260 research outputs found

    ISO/IEC 27001: An empirical multi-method research

    The adoption of digital technologies, the emergence of platform-based business models, and the switch to smart working practices are increasing the number of potential entry points into firms’ networks and therefore their potential vulnerabilities. However, despite the relevance of the issue, the managerial debate on the topic is still scant and several research gaps exist. Under this premise, this doctoral thesis touches on the following aspects. First, by discussing the issue with senior executives and information security experts, it highlights the most relevant information security challenges in the context of Industry 4.0. In doing this, it also shows where current approaches fall short, and what emerging practices are gaining relevance. Second, by conducting a systematic literature review, the thesis provides a comprehensive synthesis of the academic body of knowledge on ISO/IEC 27001 (i.e., the most renowned international management standard for information security and the fourth most widespread ISO certification) and formulates a theory-based research agenda to inspire future studies at the intersection between information systems and managerial disciplines. Third, by resorting to Grey models, it investigates the current and future diffusion patterns of ISO/IEC 27001 in the six most important countries in terms of issued certificates. Fourth, by performing an event study complemented by an ordinary least squares regression on a dataset of 143 US-listed companies, the dissertation sheds light on the performance implications of ISO/IEC 27001 adoption as well as the role of some contextual factors in affecting the outcomes of the adoption. Overall, this doctoral thesis provides several contributions to both theory and practice. From a theoretical point of view, it highlights the need for managerial disciplines to start addressing information security-related aspects. Moreover, it demonstrates that investments in information security also pay off from a financial perspective. From a practical point of view, it shows the increasingly central role that ISO/IEC 27001 is likely to have in the years to come and it provides managers with evidence on the possible performance effects associated with its adoption.

    The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda

    Purpose – After 15 years of research, this paper aims to present a review of the academic literature on ISO/IEC 27001, the most renowned standard for information security and the third most widespread ISO certification. Emerging issues are reframed through the lenses of social systems thinking, deriving a theory-based research agenda to inspire interdisciplinary studies in the field. Design/methodology/approach – The study is structured as a systematic literature review. Findings – Research themes and sub-themes are identified on five broad research foci: relation with other standards, motivations, issues in the implementation, possible outcomes and contextual factors. Originality/value – The study presents a structured overview of the academic body of knowledge on ISO/IEC 27001, providing solid foundations for future research on the topic. A set of research opportunities is outlined, with the aim to inspire future interdisciplinary studies at the crossroads between information security and quality management. Managers interested in the implementation of the standard and policymakers can find an overview of academic knowledge useful to inform their decisions related to implementation and regulatory activities.

    ADOPTION OF THE INFORMATION SECURITY MANAGEMENT SYSTEM STANDARD ISO/IEC 27001: A STUDY AMONG GERMAN ORGANIZATIONS

    Against the backdrop of numerous security breaches and cyber-attacks, organizations need to take measures to secure their data and information. However, the well-known management system standard ISO/IEC 27001 for information security has shown a lower adoption rate, in terms of annual ISO survey data, than was previously expected by scholars and practitioners. Through the lens of Rogers' diffusion of innovation theory, we consider the adoption of ISO/IEC 27001 as a 'preventive innovation' and aim to identify factors that help gain a better understanding of its adoption. Therefore, we conducted a survey among German organizations on the use and impact of management system standards, explicitly distinguishing between organizations that implement ISO/IEC 27001 and those that are additionally certified against this standard. This study provides insights and contributes to an advanced understanding of motives, impacts, barriers, and useful measures to increase adoption of ISO/IEC 27001. Our findings may be useful to organizations considering the adoption of this management system standard, to certification bodies providing certification services, and to policymakers seeking means to improve information security in organizations.

    Information Security Risk Management (ISRM) Model for Saudi Arabian Organisations

    This research aimed to investigate the factors influencing information security risk management (ISRM) and to develop an ISRM model for large Saudi Arabian organisations. The study employed an exploratory research method following a top-down design approach. The research was conducted in two sequential phases: an interview and a focus group discussion. The research identified 14 factors, grouped into people, process, and technology, that influence ISRM in large Saudi Arabian organisations. The proposed model can successfully guide large Saudi Arabian organisations to implement ISRM standards more effectively.

