
System security assurance: A systematic literature review


Cited by:

  • Harkat, H.; Camarinha-Matos, L.; Goes, J.; Ahmed, H. Cyber-physical systems security. Computers and Industrial Engineering 2024, 188:C. Online publication date: 17-Apr-2024. https://dl.acm.org/doi/10.1016/j.cie.2024.109891
  • Alzahrani, A.; Khan, R. Secure software design evaluation and decision making model for ubiquitous computing. Computers in Human Behavior 2024, 153:C. Online publication date: 12-Apr-2024. https://dl.acm.org/doi/10.1016/j.chb.2023.108109

Index Terms

  • General and reference
  • Security and privacy
  • Systems security
  • Social and professional topics
  • Computing / technology policy
  • Computer crime
  • Software and its engineering
  • Software creation and management
  • Software organization and properties

Recommendations

An agent-based system to support assurance of security requirements.

Current approaches to evaluating security assurance focus either on the software development stage or on the end-product software. However, most often, it is after the deployment or implementation phase that specified security requirements may be ...

Quantitative security assurance metrics: REST API case studies

Security assurance is the confidence that a system meets its security requirements, based on specific evidence that an assurance technique provides. The notion of measuring security is complex and tricky. Existing approaches either (1) consider one ...

Identification of Basic Measurable Security Components for a Distributed Messaging System

The lack of appropriate information security solutions in software-intensive systems can have serious consequences for businesses and the stakeholders. Carefully designed security metrics can be used to offer evidence of the security behavior of the ...

Published in: Elsevier Science Publishers B. V., Netherlands

Author tags:

  • Security assurance
  • Security assurance methods
  • Security requirements
  • Security metrics
  • System and environments
  • Review-article



The Impact of Artificial Intelligence on Data System Security: A Literature Review

Article outline:

1. Introduction
2. Literature Trends: AI and Systems Security
3. Materials and Methods
4. Discussion
4.1. Business Decision Making
4.2. Electronic Commerce Business
4.3. AI Social Applications
4.4. Neural Networks
4.5. Data Security and Access Control Mechanisms
5. Conclusion and Future Research Directions
Future Research Issues
Author Contributions
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest

Document | Year | Citations ≤2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 Total (per-year counts run together in the extracted text)
An Intelligent Tree-Based Intrusion Detection Model for Cybe... | 2021 | -----------1 1
Trailblazing the Artificial Intelligence for Cybersecurity D... | 2020 | -----------1 1
Legal Remedies for a Forgiving Society: Children’s rights, d... | 2020 | -----------11
The Challenges and Opportunities in the Digitalization of Co... | 2020 | -----------33
New perspectives from technology adoption in senior cohousin... | 2020 | -----------11
From Alexa to Siri and the GDPR: the gendering of Virtual Pe... | 2020 | ---------2 3 -5
A Research on the Vulnerabilities of PLC using Search Engine | 2019 | ---------1 --1
Information Technology as the Basis for Transformation into... | 2019 | ---------- 437
Modeling the Effectiveness of Solutions for Technogenic Safe... | 2019 | ----------617
The Neuron Network Model of Human Personality for… | 2019 | ----------4 4
Regulatory alternatives for AI | 2019 | ----------1 23
Malicious web domain identification using online… | 2019 | ---------25310
Ontology-based information security compliance… | 2018 | --------- 14 -5
Gesture-based animated CAPTCHA | 2016 | --------1 2-3
A case-based reasoning system for aiding detection and class... | 2016 | -------11 789439
CANN: An intrusion detection system based on combining clust... | 2015 | -----6264357676823290
Real time BIG data analytic: Security concern and challenges... | 2014 | ----- -2 1-12-6
Detecting and tracking of multiple moving objects for intell... | 2014 | -------2 14--7
Application of business intelligence to the power system… | 2013 | --------1- --1
Generating Shareable Statistical Databases for Business Valu... | 2012 | ----1 1 111 1 --6
Study on security of electronic commerce information system | 2011 | ----------1 -1
The research on information safety problem of digital campus... | 2011 | --1 ------- --1
VOIP voice network technology security strategies | 2011 | --1 ---- 1 1 - -3
Research on the Internet banking security based on dynamic p... | 2011 | ------- 1----1
Analysis of coal mine safety monitoring data based … | 2011 | -------1----1
The improvement of digital signature algorithm based on… | 2011 | ----3121211-11
Intelligent mobile safety system to educational organization | 2010 | ---1 --------1
A web-based multi-perspective decision support system for in... | 2010 | - 1 -3 6 5 1 2 2 4 1 1 27
A generic analytical target cascading optimization system… | 2010 | 2 3 -3 3 1 1 5 2 2 1 -24
A decision-theoretic approach to dynamic sensor selection in... | 2009 | 3 3 2 3 3 3 4 1 2 4 1 -29
Privacy issues in AmI spaces | 2009 | ---------1 1 - 2
Effective information value calculation for interruption man... | 2008 | 1 --1 1 -------3
A logical architecture for active network management | 2006 | 4--- 2 1 1 - -1 --9
Auditing in the e-commerce era | 2004 | 10 2 5 3 3 1 4 2 3 2 1 36
Predictive model on the likelihood of online purchase in e-c... | 2002 | 1-----------1
Internet commerce security: Issues and models for control ch... | 2001 | 2- --2 ----1 --6
A survey of distributed enterprise network and systems manag... | 1999 | 42 2 2 2 1 3 1 1 2 - --56
An open secure Mobile Agent framework for systems… | 1999 | 421 - 1 1 ---1 -1 -36
MetaMorph: An adaptive agent-based architecture for intellig... | 1999 | 117 5 8 6 3 6 4 -5 2 2 -161
AICAMS: Artificial intelligence crime analysis and managemen... | 1998 | 102 4 2 --2 2 1 -2 27
Imposing security constraints on agent-based decision suppor... | 1997 | 21 ----1 1 1 2 -- 26
An empirical study of the use of business expert systems | 1988 | 7-----------7
Total | | 25219323122255473949811753870

Document | Year | Citations ≤2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 Total (per-year counts run together in the extracted text)
Trailblazing the Artificial Intelligence for Cybersecurity D... | 2020 | -----------11
The Challenges and Opportunities in the Digitalization of Co... | 2020 | -----------11
Information Technology as the Basis for Transformation into... | 2019 | ----------2-2
Modeling the Effectiveness of Solutions for Technogenic Safe... | 2019 | ----------112
Malicious web domain identification using online credibility... | 2019 | ---------2224
Gesture-based animated CAPTCHA | 2016 | ----------1-1
A case-based reasoning system for aiding detection and class... | 2016 | --------1---1
The research on information safety problem of digital campus... | 2011 | -------- --11
A generic analytical target cascading optimization system... | 2010 | 131 1211---10
A decision-theoretic approach to dynamic sensor selection in... | 2009 | 11------1---3
A logical architecture for active network management | 2006 | 1---11------3
Auditing in the e-commerce era | 2004 | ---1 ------1
MetaMorph: An adaptive agent-based architecture for intellig... | 1999 | 7-----------7
AICAMS: Artificial intelligence crime analysis and managemen... | 1998 | 12----11--1--15
An empirical study of the use of business expert systems | 1988 | 11------1----12
Total | | 322312332336664
References

