge threats to the modern IT infrastructure that SMEs use. Another aspect that is often underestimated is information control within individual SMEs. Statistics show that many security issues arise not only from external factors such as hackers or intruders but also from internal factors such as poor information control by employees, and from the working environment and culture [11]. Knowledge of how to deal with a situation and how to use assets to benefit the business is among the most important assets of an SME, and proper security measures have to be taken to protect all valuable assets from intrusion. These measures should cover human factors such as malicious or disgruntled employees and former employees. This has become increasingly important because the IT infrastructure used by many SMEs is involved in the business or services provided to customers, and SMEs also use it for business operations and processes such as internet access at every work desk, remote access, BYOD, cloud storage, ERP and CRM systems [20]. The relationships between all IT infrastructure components, as well as between users, have to be properly defined in order to arrive at policies that cover all security aspects in the SME.

IT management and information security have become crucial processes, and most SMEs are much less prepared for potential internal and external risks.

3.3 Scenario of Security Threats

SMEs have limited capability, and so most ignore or underestimate security risk. However, there are a few crucial areas that every SME must consider even if it lacks the financial capability to implement security infrastructure or evaluation; for example, data has become the most vulnerable target in SME security [6]. All sorts of information can be obtained from an SME's data. Confidential data is often breached during cyber-attacks as well as through internal factors such as former employees leaking account access information, espionage, etc. This can cause the company huge business losses and, in severe cases, force the business to shut down. According to reports from Symantec, the number of detections of ransomware increased by 36 percent during 2016, from 340,000 in 2015 to 463,000 during 2016. The daily rate of antivirus detections for ransomware also increased during 2016, averaging approximately 846 per day at the beginning of the year and rising to more than 1,539 a day at year end [7]. SMEs are in fact the major victims of ransomware attacks. In the recent global WannaCry ransomware attack, a large number of SMEs were reported to have been affected because their IT infrastructure was not properly secured. Because of a lack of resources and IT knowledge, many SMEs still run their daily business operations on outdated software such as Windows XP, for which services and updates have stopped, and Windows 7, whose security problems allowed the ransomware to run rampant [7] [13].

3.4 Approach to Security Policy for Different Levels in SME

3.4.1 Structure

Unlike large companies, which have the capability to invest in the organisational aspects of IT security, SMEs usually ignore or abandon these areas. This creates a huge security risk because, whatever the size of the organisational structure, a missing strategy and missing documentation on IT security lead to much uncertainty and risk when the SME encounters security issues. Many SMEs have no standard or basic protocols, or any idea of how to deal with a security breach when it happens [16]. The culture of security practice within the organisation is highly important because day-to-day operations rely on the decisions of the IT administration or those in IT administration roles; simple strategic policies therefore have to be developed, and systematic documentation prepared and kept for future reference [18]. A clear and specific strategic guideline that helps administrative personnel to properly access and control IT security must be provided. The roles of personnel within an SME should be properly defined. Any cross-related roles have to be properly defined so that information is secured not only from a technical perspective but also with regard to psychological and social factors. In terms of management, SMEs could adopt the basic 3Ps concept in security (Process, Policies and Procedures) to prevent information leakage from internal causes [].

3.4.2 Process & procedure

For SMEs, business processes and procedures are the key to reviewing the stability and security of the business. Properly controlling and following business procedures during a business process can effectively reduce security risk. For the use of ICT such as the internet, email, transactions and information registration, as well as systems such as CRM, ERP, POS and EMD across all industries, there must be a standard procedure to follow, and policies have to be properly documented.

3.4.3 Establish or Adopt Policy

Having a security policy is crucial for SMEs. Information security frameworks from large corporations or government institutions can be reviewed and then adopted or modified, keeping a certain level of service quality and security policy, so as to cover all the major areas of security while remaining feasible for companies with low IT budgets.

However, management and practice are the main security concerns, and so the policies should include factors such as the relationships and roles of information technology users.

[Figure: Process, Procedure, Policies]

A clear view of the roles in an organisation allows an SME to better define role characteristics and job descriptions in order to set up access control and management efficiently, and gives it a clear view of processes and management according to the nature of each job or position. Most SMEs face limited IT budgets and might have no IT administrator, so employees of small companies often have to multitask or handle business processes that were not part of their initial job description, such as IT management. This issue has to be addressed and reviewed so that the policies cover the management of information system infrastructure security measures and define the job positions that may be involved in IT administration.

