The Adoption of Information Security Management Standards: A Literature Review

The Adoption of Information Security Management Standards: A Literature Review

Yves Barlette (GSCM-Montpellier Business School, France) and Vladislav V. Fomin (Vytautas Magnus University, Lithuania)
DOI: 10.4018/978-1-60566-326-5.ch006
OnDemand PDF Download:


This chapter introduces major information security management methods and standards, and particularly ISO/IEC 27001 and 27002 standards. A literature review was conducted in order to understand the reasons for the low level of adoption of information security standards by companies, and to identify the drivers and the success factors in implementation of these standards. Based on the findings of the literature review, we provide recommendations on how to successfully implement and stimulate diffusion of information security standards in the dynamic business market environment, where companies vary in their size and organizational culture. The chapter concludes with an identification of future trends and areas for further research.
Chapter Preview


In service-oriented, highly industrialized countries, information itself is both a raw material and a product (Castells, 1996). The critical economic role of information and information processing on a firm’s productivity may be more important than that from operational efficiency or product innovation (Steinmueller, 2005).

The relevance of information assets to businesses and governments alike can be measured by, for example, the percentage of contributions to gross domestic product (GDP) stemming from information-related processes and services (OECD, 2005). Another argument for the importance of information assets is to see them as “the ‘life-blood’ of all businesses” (Humphreys, 2005, p.15) losing which may bring the business to a dead halt. Louderback (1995) reported in 1995 that one-half of the companies that lose business critical systems for more than 10 days never recover and go out of business. This is increasingly true as companies rely more on their information systems (Kankanhalli et al., 2003). Between 1997 and 2001, U.S. organizations spent $2.5 trillion on information technology, nearly double the amount than the previous five years (Temkin, 2002; Fomin et al., 2005). Informational processes effectively become so critical that private and public institutions alike need to take an active role in ensuring the security of this critical asset (Fomin et al., 2008; GAO, 2004). In order to achieve this task, however, many issues have to be addressed.

With the growing level of interconnectivity between organizations (Barnard & von Solms, 1998), each company is taking its own measures for information security. This leads to the proliferation of different hardware-, software- and processes-based information security measures (von Solms, 1988). The poor security practices of one agent may threaten its partners in the global informational economy (Castells, 1996). This situation calls for a consistent approach to information security management at a company, inter-company, industry, and international levels. Not having proper information security measures in place can be detrimental to a business, while adopting methods for information protection can be a welcomed signal to the business partners that builds trusting relationships with customers, suppliers and stakeholders (Posthumus & von Solms, 2004). The task of adopting proper information security methods is a difficult one. Organizations need to address the task from legal, operational and compliance perspectives; the penalties for failing to succeed are greater than ever (Myler & Broadbent, 2006).

Inadequate levels of security of information systems (IS) in organizations may result in more than monetary penalties to a company. Top management and board directors can become personally accountable for the security of their IS (OECD, 2004). The leading example is the Sarbanes-Oxley Act (2002) which makes corporate executives legally responsible for the validity of reported financial data and thus responsible for the security of their information systems (Hurley, 2003). Despite the criticality of information assets to business operations and the negative implications of poor security, previous research indicates that the level of information security awareness among many managers is low (Broderick, 2006; Knapp et al., 2006).