  • Sheptunov, S.A.; Sukhanova, N.V. The Problems of Design and Application of Switching Neural Networks in Creation of Artificial Intelligence. In Proceedings of the 2020 International Conference Quality Management, Transport and Information Security, Information Technologies (IT&QM&IS), Yaroslavl, Russia, 7–11 September 2020; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2020; pp. 428–431.
  • Kim, M.S. The Design of Industrial Security Tasks and Capabilities Required in Industrial Site. In Proceedings of the 2021 21st ACIS International Semi-Virtual Winter Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, SNPD-Winter, Ho Chi Minh City, Vietnam, 28–30 January 2021; ACIS International: Mt. Pleasant, MI, USA, 2021; pp. 218–223.
  • Melville, N.; McQuaid, M. Generating shareable statistical databases for business value: Multiple imputation with multimodal perturbation. Inf. Syst. Res. 2012, 23, 559–574.
  • Zhu, F.; Li, G. Study on Security of Electronic Commerce Information System. In Proceedings of the 2011 2nd International Conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC 2011), Zhengzhou, China, 8–10 August 2011; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2011; pp. 1546–1549.
  • Hu, X.; Wang, K. Bank Financial Innovation and Computer Information Security Management Based on Artificial Intelligence. In Proceedings of the 2020 2nd International Conference on Machine Learning, Big Data and Business Intelligence (MLBDBI), Taiyuan, China, 23–25 October 2020; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2020; pp. 572–575.
  • Singh, J. Real Time BIG Data Analytic: Security Concern and Challenges with Machine Learning Algorithm. In Proceedings of the 2014 Conference on IT in Business, Industry and Government: An International Conference by CSI on Big Data (CSIBIG), Indore, India, 8–9 March 2014; Excellent Publishing House: New Delhi, India, 2014.
  • Choi, H.; Young, K.J. Practical Approach of Security Enhancement Method Based on the Protection Motivation Theory. In Proceedings of the 2021 21st ACIS International Semi-Virtual Winter Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD-Winter), Ho Chi Minh City, Vietnam, 28–30 January 2021; ACIS International: Mt. Pleasant, MI, USA, 2021; pp. 96–97.
  • Sun, Y.; Men, T.; Huang, G. Analysis and Design of China’s E-Bank CAPTCHA. In WIT Transactions on Information and Communication Technologies; WIT Press: Southampton, UK, 2014; Volume 61, pp. 1343–1350.
  • Popkova, E.; Alekseev, A.N.; Lobova, S.V.; Sergi, B.S. The theory of innovation and innovative development. AI scenarios in Russia. Technol. Soc. 2020, 63, 101390.
  • Zhong, X.; Ji, G. RETRACTED ARTICLE: Research on the Development Measures of Housing Security System. In Proceedings of the 2011 2nd International Conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC), Zhengzhou, China, 8–10 August 2011; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2011; pp. 586–588.
  • Workman, M. Validation of a biases model in strategic security decision making. Inf. Manag. Comput. Secur. 2012, 20, 52–70.
  • Li, F. The Research on Information Safety Problem of Digital Campus Network. In Proceedings of the 2011 2nd International Conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC 2011), Zhengzhou, China, 8–10 August 2011; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2011; pp. 828–831.
  • Sukhanova, N.V.; Sheptunov, S.A.; Glashev, R.M. The Neuron Network Model of Human Personality for Use in Robotic Systems in Medicine and Biology. In Proceedings of the 2019 IEEE International Conference Quality Management, Transport and Information Security, Information Technologies IT and QM and IS, Sochy, Russia, 23–27 September 2019; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2019; pp. 11–16.
  • Ekenberg, L.; Danielson, M.; Boman, M. Imposing security constraints on agent-based decision support. Decis. Support Syst. 1997, 20, 3–15.
  • Loideain, N.N.; Adams, R. From Alexa to Siri and the GDPR: The gendering of virtual personal assistants and the role of data protection impact assessments. Comput. Law Secur. Rev. 2020, 36, 105366.
  • Khelvas, A.; Demyanova, D.; Gilya-Zetinov, A.; Konyagin, E.; Khafizov, R.; Pashkov, R. Adaptive Distributed Video Surveillance System. In Proceedings of the 2020 International Conference on Technology and Entrepreneurship—Virtual (ICTE-V), Bologna, Italy, 20–23 September 2020.
  • Brahan, J.W.; Lam, K.P.; Chan, H.; Leung, W. AICAMS: Artificial intelligence crime analysis and management system. Knowl. Based Syst. 1998, 11, 355–361.
  • Nikolskaia, K.; Naumov, V. Ethical and Legal Principles of Publishing Open Source Dual-Purpose Machine Learning Algorithms. In Proceedings of the 2020 IEEE International Conference Quality Management, Transport and Information Security, Information Technologies, IT and QM and IS, Yaroslavl, Russia, 7–11 September 2020; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2020; pp. 56–58.
  • Hu, Z.; Chiong, R.; Pranata, I.; Bao, Y.; Lin, Y. Malicious web domain identification using online credibility and performance data by considering the class imbalance issue. Ind. Manag. Data Syst. 2019, 119, 676–696.
  • Angioni, M.; Musso, F. New perspectives from technology adoption in senior cohousing facilities. TQM J. 2020, 32, 761–777.
  • Huang, L.; Ye, C. Research of Secure University E-Government Based on PKI. In Proceedings of the 2011 2nd International Conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC), Zhengzhou, China, 8–10 August 2011; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2011; pp. 7174–7177.
  • Sedova, N.A.; Sedov, V.A.; Dudareva, O.V.; Bazhenov, R.I.; Lavrushina, E.G. An Autosteering Gear System with a Fuzzy Regulator Adjusted by a Neural Network. In Proceedings of the 2019 IEEE International Conference Quality Management, Transport and Information Security, Information Technologies IT and QM and IS, Sochy, Russia, 23–27 September 2019; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2019; pp. 197–202.
  • Chen, L. Intelligent mobile safety system to educational organization. In Proceedings of the ICE-B 2010 International Conference on e-Business, Athens, Greece, 26–28 July 2010; pp. 55–62.
  • Beheshtian-Ardekani, M.; Salchenberger, L.M. An empirical study of the use of business expert systems. Inf. Manag. 1988, 15, 183–190.
  • Lv, X. Information Security Risk Evaluation for E-Campus. In Proceedings of the 2011 2nd International Conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC 2011), Zhengzhou, China, 8–10 August 2011; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2011; pp. 2153–2154.
  • An, W.; Wang, H. Design for the Configuration Software of Coalmine Security Monitoring. In Proceedings of the 2011 2nd International Conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC), Zhengzhou, China, 8–10 August 2011; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2011; pp. 2947–2950.