3.5 Basic Policies Coverage

IT security policies in SMEs must consider not only the requirements of information security from a technical perspective, but also psychological and social factors, which influence the role of information security policies in companies. Roles and user positions have to be specified to avoid complex cross-relations in access control authority over the IT infrastructure. Most SMEs either have their own IT administrator or have none; those without one may rely heavily on a third party through outsourcing, and different policies should be established to ensure security.

3.5.1 Crucial Roles of IT Administrator

[Figure: Roles, Management, Process]

IT administrators are responsible for all technical issues, including information security. The IT administrator's job description varies depending on the work culture and environment. It includes tasks such as assigning and modifying user access in operating systems, setting up and maintaining internet connections, maintaining the IT infrastructure, handling security protocols, and managing policies and documents. In many cases, because of limited budgets or capabilities, SMEs have no clearly defined IT administrator role, and the role may shift to employees who hold other positions within the company. These people bear far more responsibility and pressure, or lack the resources or knowledge, so they often neglect security. Security is not easily visible and therefore often not rewarded appropriately by management; engagement in security is sometimes even hindered or at least ridiculed. Usually security aspects receive higher priority only after the company has been hit by a serious incident [14]. Regarding the amount of available IT personnel resources, the following three scenarios are most common in SMEs:

1. No dedicated IT administrator: One of the employees manages the IT network and security in addition to his or her normal duties. Unclear or undefined assignment of responsibility, missing policies, limited resources and knowledge, and minimal security safeguards usually characterise this scenario. Financial investment in IT security is considered only after a major incident has occurred, such as a hacking attack, data breach, loss of data due to non-existent backup strategies, ransomware or malware infection.

2. One dedicated IT administrator: This scenario maximises management's dependency on the IT administrator. Security issues occur when an external administrator or IT service company is assigned to fulfil the necessary IT administration tasks without a clearly adopted security policy or framework between the company and the third-party administration service provider. Even where the company has an employed IT administrator, policies and standard documentation might not exist, and when an incident happens the IT administrator cannot fulfil or proceed with further tasks.

3. More than one dedicated administrator: This scenario reduces the dependency on a single IT administrator and allows mutual controlling and overlapping responsibilities. In this scenario, the policy on security and on the administrators' roles has to be clear and specific, because responsibilities and job tasks may overlap. Cross-position and task reviews have to be carried out to prevent confusion when handling IT and security issues.

3.5.2 Outsourcing

In most cases, SMEs engage an outside IT administrator and have no IT administrator of their own within the company. In this case, the SME is the user of the IT infrastructure and relies mostly on the outsourced third party to manage that infrastructure and provide business support. A clear security policy therefore has to be established between the SME and the external IT consultants. Clearly understanding the processes and procedures, and how the external IT consultant works, is a crucial part of outsourcing, so that both parties follow a common compliance standard in security management and minimise security risk. Engaging external security consultants and arranging security audits can be a viable way to reduce the potential risks of having only one or a few IT administrative personnel or of being supported by a single IT service company. Combining the introduction of external consultants with training programs for employees can reduce the risk of internal resistance to an external auditing program. The results of an audit always have to be presented as suggestions for enhancement and not as criticisms of the personnel's achievements. Having policies to perform security audits on a regular basis, for example once or twice a year, can significantly and effectively reduce the dependence on the IT administrators [14] [19].

3.6 Review on Security Policy Guideline

It is important to understand the fundamentals of information security and its major aspects: policies, procedures and standards. The information security policy process should involve identifying best practices and applicable law, reviewing current policies, deriving security controls, populating the security control framework, and determining format and policy titles [22]. It is also important to review existing security policies from different areas as potential guidelines for deriving a framework that can be adopted and is flexible enough to change, since different industries have different views and requirements for information system security. Nevertheless, security is a main factor in the success of a business, which needs to adopt policies and review them against practice to avoid unnecessary risk or loss [23].

For SMEs, guidelines on information security published by IT professional institutions and government departments already exist. The issue is managerial: it is difficult to change employee behaviour in practice, so new conceptual frameworks are needed that identify and integrate complex behaviour modification and cultural change [18].

3.7 Review of SME In SA Health Care Industries

The SA healthcare industry consists of many individual or medium-sized GP practices in addition to the large corporate hospitals. SA GP practices are managed independently and operate with limited resources. Although an ICT policy exists for all GPs in SA, it acts as a guideline and might not be followed by GPs if the authorities do not audit and review it. Many SME GP practices might not have the capability to keep up with compliance with the existing policy and to make the changes needed to keep security up to date and controlled to a standard. The existing policies are sets of guidelines and suggestions; many GP practices might not adopt them because establishing the policies, and even managing their documentation, requires resources and time [18].

