Trends in information technology (IT) are enabling even the smallest of firms not only to be IT-equipped but also to achieve previously unreachable levels of information technology sophistication. Even so, 65% of small- and medium-sized businesses have not devised a disaster recovery plan. This research study asked small business executives two questions: "What disaster recovery practices are appropriate to protect against a disaster?" and "Why are these practices adopted?" This paper discusses the results from a Delphi study of nine executives.

The results of the Delphi study include two lists of ten items deemed to be the most important, one enumerating disaster recovery practices and the other listing the reasons for either adopting or not adopting these practices. A consensus among the Delphi panelists was not achieved, perhaps because of the preventative and clustered nature of disaster recovery. Each identified reason coincided with theoretical constructs of classical innovation diffusion theory, suggesting it to be an appropriate theoretical perspective for information security research.

Agarwal, R., and Prasad, J. (1997), "The role of innovation characteristics and perceived voluntariness in the acceptance of information technologies," Decision Sciences, 28(3): 557-582.

Ajzen, I. (1991), The theory of planned behavior. Organizational and Human Decision Processes, 50: 179-211.

Baskerville, R. (2005), "Information Warfare: A comparative framework for business information security," Journal of Information System Security, 1 (1): 23-50.

Betts, M. (1999), Businesses worry about long-term data losses. Computerworld, 33(38): 22.

Buffington, J. L. (1997), "Today's window of exposure for data loss," Computer Technology Review, Winter, 74-81.

Burrell, G. and Morgan, G. (1979), Sociological Paradigms and Organizational Analysis. Heinemann, London.

Carland, J. W., Hoy, F., Boulton, W. R., and Carland, J. C. (1984), "Differentiating entrepreneurs form small business owners: A conceptualization," Academy of Management Review, 9(2): 354-359.

Cazier, J.A. and Medlin, B.D. (2006), "How secure is your password? An analysis of e-commerce passwords and their crack times," Journal of Information System Security, 2(3): 69-82.

Colraine, R. (1998), "Protect more, recover faster is the rule," Computing Canada, 24(30): 34.

Connor, D. (2006a), Hurricanes to test disaster recovery. Network World, 23(24), 12.

Connor, D. (2006b), The new face of disaster recovery. Network World, 23(18), 32 and 34- 36.

Copeland, M. V. (2006), The mighty micro-multinational. Business 2.0, 7(6), 107-114.

Cragg, P. B., and King, M. (1993), "Small-firm computing: Motivators and inhibitors," MIS Quarterly, 17(1): 47-60.

d'Amboise, G., and Muldowney, M. (1988), "Management theory for small business:Attempts and requirements," Academy of Management Review, 13(2): 226-240.

Davis, F. (1989), "Perceived usefulness, perceived ease of use, and user acceptance of information technology," MIS Quarterly, 13(3): 318-339.

Delone, W. (1988), "Determinants of success for computer usage in small business," MIS Quarterly, 12(1): 50-61.

Dhillon G. and Backhouse, J. (2001), "Current directions in IS security research: towards socio-organizational perspectives," Information Systems Journal, 11(2): 127-153.

Duke, B. (2006), "Data security: behind the headlines," ABA Banking Journal, 97(8): 18.

Eckert, B. (2006), "Protect computerized data with off-site backups," Nursing Homes, 55(5): 42.

Essex, D. (2000), "Data resurrection," Computerworld, 34(10): 76-78.

Ferelli, M. (2001), "Disaster recovery tips: Steps you should take today for the future," Computer Technology Review, 21(1): 10.

Fishbein, M., and Ajzen, I. (1975), Beliefs, Attitude, Intention and Behavior: An Introduction to Theory and Research. Reading, MA: Addison-Wesley.

Freeman, E. Q. (2000), "E-merging risks: Operational issues and solutions in a cyberage," Risk Management, 47(7): 12-15.

Gartner. (2002), Gartner says most small and midsize businesses are not prepared for a crisis. Retrieved August 2, 2006, from http://www.dataquest.com/press_gartner/quickstats/busContinuity.html

Gibb, F., and Buchanan, S. (2006), "A framework for business continuity management," International Journal of Information Management, 26(2): 128-141.

Harada, R. (2003), "Are You Prepared for Long-Term Data Preservation," Computer Technology Review, October, 23(19): 8.

Hawkins, S. M., Yin, D. C., and Chou, D. C. (2000), "Disaster recovery planning: A strategy for data security," Information Management and Computer Security, 8(5): 222- 229.

Igbaria, M., Zinatelli, N., Cragg, P. B., and Cavaye, A. L. M. (1997), "Personal computing acceptance factors in small firms: A structural equation model," MIS Quarterly, 21(3): 279-302.

ISO/IEC (2000), ISO/IEC 17799: Information technology — Code of practice for information security management (International Standard ISO/IEC 17799:2000(E)). Geneva: International Standards Organization.

Janusz, C. (1993), "Selecting UPS systems for midrange computers," Computer Technology Review, 13(11): 110-112.

Karahanna, E., Straub, D. W., and Chervany, N. L. (1999), "Information technology adoption across time: A cross-sectional comparison of pre-adoption and post- adoption beliefs," MIS Quarterly, 23(2): 183-231.

King, C. (1996), "Powerful protection for Windows 95 workstations," Computer Technology Review, Fall/Winter, 28-31.

King, J. L., Gurbazani, V., Kraemer, K. L., McFarlan, F. W., Raman, K. S., and Yap, C. S. (1994), "Institutional factors in information technology innovation," Information Systems Research, 5(2), 139-169.