  • He, Q.; Chen, G. Research of Security Audit of Enterprise Group Accounting Information System Under Internet Environment. In Proceedings of the 2011 2nd International Conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC), Zhengzhou, China, 8–10 August 2011; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2011; pp. 516–519.
  • Zhang, Q.; Li, Z.; Song, C. The Improvement of Digital Signature Algorithm Based on Elliptic Curve Cryptography. In Proceedings of the 2011 2nd International Conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC), Zhengzhou, China, 8–10 August 2011; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2011; pp. 1689–1691.
  • Xiong, Y. Research on the internet banking security based on dynamic password. In Proceedings of the 2011 2nd International Conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC), Zhengzhou, China, 8–10 August 2011; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2011; pp. 4746–4749.
  • Stafford, T.F. Platform-Dependent Computer Security Complacency: The Unrecognized Insider Threat. IEEE Trans. Eng. Manag. 2021, 1–12.
  • Bellavista, P.; Corradi, A.; Stefanelli, C. An open secure mobile agent framework for systems management. J. Netw. Syst. Manag. 1999, 7, 323–339.
  • Samtani, S.; Kantarcioglu, M.; Chen, H. Trailblazing the artificial intelligence for cybersecurity discipline: A multi-disciplinary research roadmap. ACM Trans. Manag. Inf. Syst. 2020, 11, 17.
  • Gao, L.; Zheng, D. Analysis on Code Stability and Fault Tolerance. In Proceedings of the 2011 2nd International Conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC), Zhengzhou, China, 8–10 August 2011; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2011; pp. 155–159.
  • Dhieb, N.; Ghazzai, H.; Besbes, H.; Massoud, Y. Scalable and Secure Architecture for Distributed IoT Systems. In Proceedings of the 2020 IEEE Technology and Engineering Management Conference (TEMSCON), Virtual, 3–6 June 2020.
  • Cheong, M.; Leins, K.; Coghlan, S. Computer Science Communities: Who is Speaking, and Who is Listening to the Women? Using an Ethics of Care to Promote Diverse Voices. In Proceedings of the FAccT 2021 ACM Conference on Fairness, Accountability, and Transparency, Virtual, 3–10 March 2021; pp. 106–115.
  • Prakash, U.M.; Thamaraiselvi, V.G. Detecting and Tracking of Multiple Moving Objects for Intelligent Video Surveillance Systems. In Proceedings of the 2nd International Conference on Current Trends in Engineering and Technology (ICCTET), Coimbatore, India, 8 July 2014; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2014; pp. 253–257.
  • Spaan, M.T.J.; Lima, P.U. A Decision-Theoretic Approach to Dynamic Sensor Selection in Camera Networks. In Proceedings of the ICAPS 2009 19th International Conference on Automated Planning and Scheduling, Thessaloniki, Greece, 19–23 September 2009; pp. 297–304.
  • Lei, X. Cyber-Security Analysis for Process Control Oriented Information System. In Proceedings of the 2011 2nd International Conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC), Zhengzhou, China, 8–10 August 2011; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2011; pp. 289–292.
  • Cherviakov, L.M.; Sheptunov, S.A.; Oleynik, A.V.; Bychkova, N.A. Digitalization of Quality Management of the Strategic Decision-Making Process. In Proceedings of the 2020 IEEE International Conference Quality Management, Transport and Information Security, Information Technologies (IT and QM and IS), Yaroslavl, Russia, 7–11 September 2020; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA; pp. 193–196.
  • Qu, T.; Huang, G.Q.; Zhang, Y.; Dai, Q.Y. A generic analytical target cascading optimization system for decentralized supply chain configuration over supply chain grid. Int. J. Prod. Econ. 2010, 127, 262–277.
  • Titov, A.A.; Rogov, A.A. Mathematical Support of Modeling Methods in Quality Management Problems of Complex System and Processes. In Proceedings of the 2019 IEEE International Conference Quality Management, Transport and Information Security, Information Technologies (IT and QM and IS), Sochy, Russia, 23–27 September 2019; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA; pp. 308–311.
  • El-Gayar, O.F.; Fritz, B.D. A web-based multi-perspective decision support system for information security planning. Decis. Support Syst. 2010, 50, 43–54.
  • Tagiltseva, J.A.; Kuzina, E.L.; Bortnik, O.A.; Shlikov, E.E.; Magomedov, S.S.; Vasilenko, M.A.; Drozdov, N.A. Modeling the Effectiveness of Solutions for Technogenic Safety in the Electrical Industry. In Proceedings of the 2019 IEEE International Conference Quality Management, Transport and Information Security, Information Technologies (IT and QM and IS), Sochy, Russia, 23–27 September 2019; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA; pp. 100–105.
  • Jacome-Grajales, N.; Escobedo-Briones, G.; Roblero, J.; Arroyo-Figueroa, G. Application of Business Intelligence to the Power System Process Security. In Proceedings of the 2013 3rd International Conference on Innovative Computing Technology (INTECH), London, UK, 29–31 August 2013; pp. 258–262.
  • Fenz, S.; Neubauer, T. Ontology-based information security compliance determination and control selection on the example of ISO 27002. Inf. Comput. Secur. 2018, 26, 551–567.
  • Canal, G.; Borgo, R.; Coles, A.; Drake, A.; Huynh, D.; Keller, P.; Sklar, E.I. Building trust in human-machine partnerships. Comput. Law Secur. Rev. 2020, 39, 105489.
  • Sarne, D.; Grosz, B.J.; Owotoki, P. Effective Information Value Calculation for Interruption Management in Multi-Agent Scheduling. In Proceedings of the ICAPS 2008 18th International Conference on Automated Planning and Scheduling, Sydney, Australia, 14–18 September 2008; pp. 313–321.
  • Lee, P.; Yau, C.; Tan, K.; Chee, M. Predictive Model on the Likelihood of Online Purchase in E-Commerce Environment. In Proceedings of the Annual Meeting of the Decision Sciences Institute, San Diego, CA, USA, 23–26 November 2002; pp. 569–574.
  • Hansen, J.V. Internet commerce security: Issues and models for control checking. J. Oper. Res. Soc. 2001, 52, 1159–1164.
  • Almeida, F.; Duarte Santos, J.; Augusto Monteiro, J. The challenges and opportunities in the digitalization of companies in a post-COVID-19 world. IEEE Eng. Manag. Rev. 2020, 48, 97–103.
  • Al-Omari, M.; Rawashdeh, M.; Qutaishat, F.; Alshira’H, M.; Ababneh, N. An intelligent tree-based intrusion detection model for cyber security. J. Netw. Syst. Manag. 2021, 29, 20.
  • Gaglio, S.; Gatani, L.; Lo Re, G.; Urso, A. A logical architecture for active network management. J. Netw. Syst. Manag. 2006, 14, 127–146.
  • Stathaki, C.; Xenakis, A.; Skayannis, P.; Stamoulis, G. Studying the Role of Proximity in Advancing Innovation Partnerships at the Dawn of Industry 4.0 Era. In Proceedings of the European Conference on Innovation and Entrepreneurship (ECIE), Rome, Italy, 17–18 September 2020; pp. 651–658.