3.7.1 Issues with Enterprise Patient Administration System (EPAS)

EPAS was introduced by the SA Government authority with the aim of improving efficiency and reducing the time taken for patient information registration, replacing the complex procedures of traditional record keeping using handwriting and file storage, and providing a foundation for delivering the SA state-wide Electronic Health Record (EHR), which is part of the national E-Health Strategy. However, many problems have existed since the system was introduced and need further review. Cases show that the system has errors and that replacing paper-based records caused major functional breakdowns in some rural GP and hospital services. Such an integrated system also raises security concerns: in a recent case described as Australia's biggest data breach of medical information, more than 550,000 customers of the Australian Red Cross Blood Service had personal and medical details exposed online and leaked [17]. These cases have raised major concern about the security of Australian healthcare systems such as EPAS and the national My Health Record system. Data and other security breaches in healthcare have increased, and healthcare services are the 2nd most targeted sector in information security in Australia [7].

3.7.2 Review of e-health Record and clinical management System of GPs

According to the Australian Institute of Health and Welfare, a lack of data causes healthcare data and detailed information to become inaccurate. The major issue is that GPs in Australia do not access or use the national e-health record, because of practice culture and adoption issues with the e-health system. Furthermore, because of financial factors and differences in business model and characteristics, the clinical management systems used by GPs can vary, as can the service providers. The research findings show that there are software vendors suggested by the authorities, but the concern is how many GPs follow the guidelines and how many have established policies with these service vendors. All of this raises concern about the security of patient information. Another issue is that many GPs still use outdated IT infrastructure or software, which makes them vulnerable targets in terms of network and information security: research and surveys show that many GPs still use Windows XP or Windows 7 for basic daily computer operation, which exposes them to security risks such as data breaches and ransomware attacks because the systems are not up to date [13].

According to the research, the Australian Government established a National Health Information Agreement (NHIA) in 2013 between the Australian Government and state/territory government health authorities. It aims to coordinate the development, collection and dissemination of health information in Australia, including the development, endorsement and maintenance of national data standards. However, information systems and policy adoption differ greatly between local GPs and state operations in terms of practice and operating culture, with the result that security and information policies are not implemented or followed effectively [20].


4. Methodology: Research survey of SME Healthcare Policies through review of GPs practices, operation, and management.

The research will combine a theoretical, literature-based study with a survey of professionals associated with GPs. The survey will consist of a series of questions derived from the need to understand South Australian GP practices, structured to draw out the security problems that exist in the local healthcare system. Interviews and survey questions will be conducted, and the information and data collected will be used to gain a better understanding and to derive an effective security policy framework for GPs.

4.1 Literature Based

My research will begin with a review of published research papers in the field of SME security policy and of other related sources such as government statistics and websites. Because the research topic is considered new and involves many different issues in SME security, it is difficult to draw a detailed boundary around security; the scope can therefore be narrowed to the GP healthcare industry and its information security practices, standards and policies, for which more reference resources are available.

Using the information gathered from the literature and from papers published online by trustworthy sources, I am able to put the aims and objectives of my research into perspective together with the evidence from the survey. This allows me to derive conclusions and recommendations on security policy for the GP industry, and the research could later be extended to other industries.

4.2 Survey Analysis

The survey will provide the key findings and evidence to support my thesis. With its results I will be able to analyse and better understand GPs' practices, views and awareness of information security, which will allow me to develop an effective framework and guideline for the GP community in South Australia. My hypothesis is that GPs' awareness of information security is very low: based on the findings, GPs face issues in adopting new digital healthcare systems, which could lead to security exposure as part of their practice. The survey could prove this hypothesis and these findings. Interviews with local GP associations could provide more detailed information and a clear view of local GP operations and business processes. The following is the example survey questionnaire that will be used during the interviews, with the aim of extracting further information on GP operations and information management.


Survey Question

Section 1 Organisation view

- Practice / operation

1. Review the organisation structure of the individual GP clinic: organisation flow, size, existing roles.

Understanding the clinic organisation chart allows us to understand the management and roles of each GP or clinical function. Ideally, a standard and general conclusion can be obtained that gives a clear view of local GP operating procedures.

2. Do all GP clinics have clear roles and job descriptions, as well as access control on the database?

This is one of the major issues, and it is important for understanding GP clinic operations because access control is crucial for security. Many data or information leakage issues are due to internal human factors, such as general daily work habits and practices, which lead to security problems.

