From theory to practice: guidelines for enhancing information security management-Reference-Cited by-同舟云学术

From theory to practice: guidelines for enhancing information security management

Published:2019-07-08 Issue:3 Volume:27 Page:326-342
ISSN:2056-4961
Container-title:Information & Computer Security
language:en
Short-container-title:ICS

Author:

Topa Ioanna,Karyda Maria

Abstract

Purpose This study aims to identify the implications of security behaviour determinants for security management to propose respective guidelines which can be integrated with current security management practices, including those following the widely adopted information security standards ISO 27001, 27002, 27003 and 27005. Design/methodology/approach Based on an exhaustive analysis of related literature, the authors identify critical factors influencing employee security behaviour and ISP compliance. The authors use these factors to perform a gap analysis of widely adopted information security standards ISO 27001, 27002, 27003 and 27005 and identify issues not covered or only partially addressed. Drawing on the implications of security behaviour determinants and the identified gaps, the authors provide guidelines which can enhance security management practices. Findings The authors uncover the factors shaping security behaviour barely or partly considered in the ISO information security standards ISO 27001, 27002, 27003 and 27005, including top management participation, accommodating individual characteristics, embracing the cultural context, encouraging employees to comply out of habit and considering the cost of compliance. Furthermore, the authors provide guidelines to security managers on enhancing their security management practices when implementing the above ISO Standards. Practical implications This study offers guidelines on how to create and design security management practices whilst implementing ISO standards (ISO 27001, ISO 27002, ISO 27003, ISO 27005) so as to enhance ISP compliance. Originality/value This study analyses the role and implications of security behaviour determinants, discusses discrepancies and conflicting findings in related literature, provides a gap analysis of commonly used information security standards (ISO 27001, 27002, 27003 and 27005) and proposes guidelines on enhancing security management practices towards improving ISP compliance.

Publisher

Emerald

Subject

Management of Technology and Innovation,Information Systems and Management,Computer Networks and Communications,Information Systems,Software,Management Information Systems

Reference55 articles.

1. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness;MIS Quarterly,2010

2. Collett, S. (2015), “CSOonline”, available at: www.csoonline.com/article/2881940/security-awareness/five-sneaky-ways-companies-are-changing-employees-security-behavior.html (accessed 10 January 2018)

3. Investigation of employee security behaviour: a grounded theory approach,2015

4. Future directions for behavioral information security research;Computers and Security,2013

Cited by 17 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Assessing information security culture: A mixed-methods approach to navigating challenges in international corporate IT departments;Computers & Security;2024-09

2. Enhancing Government Hospital Information Security: A Framework Integrating Modified ISO 27001 and HIPAA Standards;2024 7th International Conference on Informatics and Computational Sciences (ICICoS);2024-07-17

3. Enhancing Zero Trust Models in the Financial Industry through Blockchain Integration: A Proposed Framework;Electronics;2024-02-23

4. A Comprehensive Review on How Cyber Risk Will Affect the Use of Fintech;Procedia Computer Science;2024

5. Information security objectives and the output legitimacy of ISO/IEC 27001: stakeholders’ perspective on expectations in private organizations in Sweden;Information Systems and e-Business Management;2023-08-21