  • Martin-Flatin, J.; Znaty, S.; Hubaux, J. A survey of distributed enterprise network and systems management paradigms. J. Netw. Syst. Manag. 1999, 7, 9–26.
  • Maturana, F.; Shen, W.; Norrie, D.H. MetaMorph: An adaptive agent-based architecture for intelligent manufacturing. Int. J. Prod. Res. 1999, 37, 2159–2173.
  • Lee, T.; Kim, S.; Kim, K. A research on the vulnerabilities of PLC using search engine. In Proceedings of the ICTC 2019 10th International Conference on ICT Convergence: ICT Convergence Leading the Autonomous Future, Jeju City, South Korea, 16–18 October 2019; pp. 184–188.
  • Haddlesey, P. Artificial Intelligence; The Housing Assistance Council: Washington, DC, USA, 2003; pp. 18–20.
  • Martynov, V.V.; Shavaleeva, D.N.; Zaytseva, A.A. Information Technology as the Basis for Transformation Into a Digital Society and Industry 5.0. In Proceedings of the 2019 IEEE International Conference Quality Management, Transport and Information Security, Information Technologies (IT and QM and IS), Sochy, Russia, 23–27 September 2019; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA; pp. 539–543.
  • Zhao, N.; Yen, D.C.; Chang, I. Auditing in the e-commerce era. Inf. Manag. Comput. Secur. 2004, 12, 389–400.
  • Schneiderman, R. Outsourcing: How safe is your job? Electron. Des. 2004, 52, 48–54.
  • Kseniia, N.; Minbaleev, A. Legal Support of Cybersecurity in the Field of Application of Artificial Intelligence Technology. In Proceedings of the 2020 IEEE International Conference Quality Management, Transport and Information Security, Information Technologies (IT and QM and IS), Yaroslavl, Russia, 7–11 September 2020; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA; pp. 59–62.
  • Kafeza, E.; Kafeza, I. Privacy issues in AmI spaces. Int. J. Netw. Virtual Organ. 2009, 6, 634–650.
  • Efimova, O.V.; Baboshin, E.B.; Igolnikov, B.V.; Dmitrieva, E.I. Promising Digital Solutions for the Efficient Technological and Managerial Processes on Transport. In Proceedings of the 2020 IEEE International Conference Quality Management, Transport and Information Security, Information Technologies (IT and QM and IS), Yaroslavl, Russia, 7–11 September 2020; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA; pp. 92–95.
  • Zhao, W.; Li, S. Analysis of Coal Mine Safety Monitoring Data Based on Column-Oriented Database. In Proceedings of the 2011 2nd International Conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC), Zhengzhou, China, 8–10 August 2011; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2011; pp. 1920–1922.
  • Grandhi, L.S.; Grandhi, S.; Wibowo, S. A Security-UTAUT Framework for Evaluating Key Security Determinants In Smart City Adoption by the Australian City Councils. In Proceedings of the 2021 21st ACIS International Semi-Virtual Winter Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, SNPD-Winter, Ho Chi Minh City, Vietnam, 28–30 January 2021; ACIS International: Mt. Pleasant, MI, USA; pp. 17–22.
  • Saya, W.P. The building of intelligence. AFE Facil. Eng. J. 2005, 32, 7–11.
  • Hong, T.; Hofmann, A. Data Integrity Attacks Against Outage Management Systems. IEEE Trans. Eng. Manag. 2021.
  • Clarke, R. Regulatory alternatives for AI. Comput. Law Secur. Rev. 2019, 35, 398–409.
  • La Fors, D.K. Legal remedies for a forgiving society: Children’s rights, data protection rights and the value of forgiveness in AI-mediated risk profiling of children by Dutch authorities. Comput. Law Secur. Rev. 2020, 38, 105430.
  • Shumilov, A.; Philippovich, A. Gesture-based animated CAPTCHA. Inf. Comput. Secur. 2016, 24, 242–254.
  • Lin, W.; Ke, S.; Tsai, C. CANN: An intrusion detection system based on combining cluster centers and nearest neighbors. Knowl. Based Syst. 2015, 78, 13–21.
  • De Fátima Stankowitz, R.; Salvação, P.M.; Lima, E.B.; de Medeiros Amaro, M.L.; Morales, H.M.P. Proposal of an Electronic Health Record Integrated to an Artificial Intelligence System for Early Detection of Sepsis. Towards the Digital World and Industry X.0. In Proceedings of the 29th International Conference of the International Association for Management of Technology (IAMOT), Cairo, Egypt, 13–17 September 2020; pp. 918–927.
  • Gómez-Vallejo, H.J.; Uriel-Latorre, B.; Sande-Meijide, M.; Villamarín-Bello, B.; Pavón, R.; Fdez-Riverola, F.; Glez-Peña, D. A case-based reasoning system for aiding detection and classification of nosocomial infections. Decis. Support Syst. 2016, 84, 104–116.
  • Maksim, B.; Pavel, W.; Irina, V.; Mikhail, S.; Margarita, C. Development of a Software Library for Game Artificial Intelligence. In Proceedings of the 2020 IEEE International Conference Quality Management, Transport and Information Security, Information Technologies (IT and QM and IS), Yaroslavl, Russia, 7–11 September 2020; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA; pp. 188–192.
  • Sharif, M.; Kausar, A.; Park, J.; Shin, D.R. Tiny Image Classification Using Four-Block Convolutional Neural Network. In Proceedings of the ICTC 2019—10th International Conference on ICT Convergence: ICT Convergence Leading the Autonomous Future, Jeju City, South Korea, 16–18 October 2019; pp. 1–6.
  • Yang, Y.; Zeng, H.; Li, Z. The Video Surveillance System Based on DSP and Wireless Network. In Proceedings of the 2011 2nd International Conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC), Zhengzhou, China, 8–10 August 2011; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2011; pp. 2657–2659.
  • Zhang, Y.; Huang, H. VOIP Voice Network Technology Security Strategies. In Proceedings of the 2011 2nd International Conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC), Zhengzhou, China, 8–10 August 2011; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2011; pp. 3591–3594.
  • Rosário, A.; Vilaça, F.; Raimundo, R.; Cruz, R. Literature review on health knowledge management in the last 10 years (2009–2019). Electron. J. Knowl. Manag. 2021 , 18 , 338–355. [ Google Scholar ] [ CrossRef ]
  • Raimundo, R.; Rosário, A. Blockchain system in the higher education. Eur. J. Investig. Health Psychol. Educ. 2021 , 11 , 21. [ Google Scholar ] [ CrossRef ]
  • Rosário, A.; Fernandes, F.; Raimundo, R.; Cruz, R. Determinants of Nascent Entrepreneurship Development. In Handbook of Research on Nascent Entrepreneurship and Creating New Ventures ; Carrizo Moreira, A., Dantas, J.G., Eds.; IGI Global: Hershey, PA, USA, 2021; pp. 172–193. [ Google Scholar ]
  • Kayes, A.S.M.; Kalaria, R.; Sarker, I.H.; Islam, M.S.; Watters, P.A.; Ng, A.; Hammoudeh, M.; Badsha, S.; Kumara, I. A Survey of Context-Aware Access Control Mechanisms for Cloud and Fog Networks: Taxonomy and Open Research Issues. Sensors 2020 , 20 , 2464. [ Google Scholar ] [ CrossRef ] [ PubMed ]


