2018
DOI: 10.1108/ics-03-2017-0012
A utilitarian re-examination of enterprise-scale information security management

Abstract: An action is utilitarian when it is both useful and practical. In this paper we examine a number of traditional information security management practices in order to ascertain their utility. That analysis is performed according to the particular set of challenges and requirements experienced by very large organizations. Examples of such organizations include multinational corporations, the governments of large nations, and global investment banks. We identify a number of information security management practic…

Cited by 3 publications (9 citation statements)
References 36 publications
“…The most relevant one is related to the security controls, in particular considering the set of 133 controls described in the (Liao and Chueh, 2012b), entailed too rigid procedures (Crowder, 2013) and were costly to implement due to the possibility of an only partial automation through hardware and software tools (Montesino et al, 2012). As for the new version of the ISO/IEC 27001, Ho et al (2015) note that the standard still does not provide guidance on the mutual interdependence among the different control items; similarly, Stewart (2018) and Topa and Karyda (2019) refer to the lack of indications regarding a cost/benefit assessment in the selection of controls. On this, Bettaieb et al (2019) propose an approach based on machine learning for the identification of the most relevant controls, given the characteristics and the context of the implementing organization.…”
Section: Methods; citation type: mentioning; confidence: 99%
“…Even though smaller public companies might expect greater returns from certification than larger firms (Deane et al, 2019), only large companies seem to assign sufficient priority to ISS due to resource availability (Dionysiou, 2011; Gillies, 2011). With regard to the implementation process, as stressed by Stewart (2018), ISO/IEC 27001 is designed for an "average organization," and it might not be suitable for companies deviating the most from this average profile, e.g. owing to their dimension or level of centralization (Smith et al, 2010; Stewart, 2018).…”
Section: Context; citation type: mentioning; confidence: 99%