    Cyber-Security Policy Decisions in Small Businesses

    Cyber-attacks against small businesses are on the rise, yet small business owners often lack effective strategies to avoid these attacks. The purpose of this qualitative multiple case study was to explore the strategies small business owners use to make cyber-security decisions. Bertalanffy's general systems theory provided the conceptual framework for this study. A purposive sample of 10 small business owners participated in the interview process and shared their decision-making methodologies and influencers. The small business owners were vetted through a series of qualification questions to ensure their strategies were effective. The intent of the research question and corresponding interview questions was to identify strategies that successful small business owners use to make cyber-security decisions. Data analysis consisted of coding keywords, phrases, and sentences from semi-structured interviews as well as document analysis. The following themes emerged: government requirements, peer influence, budgetary constraints, commercial standards, and lack of employee involvement. According to the participants, budgetary constraints and peer influence were the most influential factors when making decisions regarding cyber-security strategies. Through exposing small business owners to proven strategies, the implications for social change include a reduction of their small business operating costs and assistance with compliance activities.

    Maturity based approach for ISMS Governance

    Information security is an integral element of fiduciary duty. The purpose of information security is to protect an organization’s valuable resources, such as information. Information security is also a subset of IT governance and must be managed within an Information Security Management System (ISMS). A key element of the operation of an ISMS is its ISMS processes. Current research focuses on economics and cost-benefit analysis of information security investment regarding single measures protecting information; ISMS processes are not in the focus of current research. In fact, a specific ISMS process framework that clearly differentiates between ISMS processes and the security measures controlled by ISMS processes, together with a description of ISMS processes and their interaction, does not exist yet. ISMS processes, as well as their maturity level, need to be aligned to the implementing organization and its mission in order to be cost-effective. Considering limited resources, and to ensure an efficient use of those resources, not every ISMS process should be established and operated at the same level of maturity. Taking into account that business alignment and cost-effectiveness are important for the successful operation of an ISMS, research contributions must address both problems: ISMS processes as well as the determination of their target maturity level. Therefore the overall objective of this doctoral thesis is to make the appropriateness of an ISMS transparent and to avoid unnecessary costs of information governance, which is still a major problem for many organizations. This doctoral thesis aims to fill this research gap by proposing an ISMS process framework based on a set of agreed-upon ISMS processes in existing applicable standards such as the ISO 27000 series, COBIT and ITIL. Within the framework, identified processes are described and their interaction and interfaces are specified. This framework helps to focus on the operation of the ISMS instead of focusing on measures and controls. By this, the systemic character of the ISMS and the perception of relevant roles of the ISMS as a management system consisting of processes are strengthened. For an efficient use of the ISMS process framework, a method to determine the individually necessary maturity level of the ISMS processes is proposed.
    Official Doctoral Programme in Computer Science and Technology. President: Antonio de Amescua Seco. Secretary: Tomás San Feliú Gilabert. Member: Rafael Valencia Garcí

    Investigating the Barriers to Quality 4.0 Adoption in the Indian Manufacturing Sector: Insights and Implications for Industry and Policymaking