Database: Scopus | Screening | Publications
Meta-search | Keyword: Artificial Intelligence | 382,586
Inclusion Criteria | Keyword: Artificial Intelligence; Security | 15,916
Inclusion Criteria | Keyword: Artificial Intelligence; Security; Business, Management, and Accounting | 401
Screening | Keyword: Artificial Intelligence; Security; Business, Management, and Accounting; Exact Keyword: Security of Data; Security Systems; Published until June 2021 | 77
Title | SJR | Best Quartile | H Index
Information Systems Research | 3.510 | Q1 | 159
International Journal of Production Economics | 2.410 | Q1 | 185
Information and Management | 2.150 | Q1 | 162
Knowledge-Based Systems | 1.590 | Q1 | 121
Decision Support Systems | 1.560 | Q1 | 151
Industrial Management and Data Systems | 0.990 | Q1 | 103
Technology in Society | 0.820 | Q1 | 51
Computer Law and Security Review | 0.820 | Q1 | 38
Journal of the Operational Research Society | 0.750 | Q1 | 108
IEEE Transactions on Engineering Management | 0.700 | Q1 | 92
ACM Transactions on Management Information Systems | 0.600 | Q1 | 29
Journal of Network and Systems Management | 0.490 | Q2 | 35
Information and Computer Security | 0.330 | Q2 | 49
TQM Journal | 0.540 | Q2 | 67
IEEE Engineering Management Review | 0.300 | Q3 | 20
International Journal of Production Research | 0.270 | Q3 | 19
International Journal of Networking and Virtual Organizations | 0.170 | Q4 | 19
Electronic Design | 0.100 | Q4 | 7
Proceedings of the European Conference on Innovation and Entrepreneurship (ECIE) | 0.130 | -* | 6
ICAPS 2008 Proceedings of the 18th International Conference on Automated Planning and Scheduling | -* | -* | 19
WIT Transactions on Information and Communication Technologies | -* | -* | 13
Proceedings Annual Meeting of the Decision Sciences Institute | -* | -* | 9
Proceedings of the 2014 Conference on IT in Business, Industry and Government: An International Conference by CSI on Big Data (CSIBIG 2014) | -* | -* | 8
2nd International Conference on Current Trends in Engineering and Technology (ICCTET 2014) | -* | -* | 7
ICE-B 2010 Proceedings of the International Conference on E-Business | -* | -* | 6
AFE Facilities Engineering Journal | -* | -* | 2
2011 2nd International Conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC 2011) Proceedings | -* | -* | -*
Proceedings of the 2020 IEEE International Conference Quality Management, Transport and Information Security, Information Technologies (IT and QM and IS 2020) | -* | -* | -*
Proceedings of the 2019 IEEE International Conference Quality Management, Transport and Information Security, Information Technologies (IT and QM and IS 2019) | -* | -* | -*
Proceedings 2021 21st ACIS International Semi-Virtual Winter Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD-Winter 2021) | -* | -* | -*
ICTC 2019 10th International Conference on ICT Convergence: ICT Convergence Leading the Autonomous Future | -* | -* | -*
2013 3rd International Conference on Innovative Computing Technology (INTECH 2013) | -* | -* | -*
2020 IEEE Technology and Engineering Management Conference (TEMSCON 2020) | -* | -* | -*
2020 International Conference on Technology and Entrepreneurship Virtual (ICTE-V 2020) | -* | -* | -*
FAccT 2021 Proceedings of the 2021 ACM Conference on Fairness, Accountability and Transparency | -* | -* | -*
HAC | -* | -* | -*
ICAPS 2009 Proceedings of the 19th International Conference on Automated Planning and Scheduling | -* | -* | -*
Information Management and Computer Security | -* | -* | -*
Information Management Computer Security | -* | -* | -*
Proceedings 2020 2nd International Conference on Machine Learning, Big Data and Business Intelligence (MLBDBI 2020) | -* | -* | -*
Toward the Digital World and Industry X.0: Proceedings of the 29th International Conference of the International Association for Management of Technology (IAMOT 2020) | -* | -* | -*
Raimundo, R.; Rosário, A. The Impact of Artificial Intelligence on Data System Security: A Literature Review. Sensors 2021, 21, 7029. https://doi.org/10.3390/s21217029