3. Does the clinic or workplace have an IT administrator role? If not, how does the organisation manage its ICT?

This question aims to establish whether all SME GP practices have an IT administrator role in the organisation. It links to the point made earlier in the literature findings: management of information security and IT requires clear roles and processes and relies heavily on the IT administrator role. If an organisation has no clear role or job description stating who is responsible for a given aspect of information security management, this is a huge risk, because when an incident happens no one will be able to handle the situation.

4. (Only answer if the answer to question 3 was negative: no IT administrator.) Does your organisation outsource to any IT company to provide support and services?

Section 2 Information Technology view

5. Is it possible to know which clinical management system is in use by local GPs? Do they have different providers, or do the systems mostly come from a single provider? Do GPs follow the guidelines when implementing or outsourcing software or infrastructure?

This question is needed to identify the providers of the systems that GPs currently operate, which links to the crucial issue of outsourcing third-party software and IT management by individual SME GP practices. According to the research findings, the Australian Government Department of Human Services and the Australian Digital Health Agency (ADHA) both have documents and resources on clinical software vendors that state features and functionality; it is important to know whether GPs follow these guidelines when selecting software products.

6. Does the clinical software support the features and functions that are mandatory for the health ethics and practices listed by the government department?

7. Does your organisation follow the guidelines for using the healthcare system? For example, the clinical system supports the national or state healthcare strategy.

8. Does your organisation use a cloud system in the clinical management system?

9. How do you store and manage the clinical data? This includes patient data and management and financial records.

10. How do you share patient information and records with other related bodies or organisations, such as Pathology or a Public Hospital?

11. Does your software and system support online Medicare claiming?

12. Are you aware of the online guidelines for clinical software service providers and the standards that exist in professional institutions, agencies or government departments such as the Australian Digital Health Agency or the Australian Department of Human Services?

Section 3 Security Overview

13. Has your company ever faced or encountered any security breach issues?

14. Does your organisation have proper physical security controls or monitoring, for example CCTV security monitoring?

15. Does your organisation's management system have antivirus, a firewall or any related software installed?
- If so: does your organisation update or renew its security software?

16. Does your organisation have a document that clearly identifies and states the access controls for access to information systems or applications?

17. Do you ever allow your co-workers to access your personal work desk computer?

18. Have you ever used the organisation's or a work computer to download other content that is not related to work?

19. Does your organisation have a clear view of roles and job descriptions?

20. Do any policies exist between the GPs and all the service providers? This includes all sorts of systems and software in use, such as billing, transaction and medical record systems.
- If so, have such policies been documented or reviewed?
- If not, could you state the reason why no policies and standards exist in your organisation?

It is important to understand all the operational systems used by the GPs on a daily basis, whether the service providers have established standard policies regarding security, and whether those policies have been reviewed or are up to date.

21. Are the GPs aware of any existing information regarding information security policies, standards or guidelines published online by the government or professional institutions?

This question aims to find out how many GPs are aware of the existing guidelines and policies regarding information security, and how many GPs actually take action or put resources, time and practice into managing information security.

Section 4 Barrier/Inhibition Overview

22. What is the reason your organisation does not have standard information security policies?

23. Does your organisation have issues or trouble using the existing healthcare system?

24. Do the organisation's members have fundamental training or awareness regarding information security?

5. Timeline

Schedule for Semester 2, 2017

Initial of the research

Period One 27 February – 27 March
- Arranged supervision by finding and confirming a research topic supervisor.
- Arranged the research topic area.

Period Two 28 March – 30 April
- Finding literature for review
- Confirming the area of the research topic
- Narrowing the scope of the research

Period Three 1 May – 27 June
- Review the construction of the proposal
- Review the content of the literature review

Period Four 28 June – 27 July
- Construct the methodology
- Continue reading papers
- Extract findings
- Prepare survey questions

Period Five 28 July – 28 Sept
- Finalise survey questions
- Complete ethical approval
- Establish contacts
- Undertake the survey process

Period Six 29 Sept – 20 Oct
- Write the thesis
- Finalise collection of survey responses
- Construct data for analysis of findings
- Initial presentation of the research paper

Period Seven 21 Nov – 1 Dec
- Continue writing the thesis
- Submit the thesis
- Complete the research

6. References

1. StateDevelopmentSA, ‘2016 South Australian Small Business Statement’ [Online]. Available: https://statedevelopment.sa.gov.au/upload/small-business/small-business-statement.pdf?t=1493337600023

2. Kalakota, R. and Robinson, M., 1999. e-Business. Roadmap for Success: Addison Wesley.

3. Onwubiko, C. and Lenaghan, A.P., 2007, May. Managing security threats and vulnerabilities for small to medium enterprises. In Intelligence and Security Informatics, 2007 IEEE (pp. 244-249). IEEE.