    Purpose: The research explores the shift to Quality 4.0, examining the move towards a data-focused transformation within organizational frameworks. This transition is characterized by incorporating Industry 4.0 technological innovations into existing quality management frameworks, signifying a significant evolution in quality control systems. Despite the evident advantages, practical deployment in the Indian manufacturing sector encounters various obstacles. This research is dedicated to a thorough examination of these impediments. It is structured around a set of pivotal research questions: first, it seeks to identify the key barriers that impede the adoption of Quality 4.0; second, it aims to elucidate these barriers' interrelations and mutual dependencies; third, it prioritizes these barriers in terms of their significance to the adoption process; finally, it contemplates the ramifications of these priorities for the strategic advancement of manufacturing practices and the development of informed policies. By answering these questions, the research provides a detailed understanding of the challenges faced and offers actionable insights for practitioners and policymakers implementing Quality 4.0 in the Indian manufacturing sector. Design/methodology/approach: Employing Interpretive Structural Modelling (ISM) and Matrix Impact of Cross Multiplication Applied to Classification (MICMAC), we probe the interdependencies amongst fourteen identified barriers inhibiting Quality 4.0 adoption. These barriers were categorised according to their driving power and dependence, providing a richer understanding of the dynamic obstacles within the Technology-Organization-Environment (TOE) framework. Findings: The study results highlight the lack of Quality 4.0 standards and Big Data Analytics (BDA) tools as fundamental obstacles to integrating Quality 4.0 within the Indian manufacturing sector. Additionally, the study results contravene dominant academic narratives, suggesting that the cumulative impact of organisational barriers is marginal, contrary to theoretical postulations emphasising their central significance in Quality 4.0 assimilation. Originality: This research delineates specific obstacles to Quality 4.0 adoption by applying the TOE (Technology-Organization-Environment) framework, detailing how these barriers interact with and influence each other, and particularly highlighting the previously overlooked environmental factors. The analysis reveals a critical interdependence between 'Lack of standards for Quality 4.0' and 'Lack of standardised Big Data Analytics (BDA) tools and solutions', providing nuanced insights into their conjoined effect on stalling progress in this field. Moreover, the study contributes to the theoretical body of knowledge by mapping out these novel impediments, offering a more comprehensive understanding of the challenges faced in adopting Quality 4.0. Practical implications: This research provides concrete strategies, such as developing a collaborative platform for sharing best practices in Quality 4.0 standards, which fosters a synergistic relationship between organizations and policymakers, for instance by creating a joint task force, comprised of industry leaders and regulatory bodies, dedicated to formulating and disseminating comprehensive guidelines for Quality 4.0 adoption. This initiative could lead to establishing industry-wide standards, benefiting from the pooled expertise of diverse stakeholders. Additionally, the study underscores the necessity for robust, standardized Big Data Analytics tools specifically designed to meet the Quality 4.0 criteria, which can be developed through public-private partnerships. These tools would facilitate the seamless integration of Quality 4.0 processes, demonstrating a direct route for overcoming the barriers of inadequate standards.

    IMPLEMENTATION CHALLENGES FOR INFORMATION SECURITY AWARENESS INITIATIVES IN E-GOVERNMENT

    With the widespread adoption of electronic government services, there has been a need to ensure a seamless flow of information across public sector organizations while, at the same time, maintaining confidentiality, integrity and availability. Governments have put in place various initiatives and programs, including information security awareness, to provide the needed understanding of how public sector employees can maintain security and privacy. Nonetheless, the implementation of such initiatives often faces a number of challenges that impede further take-up of e-government services. This paper aims to provide a better understanding of the challenges contributing towards the success of information security awareness initiatives implementation in the context of e-government. Political, organizational, social and technological challenges have been utilized in a conceptual framework to signify such challenges in e-government projects. An empirical case study conducted in a public sector organization in Greece was exploited in this research to reflect on these challenges. While the results from this empirical study confirm the role of the identified challenges for the implementation of security awareness programs in e-government, it has been noticed that awareness programs often pursue different targets of preserving security and privacy, which sometimes results in adding more complexity to the organization.

    Enhancing and integration of security testing in the development of a microservices environment

    In the last decade, web application development has been moving toward the adoption of Service-Oriented Architecture (SOA). In line with this trend, Software as a Service (SaaS) and Serverless providers are embracing DevOps with the latest tools to facilitate the creation, maintenance and scalability of microservices system configuration. Even within this trend, security is still an open point that is too often underestimated. Many companies still think of security as a set of controls that have to be checked before the software is used in production. In reality, security needs to be taken into account along the entire Software Development Lifecycle (SDL). In this thesis, state-of-the-art security recommendations for microservice architecture are reviewed, and useful improvements are given. The main goal is for security to become better integrated into a company workflow, increasing security awareness and simplifying the integration of security measures throughout the SDL. With this background, best practices and recommendations are compared with what companies are currently doing to secure their service-oriented infrastructures. The assumption that there is still much ground to cover security-wise still stands. Lastly, a small case study is presented and used as proof of how small and dynamic startups can be the front runners of high cybersecurity standards. The results of the analysis show that it is easier to integrate up-to-date security measures in a small company.