Publication Date



Small businesses thrive in the developing economy of South Africa and address the important issue of unemployment and poverty that exists in the country. A large number of these businesses can be found in the province of Gauteng due to the large and diverse economic contribution the province delivers to the economy of South Africa. With the increased use of Information Systems (IS) by small businesses across the Gauteng province and in South Africa generally, there is increasingly constant exposure to information security risks. Interestingly, standards such as NISTIR 7621 specifically tailored to small businesses and which could offer great insights on how to manage security risks are by and large not followed to the letter. We find in our work that owner-managers prefer to handle matters of security ‘in their own terms’ and apply neutralisation (termed rationalisation) techniques to overcome the effects posed by security threats. We used four instrumental cases for this purpose. Our findings suggest that neutralisation manifests as values held by owner-managers and this can often create the unintended consequences of exacerbating security risk to these small businesses.