The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda

The TQM Journal

ISSN: 1754-2731

Article publication date: 16 March 2021

Issue publication date: 17 December 2021

Purpose

After 15 years of research, this paper aims to present a review of the academic literature on ISO/IEC 27001, the most renowned standard for information security and the third most widespread ISO certification. Emerging issues are reframed through the lenses of social systems thinking, deriving a theory-based research agenda to inspire interdisciplinary studies in the field.

Design/methodology/approach

The study is structured as a systematic literature review.

Findings

Research themes and sub-themes are identified on five broad research foci: relation with other standards, motivations, issues in the implementation, possible outcomes and contextual factors.

Originality/value

The study presents a structured overview of the academic body of knowledge on ISO/IEC 27001, providing solid foundations for future research on the topic. A set of research opportunities is outlined, with the aim to inspire future interdisciplinary studies at the crossroad between information security and quality management. Managers interested in the implementation of the standard and policymakers can find an overview of academic knowledge useful to inform their decisions related to implementation and regulatory activities.

  • ISO/IEC 27001
  • Information security
  • Systematic literature review
  • Management system standards

Culot, G. , Nassimbeni, G. , Podrecca, M. and Sartor, M. (2021), "The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda", The TQM Journal , Vol. 33 No. 7, pp. 76-105. https://doi.org/10.1108/TQM-09-2020-0202

Emerald Publishing Limited

Copyright © 2021, Giovanna Culot, Guido Nassimbeni, Matteo Podrecca and Marco Sartor

Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode

1. Introduction

Economy and society are becoming increasingly data-driven, yet most of the debate across managerial disciplines has been focusing on how to extract value from data – e.g. through business model innovation (Spiekermann and Korunovska, 2017; Hagiu and Wright, 2020; Iansiti and Lakhani, 2020) – rather than on protecting what seems to be a crucial asset today: information. Emerging technologies, platform-based business models and the spread of smart working practices are multiplying the number of entry points in computer networks and thus their vulnerability (Hooper and McKissack, 2016; Lowry et al., 2017; Corallo et al., 2020). Holistic approaches are required to face the increasingly complex challenge of information system security (ISS): substantial managerial focus is needed to balance trade-off decisions between protection and legal compliance, on the one hand, and cost and operational agility, on the other (e.g. Vance et al., 2020; D'Arcy and Teh, 2019; Burt, 2019; Antonucci, 2017). In spite of increasing practitioners' interest in the topic (e.g. Gartner, 2018; McKinsey, 2019), ISS is still perceived in academia as an essentially technical topic (Alguliyev et al., 2018; Lezzi et al., 2018; Sallos et al., 2019).

Over the years, ISS standards and frameworks have been playing a pivotal role in the dissemination of now much-needed holistic – technical, organizational and managerial – approaches (Von Solms, 1999; Ernst and Young, 2008). Among them, ISO/IEC 27001 is probably the most renowned one, being the third most widespread ISO certification worldwide, following ISO 9001 and ISO 14001 (ISO, 2019). The standard was designed and published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 as an evolution of BS 7799. It “[…] specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization”; the requirements “[…] are generic and are intended to be applicable to all organizations, regardless of type, size or nature” (ISO/IEC 27001:2013). Several leading organizations ask their business partners to be ISO/IEC 27001 certified – e.g. Netflix for post-production partners – and widespread publicity has been given over the years to the attainment of ISO/IEC 27001 certification by prominent technological providers, including Apple Internet Services, Amazon Web Services, GE Digital, several Microsoft business units and – more recently – Facebook's Workplace (e.g. Venters and Whitley, 2012).

Overall, the literature on ISS standards is marked by ongoing concerns about their efficacy and validation (e.g. Siponen and Willison, 2009; Silva et al., 2016; Niemimaa and Niemimaa, 2017). After 15 years of scientific research on ISO/IEC 27001 and in light of its growing popularity, we believe that it is time for academia to assess how these fundamental concerns have been addressed so far with respect to this specific standard and to question related research prospects against a context characterized by ever-increasing connectivity and digitalization. We believe that more interdisciplinarity in the study of ISS standards is necessary considering how – according to many observers (e.g. Blackburn et al., 2020; The Economist, 2020) – the COVID-19 health crisis is expected to accelerate the role of digital technologies in the business environment as well as in daily life.

This study moves in this direction by developing a systematic literature review on ISO/IEC 27001. As Webster and Watson (2002) point out, a systematic approach is the starting point for advancing research in a given field, laying strong foundations for future studies. Unlike previous reviews, our work does not focus on a specific topic in the ISO/IEC 27001 research – i.e. diffusion in Barlette and Fomin (2010) and technical approaches in Ganji et al. (2019) – but aims at providing a comprehensive synthesis of the debate in the field. The results are read through the lenses of social systems thinking to formulate a theory-based research agenda to inspire future studies at the intersection between information systems (IS) and managerial disciplines, including quality management. In line with renewed calls for theory-grounded research (e.g. Breslin et al., 2020; Post et al., 2020) and following Seuring et al.'s (2020) considerations, we extend the reach of three specific system theoretical approaches to the study of ISO/IEC 27001. As we leverage theoretical perspectives never applied to ISO/IEC 27001 and not common in research on other voluntary standards (Sartor et al., 2016, 2019; Orzes et al., 2018), we trust that our effort can stimulate the academic debate by integrating new streams of theory and allowing scientific exchange beyond what is already present.

Under this premise, this study delivers two main contributions to the literature. First, we present and organize the body of knowledge on ISO/IEC 27001 across several research streams and topics, providing a comprehensive overview targeted at scholars from different backgrounds. Second, we add a novel analytical perspective to the research on ISO/IEC 27001 through the lenses of social systems thinking, which may apply to the study of other voluntary standards as well.

Our paper also has substantial practical implications. The results of the literature review provide managers with an overall picture of the knowledge created over the years by academic research on the ISO/IEC 27001 standard, including relevant elements to consider in pursuing, implementing and managing the certification. Moreover, policymakers may find pertinent perspectives that inform their decisions regarding public support for the diffusion of the certification. In doing so, the paper shifts the focus of the debate from firm-level implementation of ISO/IEC 27001 to a system-level perspective, urging decision-makers to consider ISS needs and practices in the broader business environment in which organizations exchange data and information.

The remainder of the paper is structured as follows. The next section illustrates the methodology adopted for the literature review. Thereafter, we present the descriptive characteristics of the contributions included in our analysis. The results of the thematic coding are presented in two main sections. Next, the discussion revolves around the main issues and current knowledge gaps, followed by the formulation of a theory-based research agenda. We conclude by outlining the contributions of our research.

2. Review approach

Management system standards are inherently multi-dimensional phenomena that can be analyzed according to several research perspectives (Uzumeri, 1997; Heras-Saizarbitoria and Boiral, 2013); we therefore opted for a systematic approach to the literature review to minimize the implicit biases of the researchers involved in the identification, selection and coding of papers. The approach – following the guidelines of Tranfield et al. (2003), Rousseau et al. (2008) and Seuring and Gold (2012) – is in line with previous studies on other voluntary standards (e.g. Sartor et al., 2016; Boiral et al., 2018).

The review protocol was structured to meet the following research objectives: (1) provide a comprehensive overview of the literature on ISO/IEC 27001; (2) classify themes, sub-themes and type of evidence; (3) underscore recurring patterns, conflicting results and unexplored research areas.

