Article

Identification of SMEs in the Critical Factors of an IS Backup System Using a Three-Stage Advanced Hybrid MDM–AHP Model

1 College of Management, National Chin-Yi University of Technology, Taichung 411030, Taiwan
2 Department of Information Management, Hwa Hsia University of Technology, New Taipei City 235, Taiwan
3 Executive Doctoral Business Administration, Danphine University of Business, CEDEX 16, 75775 Paris, France
4 Department of Finance, Chaoyang University of Technology, Taichung 413310, Taiwan
* Authors to whom correspondence should be addressed.
Sustainability 2023, 15(4), 3516; https://doi.org/10.3390/su15043516
Submission received: 7 December 2022 / Revised: 10 February 2023 / Accepted: 12 February 2023 / Published: 14 February 2023

Abstract

Backup system work represents “the last mile” of information security (IS). To avoid data loss or damage, enterprises should execute data backup periodically to ensure the integrity and availability of such data. Additionally, due to the continuous emergence of IS incidents featuring malicious attacks in recent years, major firms in countries around the world have successively reported being under attack by ransomware viruses. In particular, small and medium enterprises (SMEs) became the potential targets of malicious attacks based on their different types of IS awareness and degrees of digitalization; therefore, IS work has become one of the essential topics with special significance for numerous SMEs. To this end, this paper studied the factors influencing SMEs’ adoption of IS backup systems in the hope that the critical decision-making behaviors of SMEs regarding the issue of IS could be learned. Practical suggestions can be made for the marketing schemes adopted by IS manufacturers concerning the planning of IS backup systems. Thus, this study used three methodological stages to address the exciting issue of IS backup systems for SMEs. In the first stage, 11 factors at two hierarchies involving three constructs influencing SMEs’ adoption of IS backup systems were summarized via a literature review. The constructs included financial consideration (FC), the IS incident, and business IS decision making (BISD-M). In the second stage, an expert questionnaire was applied; an advanced hybrid modified Delphi method (MDM) and analytic hierarchy process (AHP) with expert input were constructed to identify the sorting of overall weights based on the 11 factors included in the first stage. Following the empirical conclusions, the top three critical factors were “disaster loss amount”, “enterprise’s downtime”, and “supplier’s contractual requirements”. 
The conclusions of this study indicated that two factors were included in the FC construct; thus, the FC construct influenced IS the most, and the BISD-M construct took second place. In the final stage, through re-checking three actual cases, the results of this study were verified with specific respect to the FC. In conclusion, to popularize IS backup systems among SMEs and fully implement IS, manufacturers may start from the FC in the hope that the severe impact caused by IS incidents featuring malicious attacks can be slowed down and the losses encountered can be lowered. The empirical results and conclusions of this study can be used for reference by SMEs, and both theoretical and empirical foundations have been provided for further studies in academic circles; the results above also show a significant application contribution of this study.

1. Introduction

In this section, the background and motive of the research themes regarding small and medium enterprises (SMEs) and information security (IS) are introduced and explored. In addition, the research highlights and purposes are presented.

1.1. Research Background and Motive

Since traditional SMEs have always played an important role and provided numerous jobs in the process of the high-speed economic development of most countries, SMEs have thus become a main force in the employment market. They have also prevented the industrial structure from being monopolized by a minority of large enterprises [1]. Therefore, they are very important. For example, reported statistical data indicate that the number of employees of SMEs reached 11,521,000 in March 2021 [2]. The relevant data indicated that the number of SMEs reached approximately 1.49 million in 2019, representing 97.65% of the total number of enterprises; the number of people employed by SMEs reached approximately 9.05 million, accounting for 78.73% of the total employed population. Both the number of SMEs and the number of people employed by them have ranked in first place over the years. The total sales volume and the total domestic sales volume of SMEs have reached approximately TWD 12.7 trillion and TWD 11.2 trillion, respectively. It is implied from the data listed above that SMEs play an important role in the stabilization of the economy and the creation of jobs; thus, SMEs have important beneficial effects in terms of shaping a country’s economy.
With the continual development of information technology (IT) and the emergence of the digital era, technologies including big data and artificial intelligence have been frequently used in the workplace. This has resulted in a rapid change in the production environment, and it has had an impact on the associated corporate operation models. Compared with large enterprises, SMEs often lack sufficient resources [3,4,5]; therefore, for SMEs, the utilization of IT for the improvement of their productivity and competitiveness has already become a trend, which further demonstrates the importance of IT for enterprise operations. IT refers to technology that is capable of enhancing enterprises’ productivity and market competitiveness, including devices, systems, networks, data, etc. When an enterprise sustains its operation by relying on IT, it must build a mechanism to control and protect it [6,7]. Otherwise, the exposure of enterprises to threat will increase. However, these existing threats may have a great negative impact on companies, including operation interruption, financial loss, legal liability for data disclosure, etc. In addition to the damages caused to goodwill and customer confidence, such threats will even influence the enterprise’s chance of survival; therefore, greater caution must be taken regarding the issue of IS [8,9].
Although IS is still an unavoidable and active issue for larger sized enterprises, the capacity of SMEs with a relatively insufficient budget and manpower to protect IS will still be required to defend against increasingly malicious attackers. Consequently, they will accumulate a great deal of IS technical debt, leading to being “deep in debt”, due to the rapid changes in attacking techniques. The reason for this lies in the fact that SMEs prioritize the development of core products and the promotion of their business, due to their limited financial resources. As a result, only an extremely small portion of residual resources are allocated to coping with the issue of IS, such as cybersecurity [10,11], with the idea of leaving things to chance; therefore, specifically due to this type of mentality and operation, SMEs become one of the major targets for hackers [12,13].
According to the data regarding the threats from ransomware attack incidents that took place in 2020, a new enterprise is attacked by ransomware every 10 s, on average, worldwide. Furthermore, at least one employee from 46% of enterprises will use a smartphone to download ransomware unintentionally, thus threatening the network and data security of enterprises. In particular, during the global lockdown caused by the COVID-19 pandemic, the number of Trojans that stole data also soared due to the increasing use of mobile phones, according to a report of 2022 interactive cyber security [14]. According to the statistics reported from this event, the computer system was subjected to the most frequent intrusion attacks, accounting for 62.9%, while phishing web fraud took second place (25.2%). These top two categories accounted for nearly 90% in total. The detailed information extracted from a survey of network use by the Taiwan Network Information Center [15] is shown in Figure 1 below. The figure clearly shows that the IS issue is very important to SMEs; thus, this interesting issue motivated this study.
In recent years, because of major negative news events caused by different types of rogue programs including ransomware and backdoor mining, the management level of SMEs has gradually attached importance to the issue of IS (e.g., cybersecurity [8,16]). Consequently, they are capable of sustaining enterprise operations as well as solutions, i.e., a backup system. IS that complies with industry specifications could ensure the continuity of enterprise operations without interruption. Moreover, the backup system could properly maintain the security of enterprise data in addition to creating a trustworthy business image for enterprises; therefore, having an IS backup system is considered to be important. Large enterprises and the financial industry do not have to seriously face the problems regarding the execution of IS backup systems because they have relatively sufficient information resources. However, most of the 1.49 million SMEs may not have allocated professional information personnel who are capable of IS management due to their relatively weak resources in most countries. As a consequence, these SMEs may find it impossible to properly execute complete IS backup system operations on their own; then, they would consider spending money on hiring external manufacturers to provide such professional services. Subsequently, the proper maintenance of the security of enterprise data through IS backup systems would substantially lower the losses suffered by companies in the event of IS incidents [17,18]. However, based on our comprehensive survey, the relevant literature in recent years has always discussed the topic of enterprises establishing an information system, but very few studies have profoundly focused on the issue of a relevant IS backup system for SMEs. Thus, the IS backup system of SMEs, as the research motive of this study, will be further explored.
As has been mentioned above, due to the lack of relevant professional information personnel, it is often the case that the adoption of an IS backup system is discussed but never settled. To this end, if we can identify the relevant critical factors influencing the adoption of IS backup systems in advance, it will be of great importance and have a considerable influence on enterprises. As a result, the critical factors that may influence the adoption of IS backup systems by SMEs are a major subject that will be discussed and identified in this study.
Through a literature review, we identified that a combination of excellent techniques, including the modified Delphi method (MDM) [19,20,21], expert questionnaire [22,23], and the advanced analytic hierarchy process (AHP) [24,25,26], is suitable for application in numerous fields to identify critical influencing factors. Consequently, this study aimed to establish an advanced hybrid MDM–AHP model with an expert questionnaire, in three stages, through the integration of four main techniques or methods. These included (1) a comprehensible literature review, (2) MDM, (3) expert questionnaire of IS, and (4) AHP, to effectively define important constructs influencing relevant IS issues and explore the adoption of IS backup systems by SMEs, in addition to their factors. Then, information was provided to allow SMEs to make decisions regarding IS, and their adoption of an IS backup system was analyzed according to the sequence of the weights of the calculated factors. Suggestions on relevant IS issues were also provided. Hopefully, this study will provide useful references for relevant stakeholders that will aid in decision making, allowing the consideration of an IS issue from different viewpoints, against the background of the COVID-19 pandemic [27,28].

1.2. Research Highlights and Research Purposes

System backup has always been “the last mile” for enterprises to protect their key data and directly face the problem of data consistency [29], as well as acting as the final important firewall. We can rely on the service functions provided by backup systems to assist enterprises in enhancing the degree of IS and reducing their losses upon the occurrence of disasters, such as ransomware attacks [30]. In addition, due to the lack of professional information talent, most SMEs entrust external software and hardware service suppliers with the provision of relevant information, as well as external technical support and advice. Therefore, in addition to the restrictions related to the internal factors of enterprises, which influence decision making related to the adoption of IS backup systems, enterprises may also consider the opinions of software and hardware service suppliers. However, the opinions of software and hardware service suppliers are mostly based on their consideration of sales performance instead of the actual demands of SMEs. As a result, the difficulty in successfully building an IS backup system [31] will be increased substantially and its influencing factors will become much more complicated. As previously stated, three framework stages were constructed and proposed in this study, which aimed to solve the above predicament. The first stage was to review the related literature to address the initial factors influencing IS backup systems for effective IS. The second stage was to effectively implement the hybrid key techniques or intelligent MDM–AHP models described in the previous subsection to further identify the determinants and overall weights. The final stage was to use three real cases to highlight the importance of IS for SMEs. Hence, the purposes of this study mainly consisted of the following five core parts:
(1) To build a three-stage hybrid MDM–AHP methodology to address the IS topic and provide a useful reference to help SMEs with their individual requirements.
(2) To determine the possible relevant factors influencing the adoption of IS backup systems by SMEs through sorting and analysis of the relevant literature.
(3) To construct an advanced hybrid MDM–AHP model to identify the critical factors influencing the adoption of IS backup systems by SMEs.
(4) To carry out an expert questionnaire-based survey for MDM. The experts included were the IS-related personnel of SMEs and the personnel of the information system integration manufacturers and product manufacturers who had more than 10 years of experience. This was conducted in the hope that the relevant constructs and their factors could be identified, and the weights of these factors could be calculated and sorted.
(5) To discuss and verify three case studies and make conclusions concerning research achievements, research findings or suggestions, etc.
The remaining structure of this paper is presented as follows: Section 2 summarizes the literature review of IS-related studies, including the related issues of SMEs, common virus attacks, and backup systems. Section 3 describes the architecture of the proposed MDM–AHP model. Section 4 analyzes and discusses the empirical results, and Section 5 draws conclusions and suggestions from the analytical results.

2. Literature Review

In this section, for the first stage of the study, the relevant critical factors influencing the adoption of IS backup systems by SMEs are discussed and explored. Therefore, the literature review included the definition of SMEs, backup specifications of finance, the IS of SMEs, etc.

2.1. Definition of SMEs and Relevant Applications

(1) Definition of SMEs
SMEs are non-subsidiary, independent, small-sized or medium-sized businesses defined by their number of employees and financial measurements; however, these restrictions vary in different countries. For example, an upper limit of 250 employees defines certain SMEs in the countries of the European Union; however, the USA defines SMEs as having less than 500 employees. In contrast, other countries have set a limit of 200 employees. In Taiwan, a so-called SME refers to an enterprise with paid-in capital below TWD 100 million or no more than 200 employees.
In particular, SMEs are critical to industry value chains of economic development and their respective resources in achieving specific goals, particularly in the Industry 4.0 era. SMEs can help to highlight the value of Industry 4.0 in achieving a sustainable competitive advantage and providing insight into how limited resources can be used effectively [32], in order to promote the country and demonstrate the high importance and advanced position of value creation for SMEs.
Apparently, SMEs play a stable role in and follow the process of economic development in various countries, as mentioned above.
(2) Outsourcing of IS
Unfortunately, compared with large enterprises, SMEs have two major disadvantages, i.e., capital scarcity and insufficient human resources. These two disadvantages make it impossible for SMEs to build a complete IS protection system on their own; therefore, a great many SMEs comply with the trend associated with service outsourcing and seek relatively professional IS manufacturers to provide protection services [33,34,35]. In addition, most SMEs have set up departments in order to be in charge of legal affairs and accounting, but very few SMEs have IS-related department or positions, which indicates that IS is nothing but “an option” with an accessory nature for many SMEs. Although the achievements of IS cannot be absolutely quantified, serious consequences often result, and a huge negative influence would be imposed on companies after the occurrence of a serious IS incident, such as man-made disasters relating to employees’ IS awareness [36].
Conversely, it is clear that IS is of great significance to the sustainable development of SMEs; thus, understanding the adoption of IS by SMEs against the huge negative influence is very important from the perspectives of practitioners and academicians.

2.2. IS and Related Incidents

(1) Significance of IS
Recently, due to the quick progression of IT, the scope of users has been gradually expanded from information personnel to every employee. As a result, enterprises have become increasingly dependent on the information system; thus, they face greater challenges in terms of IS. IS is “a part of the overall management system, and IS shall be established, practiced, operated, monitored, reviewed, maintained, and improved on the basis of operational risks” [37]. Hsu et al. [38] concluded that IS was a set of methods that systematically analyzed and managed IS risks for the purpose of preventing enterprise information from being abused or stolen. Parker [39,40] believed that IS meant the generation, storage, use, transmission, display, and control of all data relating to dictation, printing, and recording used by individuals or organizations to prevent unauthorized access, use, leakage, destruction, modification, or destruction. This is to ensure the confidentiality, integrity, and availability of information systems, and to prevent natural disasters or deliberate or inadvertent damages by humans. Yildirim et al. [41] examined enterprise IS in SMEs, and it can be speculated that when communications and operations management and security policy improve, other security parameters of the companies—such as organizational, personnel, and physical and environmental securities—improve as well, according to the findings of this study. Since people do the work, security personnel are the most important security link. To this end, all security policies drafted by enterprises or organizations rely on “people” with security awareness. In this case, IS is considered an important process in the management procedures of the overall operation of an organization. Hasan et al. [42] indicated that the cybersecurity readiness of organizations guides future research and enhances the current understanding of how organizations can better equip themselves in order to have the lowest occurrence and impact of cyber-attacks. The study of Huang et al. [43] indicated that people’s adoption intention is improved by changing their perceived knowledge, awareness, and controllability; however, of these, changing the perceived controllability is the most effective. Govender et al. [44] pointed out that incorporating IS into the culture of the IT staff members that support these technologies is a key function that must be considered in parallel to improved security technology.
Given the reviews mentioned above, we know that IS is of emerging importance to enterprises in the era of the rapid expansion of IT, and a lack of IS can be associated with significant consequences.
(2) IS Incidents
Regarding IS incidents, it is necessary to review the annual general information security (GIS) in order to learn about the status quo of enterprises’ IS, as the statistical data have quite high reference values. Thus, we increased the alert from the research results reported for GIS by iThome [45], and the top 10 potential IS incidents are shown in Figure 2 below. If viewed from the rankings of IS risk, the top three risks were a ransomware information security incident (46.6%), a hacker (40.6%), and social engineering (38%). In particular, a ransomware information security incident and social engineering are often secretly implanted inside enterprises through approaches [46] such as a malicious link, malicious mail, and leak intrusion. These two types of threats have almost become daily challenges faced by IS teams. Therefore, enterprises need to continuously strengthen their real-time detection and interception mechanisms and early warning and monitoring capabilities at ordinary times, and cultivate their capacity for leak repair, quick restoration, or clearing in real time. Moreover, enterprises should adjust their means of responding to the newly emerging rogue programs in a timely manner, e.g., strengthening their firewall policy. Furthermore, it is worth noting that the degree of threat from business email compromise (BEC) fraud is becoming increasingly serious, and it has already become one of the top 10 IS risks that concerns IS officers. However, attention should also be paid to the IS risk of fake news [47] that has also begun to emerge, and currently represents 5.4%.
Specifically, since cyber-attacks have been increasing exponentially in recent years, the importance of IS training for employees in relation to discerning cyber-attacks is attracting increasing attention from those within academia and industries [48]. Thus, we understand that IS training for employees is urgent in order to ensure IS, particularly for SMEs.
(3) Attack Sources of IS Incidents
It is also necessary to address and understand the main sources of attack for IS incidents in order to avoid violation events. The statistical results of the main sources of attack in enterprises’ IS incidents in 2021 were extracted from iThome [49], and they are shown in Figure 3. From this figure, it can be seen that the top three sources include a hacker (54%), a breach caused by ransomware (50.6%), and information security vulnerabilities (49%). A hacker was the main source of malicious attacks that were launched externally [50], while internal employees were the targets of social network engineering by external attackers due to their insufficient IS awareness [36]; therefore, we have to be very cautious and defend against harmful situations to ensure the IS of SMEs.
This is also supported by the results obtained by Kweon et al. [48]. According to their research data, the direct and/or indirect exploitation of human elements resulted in the majority of incidents, and a significant number of IS incidents were created and found; thus, employees’ IS awareness [36] constitutes one of the critical aspects of protection.

2.3. Common Virus Attack Methods

(1) Rogue Programs—Ransomware
As a type of malware with special blackmailing purposes, ransomware causes users to lose control over their systems or data. In this case, users are forced to pay the ransom to retrieve their lost data or systems that have been kidnapped by such rogue programs [51]. In the last two years, a considerable number of IS events have been aimed at companies, such as oil companies, automation equipment companies, semiconductor sealing and testing companies, PCB companies, and wearable device manufacturers, who were successively attacked. Hackers used ransomware to encrypt corporate data and demand high ransoms [52]. From our literature review, it has been identified that one of the better approaches to IS is the rigorous execution of IS backup—thus, creating an important secure archive of enterprise assets to protect against calamity.
Importantly, the Beazley Group, a British insurance group, published an analysis report of their handling of an accidental leakage of 3300 documents, pointing out that hacker attacks or rogue programs were still the primary cause for data leakage, and the most common rogue programs were ransomware and financial Trojan programs [53]. Particularly, the Beazley Group found out that many hackers launched their attacks through ransomware-as-a-service (RaaS); the enterprise data reported by the Beazley Group indicated that SMEs accounted for as high as 71% of the enterprises targeted. The reason for this was that SMEs would usually outsource their IT information services, and then their employees would access relevant data through remote desktop protocol (RDP); however, hackers are able to implant ransomware and demand ransoms from enterprises by cracking RDP transmission passwords. In 2018, the average amount of ransom paid by blackmailed enterprises reached USD 116,000, while the highest ransom paid by the Beazley Group for its clients did not exceed USD 1 million [53]. Additionally, WannaCry, a famous ransomware, utilized the NSA “EternalBlue” exploit program and AES-128 and RSA algorithms to maliciously encrypt users’ archives on computers running Microsoft Windows operating systems around the world via the Internet, for the purpose of extorting Bitcoin. At the same time, ransomware attacks have emerged as a major cybersecurity threat by encrypting user data for system infection [54]. Thus, we can see that the IS backup system plays an important role in protecting against ransomware attacks.
Data backup only provides a temporary solution to ransomware attacks. The periodic backup of data in the archives serves to protect them from being contaminated or deleted by ransomware. However, enterprises should extend the periodic practices of creating backup archives to repair the archives’ servers that are damaged by ransomware. It is only by doing so that enterprises may be able to reduce the chance of operational errors during data repair when they are attacked by ransomware, so as to lower the operational downtime resulting from attacks [55]. Currently, the best methods to prevent direct ransomware attacks are to rely on backup, strengthen users’ education, install software that prevents rogue programs on relevant information-related devices, and prevent users from opening malicious emails, etc. [56].
(2) Rogue Web Mining Programs
Hackers also attempt to make a fortune by mining cryptocurrencies. In recent years, a great number of rogue web-mining programs have emerged [57], and they have utilized users’ computers to mine from popular websites, which is impossible to defend against effectively. Coinhive is an example of a rogue mining program [57]. The programs mining Monero are packed in JavaScript at the browser end, and website dealers are able to utilize the computing power of users’ computers to mine Monero by embedding Coinhive programming code in their websites [58]. Therefore, in recent years, it has been discovered that cryptocurrency mining and mining kidnapping are a primary threat in terms of network crimes. In the first half of 2018, the number of cryptocurrency mining activities detected grew by 96% compared with that in the whole year of 2017. Compared with that in the first half of 2017, it grew by 956%, thus demonstrating the severity of the threat. Mining programs have been preferentially embedded in places where users may stay for quite a long time. For example, the users of long video channels and streaming media have also become targets.
Discount offers are specifically provided to visitors of some websites with malvertisements. Once a user clicks a discount offer, it loads an ETN web mining program in the background and redirects the user to a normal shopping website to avoid being discovered. Mining programs even use the computing resources of mobile phones for continuous mining until the power is used up [59], which would result in overheating and even faults in mobile phones. Starbucks, a transnational coffee chain shop, once proved that the customers in their shop located in Buenos Aires, Argentina, were being utilized to engage in digital currency mining without their knowledge. Therefore, users’ devices that are connected to wireless networks may be used to mine Monero digital currency [60] without their knowledge. To this end, greater caution must be taken.
(3) Denial-of-Service Attack
A denial-of-service attack (DoS attack) is also known as a flooding attack [61,62]. This is a network attack approach aimed at exhausting the network or system resources of target computers and interrupting or stopping services for a period of time. As a consequence, normal users cannot access these computers. Hackers use two or more captured computers in the network as “zombies” to launch DoS attacks against specific targets, which is called a distributed denial-of-service attack (DDoS attack) [63,64,65]. DoS is commonly seen in some online games and has been extensively used by dissatisfied players or competitors. The DDoS initiators usually target important services and famous websites, e.g., banks, credit card payment gateways, and root name servers, etc.
Recently, hackers have begun to turn their eye to order-placing platforms in the supply chains of more valuable high-tech enterprises, paralyzing their systems under DDoS attacks [66]. The high-tech enterprises would then be willing to pay a ransom as a result of suffering from relevant losses. The practice is described as follows: The hackers acquire enterprises’ contact windows, e.g., public relations, human resources, and investor contact windows, or customer services through open information; then, they send ransom mails. In short, attackers first launch trial actions to win the trust of the victim enterprises.

2.4. Relevant Specifications for Data Backup

In the construct of a continual operation plan, enterprises usually adopt two major measures, i.e., system backup and system standby. System backup [67] has been clearly determined in relevant law, and it is used to store important information, communication system software, and other safety-related information backups in independent facilities or fireproof cabinets located in “a different place” from the operating system. System standby—in addition to the stipulation of requirements for the allowable time from interruption to service resumption of the information communication system—in the relevant law has been further amended to stipulate that standby equipment or another method shall be adopted for replacement and service provision within an allowable timeframe when the original service is interrupted. The data backup rules [68] mainly assist organizations in evaluating computer rooms or environments where critical information systems are located, and they consider each possible risk in the procedures of continual operation management. Therefore, these organizations may make plans or improvements and guarantee that, using their limited resources, they can achieve the relevant actions so as to realize the goal of an emergency response and continual operation. The data backup rules can be divided into the IS audit for early stage prevention, and the disaster recovery plan (DRP) [69] for the late-stage execution upon the occurrence of a disaster, so as to ensure that each post-disaster recovery measure formulated by organizations can be smoothly implemented.
The references in this section show that one of the better approaches to maintaining IS is awareness of the rigorous execution of data backup through an IS backup system [70]; an IS backup system is therefore very important for keeping a secure archive of an enterprise's important assets against calamity.

3. Research Methodology

In this section, the research framework and algorithm process, as well as an advanced hybrid MDM–AHP-based model, are explained, representing the second stage; moreover, three-case demonstrations are validated and illustrated, representing the third stage.

3.1. Research Framework and Algorithm Process of the MDM–AHP Model

In recent years, hybrid models have been successfully and continuously applied to solve the critical factor problems of application fields, such as environmental policy making [71], the promotion of new technology [72], urban planning [73], and green financing [74]. Following this line of thought, we proposed a three-stage research framework to determine the critical factors for adopting IS backup systems for SMEs. For the three-stage research framework, in accordance with the research purpose mentioned above, as well as the contents of problems identified in the literature review (the first stage), this study mainly targeted the complete exploration of factors influencing the adoption of IS backup systems by SMEs (the second stage). This was carried out as follows. (1) First, three types of experts, including backup product manufacturers, information system integration manufacturers, and enterprise-information-(security)-related personnel, were included as the main subjects via a questionnaire survey. (2) Then, MDM was adopted for screening. (3) Finally, effective AHP was utilized to identify the critical factors influencing the adoption of IS backup systems by SMEs. The research results can be provided to relevant stakeholders, such as enterprises, information system integration manufacturers, and backup product manufacturers, as a reference and basis for the formulation of decisions in the future. The overall framework of this study is shown in Figure 4.
As for the details of processing flow, this study started with a literature review and then utilized MDM, an expert questionnaire, and AHP, to establish three constructs of factors influencing the adoption of IS backup systems by SMEs, in addition to 11 specific factors. Later, the importance of critical factors was sorted based on the weights of the critical factors calculated. After that, relevant results and suggestions were provided. Additionally, in order to enable readers to have a clear understanding of the methodological structure of this study, as well as the steps and algorithms of the hybrid study, we synthesized a research flowchart in the form of a graphical representation, as shown in Figure 5 below. In particular, in the second stage, which is listed as a highlight, we specifically described the research flowchart of the specific second stage methodology, as shown in Figure 6. Moreover, the details of relevant subsequent flows are further explained in the following four subsections.

3.2. Scope of MDM–AHP Research

After the detailed literature review was undertaken, representing the first stage of this study, expert participants were included. Two types of expert from enterprises (leadership and IS-related personnel) and manufacturers (personnel of information system integration manufacturers and IS product manufacturers) were included in the second stage. The enterprise experts were included to be able to highlight the demands of enterprises, while the manufacturers were included to suggest schemes and plan framework configuration, etc. Relevant IS issues included line configuration, routing planning, firewall policy, software control at the application layer, and users’ behavioral analysis, etc. In order to avoid a loss of focus in the research, critical factors influencing the adoption of IS backup systems by SMEs were studied and identified in this study.

3.3. Research Objects

Since people with more than 10 years of work experience in relevant fields have a certain degree of professional judgment on the issue of IS, three types of personnel were included, as mentioned above. In total, there were nine types of personnel in professional fields, i.e., supervisor of information system integration manufacturer, sales business representative, system engineer, IS engineer, network engineer, hardware/software development engineer, information officer, IT personnel, and backup product technical supervisor. We included experts from backup product manufacturers, experts on information system integration manufacturers, and enterprise IS experts, in order to ensure that the IS backup system adopted met the IS needs.

3.4. Research Tools

3.4.1. MDM

Due to its significant effect, the Delphi method has been applied to the prediction of new public policies in the second stage and, more recently, has also been widely applied in various different fields, such as health research [75] and international entrepreneurship [76]. During the processing of the Delphi method, a research method of collective decision making by anonymous experts was adopted to engage in repeated interviews or questionnaire surveys regarding a specific issue. Finally, unanimous consent was reached after the elimination of disturbance from multiple factors (e.g., group polarization, group think, and the bandwagon effect), based on expert knowledge and opinion. Murry and Hammons [77] concluded that the empirical results from experts’ collective negotiation, discussion, and joint decision making should be more rigorous than the conclusions drawn by individuals’ independent thinking, especially when the members engaged in such a collective discussion were experts with professional knowledge in the field. However, if face-to-face discussion is adopted, it is likely that the collective decision making might not achieve the original effect due to the disturbance of the aforementioned factors. Furthermore, in addition to the adoption of anonymity in the Delphi method, the collective opinions are presented through statistical gathering of the results of interview or questionnaire surveys. Therefore, the Delphi method is regarded as a qualitative and quantitative method with good performance [78,79].
However, the Delphi method has three major problems: (1) it is time consuming to test; (2) it is difficult to control the progress; and (3) contradictions in the opinions of the expert groups arise. To solve these problems, MDM was adopted in this study to simplify the multifarious questionnaire process. First, a great deal of information revealed by the literature review was used to select and synthesize expert opinions. This was used to replace the questionnaire designed for the integration of expert opinions so that the expert groups were able to concentrate on their opinions regarding the research issue. Moreover, each critical factor could be sorted based on experts’ professional knowledge and practical experience to serve as the main axis of the AHP research in the next stage and speed up the experimental operations. As for the questionnaire design, the five-point Likert scale was adopted with corresponding values of 1 = “very unimportant”, 2 = “unimportant”, 3 = “average”, 4 = “important”, and 5 = “very important.” Higher points represented a higher degree of approval. The average of each sub-criterion represented the average intensity of this criterion. The criteria of the consistency test standard commonly used in MDM included the following: (1) Mean value M: this mainly represents the degree of concentration of the data, i.e., it is a measure of the central tendency of the data. When mean value M is ≥3.5, the members of the expert groups deem this index highly critical. It is used to judge if a consensus is reached on this index in the interviewed expert groups. (2) Quartile deviation (QD): The consistency test is judged based on the QD of the distribution of the expert opinions, i.e., half of the range spanned by the middle 50% of the overall distribution of the expert opinions. The smaller the QD, the higher the degree of concentration of the expert opinions.
Faherty [80] concluded that the interviewed expert groups reach a high consensus on a certain index if the QD of the distribution of the expert groups’ opinions on this index is ≤0.6; if the QD is 0.6~1.0, a medium consensus is reached, and when the QD exceeds 1.0, no consensus is reached among the interviewed expert groups. Additionally, if a high consensus is reached for more than 75% of all index items [77], it indicates the high consistency of expert opinions, and the questionnaire survey of this study can be deemed as already completed.
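The screening rule described above, as an added example that is not part of the original article: mean and quartile deviation per factor, Faherty's consensus bands, and the 75% completion check. The expert scores are constructed for illustration, and the inclusive quartile method is an assumption, since the article does not state which one it used.

```python
from statistics import mean, quantiles

# Constructed five-point Likert answers from nine experts (not the study's data).
CONSTRUCTED_RESPONSES = {
    "disaster loss amount": [5, 5, 5, 4, 5, 4, 5, 5, 4],
    "product price": [4, 4, 5, 4, 3, 4, 5, 4, 4],
    "bundling": [3, 2, 4, 3, 5, 2, 3, 4, 1],
    "leader's position and experience": [1, 5, 2, 5, 1, 4, 5, 2, 3],
}


def quartile_deviation(scores):
    """QD = (Q3 - Q1) / 2, i.e. half the spread of the middle 50% of answers."""
    q1, _, q3 = quantiles(scores, n=4, method="inclusive")  # assumed method
    return (q3 - q1) / 2


def consensus_level(qd):
    """Consensus bands as quoted in the text: <=0.6 high, 0.6-1.0 medium, >1.0 none."""
    if qd <= 0.6:
        return "high"
    if qd <= 1.0:
        return "medium"
    return "none"


def screen(responses, min_mean=4.0, max_qd=1.0):
    """Apply the M >= 4 and QD <= 1 rule used in Section 4.1 to every factor."""
    results = {}
    for factor, scores in responses.items():
        if not all(s in (1, 2, 3, 4, 5) for s in scores):
            raise ValueError(f"{factor}: answers must be on the 1-5 scale")
        m = mean(scores)
        qd = quartile_deviation(scores)
        results[factor] = {
            "mean": m,
            "QD": qd,
            "consensus": consensus_level(qd),
            "keep": m >= min_mean and qd <= max_qd,
        }
    return results


def retained(results):
    """Factors that pass screening and move on to the AHP stage."""
    return [factor for factor, r in results.items() if r["keep"]]


def survey_complete(results, share=0.75):
    """True when high consensus is reached on more than `share` of all items."""
    high = sum(1 for r in results.values() if r["consensus"] == "high")
    return high / len(results) > share


if __name__ == "__main__":
    outcome = screen(CONSTRUCTED_RESPONSES)
    for factor, r in outcome.items():
        print(f"{factor:35s} M={r['mean']:.2f} QD={r['QD']:.2f} "
              f"{r['consensus']:6s} keep={r['keep']}")
    print("another round needed:", not survey_complete(outcome))
```

With these constructed answers only half of the items reach high consensus, so the 75% rule would call for another questionnaire round even though two factors already pass the M and QD thresholds.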

3.4.2. AHP

Thomas L. Saaty [81], a professor from the University of Pittsburgh, developed a systematic decision-making method called AHP. This method is mainly applied for uncertain conditions and decision-making problems involving multiple evaluation criteria. As for decision-making problems with multiple attributes, AHP provides a framework for problem analysis, splits a complicated problem into attributes with rank order, gives a subjective judgment value to the relative importance of each attribute, and synthesizes this result to decide the priority of the attributes [82]. The specific practice of AHP is described as follows: synthesize the opinions from experts and scholars as well as decision makers in each rank; adopt a nominal scale to execute and quantify the pairwise comparison between factors; establish a pairwise comparison matrix; and then obtain the eigenvector of each matrix. Later, the eigenvector is taken as the priority between factors in each hierarchy, and the maximum eigenvalue is obtained to evaluate the consistency index (CI) and consistency ratio (CR) of the comparison matrix [83] so that the strength of relative weights can be learned. The degree of consistency of the whole hierarchy can thus be evaluated on this basis to provide the reference index for decision makers. To this end, AHP is a good qualitative and quantitative research method that can be used to analyze many decision-making problems, systematize complicated problems, synthesize and sort information through quantification, and provide decision makers with sufficient information and a basis for scheme selection, so as to reduce the risks of mistakes during decision making [84].
The specific steps of AHP are as follows: (1) Confirm the problem: as many factors as possible that possibly influence the problem shall be included. (2) Establish a three-hierarchical framework: identify the criteria and sub-criteria of the problem. The hierarchies established shall be independent from each other, and there shall be no more than seven evaluation factors in each hierarchy. (3) Establish a pairwise comparison matrix of each hierarchy: establish a goal of the first hierarchy, objects of the second hierarchy (i.e., criteria), and evaluation criteria of the third hierarchy (i.e., sub-criteria). The importance of the criteria is compared pairwise, and a pairwise comparison matrix is established. Scales 1~9 are used to indicate the evaluation measure of each pairwise comparison of the objects and criteria. (4) Calculate eigenvectors and eigenvalues and obtain the relative weights of the factors in each hierarchy: make a pairwise comparison matrix and calculate and obtain the maximum eigenvalue of the pairwise comparison matrix and weight vectors of the criteria. (5) Calculation of weights of the goal and criteria: the eigenvector associated with the maximum eigenvalue gives the weight of each criterion. (6) Consistency test: use CI and CR as the benchmarks.

3.5. Questionnaire Design

3.5.1. Questionnaire Survey in the Second Stage

The content and type of questionnaire were determined through the complete literature review undertaken in the first stage; meanwhile, classification and integration were carried out at the same time with reference to the relevant IS law and relevant detailed implementation rules issued by the government. Three constructs (i.e., financial consideration (FC), IS incident, and business IS decision making (BISD-M)) and 15 factors were determined and listed in total. The first draft questionnaire was completed and sent to the expert subjects. Finally, the constructs and factors were corrected based on their expert opinions. The importance of the initial factors in each construct was appraised and selected regarding the three constructs and 15 original factors listed in Table 1 below. However, during the selection of experts in MDM, nine experts (subjects mentioned in Section 3.3) were invited to complete the questionnaire survey and conduct an objective evaluation of the results, considering the diversified backgrounds, different concepts, and different perspectives of the expert group, as well as the need for the reinforcement of the research effect. The content of the questionnaire used in this study was mainly divided into three parts: Part 1 recorded the basic information of respondents; Part 2 contained the instructions regarding the completion of the questionnaire as well as examples; and Part 3 was the questionnaire itself.

3.5.2. Questionnaire Design in the Second Stage

After the questionnaire survey process, experts’ opinions were collected to evaluate whether each factor complied with the status quo of practice. Only factors with importance reaching a certain degree and factors with questionnaire results reaching the degree of consensus of the experts could be included in the framework established in study. This was to establish a three-tier hierarchical framework and begin the questionnaire work in the second stage, as well as to continually execute the weight investigation between constructs and their factors. The actual results of the questionnaire were identified and divided into three categories (i.e., goal, criterion construct, and factor). Furthermore, three constructs and 11 factors were further identified, as shown in Figure 7 below.
Next, the problems with the pairwise comparison of attributes were adopted in AHP to extract decision makers’ preferences as judgments, and decision makers’ opinions were collected through the utilization of the questionnaire. AHP divides the evaluation measure into five grades, including “Equal importance”, “Moderate importance”, “Strong importance”, “Very strong importance”, and “Extreme importance”, which are represented by the measured values of 1, 3, 5, 7, and 9, respectively. There are four relative importance levels between these five divided values. Since these four levels cannot be distinguished and have to be compromised, they are thus represented by the measured values of 2, 4, 6, and 8 [82].

3.6. Questionnaire Validity and Reliability

It is necessary that the measurement of the questionnaire’s validity and reliability is further explained. (1) First, CI can be used for the consistency test to check if the pairwise comparison matrix constituted by the decision makers’ answers is a consistency matrix, so as to avoid the influence of bad decision making on the questionnaire’s quality. When CI = 0, it indicates that the judgments are completely consistent. When CI > 0, it indicates that the judgments are inconsistent. Saaty [82] believed that CI < 0.1 referred to the allowable bias error. (2) Second, the CI of a positive transposed matrix from evaluation measures 1–9 generated under different orders is called a random index (RI). (3) Finally, AHP was used in this study to obtain the weights of expert opinions, and CR was utilized to measure the overall consistency of the comparison matrix. CR is a ratio between CI and RI. According to the suggestion of Saaty [82], when CR < 0.1, the consistency of the matrix is satisfying, but when CR > 0.1, it indicates that this consistency is unacceptable. The relevant information of RI is shown in Table 2; the equations of CI and CR are formatted as Equations (1) and (2) below, respectively.
$$\mathrm{CI} = \frac{\lambda_{max} - n}{n - 1} \tag{1}$$

$$\mathrm{CR} = \frac{\mathrm{CI}}{\mathrm{RI}} \tag{2}$$

4. Empirical Results and Case Study for the Second and Third Stages

In this section, for the second stage, all empirical results and the same cases were analyzed and discussed according to the advanced hybrid MDM–AHP-based model mentioned in the first two subsections. The last two subsections contain three case studies and some in-depth discussion and exploration, representing the third stage of this study.

4.1. Experts’ Empirical Results in the Second Stage

(1) Narrative Statistics of Experts Interviewed in the Second Stage
In order to avoid any bias in the survey results, one representative was selected from each expert group involved in the questionnaire survey during the second stage of this study. The narrative statistics are shown in Table 3. Due to the characteristic differences per industry, there were more male representatives than female representatives. Specifically, there were eight males and one female included in this study. Moreover, with respect to seniority, one expert had more than 30 years of work experience, one expert had 21–25 years of work experience, two experts had 16–20 years of work experience, and five experts had 10–15 years of work experience. Regarding age range, five experts were aged 31–40 years, three experts were aged 41–50 years, and one expert was older than 51 years. As for geographic area (location), eight experts were from Northern Taiwan, and one expert was from Northern Taiwan. It was clear that they all had seniority as IS professionals.
(2) Analysis of Questionnaire Results in the Second Stage
In the second stage, nine questionnaires were distributed and then recovered; according to the suggestion of Saaty [82], there should be no more than seven evaluation factors in each hierarchy, for human beings are unable to compare more than seven things. Therefore, this criterion was followed in this study for the selection of the initial factors. Moreover, each factor was quantified and the degree of consensus of the experts on such factors reviewed. The empirical results are shown in Table 4. The five-point Likert scale was adopted: 1 (strongly disagree), 2 (disagree), 3 (neither disagree nor agree), 4 (agree), and 5 (strongly agree). In this study, a mean value M ≥ 4 and QD ≤ 1 were adopted as the basis for the degree of consensus of experts to screen important factors, such as the basic factors for the questionnaire study in the second stage, also shown in Table 4 below. From Table 4, factors including bundling, the time interval of IS incidents, software/hardware service suppliers, and leader’s position and experience were eliminated from the 15 initial factors selected in the first stage. The remaining 11 factors were adopted as important factors to be used in the next stage. Moreover, we calculated the relative weight for the purpose of comparison and improvement, which was defined as the factor score divided by the total score of all factors for each of the remaining factors. This weight indicated the relative importance of the factor from the first stage of the analysis. The relative weight ranged from 0.0835 to 0.0975, as shown in Table 5 below. From Table 5, the relative importance of the factor was clearer than from Table 4.
(3) Narrative Statistics of Experts Interviewed in the Second Stage
Fifteen experts were interviewed in the second stage, including three experts from backup product manufacturers, three experts from information system integration manufacturers, and nine enterprise IS experts, among which there were thirteen males and two females. Moreover, with respect to seniority, two experts had more than 30 years of work experience, two experts had 21–25 years of work experience, six experts had 16–20 years of work experience, and five experts had 10–15 years of work experience. All of them had an educational background of junior college and above.
(4) Analysis of Questionnaire Results in the Second Stage
There were four directions in which to address the results of the questionnaire from 15 experts, with respect to three constructs and 11 identified factors, as follows:
(a) Constructs: Through an AHP construct analysis of expert questionnaires involving the critical factors influencing the adoption of IS backup systems by SMEs, we concluded in this study that: FC construct (0.5924) → BISD-M construct (0.2940) → IS incident construct (0.1136). The detailed data are shown in Table 6 and Figure 8 below for λ = 3.001859309, CI = 0.000929654, and CR = 0.001602852.
(b) FC construct: Based on the AHP analysis result of FC, it was concluded that: disaster loss amount (0.4002) → enterprise’s downtime (0.3037) → product price (0.1713) → information budget (0.1248). The empirical data are shown in Table 7 and Figure 9 below for λ = 4.00382, CI = 0.001274960, and CR = 0.002198206.
(c) IS incident construct: Next, it was concluded based on the AHP analysis result of the IS incident construct that: IS incident accountability (0.3211) → man-made disasters (0.3114) → natural disasters (0.2082) → experiencing an IS incident (0.1593). The actual data are shown in Table 8 and Figure 10 below for λ = 4.00027, CI = 0.000091538, and CR = 0.000157825.
(d) BISD-M construct: It was also concluded based on the AHP analysis of the BISD-M construct that: supplier’s contractual requirements (0.3844) → regulatory requirements (0.3501) → auditing requirements (0.2656). The actual data are shown in Table 9 and Figure 11 below for λ = 3.000113571, CI = 0.000056785, and CR = 0.000097906.

4.2. Empirical Results

During the two stages of this empirical study, the questionnaire was completed by nine professional IS personnel with more than 10 years of related industry experience. This screened the degree of importance of the factors influencing the adoption of IS backup systems by SMEs (goal in Hierarchy 1); then, it concluded three constructs (criteria in Hierarchy 2), and finally, itemized the factors (factors in Hierarchy 3). The final questionnaire survey was then implemented, following which AHP was implemented, and the results were discussed. The results of the analysis were focused on the following six aspects:
(1) According to the analysis results of this expert questionnaire survey, the FC construct was the highest (0.5924) among the three constructs, indicating the top priority given by SMEs to economic benefits and performance orientation. The extended meaning lies in that professional IS personnel do not bring substantial operating profits to companies, and as a result, companies do not usually hire professional IS personnel. The common practices highlighted were as follows: (a) free tools or instructions (e.g., SQL dump) are frequently used for backup; and (b) professional IS personnel who are known by companies are usually invited to operate and set up relevant programs with a favor or a lump-sum financial expense (e.g., a business lunch). The reverse meanings of these situations can be comprehended as follows: (a) Due to the FC, SMEs do not have recurrent expenditure costs budgeted for continual contract maintenance and system updating; therefore, they cannot hire professional IS personnel. As a consequence, the company’s information environment has become a good target for intruders; (b) due to the lack of long-term-employed professional IS personnel, SMEs cannot judge if the solutions proposed by the manufacturers are reasonable and suitable for the situations they are currently facing, and they can only consider financial cost as the judgment basis. If this continues, a vicious circle will form.
(2) The disaster loss amount was the highest in the FC construct, accounting for 40% (0.4002), mainly because the disaster loss amount is definite and must be paid. Therefore, the disaster loss amount cannot be overlooked by the board of directors or in financial statements.
(3) IS incident accountability in the IS incident construct exceeded 32% (0.3211), and man-made disasters exceeded 31% (0.3114). The overall total of these factors exceeded 63%, indicating that manual IS incident accountability is extremely significant; it can thus be deduced that the majority of IS incidents are caused by man-made factors, either intentional or unintentional.
(4) The supplier’s contractual requirements in the BISD-M construct approached 40% (0.3844), which mainly included consideration of business interests and economic cost for the breach of a contract. For example, if an enterprise does not have the qualification for bid leading in government procurement flow, it will not be able to bid and profit from the subsequent completion of the bid project. If the enterprise is found to be in breach after winning a bid, a negative influence will be imposed on its profits, given that all enterprises intend to make profits. Therefore, the supplier’s contractual requirements are greater than that of the regulatory requirements and auditing requirements.
(5) The global weights of factors are calculated in Table 10. It is clear that the top three critical factors are the disaster loss amount (0.2371), enterprise downtime (0.1799), and the supplier’s contractual requirements (0.1130). Moreover, we also generated a spider analysis after AHP to present the criteria weights. Figure 12 shows the spider chart of the 11 factors.
(6) We compared the global weights with the weights from the first stage. After integrating MDM with AHP, the difference in importance among the factors became more significant, thus helping us to identify the more critical factors in achieving the research goal. The weight difference was small, making all factors seem equally important if using the traditional survey method. The weight comparison result for the first stage and second stage is shown in Figure 13.
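The AHP chain used in this study, from pairwise comparison matrix to eigenvector weights, the consistency test of Equations (1) and (2), and the global weights of item (5), as an added example that is not the authors' code. The two pairwise matrices are constructed for illustration, the RI values are Saaty's standard ones (assumed, since Table 2 is not reproduced here), and the construct and local weights are those reported in Section 4.1.

```python
# Saaty's random index (RI) by matrix order: standard published values, assumed
# here because Table 2 is not reproduced in this section.
RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32}

# Constructed judgments on the 1-9 scale; order: FC, IS incident, BISD-M.
CONSTRUCTED_MATRIX = [
    [1.0, 5.0, 2.0],
    [1 / 5, 1.0, 1 / 3],
    [1 / 2, 3.0, 1.0],
]
# Constructed circular judgments (A >> B >> C >> A): must fail the CR test.
CIRCULAR_MATRIX = [
    [1.0, 9.0, 1 / 9],
    [1 / 9, 1.0, 9.0],
    [9.0, 1 / 9, 1.0],
]
# Construct and local weights as reported in Section 4.1 of the article.
CONSTRUCT_W = {"FC": 0.5924, "BISD-M": 0.2940, "IS incident": 0.1136}
LOCAL_W = {
    "FC": {"disaster loss amount": 0.4002, "enterprise's downtime": 0.3037,
           "product price": 0.1713, "information budget": 0.1248},
    "IS incident": {"IS incident accountability": 0.3211,
                    "man-made disasters": 0.3114, "natural disasters": 0.2082,
                    "experiencing an IS incident": 0.1593},
    "BISD-M": {"supplier's contractual requirements": 0.3844,
               "regulatory requirements": 0.3501,
               "auditing requirements": 0.2656},
}


def validate(matrix):
    """Reject matrices that are not square, positive and reciprocal."""
    n = len(matrix)
    if n > 7:
        raise ValueError("no more than seven factors per hierarchy")
    for i in range(n):
        if len(matrix[i]) != n:
            raise ValueError("matrix must be square")
        for j in range(n):
            if matrix[i][j] <= 0:
                raise ValueError("judgments must be positive")
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > 1e-9:
                raise ValueError(f"a[{i}][{j}] and a[{j}][{i}] are not reciprocal")
    return n


def principal_eigen(matrix, max_iter=1000, tol=1e-12):
    """Power iteration: return (weights summing to 1, lambda_max)."""
    n = validate(matrix)
    w = [1.0 / n] * n
    lam = float(n)
    for _ in range(max_iter):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(aw)  # equals lambda_max once w has converged (sum(w) == 1)
        nxt = [x / lam for x in aw]
        if max(abs(a - b) for a, b in zip(nxt, w)) < tol:
            return nxt, lam
        w = nxt
    return w, lam


def consistency_index(lambda_max, n):
    """Equation (1): CI = (lambda_max - n) / (n - 1)."""
    return (lambda_max - n) / (n - 1) if n > 1 else 0.0


def consistency_ratio(ci, n):
    """Equation (2): CR = CI / RI; orders 1 and 2 are always consistent."""
    return ci / RI[n] if RI[n] else 0.0


def evaluate(matrix):
    """Steps (3)-(6): weights, lambda_max, CI, CR and the CR < 0.1 verdict."""
    weights, lam = principal_eigen(matrix)
    n = len(matrix)
    ci = consistency_index(lam, n)
    cr = consistency_ratio(ci, n)
    return {"weights": weights, "lambda_max": lam, "CI": ci, "CR": cr,
            "acceptable": cr < 0.1}


def global_weights(construct_w, local_w):
    """Local weight times construct weight for every factor, highest first."""
    out = {factor: construct_w[construct] * lw
           for construct, factors in local_w.items()
           for factor, lw in factors.items()}
    return sorted(out.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, m in (("constructed", CONSTRUCTED_MATRIX), ("circular", CIRCULAR_MATRIX)):
        r = evaluate(m)
        print(name, [round(x, 4) for x in r["weights"]],
              f"lambda_max={r['lambda_max']:.4f} CR={r['CR']:.4f}",
              "accept" if r["acceptable"] else "re-survey")
    for factor, gw in global_weights(CONSTRUCT_W, LOCAL_W):
        print(f"{gw:.4f}  {factor}")
```

A questionnaire whose matrix lands in the `re-survey` branch should be returned to the respondent rather than averaged into the group weights, which is the purpose of the CR < 0.1 threshold.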

4.3. Case Study and Discussion for the Third Stage

In considering the aforementioned AHP execution results, we know that the FC construct showed a major positive correlation with the adoption of an IS backup system by SMEs. Therefore, three actual cases are hereby proposed and justified in this study with specific respect to FC, ransomware cases, and the results of interviews with experts. These were then discussed, analyzed, and solved from three aspects, i.e., case status, problem study and analysis, and solutions.
(1) Retail POS System
(a) Case study 1: A POS system company has always adhered to the service concept of “Everything is customer-oriented” to ensure the smooth implementation of customers’ business; however, when any failure occurs in the system, the customers will not have to worry or waste their precious time, for the company will handle the failures promptly. A problem arose, however, when a failure occurred in the POS system of a certain restaurant during a busy holiday period, while employees were unable to identify the failure and replace the relevant software and hardware required to solve the problem.
(b) Problem study and analysis: Use of new hardware and rebooting of the POS system in the case of an emergency must be taken into account. When a system failure occurs, the manufacturer should carry replacement terminal equipment to be sent to the customer right away so that they may replace any defective parts on the spot. Although this method is very effective for the replacement of defective hardware (e.g., the motherboard), the faulty hardware may cause data loss due to the budget of the FC. The relevant data may permanently disappear unless backup data are otherwise prepared in advance.
(c) Solution: The OEM (original equipment manufacturer) version of the enterprise solution must be provided before the POS system is delivered to ensure the system security of the users. After the POS system is delivered, incremental backup with predetermined time intervals shall be practically executed and synchronized to a cloud end or a destination designated by the company. Later, if any problem occurs with the system, the customer may replace defective hardware, and the engineers of the manufacturer may restore the data of the POS system by remote connection. This represents a good alternative solution for this case study.
(2) GitLab Version Control
(a) Case study 2: An online game software development company formulates a mandatory requirement that employees should download the latest programming codes to write programs from the GitLab version control center constructed by the company. They must then upload the programming codes being written before they go off duty to ensure data security and a smooth development progress. However, a problem arose when a senior manager used the computer equipment in the company’s internal network to browse pornographic websites. As a consequence, the company was blackmailed by ransomware, and its servers and all employees’ computer equipment were compromised.
(b) Problem study and analysis: The origin of the problem was in the fact that the IS requirement implemented by this company did not apply to the senior management. The company only required its employees to abide by this requirement, which was merely a formality; however, in order to pursue the convenience of connection to its internal network, this company failed to strictly execute VLAN network partitioning. All employees and the servers shared the same VLAN, and therefore they could not be effectively isolated when the problem occurred. Moreover, this company failed to install any antivirus software capable of detecting the encryption behaviors of ransomware or set up a blacklist of external networks to control and block pornographic websites. The company only hired hardware personnel to serve as IS specialists, but failed to hire professional IS personnel or outsource professional IS work due to the budget of the FC.
(c) Solution: First, priority should be given to the recovery of programming codes. Fortunately, this company did not execute an information confidentiality policy, and the employees could take programming codes home. This enabled them to locate the programming codes, and although these were not the latest versions, this reduced their losses. Next, it is absolutely necessary that the top management are requested to support the implementation of an IS policy, outsource professional IS tasks, ask IS manufacturers to plan and establish IS, and punish relevant misconduct among personnel. Thankfully, this case study was more reflective of shock than damage.
(3) Duplicate Data Management Server—Provision of Manageable and Updated Virtual Data Copy for Storage and Testing
(a) Case study 3: A certain manufacturing company relies highly on an ERP system for its production operation and connections with production management, quality assurance, purchasing, warehousing, accounts, etc. However, a problem arose when the information development team of this company needed data from the real production environment to assist the system simulation testing and coordinate debugging work.
(b) Problem study and analysis: The traditional practice is to restore the backup archives to a machine with the same specification as the parameters. However, the restoration process requires a significant amount of time, and the restored version cannot catch up with the latest backup of archival data. For example, backup is executed once every hour and each backup takes half an hour, but the time required for restoration exceeds half an hour. For the time lag, a serious problem exists concerning the recovery of the system and data used.
(c) Solution: Backup software capable of accessing backup archives directly through mounting should be used so that the execution of restoration work is not required. The backup software will generate indices for all system directories and archives in the backup archives, match with the archives used in operations, and transfer backup archive zones to the machine by means of background transmission. Subsequently, operation instructions can be issued in real time without having to wait for a full upload (stored in the background to wait for execution). This provides an effective solution for overcoming this particular problem.

4.4. In-Depth Tracking and Discussion of Cases for the Third Stage

In this study, relatively in-depth tracking and discussion of the three actual cases mentioned above were carried out to facilitate the shaping of case-based knowledge, understand the importance of IS, and provide a useful reference of potential solutions.
(1)
It was learned in this study through AHP that the “disaster loss amount” and “enterprise’s downtime” are the most critical factors influencing the adoption of an IS backup system by SMEs. However, case study 1 indicated that the end-users of a POS system did not have the relevant knowledge or skills related to IS. Moreover, whether the whole POS system can be used as normal is closely related to the enterprise’s revenue. If the POS system breaks down, the customers will leave and the enterprise’s profits will suffer. As a best or better feasible solution, general retail companies should develop an OEM version of the enterprise solution so that a crisis caused by a system problem can be solved quickly and smoothly without wasting personnel’s time on a round trip. This may also shorten the enterprise’s business interruption time and lower the disaster loss amount (e.g., the reduction in revenue). Additionally, the company may save on its backup costs when many customers order an OEM version of the enterprise solution (similar to group purchasing) and apportion the expenses. In addition, the POS system manufacturer carries out the backup work, which lowers the operating cost. Thus, having many customers order the OEM version provides a good means of resolving this problem effectively. More importantly, the company’s system can be further guaranteed and secured.
(2)
In the case of GitLab version control, corporate IS appeared to have become a nonbinding slogan for senior managers. As is shown in Figure 10, the factor of IS incident accountability in the IS incident construct accounted for 32.11%, representing the highest amount, while man-made disasters accounted for 31.14%. Most companies only have personnel with a hardware background but without a professional IS background serving as their information specialists, and they do not seek help from professional outsourcing manufacturers. Consequently, it can reasonably be presumed that the IS-related provisions formulated by information specialists with this background are not supported by the senior managers. This situation also echoes the FC construct shown in Figure 9, in which the information budget accounts for the lowest amount at 12.48%. It is thus clear that IS does not draw the attention it deserves. To this end, upon examining the root of the matter, the solution should be the practical execution and implementation of IS requirements that also apply to senior management, as well as pursuing assistance from professional IS personnel.
(3)
In the case of the duplicate data management server, the backup software adopted should provide not only backup, but also the effective utilization of backup archives. The traditional thinking of using the machines with the worst efficiency to serve as backup hosts requires change. The original money-spending unit that consumes abundant storage space but fails to help the company gain actual interests should be converted to a profiting unit that assists the development of the testing environment. Generally speaking, companies usually have a production environment and a testing environment. A development team may upgrade versions to the actual production environment for operation only after no error occurs in the functional tests in the testing environment. In practice, however, the content data of most testing environments is probably updated only once, upon establishment, and may not be updated again, so an extremely large time difference builds up between the testing and production environments. Consequently, the differences between these two environments are enormous, which leads to the issue of excessive cost during environment conversion. Taking the SQL database as an example, a database in actual use with abundant data and a testing database with very little data respond completely differently when database efficiency is rewritten during the development process. Therefore, the efficiency optimization demand of the database is an important and indivisible factor in each project. This also provides double assurance on the alternative future potential solutions for the same case predicaments to interested parties.

5. Conclusions and Suggestions

This section provides conclusions and suggestions based on the empirical results, which are explained from four aspects, i.e., research conclusions and findings, research suggestions, the research contribution, and the subsequent research direction.

5.1. Research Conclusions and Findings

With the proposed hybrid MDM–AHP model, MDM was adopted as the investigation method of this study, and expert opinions were collected to shape a questionnaire. Afterwards, AHP was employed to test whether the questionnaire results were effective and re-check the indicator value of CR; the research results all showed a value of CR < 0.1, indicating that the consistency result of this study was acceptable. Three important research conclusions and findings were synthesized for this study, as follows:
(1)
The empirical results showed that the importance of three constructs was sorted as follows based on weights: FC (0.5924) → BISD-M (0.2940) → IS incident (0.1136). In the first FC construct, the most critical factor was the disaster loss amount (0.4002); in the second BISD-M construct, the most critical factor was the supplier’s contractual requirements (0.3844); in the final IS incident construct, the most critical factor was the IS incident accountability (0.3211). Undoubtedly, it is thus clear that the disaster loss amount was still the critical factor emphasized the most by relevant decision makers when the adoption of backup software was considered on behalf of SMEs.
(2)
Furthermore, the sorting results of the overall weight of critical factors indicated that factors ranking the highest were the disaster loss amount (0.4002), supplier’s contractual requirements (0.3844), and enterprise’s downtime (0.3037); it is thus clear that FC was still important to SMEs. To be precise, SMEs pay special attention to the reduction in their profits due to the issue of IS. In particular, budgeted information expenditure cannot lead to obvious real-time profits within a short amount of time; on the contrary, serious losses can be a direct result of a disaster, and in this case, the importance of IS can be revealed. Otherwise, if we cannot prove the importance of IS, but still expect enterprise owners to continually provide budgets for IS expenditure every year, this will be undoubtedly impossible for SMEs in the absence of a complete financial system. Thus, the FC construct attracts much concern and holds a high degree of importance to experts in SMEs, and it is key to identifying the factors for the adoption of an IS backup system.
(3)
It was also shown in this study, through the combination of all empirical results, that SMEs are relatively reluctant to invest in backup systems due to their relatively small capital amount and their main orientation of profitability. However, the consequences resulting from the failure to implement system backup are not affordable by SMEs. Importantly, when the budget of the enterprise is limited, IS is often neglected, which leads to the exposure of the enterprise to various threats and attacks, and IS crises, such as encrypted ransomware, computer poisoning, and sensitive data leakage. Thus, according to the principle of the diversification of insurance risks, it was proposed in this study, with reference to the analysis results of case study 3, that the upstream system integration manufacturers may uniformly purchase IS backup system services originally required of SMEs themselves to apportion the expenses and greatly lower the acquisition cost. As a result, the willingness of SMEs to purchase IS backup system services can be enhanced and achieved completely.
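The CR < 0.1 acceptance check described in Section 5.1 can be reproduced with a short calculation. The following is an added example, not code or data from the study: the two 3 × 3 pairwise comparison matrices are constructed for illustration (the first chosen only so that the ranking FC → BISD-M → IS incident matches the reported order, not the reported weights), the function names are hypothetical, and the random index values are Saaty's standard table.

```python
# Added example: AHP priority weights and consistency ratio (CR).
# The comparison matrices are constructed for illustration; they are not
# the expert questionnaire data from the study.

# Saaty's random consistency index (RI), indexed by matrix order n.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

CONSTRUCTS = ["FC", "BISD-M", "IS incident"]

# Constructed judgments: FC is 2x BISD-M, 5x IS incident; BISD-M is 3x IS incident.
CONSISTENT = [[1, 2, 5],
              [1 / 2, 1, 3],
              [1 / 5, 1 / 3, 1]]

# Constructed contradictory judgments (FC > BISD-M > IS incident > FC).
INCONSISTENT = [[1, 5, 1 / 3],
                [1 / 5, 1, 4],
                [3, 1 / 4, 1]]


def check_reciprocal(matrix, tol=1e-6):
    """Reject matrices that are not square, positive and reciprocal."""
    n = len(matrix)
    for i, row in enumerate(matrix):
        if len(row) != n:
            raise ValueError("matrix must be square")
        for j, value in enumerate(row):
            if value <= 0:
                raise ValueError("judgments must be positive")
            if abs(value * matrix[j][i] - 1.0) > tol:
                raise ValueError(f"a[{i}][{j}] and a[{j}][{i}] are not reciprocal")


def priority_vector(matrix, max_iter=1000, tol=1e-12):
    """Return (weights, lambda_max) using power iteration."""
    n = len(matrix)
    weights = [1.0 / n] * n
    for _ in range(max_iter):
        product = [sum(a * w for a, w in zip(row, weights)) for row in matrix]
        total = sum(product)
        updated = [p / total for p in product]
        converged = max(abs(u - w) for u, w in zip(updated, weights)) < tol
        weights = updated
        if converged:
            break
    # lambda_max is the mean of (A w)_i / w_i at the converged weights.
    product = [sum(a * w for a, w in zip(row, weights)) for row in matrix]
    lambda_max = sum(p / w for p, w in zip(product, weights)) / n
    return weights, lambda_max


def consistency_ratio(matrix):
    """Return (weights, CR), where CR = CI / RI and CI = (lambda_max - n) / (n - 1)."""
    check_reciprocal(matrix)
    n = len(matrix)
    if n not in RANDOM_INDEX:
        raise ValueError("no random index available for this matrix order")
    weights, lambda_max = priority_vector(matrix)
    if n < 3:
        return weights, 0.0  # 1x1 and 2x2 reciprocal matrices are always consistent
    ci = (lambda_max - n) / (n - 1)
    return weights, ci / RANDOM_INDEX[n]


def evaluate(matrix, threshold=0.1):
    """Weights, CR, the CR < threshold decision, and the constructs ranked by weight."""
    weights, cr = consistency_ratio(matrix)
    ranked = sorted(zip(weights, CONSTRUCTS), reverse=True)
    return {"weights": weights, "cr": cr, "acceptable": cr < threshold,
            "ranking": [name for _, name in ranked]}


if __name__ == "__main__":
    for label, matrix in (("consistent", CONSISTENT), ("inconsistent", INCONSISTENT)):
        result = evaluate(matrix)
        shown = ", ".join(f"{n}={w:.4f}" for n, w in zip(CONSTRUCTS, result["weights"]))
        print(f"{label}: {shown}; CR={result['cr']:.4f}; acceptable={result['acceptable']}")
```

A questionnaire whose matrix fails the check, as the second matrix does, would be returned to the expert for revision or excluded before weights are aggregated.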

5.2. Discussion and Research Suggestions

In this study, critical factors influencing the adoption of an IS backup system by SMEs were discussed, analyzed, and identified, taking Taiwan as an example. Opinions from IS experts in relevant industries were integrated, and an objective result was synthesized and proposed as a reference to assist the marketing of IS backup systems in the future. It is hoped that this will solve the transaction disputes arising between buyers and sellers due to distrust or information asymmetry. To this end, this study is of tremendous reference value for the IS backup system market. Finally, the following discussion and research suggestions are put forward for regulation development by the government, according to the analysis of the empirical results in this study, in the hope that the future IS issues of SMEs can be overcome with substantial expansibility:
(1)
Speed up the correction and implementation of relevant laws and regulations and encourage SMEs to adopt IS backup systems by means of financial subsidy or deduction.
(2)
Guide information system integration manufacturers and backup product manufacturers to coordinate with the government’s preferential finance and taxation policies and assist SMEs in adopting IS backup systems. Establish a list of manufacturers certified by the government to improve the confidence level, and regulate manufacturers who adopt abnormal sales pitches for sales at the same time to reduce consumption disputes.
(3)
Identify the policy in effect that government agencies should strengthen, and assist with the establishment of courses for the cultivation of information talent, matched by employment guidance. Meanwhile, encourage SMEs to employ IS talent with licenses recognized by the government using preferential finance and taxation policies. The holders of these licenses should be spot-checked on an irregular basis in the hope that the unhealthy trend in license borrowing can be reduced.
(4)
More importantly, this study is relevant to SMEs, which are the most vulnerable to various kinds of virus attacks from the external environment. One of the most dangerous viruses is ransomware, a malicious Trojan virus that interferes with the proper operation of a personal computer by encrypting the contents of memory, blocking access, and displaying a ransom demand. However, ransomware is not a new type of malware; it has been known for more than 15 years. Due to the quantity of ransomware available and its ease of spread through spam or through downloading infected files, it constantly attracts significant attention from researchers aiming to find new tools to combat ransomware. Importantly, the originality of this study’s methodology provides a new tool, which allows decision making in relation to the implementation of a backup system as part of the general IS system for SMEs. The total solutions proposed by this study expand the toolset aimed at combating virus attacks; in particular, we added a new methodology that takes into account the critical factors of the internal and external environments in the activities of SMEs. This makes it possible for enterprises to complement the existing process of periodic data backup with an upgraded system that also archives backup archives and protects them from infection or removal by ransomware. Enterprises should continue the periodic practice of using backup archives to restore archive servers corrupted by ransomware. Thus, the research results of this study can be used for reference and to support the use of IS to provide effective protection for enterprises.

5.3. Research Contribution

In conclusion, there were two core contributions of the research results, which included enterprise contributions and application contributions, as follows:
(1)
Enterprise contributions: The outcomes of the data analysis showed that the performance of the hybrid MDM–AHP model was suitable for use in this study. Thus, this study had significant research interests. In particular, the successful application of the three case studies in terms of validation from the industry community was appropriate, as the research references helped to overcome wide concerns of the interested parties and they were useful in promoting the IS issue to enterprises desiring to explore this further. Thus, this study had a core enterprise contribution.
(2)
Application contributions: The proposed model was based on a major hybrid of MDM and AHP models with expert professionals. This hybrid model created a three-stage framework to identify the important determinants influencing the adoption of an IS backup system in SMEs, which was rarely seen in our limited literature review. Therefore, this study presents a significant contribution to the IS field. Although a hybrid MDM–AHP model of methodology was not a novel technique for achieving the major goal of this study, the main application of this approach was to achieve a good result and act as a reference to highlight the future challenges of IS issues for SMEs. This will benefit the needs and expectations of the interested parties in relation to IS. Thus, the research can be a good precursor in the field of IS backup systems.

5.4. Subsequent Research Direction

Although relatively favorable research findings have been achieved in this study, there are still some issues to be continuously discussed by follow-up research fellows, since this study represents the beginning of the discussion of IS issues, as it was restricted in terms of research time and resources. There are several suggestions regarding the future research direction to improve the study for interested parties with different purposes of use and reference, as follows:
(1)
MDM and AHP were adopted in this study in the expert questionnaire survey. However, industry categories (e.g., manufacturing or medical industry, etc.) were not specifically restricted in relation to the experts interviewed. Interestingly, the manufacturing industry and the medical industry have common features, such as manufacturing machines and medical X-ray machines, nuclear magnetic resonance (MRI), and other equipment. However, in the past, companies may have thought that as these pieces of equipment are not computers, they are safe and isolated; however, with the extensive use of IT techniques, the risks associated with IS have been present for a long time and are increasing. It is thus suggested that follow-up research fellows might follow this direction and attempt to make the subsequent empirical results more complete.
(2)
In the past, SMEs would use free software or self-developed programs with a backup function due to the restriction of expenditure; therefore, it is suggested that follow-up research fellows might follow this direction and study the differences between free software or self-developed software and purchased business software.
(3)
To avoid the information size being too large, the discussion of this study was limited to the adoption of a physical IS backup system. In particular, the so-called new normal of the post-pandemic era has introduced many new IT challenges. Most enterprises give priority to ensuring IT remote working capabilities, and they are beginning to prepare digital emergency countermeasures to deal with rare occasional outbreaks. Manufacturers participating in the global supply chain and overseas operations have been impacted by the pandemic, and many companies have introduced remote working methods to deal with emergencies. In recent times, the security and risks of cloud services have become more prominent. Thus, follow-up research fellows may take standby and cloud end as a research direction to provide different research results for reference.
(4)
It is also suggested that, following the MDM and AHP techniques used, a combination of DANP methods for integrating the DEMATEL (decision-making trial and evaluation laboratory) and ANP (analytic network process) can be employed to re-identify the issues associated with IS and differentiate them.
(5)
Other comparison methods corresponding to the AHP technique can be further explored and measured to assess their differences in the future.

Author Contributions

Conceptualization, Y.-S.C. and J.C.-L.C.; Methodology, J.C.-L.C. and Y.-S.C.; Software, X.-H.C.; Validation, J.C.-L.C. and X.-H.C.; Formal analysis, Y.-S.L. and Y.-S.C.; Investigation, Y.-S.L. and Y.-H.H.; Visualization, Y.-S.L. and Y.-H.H.; Writing—original draft, X.-H.C.; Writing—review and editing, J.C.-L.C., Y.-S.C., Y.-S.L., and Y.-H.H. All authors have read and agreed to the published version of the manuscript.

Funding

This study was partially supported by the National Science and Technology Council of Taiwan, grant number NSTC 111-2221-E-167-036-MY2.

Institutional Review Board Statement

This study did not involve humans or animals.

Informed Consent Statement

This study did not involve humans or animals.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Wang, S.-W.; Chiu, C.-W. A study of innovative business models of SMEs. SMEs Develop. Quart. 2009, 11, 87–112. [Google Scholar]
  2. National Statistics. Newsletter of Directorate-General of Budget, Accounting and Statistics. Available online: https://www.stat.gov.tw/public/Attachment/142293693HCMH93O.pdf (accessed on 20 June 2022).
  3. Blili, S.; Raymond, L. Information technology threats and opportunities for small and medium-sized enterprises. Int. J. Inform. Manag. 1993, 13, 439–448. [Google Scholar] [CrossRef]
  4. Heidt, M.; Gerlach, J.P.; Buxmann, P. Investigating the security divide between SME and large companies: How SME characteristics influence organizational IT security investments. Inform. Syst. Front. 2019, 21, 1285–1305. [Google Scholar] [CrossRef]
  5. Pawar, S.; Palivela, H. LCCI: A framework for least cybersecurity controls to be implemented for small and medium enterprises (SMEs). Int. J. Inform. Manag. Data Insights 2022, 2, 100080. [Google Scholar] [CrossRef]
  6. Herath, T.C.; Herath, H.S.B.; Cullum, D. An information security performance measurement tool for senior managers: Balanced scorecard integration for security governance and control frameworks. Inf. Syst. Front. 2022, 1–41. [Google Scholar] [CrossRef]
  7. van Haastrecht, M.; Yigit Ozkan, B.; Brinkhuis, M.; Spruit, M. Respite for SMEs: A systematic review of socio-technical cybersecurity metrics. Appl. Sci. 2021, 11, 6909. [Google Scholar] [CrossRef]
  8. Alzahrani, L.; Seth, K.P. The impact of organizational practices on the information security management performance. Information 2021, 12, 398. [Google Scholar] [CrossRef]
  9. Benz, M.; Chatterjee, D. Calculated risk? A cybersecurity evaluation tool for SMEs. Busin. Horiz. 2020, 63, 531–540. [Google Scholar] [CrossRef]
  10. Antunes, M.; Maximiano, M.; Gomes, R.; Pinto, D. Information security and cybersecurity management: A case study with SMEs in Portugal. J. Cybersecur. Privacy 2021, 1, 12. [Google Scholar] [CrossRef]
  11. Santos-Olmo, A.; Sánchez, L.; Caballero, I.; Camacho, S.; Fernandez-Medina, E. The importance of the security culture in SMEs as regards the correct management of the security of their assets. Future Intern. 2016, 8, 30. [Google Scholar] [CrossRef]
  12. Bryan, L.L. Effective information security strategies for small business. Int. J. Cyber Criminol. 2020, 14, 341–360. [Google Scholar]
  13. Kim, H.K.; So, W.H.; Je, S.M. A big data framework for network security of small and medium enterprises for future computing. J. Supercomput. 2019, 75, 3334–3367. [Google Scholar] [CrossRef]
  14. Check Point. 2022 Interactive Cyber Security Report. Available online: https://pages.checkpoint.com/cyber-security-report-2021.html (accessed on 20 June 2022).
  15. Taiwan Network Information Center (TNIC). Survey of Network Use of Taiwan Network Information Center. Available online: https://www.twnic.tw/doc/twrp/202012e.pdf (accessed on 20 June 2022).
  16. Rawindaran, N.; Jayal, A.; Prakash, E. Machine Learning Cybersecurity Adoption in Small and Medium Enterprises in Developed Countries. Computers 2021, 10, 150. [Google Scholar] [CrossRef]
  17. Lee, K.; Lee, S.Y.; Yim, K. Machine learning based file entropy analysis for ransomware detection in backup systems. IEEE Access 2019, 7, 110205–110215. [Google Scholar] [CrossRef]
  18. Thomas, J.; Galligher, G. Improving backup system evaluations in information security risk assessments to combat ransomware. Comput. Inform. Scien. 2018, 11, 1. [Google Scholar] [CrossRef]
  19. Basinska, K.; Wellens, N.I.; Simon, M.; Zeller, A.; Kressig, R.W.; Zúñiga, F. Registered nurses in expanded roles improve care in nursing homes: Swiss perspective based on the modified Delphi method. J. Adv. Nurs. 2021, 77, 742–754. [Google Scholar] [CrossRef] [PubMed]
  20. Gray, M.P.; Barreto, E.F.; Schreier, D.J.; Kellum, J.A.; Suh, K.; Kashani, K.B.; Kane-Gill, S.L. Consensus obtained for the nephrotoxic potential of 167 drugs in adult critically Ill patients using a modified Delphi method. Drug Saf. 2022, 45, 389–398. [Google Scholar] [CrossRef] [PubMed]
  21. Pathak, S.K.; Sharma, V.; Chougule, S.S.; Goel, V. Prioritization of barriers to the development of renewable energy technologies in India using integrated modified Delphi and AHP method. Sustain. Energy Technol. Assess. 2022, 50, 101818. [Google Scholar] [CrossRef]
  22. Murasato, Y.; Kinoshita, Y.; Shite, J.; Hikichi, Y.; Nam, C.W.; Koo, B.K. Difference in basic concept of coronary bifurcation intervention between Korea and Japan. Insight from questionnaire in experts of Korean and Japanese bifurcation clubs. Cardiovasc. Inter. Ther. 2022, 37, 89–100. [Google Scholar] [CrossRef] [PubMed]
  23. Chang, T.Y.; Lu, H.P.; Luor, T.Y.; Chang, P.W. Weighting of firefighting turnout gear risk factors according to expert opinion. Sustainability 2022, 14, 7040. [Google Scholar] [CrossRef]
  24. Mohammed, H.J.; Daham, H.A. Analytic hierarchy process for evaluating flipped classroom learning. Comput. Mater. Cont. 2021, 66, 2229–2239. [Google Scholar]
  25. Wang, F.; Lu, Y.; Li, J.; Ni, J. Evaluating environmentally sustainable development based on the PSR framework and variable weigh analytic hierarchy process. Int. J. Environ. Res. Publ. Health 2021, 18, 2836. [Google Scholar] [CrossRef] [PubMed]
  26. Awad, J.; Jung, C. Extracting the planning elements for sustainable urban regeneration in Dubai with AHP (Analytic Hierarchy Process). Sustain. Cities Soc. 2022, 76, 103496. [Google Scholar] [CrossRef]
  27. Hessami, K.; Romanelli, C.; Chiurazzi, M.; Cozzolino, M. COVID-19 pandemic and maternal mental health: A systematic review and meta-analysis. J. Matern.-Fetal Neonatal Med. 2022, 35, 4014–4021. [Google Scholar] [CrossRef]
  28. Akpan, I.J.; Udoh, E.A.P.; Adebisi, B. Small business awareness and adoption of state-of-the-art technologies in emerging and developing markets, and lessons from the COVID-19 pandemic. J. Bus. Entrep. 2022, 34, 123–140. [Google Scholar] [CrossRef]
  29. Jin, D.; Wang, Q. CDP Backup and Recovery Method for Ensuring Database Consistency. In Proceedings of the 2021 IEEE International Conference on Power Electronics, Computer Applications (ICPECA), Shenyang, China, 22–24 January 2021; pp. 722–728. [Google Scholar]
  30. Min, D.; Park, D.; Ahn, J.; Walker, R.; Lee, J.; Park, S.; Kim, Y. Amoeba: An autonomous backup and recovery SSD for ransomware attack defense. IEEE Comput. Archit. Lett. 2018, 17, 245–248. [Google Scholar] [CrossRef]
  31. Mzileni, i.; Ncubukezi, T. Impact of Information Security Threats on Small Businesses during the Covid-19 Pandemic. In Proceedings of the European Conference on Cyber Warfare and Security, Chester, UK, 16–17 June 2022; Volume 21, pp. 401–410. [Google Scholar]
  32. Estensoro, M.; Larrea, M.; Müller, J.M.; Sisti, E. A resource-based view on SMEs regarding the transition to more sophisticated stages of Industry 4.0. Eur. Manag. J. 2022, 40, 778–792. [Google Scholar] [CrossRef]
  33. Chang, S.-I.; Yen, D.C.; Ng, C.S.-P.; Chang, W.-T. An analysis of IT/IS outsourcing provider selection for small- and medium-sized enterprises in Taiwan. Inf. Manag. 2012, 49, 199–209. [Google Scholar] [CrossRef]
  34. Tayauova, G. Advantages and disadvantages of outsourcing: Analysis of outsourcing practices of Kazakhstan banks. Procedia Soc. Behav. Sci. 2012, 41, 188–195. [Google Scholar] [CrossRef]
  35. Toth, A. Information Security Challenges and Solutions in Smart Nations. In Security-Related Advanced Technologies in Critical Infrastructure Protection; Springer: Dordrecht, The Netherlands, 2022; pp. 123–132. [Google Scholar]
  36. Khando, K.; Gao, S.; Islam, S.M.; Salman, A. Enhancing employees information security awareness in private and public organisations: A systematic literature review. Comput. Secur. 2021, 106, 102267. [Google Scholar] [CrossRef]
  37. Tien, H.-W.; Chen, H.-L.; Huang, W.-T.; Yan, R.-F. Study of individual case of information security diagnosis of SMEs. MacKay Period. 2010, 8, 19–49. [Google Scholar]
  38. Hsu, W.-L. Kuo, J.-T. & Ho, Y.-C. A survey of key factors to the success of information security management system of enterprises in Taiwan. Tzu Chi College Technol. Period. 2014, 22, 95–107. [Google Scholar]
  39. Parker, D.B. The strategic values of information security in business. Comput. Secur. 1997, 16, 572–582. [Google Scholar] [CrossRef]
  40. Parker, D.B. Information security in a Nutshell. Inf. Syst. Secur. 1997, 6, 14–19. [Google Scholar] [CrossRef]
  41. Yildirim, E.Y.; Akalp, G.; Aytac, S.; Bayram, N. Factors influencing information security management in small-and medium-sized enterprises: A case study from Turkey. Int. J. Inf. Manag. 2011, 31, 360–365. [Google Scholar] [CrossRef]
  42. Hasan, S.; Ali, M.; Kurnia, S.; Thurasamy, R. Evaluating the cyber security readiness of organizations and its influence on performance. J. Inf. Secur. Appl. 2021, 58, 102726. [Google Scholar] [CrossRef]
  43. Huang, D.L.; Rau, P.L.P.; Salvendy, G.; Gao, F.; Zhou, J. Factors affecting perception of information security and their impacts on IT adoption and security practices. Int. J. Hum. Comput. Stud. 2011, 69, 870–883. [Google Scholar] [CrossRef]
  44. Govender, S.G.; Kritzinger, E.; Loock, M. A framework and tool for the assessment of information security risk, the reduction of information security cost and the sustainability of information security culture. Pers. Ubiquitous Comput. 2021, 25, 927–940. [Google Scholar] [CrossRef]
  45. iThome. iThome 2022 Information Security Survey (Part 2) Information Security Risks—Using the Information Security Risk Map to Identify Risks, the Information Security Layout First Focuses on Ransomware and Hacker Threats (Analysis Version). Available online: https://ithome.com.tw/article/153106 (accessed on 24 January 2023).
  46. Akhtar, M.S.; Feng, T. Detection of malware by deep learning as CNN-LSTM machine learning techniques in real time. Symmetry 2022, 14, 2308. [Google Scholar] [CrossRef]
  47. Choraś, M.; Demestichas, K.; Giełczyk, A.; Herrero, Á.; Ksieniewicz, P.; Remoundou, K.; Urda, D.; Woźniak, M. Advanced Machine Learning techniques for fake news (online disinformation) detection: A systematic mapping study. Appl. Soft Comput. 2021, 101, 107050. [Google Scholar] [CrossRef]
  48. Kweon, E.; Lee, H.; Chai, S.; Yoo, K. The utility of information security training and education on cybersecurity incidents: An empirical evidence. Inf. Syst. Front. 2021, 23, 361–373. [Google Scholar] [CrossRef]
  49. iThome. Corporate Information Security Survey: Information Security Challenges—What is the Threat to Information Security that Taiwanese Companies are Most Concerned about this Year? 2021. Available online: https://www.ithome.com.tw/article/144236 (accessed on 24 January 2023).
  50. Biswas, B.; Mukhopadhyay, A.; Bhattacharjee, S.; Kumar, A.; Delen, D. A text-mining based cyber-risk assessment and mitigation framework for critical analysis of online hacker forums. Decis. Support Syst. 2022, 152, 113651. [Google Scholar] [CrossRef]
  51. Maniath, S.; Poornachandran, P.; Sujadevi, V.G. Survey on Prevention, Mitigation and Containment of Ransomware Attacks. In International Symposium on Security in Computing and Communication; Springer: Singapore, 2018; pp. 39–52. [Google Scholar]
  52. Li, Z.; Liao, Q. Preventive portfolio against data-selling ransomware—A game theory of encryption and deception. Comput. Secur. 2022, 116, 102644. [Google Scholar] [CrossRef]
  53. Beazley. Beazley Breach Briefing—2019. Available online: https://www.beazley.com/news/2019/beazley_breach_briefing_2019.html (accessed on 21 June 2022).
  54. Kapoor, A.; Gupta, A.; Gupta, R.; Tanwar, S.; Sharma, G.; Davidson, I.E. Ransomware detection, avoidance, and mitigation scheme: A review and future directions. Sustainability 2021, 14, 8. [Google Scholar] [CrossRef]
  55. Stowman, A.M.; Frisch, N.; Gibson, P.C.; John, T.S.; Cacciatore, L.S.; Cortright, V.; Schwartz, M.; Anderson, S.R.; Kalof, A.N. Anatomy of a cyberattack: Part 1: Managing an Anatomic Pathology Laboratory during 25 days of downtime. Am. J. Clin. Pathol. 2022, 157, 510–517. [Google Scholar] [CrossRef] [PubMed]
  56. Marett, K.; Nabors, M. Local learning from municipal ransomware attacks: A geographically weighted analysis. Inf. Manag. 2021, 58, 103482. [Google Scholar] [CrossRef]
  57. Wu, M.H.; Lai, Y.J.; Hwang, Y.L.; Chang, T.C.; Hsu, F.H. MinerGuard: A solution to detect browser-based cryptocurrency mining through machine learning. Appl. Sci. 2022, 12, 9838. [Google Scholar] [CrossRef]
  58. Harish, R.; Kumar, V.A.; Amritha, P.P. Facilitating Cryptojacking through Internet Middle Boxes. In Advances in Electrical and Computer Technologies; Springer: Singapore, 2021; pp. 41–52. [Google Scholar]
  59. Moreb, M. The Impact of Cryptocurrency Mining on Mobile Devices. In Practical Forensic Analysis of Artifacts on iOS and Android Devices; Apress: Berkeley, CA, USA, 2022; pp. 259–280. [Google Scholar]
  60. Shahbazi, Z.; Byun, Y.C. Improving the cryptocurrency price prediction performance based on reinforcement learning. IEEE Access 2021, 9, 162651–162659. [Google Scholar] [CrossRef]
  61. Bouyeddou, B.; Harrou, F.; Kadri, B.; Sun, Y. Detecting network cyber-attacks using an integrated statistical approach. Cluster Comput. 2021, 24, 1435–1453. [Google Scholar] [CrossRef]
  62. Chen, X.; Zhou, J.; Shi, M.; Chen, Y.; Wen, J. Distributed resilient control against denial of service attacks in DC microgrids with constant power load. Renew. Sust. Energ. Rev. 2022, 153, 111792. [Google Scholar] [CrossRef]
  63. Eliyan, L.F.; Di Pietro, R. DoS and DDoS attacks in software defined networks: A survey of existing solutions and research challenges. Future Gener. Comput. Syst. 2021, 122, 149–171. [Google Scholar] [CrossRef]
  64. Awan, M.J.; Farooq, U.; Babar, H.M.A.; Yasin, A.; Nobanee, H.; Hussain, M.; Hakeem, O.; Zain, A.M. Real-time DDoS attack detection system using big data approach. Sustainability 2021, 13, 743. [Google Scholar] [CrossRef]
  65. Snehi, M.; Bhandari, A. Vulnerability retrospection of security solutions for software-defined Cyber–Physical System against DDoS and IoT-DDoS attacks. Comput. Sci. Rev. 2021, 40, 100371. [Google Scholar] [CrossRef]
  66. Rhee, E. Advanced countermeasures against IoT hacking by DDoS. Int. J. Inf. Technol. Decis. Mak. 2022, 12, 476–482. [Google Scholar] [CrossRef]
  67. Swagatika, S.; Panda, N. Cloud-based backup and data recovery. J. Inf. Optim. Sci. 2022, 43, 923–932. [Google Scholar] [CrossRef]
  68. Zhang, Y.; Zhong, L.; Yang, S.; Muntean, G.M. Distributed data backup and recovery for software-defined wide area network controllers. Trans. Emerg. Telecommun. Technol. 2022, 33, e4411. [Google Scholar] [CrossRef]
  69. Ashrafi, R.; AlKindi, H. A framework for IS/IT disaster recovery planning. Int. J. Bus. Contin. Risk Manag. 2022, 12, 1–21. [Google Scholar] [CrossRef]
  70. Kumar, R.; Venkatesh, K. Centralized and Decentralized Data Backup Approaches. In Proceedings of the International Conference on Deep Learning, Computing and Intelligence; Springer: Singapore, 2022; pp. 687–698. [Google Scholar]
  71. Marzougui, N.; Ounalli, N.; Sabbahi, S.; Fezzani, T.; Abidi, F.; Jebari, S.; Melki, S.; Berndtsson, R.; Oueslati, W. How can Sewage Sludge use in sustainable tunisian agriculture be increased? Sustainability 2022, 14, 3722. [Google Scholar] [CrossRef]
  72. Nazam, M.; Hashim, M.; Nută, F.M.; Yao, L.; Zia, M.A.; Malik, M.Y.; Usman, M.; Dimen, L. Devising a mechanism for analyzing the barriers of blockchain adoption in the textile supply chain: A sustainable business perspective. Sustainability 2022, 14, 6159. [Google Scholar] [CrossRef]
  73. Wang, Z.; Chen, T.; Li, W.; Zhang, K.; Qi, J. Construction and demonstration of the evaluation system of public participation level in urban planning based on the participatory video of ‘general will—Particular will’. Sustainability 2023, 15, 1687. [Google Scholar] [CrossRef]
  74. Li, C.; Solangi, Y.A.; Ali, S. Evaluating the factors of green finance to achieve carbon peak and carbon neutrality targets in China: A delphi and fuzzy AHP approach. Sustainability 2023, 15, 2721. [Google Scholar] [CrossRef]
  75. Sforzini, L.; Worrell, C.; Kose, M.; Anderson, I.M.; Aouizerate, B.; Arolt, V.; Pariante, C.M. A Delphi-method-based consensus guideline for definition of treatment-resistant depression for clinical trials. Mol. Psychiatry 2022, 27, 1286–1299. [Google Scholar] [CrossRef]
  76. Etemad, H.; Gurau, C.; Dana, L.P. International entrepreneurship research agendas evolving: A longitudinal study using the Delphi method. J. Int. Entrep. 2022, 20, 29–51. [Google Scholar] [CrossRef]
  77. Murry, J.W., Jr.; Hammons, J.O. Delphi: A versatile methodology for conducting qualitative research. Rev. High. Ed. 1995, 18, 423–436. [Google Scholar] [CrossRef]
  78. Shariff, N.M.; Abd Razak, R. Exploring hospitality graduates’ competencies in Malaysia for future employability using Delphi method: A study of competency-based education. J. Teach. Travel Tour. 2022, 22, 144–162. [Google Scholar] [CrossRef]
  79. Pan, S.-M. Qualitative Study: Theory and Application; Psychology Press: Taipei, Taiwan, 2003; p. 406. [Google Scholar]
  80. Faherty, V. Continuing social work education: Results of a Delphi survey. J. Educ. Soc. Work. 1979, 15, 12–19. [Google Scholar] [CrossRef]
  81. Saaty, T.L. How to make a decision: The analytic hierarchy process. Eur. J. Oper. Res. 1971, 40, 9–10. [Google Scholar]
  82. Saaty, T.L. The Analytic Hierarchy Process; McGraw-Hill, Inc.: New York, NY, USA, 1980. [Google Scholar]
  83. Goepel, K.D. Implementation of an online software tool for the analytic hierarchy process (AHP-OS). Int. J. Anal. Hierarchy Process. 2018, 10, 469–487. [Google Scholar]
  84. Kumar, A.; Kumar, M. Implementation of analytic hierarchy process (AHP) as a decision-making tool for selection of materials for the robot arm. Int. J. Appl. Eng. Res. 2019, 14, 2727–2733. [Google Scholar]
Figure 1. Survey of network use by TNIC—statistics of intrusion attacks reported.
Figure 2. Top 10 potential IS incidents of enterprises in 2022.
Figure 3. Main potential attack sources of enterprises’ IS incidents in 2021.
Figure 4. Research structure chart of this study.
Figure 5. Research flowchart of the proposed advanced MDM–AHP model for the three-stage methodology.
Figure 6. Research flowchart of the specific second stage for the proposed advanced MDM–AHP model in detail.
Figure 7. Constructs of questionnaire design in the second stage and their factors.
Figure 8. Weights of three constructs.
Figure 9. Weights of FC construct.
Figure 10. Weights of IS incident construct.
Figure 11. Weights of BISD-M construct.
Figure 12. A spider chart of 11 factors.
Figure 13. Weight comparison of first stage and second stage.
Table 1. Constructs of the questionnaire and factors and codes in the second stage.

| FC Construct (A) | IS Incident Construct (B) | BISD-M Construct (C) |
|---|---|---|
| Information budget (A1) | Experiencing an IS incident (B1) | Auditing requirements (C1) |
| Product price (A2) | Time interval of IS incidents (B2) | Regulatory requirements (C2) |
| Enterprise’s downtime (A3) | IS incident accountability (B3) | Supplier’s contractual requirements (C3) |
| Disaster loss amount (A4) | Natural disasters (B4) | Software and hardware service suppliers (C4) |
| Bundling (A5) | Man-made disasters (B5) | Leader’s position and experience (C5) |
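Table 2. RI data.

| Order | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| RI | 0 | 0 | 0.58 | 0.90 | 1.12 | 1.24 | 1.32 | 1.41 | 1.45 | 1.49 | 1.51 | 1.48 | 1.56 | 1.57 | 1.59 |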
Table 3. Narrative statistical data of experts interviewed in the second stage.

| Respondent | | Experts from Backup Product Manufacturers (3) | Experts from IS Integration Manufacturers (3) | Enterprise IS Experts (3) | Total |
|---|---|---|---|---|---|
| Gender | Male | 2 | 3 | 3 | 8 |
| | Female | 1 | | | 1 |
| Seniority | 10–15 years | 2 | 1 | 2 | 5 |
| | 16–20 years | | 1 | 1 | 2 |
| | 21–25 years | 1 | | | 1 |
| | More than 30 years | | 1 | | 1 |
| Age | Below 30 years | | | | |
| | 31–40 years | 2 | 1 | 2 | 5 |
| | 41–50 years | 1 | 1 | 1 | 3 |
| | Above 51 years | | 1 | | 1 |
| Location | Northern Taiwan | 3 | 3 | 2 | 8 |
| | Central Taiwan | | | 1 | 1 |
| | Southern Taiwan | | | | |
| | Other | | | | |
| Education | University (junior college) | 2 | 2 | 3 | 7 |
| | Master | 1 | 1 | | 2 |
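Table 4. Questionnaire results from the first stage.

| Construct | Factor | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | Average | QD |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| FC | Information budget | 5 | 4 | 5 | 5 | 5 | 3 | 5 | 4 | 5 | 4.56 | 0.50 |
| | Product price | 5 | 4 | 5 | 3 | 5 | 4 | 5 | 4 | 5 | 4.44 | 0.50 |
| | Enterprise’s downtime | 4 | 5 | 5 | 5 | 3 | 5 | 3 | 5 | 4 | 4.33 | 0.50 |
| | Disaster loss amount | 4 | 5 | 5 | 5 | 3 | 5 | 5 | 5 | 4 | 4.56 | 0.50 |
| | **Bundling** | 3 | 4 | 4 | 1 | 2 | 4 | 3 | 2 | 1 | 2.67 | 1.00 |
| IS incident | Experiencing an IS incident | 5 | 3 | 5 | 5 | 5 | 3 | 5 | 5 | 4 | 4.44 | 0.50 |
| | **Time interval of IS incidents** | 4 | 3 | 5 | 5 | 3 | 4 | 4 | 3 | 3 | 3.78 | 0.50 |
| | IS incident accountability | 4 | 4 | 5 | 5 | 3 | 5 | 4 | 5 | 3 | 4.22 | 0.50 |
| | Natural disasters | 5 | 4 | 4 | 3 | 3 | 4 | 5 | 5 | 4 | 4.11 | 0.50 |
| | Man-made disasters | 5 | 5 | 4 | 3 | 4 | 4 | 5 | 5 | 2 | 4.11 | 0.50 |
| BISD-M | Auditing requirements | 5 | 4 | 4 | 5 | 5 | 4 | 3 | 5 | 5 | 4.44 | 0.50 |
| | Regulatory requirements | 5 | 4 | 4 | 4 | 5 | 5 | 5 | 5 | 5 | 4.67 | 0.50 |
| | Supplier’s contractual requirements | 5 | 3 | 4 | 3 | 4 | 3 | 4 | 5 | 5 | 4.00 | 0.50 |
| | **Software and hardware service suppliers** | 3 | 4 | 4 | 3 | 4 | 4 | 4 | 1 | 2 | 3.22 | 1.00 |
| | **Leader’s position and experience** | 3 | 5 | 4 | 3 | 5 | 4 | 3 | 4 | 3 | 3.78 | 0.50 |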
Note: The bold and black shadows refer to the factors eliminated.
Table 5. Relative weight from the first stage.

| Construct | Factor | Average | Relative Weight |
|---|---|---|---|
| FC | Information budget | 4.56 | 0.0952 |
| | Product price | 4.44 | 0.0927 |
| | Enterprise’s downtime | 4.33 | 0.0904 |
| | Disaster loss amount | 4.56 | 0.0952 |
| IS incident | Experiencing an IS incident | 4.44 | 0.0927 |
| | IS incident accountability | 4.22 | 0.0881 |
| | Natural disasters | 4.11 | 0.0858 |
| | Man-made disasters | 4.11 | 0.0858 |
| BISD-M | Auditing requirements | 4.44 | 0.0927 |
| | Regulatory requirements | 4.67 | 0.0975 |
| | Supplier’s contractual requirements | 4.00 | 0.0835 |
Table 6. Matrix values of three constructs.

| Construct | FC | IS Incident | BISD-M |
|---|---|---|---|
| FC | 1.00 | 5.04 | 2.09 |
| IS incident | 0.20 | 1.00 | 0.37 |
| BISD-M | 0.48 | 2.68 | 1.00 |
Table 7. Matrix values of FC construct.

| | Information Budget | Product Price | Enterprise’s Downtime | Disaster Loss Amount |
|---|---|---|---|---|
| Information budget | 1.00 | 0.62 | 0.38 | 0.39 |
| Product price | 1.61 | 1.00 | 0.60 | 0.34 |
| Enterprise’s downtime | 2.61 | 1.67 | 1.00 | 0.77 |
| Disaster loss amount | 2.58 | 2.94 | 1.31 | 1.00 |
Table 8. Matrix values of IS incident construct.

| | Experiencing an IS Incident | IS Incident Accountability | Natural Disasters | Man-Made Disasters |
|---|---|---|---|---|
| Experiencing an IS incident | 1.00 | 0.49 | 0.69 | 0.57 |
| IS incident accountability | 2.06 | 1.00 | 1.63 | 0.96 |
| Natural disasters | 1.45 | 0.61 | 1.00 | 0.64 |
| Man-made disasters | 1.76 | 1.04 | 1.55 | 1.00 |
Table 9. Matrix values of BISD-M construct.

| | Auditing Requirements | Regulatory Requirements | Supplier’s Contractual Requirements |
|---|---|---|---|
| Auditing requirements | 1.00 | 0.83 | 0.63 |
| Regulatory requirements | 1.20 | 1.00 | 1.00 |
| Supplier’s contractual requirements | 1.59 | 1.00 | 1.00 |
Table 10. Global weights of the 11 factors.

| Construct | Factor | Local Weight | Global Weight |
|---|---|---|---|
| FC | Information budget | 0.1248 | 0.0739 |
| | Product price | 0.1713 | 0.1015 |
| | Enterprise’s downtime | 0.3037 | 0.1799 |
| | Disaster loss amount | 0.4002 | 0.2371 |
| IS Incident | Experiencing an IS incident | 0.1593 | 0.0181 |
| | IS incident accountability | 0.3211 | 0.0365 |
| | Natural disasters | 0.2082 | 0.0237 |
| | Man-made disasters | 0.3114 | 0.0354 |
| BISD-M | Auditing requirements | 0.2656 | 0.0781 |
| | Regulatory requirements | 0.3501 | 0.1029 |
| | Supplier’s contractual requirements | 0.3844 | 0.1130 |

MDPI and ACS Style

Chen, Y.-S.; Chou, J.C.-L.; Lin, Y.-S.; Hung, Y.-H.; Chen, X.-H. Identification of SMEs in the Critical Factors of an IS Backup System Using a Three-Stage Advanced Hybrid MDM–AHP Model. Sustainability 2023, 15, 3516. https://doi.org/10.3390/su15043516
