Date of Award

Spring 5-1-2014

Document Type


Degree Name

Doctor of Science in Information Systems


Business and Information Systems

First Advisor

William Figg

Second Advisor

Stephan Krebsbach

Third Advisor

Surendra Sarnikar


This purpose of this study was to investigate small business security practices by a case study of independent insurance agencies located in seven rural North Dakota counties to better understand concerns in providing basic security needs for their information systems. This study utilized the National Institute of Standards and Technology document “Small Business Information Security: The Fundamentals” (NISTIR 7621) as the guide for determining what information security practices small businesses should be utilizing. This study proposed three research questions: 1) What level of security do independent insurance agencies in rural North Dakota implement when measured against the suggested practices of the NISTIR 7621 guidelines? 2) How do independent insurance agencies in rural North Dakota perceive they could improve their security practices in regards to NISTIR 7621? 3) How do independent insurance agencies in rural North Dakota perceive their rural location impacts their information security practices? To collect the evidence to respond to the research questions, this study utilized a case study design that collected both quantitative and qualitative data from participants. Participants completed a pre-interview survey based on the ten absolutely necessary security actions recommended by NISTIR 7621. The survey was utilized again during the interview portion of the study to assist the participant in understanding the security practice, assess the accuracy of the interviewee’s initial response, and adjust the response if necessary. It was determined small business, on average, fully implemented 24% of the recommended practices. On completion of the survey, participants were interviewed to address the second research question. Participants identified five resources they felt would be necessary to improve their security practices. Interview questions were also asked to address the third research question. A wide majority felt that their rural location has no impact on their information security practices. The findings from this study present some issues of concern. First, the participants are not meeting the practice recommendations even though they do appear to have a good idea of the resources they need. Secondly, most seem to be content with performing an average job or modest effort at any one practice and are reluctant to pursue the resources they would need to reach a higher level of security. Thirdly, as the respondents were interviewed, the general feeling was that there were no imminent threats and the security practices could wait. After thorough analysis, this study suggests that independent insurance agents can improve their security practices by utilizing security awareness training, updating to current operating systems and seeking outside support on more technical matters.