The first step was the identification of the literature. We performed a formal search on multiple online scientific databases: Elsevier's Scopus and Science Direct, Clarivate's Web of Science, EBSCO Business Source Complete and EconLit, ProQuest's Social Sciences, JSTOR, Wiley Online Library and Emerald Insight. The keywords were selected to include different spellings of the standard – i.e. “ISO270**,” “ISO 270**,” “IEC 270**,” “IEC270**,” “ISO/IEC 270**,” “ISO / IEC 270**,” “ISO / IEC270**” and “ISO/IEC270**” – combined with the OR operator. The search on title, abstract and keywords covered the period until November 2020. We included only peer-reviewed journal articles, books and book chapters written in English, for a total of 537 unique records.

As a second step, abstracts and full texts were screened for their fit with the objectives of the study. Two researchers were involved independently. We excluded contributions that: (1) referred to other standards and (2) merely mentioned ISO/IEC 27001 without a structured analysis or discussion. We included both theoretical and empirical contributions that: (1) focused specifically on ISO/IEC 27001, (2) analyzed ISO/IEC 27001 together with other standards, (3) discussed ISS/cybersecurity issues at large with explicit reference to ISO/IEC 27001. In this way, 116 contributions were pre-selected, their content was further analyzed and their references enabled the identification of other works through a forward/backward citation analysis (Webster and Watson, 2002). This process led to a final list of 96 contributions.

The third step in the process was to analyze the material to capture thematic trends, meanings, arguments and interpretations (Mayring, 2000; Duriau et al., 2007). Books and book chapters were classified based on year and authors' affiliation/geography. Journal articles were classified based on year, publication outlet, disciplinary area, authors' affiliation/geography, methodology and underpinning theory (if any).

Thereafter, we performed a content analysis on journal articles following Seuring and Gold's (2012) methodological recommendations. The coding categories and main themes included in Figure 1 were defined deductively, drawing from previous literature reviews on other standards and frameworks (e.g. Stevenson and Barnes, 2002; Heras-Saizarbitoria and Boiral, 2013; Manders et al., 2016; Boiral et al., 2018) and refined inductively through iterative cycles during the coding process. The specific sub-themes were identified inductively, aggregating the arguments emerging from the content analysis by similarity.

The coding activity was conducted independently by two researchers (Duriau et al., 2007). Each researcher mapped on an Excel spreadsheet the recurrence of the sub-themes in the papers, coding whether the evidence was of a conceptual (C) or rather empirical (E) nature. In addition, the researchers noted some relevant passages for each paper/sub-theme to facilitate the interpretation of the results. The few instances of disagreement were resolved through formal discussion.

Finally, the results of the coding activity were examined. We calculated the descriptive characteristics of the papers included in the review and the proportion of studies addressing each sub-theme. A synthesis of the relevant passages reported in the literature for each sub-theme was also prepared and discussed within the research team. The following sections illustrate the outcomes of our analysis.

As books and book chapters are practitioner-oriented and rarely peer-reviewed, we did not include them in the scientific coding and present them in a standalone subsection. The coding process followed the same methodological approach as journal articles.

3. Characteristics of the literature

The classification of the 96 contributions brings to light how the debate on ISO/IEC 27001 developed within the scientific and practitioner communities. The main findings are summarized in Figure 2 and clarified in the following paragraphs.

The first contribution on the topic was published in 2005, the same year as the release of ISO/IEC 27001. Since then, the average number of contributions has been six per year, with an uptick in interest in recent years. This trend is correlated with the growing popularity of the standard (ISO, 2019) and probably with ISS becoming a hot topic in the aftermath of publicly reported scandals (e.g. Starwood Hotels, Cambridge Analytica/Facebook, Apple, Evernote, Heartland).

The analysis of the publication outlets shows that most of the papers belong to the IS literature, either in journals specifically related to ISS or in outlets more broadly related to IS and technology, including computer science. The strong technical connotation is confirmed by the analysis of the authors' affiliations.

In terms of geography, the authors belong mainly to institutions located in European countries. The distribution partially reflects the geographical focus of the empirical studies included in the review and is consistent with the international diffusion of ISO/IEC 27001 certifications (ISO, 2019).

From a methodological standpoint, the vast majority of the papers have a conceptual nature. It should be noted that research on ISO/IEC 27001 is characterized by relatively weak theoretical underpinning: six papers built on established theories, i.e. the circuit of power framework in Smith et al. (2010), the resource-based view (RBV) and crisis management theory in Bakar et al. (2015), the technology acceptance model (TAM) in Ku et al. (2009), Van Wessel et al. (2011) and Dos Santos Ferreira et al. (2018), the theory of cultural differences in Asai and Hakizabera (2010) and the technology–organization–environment (TOE) framework in Mirtsch et al. (2021).

4. Thematic findings

4.1 ISO/IEC 27001 and other standards/frameworks

Only 33% of the journal articles included in the review focus exclusively on ISO/IEC 27001. The vast majority of contributions examine it together with other ISS standards and management certifications. Themes and issues are essentially related to standard comparison and integration, as illustrated in the following paragraphs and in Table 1.

Regarding the relation of ISO/IEC 27001 to other standards with similar scope, it should be noted that the list of options available to organizations approaching ISS and cybersecurity is long and articulated. In general terms, standards may cover information security at large, including non-information technology (non-IT) assets – as ISO/IEC 27001 does – or rather have a technological connotation. This technological connotation might, in turn, be generalist – such as the Control Objectives for Information and Related Technologies (COBIT) and the Information Technology Infrastructure Library (ITIL) – or rather target specific IS layers and related safeguards. Moreover, ISS initiatives are characterized by different purposes, including the definition of requirements (e.g. the HITRUST Common Security Framework – CSF and ISO 15408 – Common Criteria), the provision of risk assessment instruments (e.g. the National Institute of Standards and Technology – NIST Special Publication – SP 800-30, ISO 27005 and COBIT) and the dissemination of best practices (e.g. ISO 27002, Committee of Sponsoring Organizations of the Treadway Commission – COSO, Information Security Forum – ISF and NIST 800-53).

