Applying the Action-Research Method to Develop a Methodology to Reduce the Installation and Maintenance Times of Information Security Management Systems

Society is increasingly dependent on Information Security Management Systems (ISMS), and having this kind of system has become vital for the development of Small and Medium-Sized Enterprises (SMEs). However, these companies require ISMS that have been adapted to their particular features and optimized with regard to the resources needed to deploy and maintain them, with very low costs and short implementation periods. This paper discusses the successive cycles carried out using the ‘Action Research (AR)’ method, which have allowed the development of a security management methodology for SMEs that is able to automate processes and reduce the implementation time of the ISMS.