4. Eva Maria Falkner, Martin R.W. Hiebl, (2015) "Risk management in SMEs: a systematic review of available evidence", The Journal of Risk Finance, Vol. 16 Issue: 2, pp.122-144.

5. Bulgurcu, B., Cavusoglu, H. and Benbasat, I., 2010. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS quarterly, 34(3), pp.523-548.

6. Saripalli, P. and Walters, B., 2010, July. Quirc: A quantitative impact and risk assessment framework for cloud security. In Cloud Computing (CLOUD), 2010 IEEE 3rd International Conference on (pp. 280-288). IEEE.

7. Symantec, 2017, Internet Security Threat Report Vol 22, April 2017 [Online]. Available: https://s1.q4cdn.com/585930769/files/doc_downloads/lifelock/ISTR22_Main-FINAL-APR24.pdf

8. Swanepoel, J.A. and Harrison, A.W., 2015. The business size distribution in Australia.

9. ACMA Australia Government, (Jan 2014) "Communication report 2012-13 series: Report 1—Australian SMEs in the digital economy".

10. Clusel, S., Guarnieri, F., Martin, C. and Lagarde, D., 2013, September. Assessing the vulnerability of SMEs: a qualitative analysis. In 22nd European Safety and Reliability Conference-ESREL 2013 (pp. 8-pages). CRC Press.

11. Ongori, H. and Migiro, S.O., 2010. Information and communication technologies adoption in SMEs: literature review. Journal of Chinese Entrepreneurship, 2(1), pp.93-104.

12. Dimopoulos, V., Furnell, S., Jennex, M. and Kritharas, I., 2004, November. Approaches to IT Security in Small and Medium Enterprises. In AISM (pp. 73-82)

13. ACSC, News: Ransomware campaign impacting organisations globally, May 2017 [Online]. Available: https://www.acsc.gov.au/news/ransomware-campaign-impacting-organisations-globally.html

14. Weippl, E. and Klemen, M., 2006. Implementing IT security for small and medium enterprises. Enterprise Information Systems Assurance and System Security: Managerial and Technical Issues, p.112.

15. Levy, M., Powell, P. and Yetton, P., 2002. The dynamics of SME information systems. Small Business Economics, 19(4), pp.341-354.

16. MacGregor, R. and Vrazalic, L., 2008. A profile of Australian regional SME non-adopters of e-commerce. Small Enterprise Research, 16(1), pp.27-46.

17. OAIC, Investigation Report: DonateBlood.com.au data breach (Australian Red Cross Blood Service), August 2017 [Online]. Available: https://www.oaic.gov.au/resources/privacy-law/commissioner-initiated-investigation-reports/donateblood-com-au-data-breach-australian-red-cross-blood-service.pdf

18. Dojkovski, S., Lichtenstein, S. and Warren, M., 2006, January. Challenges in fostering an information security culture in Australian small and medium sized enterprises. In ECIW2006: proceedings of the 5th European conference on Information Warfare and Security (pp. 31-40). Academic Conferences Limited.

19. Pai, A.K. and Basu, S., 2007. Offshore technology outsourcing: overview of management and legal issues. Business Process Management Journal, 13(1), pp.21-46.

20. Dojkovski, S., Lichtenstein, S. and Warren, M.J., 2007, January. Fostering Information Security Culture in Small and Medium Size Enterprises: An Interpretive Study in Australia. In ECIS (pp. 1560-1571).

21. National Australia Bank, 2017. Chapter 1: Moment that matter: understanding Australia SMEs. [Online]. Available: https://business.nab.com.au/wp-content/uploads/2017/06/J002580_MTM-Whitepaper-IPSOS-FINAL_C1-2.pdf

22. Douglas J. Landoll, Information Security Policies, Procedures, and Standards: A Practitioner's Reference. Chapter 6: Information Security Policy Project.

23. Bahmanziari, T., Pearson, J.M. and Crosby, L., 2003. Is trust important in technology adoption? A policy capturing approach. Journal of Computer Information Systems, 43(4), pp.46-54.
