To read the full version of this content please select one of the options below:

From theory to practice: guidelines for enhancing information security management

Ioanna Topa (University of the Aegean, Mytilene, Greece)
Maria Karyda (University of the Aegean, Mytilene, Greece)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 8 July 2019

Abstract

Purpose

This study aims to identify the implications of security behaviour determinants for security management to propose respective guidelines which can be integrated with current security management practices, including those following the widely adopted information security standards ISO 27001, 27002, 27003 and 27005.

Design/methodology/approach

Based on an exhaustive analysis of related literature, the authors identify critical factors influencing employee security behaviour and ISP compliance. The authors use these factors to perform a gap analysis of widely adopted information security standards ISO 27001, 27002, 27003 and 27005 and identify issues not covered or only partially addressed. Drawing on the implications of security behaviour determinants and the identified gaps, the authors provide guidelines which can enhance security management practices.

Findings

The authors uncover the factors shaping security behaviour barely or partly considered in the ISO information security standards ISO 27001, 27002, 27003 and 27005, including top management participation, accommodating individual characteristics, embracing the cultural context, encouraging employees to comply out of habit and considering the cost of compliance. Furthermore, the authors provide guidelines to security managers on enhancing their security management practices when implementing the above ISO Standards.

Practical implications

This study offers guidelines on how to create and design security management practices whilst implementing ISO standards (ISO 27001, ISO 27002, ISO 27003, ISO 27005) so as to enhance ISP compliance.

Originality/value

This study analyses the role and implications of security behaviour determinants, discusses discrepancies and conflicting findings in related literature, provides a gap analysis of commonly used information security standards (ISO 27001, 27002, 27003 and 27005) and proposes guidelines on enhancing security management practices towards improving ISP compliance.

Keywords

Acknowledgements

This research was sponsored by the IPATIA grant provided by University of the Aegean, Greece.

Citation

Topa, I. and Karyda, M. (2019), "From theory to practice: guidelines for enhancing information security management", Information and Computer Security, Vol. 27 No. 3, pp. 326-342. https://doi.org/10.1108/ICS-09-2018-0108

Publisher

:

Emerald Publishing Limited

Copyright © 2019, Emerald Publishing Limited