The rapid proliferation of mobile devices makes mobile security a weak point in many organisations’ security management. Though there are a number of frameworks and methods available for improving security management, few of these target mobile devices, and most are designed for large organisations. Small and medium size organisations are known to be vulnerable to mobile threats, and often subject to the same legal requirements as larger organisations (for example the European General Data Protection Regulation). However they typically lack the resources and specialist competences necessary to use the available commercial frameworks. This article describes an Action Design Research project to devise and test a low cost, low learning curve framework for improving mobile security management. The project is conducted together with a small Swedish consulting company with the pseudonym Novukon. The results show that simple theoretical models can be integrated with well-known analysis techniques to inform managers and provide practical help for small companies to improve mobile security practice. A set of nine design principles are included to guide further research.

Aguilar, F. J. (1967). Scanning the business environment. New York: Macmillan.

Allam, S., Flowerday, S. V., and Flowerday, E. (2014). Smartphone information security awareness: A victim of operational pressures. Computers and Security, 42, 55–65.

Ashenden, D. and Lawrence, D. (2013). Can We Sell Security Like Soap? A New Approach to Behaviour Change. New Security Paradigms Workshop 2013, 87–94.

Barbier, J., Bradley, J., Macaulay, J., Medcalf, R., and Reberger, C. (2012). BYOD and Virtualization - Top10 Insights of Cisco IBSG Horizons Study. CISCO IBSG Horizons, 1–5.

Brodin, M. (2015). Combining ISMS with Strategic Management: The case of BYOD. IADIS International Conference Information Systems, 161–168.

Brodin, M. (2016a). BYOD vs. CYOD - What is the difference? IADIS International Conference Information Systems. Vilamoura, Portugal.

Brodin, M. (2016b). Management of Mobile Devices – How to Implement a New Strategy. Proceedings of the 27th International Business Information Management Association Conference: Innovation Management and Education Excellence Vision 2020: From Regional Development Sustainability to Global Economic Growth, 1261–1268.

Brodin, M. (2016c). Mobile device strategy - A management framework for securing company information assets on mobile devices. Licentiate Thesis. Skövde.

Brodin, M. (2017). Mobile Device Strategy: From a Management Point of View. Journal of Mobile Technologies, Knowledge and Society, 2017, 1–9.

Brodin, M. (2019). A Framework for GDPR Compliance for Small- and Medium-Sized Enterprises. European Journal for Security Research, 4(2), 243–264.

Brodin, M. and Rose, J. (2019). Mobile information security management for small organisation technology upgrades : the policy-driven approach and the evolving implementation approach. Int. J. Mobile Communications, X(Y), ??

Brodin, M., Rose, J. and Åhlfeldt, R.-M. (2015). Management issues for Bring Your Own Device. European, Mediterranean and Middle Eastern Conference on Information Systems 2015, 2015, 1–2.

Da Veiga, A. and Eloff, J. H. P. (2007). An Information Security Governance Framework. Information Systems Management, 24(4), 361–372.

Dimensional Research. (2017). The growing threat of mobile device security breaches the growing threat. Retrieved April 29, 2019, from www.dimensionalresearch.com

Fani, N., Solms, R. Von, and Gerber, M. (2016). A framework towards governing Bring Your Own Device in SMMEs. 2016 Information Security for South Africa (ISSA), 1–8.

Freeman, R. E. (1984). Strategic management: A stakeholder approach. Pitman: New York.

Garvey, P. R. and Lansdowne, Z. F. (1998). Risk matrix: an approach for identifying, assessing, and ranking program risks. Air Force Journal of Logistics, 22(1), 18–21.

Harris, J., Ives, B., and Junglas, I. (2012). IT Consumerization: When Gadgets Turn Into Enterprise IT Tools. MIS Quarterly, 2012(September), 99–112.

Hashim, J. (2015). Information Communication Technology ( ICT ) Adoption Among SME Owners in Malaysia. International Journal of Business and Information, 2(2), 221–240.

iPass. (2018). 2018 Mobile Security Report. Retrieved April 29, 2019, from https://www.ipass.com/wp-content/uploads/2018/03/iPass-Mobile-Security-Report-2018.pdf

Isaca. (2013). COBIT: A Business Framework for the Governance and Management of Enterprise IT.

ISO/IEC. (2016). ISO/IEC 27000:2016 - Information security management systems - Overview and vocabulary.

Johnson, G., Whittington, R., Scholes, K., Angwin, D., and Regnér, P. (2015). Fundamentals of strategy (3rd, Ed.). Harlow: Pearson Education.

Lepofsky, R., and Lepofsky, R. (2014). COBIT® 5 for Information Security. In The Manager’s Guide to Web Application Security:

Mendelow, A. L. (1981). Environmental Scanning - The Impact of the Stakeholder Concept. ICIS 1981 Proceedings, 20.

Miller, R. E. and Varga, J. (2011). Benefits of Enabling Personal Handheld Devices in the Enterprise - Intel. (May), 6.

MobileIron. (2017). Mobile security and risk review - Third edition.

Musarurwa, A. (2019). The bring-your-own-device unintended administrator : A perspective from Zimbabwe. Electronic Journal of Information Systems in Developing Countries, (January).

Sein, M. K., Henfridsson, O., Rossi, M., and Lindgren, R. (2011). Action Design Research. MIS Quarterly, 35(1), 37–56.

Selviandro, N., Wisudiawan, G., Puspitasari, S., and Adrian, M. (2015). Preliminary Study for Determining Bring Your Own Device Implementation Framework Based on Organizational Culture Analysis Enhanced by Cloud Management Control. 2015 3rd International Conference on Information and Communication Technology (ICoICT), 113–118.

Skycure. (2016). Mobile Threat Intelligence Report.

Supyuenyong, V., Islam, N., and Kulkarni, U. (2009). Influence of SME characteristics on knowledge management processes The case study of enterprise resource planning. Journal of Enterprise Information Management, 22(1/2), 63–80.

Verry, J. (2012). How much does ISO 27001 Certification Cost? Retrieved October 23, 2019, from PivotPoint Security website: https://www.pivotpointsecurity.com/blog/iso-27001-cost-estimate-48000-information-security-confidence-priceless/

Wandera. (2017). Summer breaking records in temperatures, roaming data and mobile malware.

Wandera. (2018). Understanding the mobile threat landscape in 2018.

Zahadat, N., Blessner, P., Blackburn, T., and Olson, B. A. (2015). BYOD security engineering : A framework and its analysis. Computers & Security, 55, 81–99.