Complete Chapter List

Search this Book:
Editorial Advisory Board
Table of Contents
Merrill Warkentin
Kenneth J. Knapp
Kenneth J. Knapp
Chapter 1
Jaziar Radianti, Jose J. Gonzalez
This chapter discusses the possible growth of black markets (BMs) for software vulnerabilities and factors affecting their spread. It is difficult... Sample PDF
Dynamic Modeling of the Cyber Security Threat Problem: The Black Market for Vulnerabilities
Chapter 2
Somak Bhattacharya, Samresh Malhotra, S. K. Ghosh
As networks continue to grow in size and complexity, automatic assessment of the security vulnerability becomes increasingly important. The typical... Sample PDF
An Attack Graph Based Approach for Threat Identification of an Enterprise Network
Chapter 3
Robert F. Mills, Gilbert L. Peterson, Michael R. Grimaila
The purpose of this chapter is to introduce the insider threat and discuss methods for preventing, detecting, and responding to the threat. Trusted... Sample PDF
Insider Threat Prevention, Detection and Mitigation
Chapter 4
Richard T. Gordon, Allison S. Gehrke
This chapter describes a methodology for assessing security infrastructure effectiveness utilizing formal mathematical models. The goal of this... Sample PDF
An Autocorrelation Methodology for the Assessment of Security Assurance
Chapter 5
Ken Webb
This chapter results from a qualitative research study finding that a heightened risk for management has emerged from a new security environment... Sample PDF
Security Implications for Management from the Onset of Information Terrorism
Chapter 6
Yves Barlette, Vladislav V. Fomin
This chapter introduces major information security management methods and standards, and particularly ISO/IEC 27001 and 27002 standards. A... Sample PDF
The Adoption of Information Security Management Standards: A Literature Review
Chapter 7
Peter R. Marksteiner
Information overload is an increasingly familiar phenomenon, but evolving United States military doctrine provides a new analytical approach and a... Sample PDF
Data Smog, Techno Creep and the Hobbling of the Cognitive Dimension
Chapter 8
John W. Bagby
The public expects that technologies used in electronic commerce and government will enhance security while preserving privacy. These expectations... Sample PDF
Balancing the Public Policy Drivers in the Tension between Privacy and Security
Chapter 9
Indira R. Guzman, Kathryn Stam, Shaveta Hans, Carole Angolano
The goal of our study is to contribute to a better understanding of role conflict, skill expectations, and the value of information technology (IT)... Sample PDF
Human Factors in Security: The Role of Information Security Professionals within Organizations
Chapter 10
Nikolaos Bekatoros HN, Jack L. Koons III, Mark E. Nissen
The US Government is moving apace to develop doctrines and capabilities that will allow the Department of Defense (DoD) to exploit Cyberspace for... Sample PDF
Diagnosing Misfits, Inducing Requirements, and Delineating Transformations within Computer Network Operations Organizations
Chapter 11
Rodger Jamieson, Stephen Smith, Greg Stephens, Donald Winchester
This chapter outlines components of a strategy for government and a conceptual identity fraud enterprise management framework for organizations to... Sample PDF
An Approach to Managing Identity Fraud
Chapter 12
Alanah Davis, Gert-Jan de Vreede, Leah R. Pietron
This chapter presents a repeatable collaboration process as an approach for developing a comprehensive Incident Response Plan for an organization or... Sample PDF
A Repeatable Collaboration Process for Incident Response Planning
Chapter 13
Dean A. Jones, Linda K Nozick, Mark A. Turnquist, William J. Sawaya
A pandemic influenza outbreak could cause serious disruption to operations of several critical infrastructures as a result of worker absenteeism.... Sample PDF
Pandemic Influenza, Worker Absenteeism and Impacts on Critical Infrastructures: Freight Transportation as an Illustration
Chapter 14
Preeti Singh, Pranav Singh, Insu Park, JinKyu Lee
We live in a digital era where the global community relies on Information Systems to conduct all kinds of operations, including averting or... Sample PDF
Information Sharing: A Study of Information Attributes and their Relative Significance During Catastrophic Events
Chapter 15
Gregory B. White, Mark L. Huson
The protection of cyberspace is essential to ensure that the critical infrastructures a nation relies on are not corrupted or disrupted. Government... Sample PDF
An Overview of the Community Cyber Security Maturity Model
Chapter 16
Doug White, Alan Rea
In this chapter the authors present essential server security components and develop a set of logical steps to build hardened servers. The authors... Sample PDF
Server Hardening Model Development: A Methodology-Based Approach to Increased System Security
Chapter 17
Jeff Teo
Computer attacks of all sorts are commonplace in today’s interconnected, globalized society. A computer worm, written and released in one part of... Sample PDF
Trusted Computing: Evolution and Direction
Chapter 18
Miguel Jose Hernandez y Lopez, Carlos Francisco Lerma Resendez
This chapter discusses the basic aspects of Honeypots, how they are implemented in modern computer networks, as well as their practical uses and... Sample PDF
Introduction, Classification and Implementation of Honeypots
About the Contributors