Exploring the Adoption of the International Information Security Management System Standard ISO/IEC 27001: A Web Mining-Based Analysis

In the light of digitalization and recent EU policy initiatives, information is an important asset that organizations of all sizes and from all sectors should secure. However, although it provides common requirements for the implementation of an information security management system, the internationally well-accepted ISO/IEC 27001 standard has not shown the expected growth rate since its publication more than a decade ago. In this article, we apply web mining to explore the adoption of ISO/IEC 27001 through a sample of 2664 firms, out of more than 900 000 German firms in the Mannheim Enterprise Panel dataset, that refer to this standard on their websites. As a result, we present a "landscape" of ISO/IEC 27001 in Germany, which shows that firms do not only seek certification themselves but often instead refer on their websites to partners who are certified. We then estimate a probit model and find that larger and more innovative firms are more likely to be certified to ISO/IEC 27001, and that almost half of all certified firms belong to the information and communications technology (ICT) service sector. Based on our findings, we derive implications for policy makers and management and critically assess the suitability of web mining for exploring the adoption of management system standards.
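As an added illustration of the web-mining step (this is not the authors' code, and the cue words used to separate own-certification claims from references to certified partners are assumptions), the following sketch sorts constructed sample website texts that mention ISO/IEC 27001 into such categories:

```python
import re
from collections import Counter

# Constructed sample website texts (not data from the Mannheim Enterprise Panel).
SAMPLE_PAGES = {
    "firm-a.example": "Our data centre is certified to ISO/IEC 27001:2013 by an accredited body. We also offer backup services.",
    "firm-b.example": "We host with a partner whose infrastructure is ISO 27001 certified.",
    "firm-c.example": "Our cloud provider holds ISO/IEC 27001 certification.",
    "firm-d.example": "We deliver software for the automotive sector.",
    "firm-e.example": "ISO 27001: we are currently preparing for certification.",
}

# Matches ISO 27001, ISO/IEC 27001, ISO27001 and dated forms such as ISO/IEC 27001:2013.
STANDARD_RE = re.compile(r"\bISO(?:\s*/\s*IEC)?\s*27001(?::\d{4})?\b", re.IGNORECASE)
# Assumed cue words indicating the certificate belongs to a third party, not the firm.
PARTNER_RE = re.compile(r"\b(?:partner|provider|supplier|vendor|subcontractor)s?\b", re.IGNORECASE)
# Assumed cue phrases indicating certification is planned rather than held.
IN_PROGRESS_RE = re.compile(r"\b(?:preparing for|working towards|plan(?:s|ning)? to)\b", re.IGNORECASE)
CERTIFIED_RE = re.compile(r"\bcertif(?:ied|icate|ication)\b", re.IGNORECASE)

# Labels ordered from strongest to weakest evidence of the firm's own certification.
LABELS = ["self", "partner", "in_progress", "mention_only", "none"]

def classify_sentence(sentence):
    """Label one sentence that mentions the standard; None if it does not mention it."""
    if not STANDARD_RE.search(sentence):
        return None
    if PARTNER_RE.search(sentence):
        return "partner"
    if IN_PROGRESS_RE.search(sentence):
        return "in_progress"
    if CERTIFIED_RE.search(sentence):
        return "self"
    return "mention_only"

def classify_page(text):
    """Return the strongest label found across the page's sentences."""
    labels = {classify_sentence(s) for s in re.split(r"(?<=[.!?])\s+", text)}
    labels.discard(None)
    for label in LABELS:
        if label in labels:
            return label
    return "none"

def summarize(pages):
    """Count firms per label, giving a crude 'landscape' of how the standard is referenced."""
    return Counter(classify_page(text) for text in pages.values())

if __name__ == "__main__":
    for firm, text in SAMPLE_PAGES.items():
        print(f"{firm}: {classify_page(text)}")
    print(dict(summarize(SAMPLE_PAGES)))
```

A keyword classifier like this only separates claims on the page; whether a firm actually holds a certificate still has to be verified against the issuing certification body.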