Kontzer, T., and Greenmeier, L. (2006), "Sad state of data Security," InformationWeek, 1070, 18-21.

Korzyk, A.D., Sutherland, J.W., and Weistroffer, H.R. (2006), "A conceptual model for integrative information systems security," Journal of Information System Security, 2(1): 44-59.

Kotulic, A. G., and Clark, J. G. (2004), "Why there aren't more information security research studies," Information and Management, 41(5): 597-607.

LaPage, A., and Gaylord, K. (2003), "Protect against data loss with W2K's backup utility," Windows Professional, 8(2): 8-12.

Lewis, D. (2005), "Personal disaster recovery software: An essential part of business disaster recovery plans," Computer Technology Review, 25(6): 10.

Lowry, P., Romans, D., and Curtis, A. (2004), "Global journal prestige and supporting disciplines: A scientometric study of information systems journals," Journal of the Association for Information Systems, 2004, 5(2): 29-75.

Lowenthal, S. and Robidoux, B. (1992), "Disk mirroring under AIX protects against critical data Loss," Computer Technology Review, Fall, 12(14): 49-52.

Marlin, S. (2005), "Data losses blamed on stores and software," InformationWeek, 1037, 30.

Marshall, J., and Heffes, E. M. (2006), "Surveys: Data losses spur consumer flight," Financial Executive, 22(1): 10.

Mearian, L. (2005), "IT managers criticize federal data-loss bill," Computerworld, 29(30): 10.

Molina, J. (1996), "A RAID status report," Computer Technology Review, 16(9), September, 44-5.

Moore, F. (1999), "Long term data preservation," Computer Technology Review, Third Quarter, 32-33.

Mylonopoulos, N., and Theoharakis, V. (2001), "On-site: Global perceptions of IS journals," Communications of the ACM, 44(9): 29-33.

Nooteboom, B. (1988), "The facts about small business and the real values of its 'life world': A social philosophical interpretation of this sector of the modern economy," American Journal of Economics and Sociology, 47(3): 299-314.

NPower. Communications, protection, readiness (CPR): NPower's nonprofit guide to business continuity and disaster recovery. Retrieved August 2, 2006, from http://npowerny.org/sites/npower_ny/files/page/CPR.pdf

O'Bannon, I. M. (2006), "Beep, beep, beep...back it up," CPA Technology Advisor, 16(2): 20-21.

Okoli, C., and Pawlowski, S. D. (2004), "The Delphi method as a research tool: an example, design considerations and applications," Information and Management, 42(1): 15-29.

Palvia, P. C. (1996), "A model and instrument for measuring small business user satisfaction with information technology," Information and Management, 31(2): 151-163.

Pathasarathy, M., and Bhattercherjee, A. (1998), "Understanding post-adoption behavior in the context of online services," Information Systems Research, 9(4): 362-379.

Patrowicz, L. J. (1998), "A river runs through IT," CIO, 11(2): 36-43.

Premkumar, G., Ramamurthy, K., & Nilkanta, S. (1994), "Implementation of electronic data interchange: An innovation diffusion perspective," Journal of Management Information Systems, 11(2): 157-187.

Phelan, S., and Hayes, M. (2003), "Before the deluge - and after," Journal of Accountancy, 195(4): 57-63.

Phillips, J. T. (1999), "Will data conversion lose your records?" Information Management Journal, 33(4): 56-59.

Rainer, K. and Miller, M. (2005), "Examining differences across journal rankings," Communications of the ACM, 2005, 48(2): 91-94.

Raymond, L., and Pare, G. (1992), "Measurement of information technology sophistication in small manufacturing businesses," Information Resource Management Journal, 5(2): 4-16.

Rike, B. (2003), "Prepared or not...That IS the vital question," Information Management Journal, 37(3): 25-33.

Rogers, E. M. (2003), Diffusion of Innovations (Fifth ed.). New York, NY: Free Press.

Scandura, T. A., and Williams, E. A. (2000), "Research methodology in management: Current practices, trends, and implications for future research," Academy of Management Journal, 43(6): 1248-1264.

Small Business Administration (2008), FAQ's: frequently asked questions: Advocacy small business statistics and research. Retrieved 4 October, 2008 from http://app1.sba.gov/faqs/faqIndexAll.cfm?areaid=24

Street, C. T., and Meister, D. B. (2004), "Small business growth and internal transparency: The role of information systems," MIS Quarterly, 28(3): 473-506.

Surendra, N., Peace, A.G., and Connolly, D. (2008), "The ethics of IT disaster recovery planning: Five case studies," Journal of Information Systems Security, 4(1): 21-40.

Thong, J. Y. L. (1999), "An integrated model of information systems adoption in small businesses," Journal of Management Information Systems, 15(4): 187-214.

Tipton, H.F. and Henry, K. (eds.) (2007), The Official (ISC)² Guide to the CISSP CBK. New York, NY: Auerbach Publications.

Wailgum, T. (2006), "How to play with the big boys," CIO, 19(8): 1.

Wenk, D. (2004), "Is 'Good Enough' storage good enough for compliance?" Disaster Recovery Journal, 17(11): 1-3.

Yi, M. Y., Jackson, J. D., Park, J. S., and Probst, J. C. (2006), "Understanding information technology acceptance by individual professionals: Toward an integrative view," Information and Management, 43(3): 350-363.

Zaltuman, G., Duncan, R., and Holbek, J. (1973), Innovations and Organizations. New York: Wiley.