In light of these differences, several studies indicate complementarities and synergies between ISO/IEC 27001 and other standards/frameworks for a more comprehensive approach to ISS and cybersecurity (e.g. Lomas, 2010; Rezakhani et al., 2011; Fuentes et al., 2011). Substantial issues, however, are reported in the literature with respect to their integration, including differences in scope, the number of requirements and their only partial overlap, and the different terminology used (Broderick, 2006; Pardo et al., 2012; Beckers et al., 2013; Bettaieb et al., 2019). Against these challenges, several papers (17 contributions, 23%) suggest harmonization methods, also supported by empirical testing (e.g. Pardo et al., 2012, 2013; Mesquida et al., 2014; Bettaieb et al., 2019). The issues addressed in these studies are diverse. Tarn et al. (2009), Rezakhani et al. (2011), Tsohou et al. (2010), Pardo et al. (2012), Leszczyna (2019) and Al-Karaki et al. (2020) each present a framework for the categorization of various ISS standards; along the same lines, Mesquida et al. (2014) and Pardo et al. (2013, 2016) approach ISO standards related to software quality, IT service management and ISS. Seven papers (Susanto et al., 2011; Montesino et al., 2012; Sheikhpour and Modiri, 2012a, b; Mukhtar and Ahmad, 2014; Bettaieb et al., 2019; Faruq et al., 2020) focus specifically on the alignment of the security controls recommended by ISO/IEC 27001 with other standards. Beckers et al. (2016), Bounagui et al. (2019), Leszczyna (2019) and Ganji et al. (2019) explore integration issues. An interesting perspective is provided by Simić-Draws et al. (2013), who define a method for law-compatible technology design.

Similar integration issues are analyzed in the literature with respect to other management system standards, especially other ISO management systems. Overall, the potential benefits of management system integration have been described in terms of implementation synergies (e.g. Crowder, 2013) and better outcomes (e.g. Bakar et al., 2015; Hannigan et al., 2019), despite a possibly increasing level of complexity (Heston and Phifer, 2011). However, researchers also highlight partial misalignments in the terminology, structure and scope of management system standards (Barafort et al., 2019). Methods and harmonization strategies are described in six papers in our review (8%). Heston and Phifer (2011) illustrate a framework for the selection of standards depending on organizational archetypes. Majerník et al. (2017) describe a conceptual model for the integration of ISO/IEC 27001, ISO 9001 for quality management, ISO 14001 for environmental management and OHSAS 18001 for occupational health and safety (now replaced by ISO 45001). The work of Barafort et al. (2017, 2018, 2019) focuses on the risk management activities foreseen by ISO/IEC 27001, ISO 9001, ISO 21500 (guidance on project management) and ISO/IEC 20000 (IT service management). Hoy and Foley (2015) delve into the integration of ISO 9001 and ISO/IEC 27001 audits.

Along the same lines, a further area of inquiry concerning ISO/IEC 27001 and other ISO management standards examines diffusion patterns, the order of implementation and possible effects on country-level economic indicators (Gillies, 2011; Cots and Casadesús, 2015; Başaran, 2016; Armeanu et al., 2017). The results show that ISO/IEC 27001 is often implemented after ISO 9001 (Mirtsch et al., 2021), and its diffusion is correlated with ISO/IEC 20000, following the logic that more specific standards are adopted after more general ones (Cots and Casadesús, 2015).

4.2 Motivations

In the literature on voluntary standards, significant attention has been paid to the motivations driving organizations in the pursuit of certifications (e.g. Heras-Saizarbitoria and Boiral, 2013; Sartor et al., 2016). This is also a common topic in the ISO/IEC 27001 literature, observed in 48% of the studies, although mostly through conceptual arguments.

Following Nair and Prajogo (2009), we classified the motivations as functionalist – i.e. organizations expect the standard to improve processes and documentation – and institutionalist – i.e. organizations view the certification as a means to better qualify against external stakeholders, including competitors, customers and regulatory agencies. Results are shown in Table 2.

Most of the studies reporting functionalist motivations refer to expectations around higher levels of ISS. This is obviously related to the scope of the standard as well as to the continuous improvement logic underpinning the ISMS (Lomas, 2010; Smith et al., 2010; Pardo et al., 2016) and the acquisition of new skills and competences (Ku et al., 2009; Bakar et al., 2015). Several papers also indicate expectations around more efficiency in the processes related to information management (e.g. Kossyva et al., 2014; Hlača et al., 2008; Annarelli et al., 2020). This seems particularly relevant for organizations with previous experience in the implementation of other management systems, as they are aware of the benefits of a structured approach to processes and accountabilities (Crowder, 2013).

Several institutionalist motivations also emerge from our analysis. Many authors report expectations of a better corporate image: through the attainment of the certification, it is possible to demonstrate that the organization can be considered a trustworthy partner by its stakeholders, including employees, suppliers, financial institutions and customers (Freeman, 2007; Liao and Chueh, 2012a). This, in turn, appears to be an indirect goal to attract more customers and consolidate client relationships (Beckers et al., 2013). In this respect, Lomas (2010) underlines that in the UK, information security scandals have raised public awareness; Ku et al. (2009) stress that organizations embrace the ISO/IEC 27001 certification to show that they are willing to take a more proactive stance.

Along the same lines, it has been suggested that ISO/IEC 27001 may be adopted following market demands, i.e. large private-sector corporations require their suppliers to be certified (Ţigănoaia, 2015; Barafort et al., 2019). The reason for this might be independent of large corporations being certified themselves, but rather – as reported by Everett (2011) – be related to a standardization of the bidding and procurement process. In this respect, however, it should be noted that several companies pursue an informal implementation – i.e. they shape their ISMS in compliance with the standard but do not seek the certification – as ISMS requirements can be self-certified through suppliers' questionnaires (Cowan, 2011; Dionysiou, 2011).

A further motivation mentioned in the studies refers to the presence of governmental regulatory and promotion activities fostering ISO/IEC 27001 diffusion. The past decade has seen a progressive intensification of national (e.g. in the USA, the “National Strategy to Cyberspace Security”) and international initiatives (e.g. the Organization for Economic Cooperation and Development – OECD guidelines, European-level initiatives such as the recent EU Cybersecurity Act). Overall, these initiatives have been contributing to the dissemination of ISS awareness (Ku et al., 2009); some of them have explicitly fostered the ISO/IEC 27001 certification, as in the case of Japan (Everett, 2011; Gillies, 2011). Smith et al. (2010) note that the Australian Government preferred ISO/IEC 27001 over other ISS standards because of its flexibility in accommodating local legal requirements. The reach of European-level policies is well described in Dionysiou (2011), together with the peculiar example of Cyprus adopting certification as a “ticket to the European market” (p. 198).

Finally, some studies point to the presence of isomorphic dynamics. In the case illustrated by Hlača et al. (2008), ISO/IEC 27001 was adopted in light of the growing number of certified companies worldwide. The rationale behind this is illustrated in Stewart (2018) through the concept of network effects. This dynamic seems further reinforced by the global reputation of the ISO umbrella of standards (Deane et al., 2019).

4.3 Implementation

A considerable number of studies (68%) report issues and opportunities related to the implementation of the standard. We classified them according to three main questions: (1) how effectively do the tools and methods of ISO/IEC 27001 support the implementing organization? (2) how do organizations structure the project governance? (3) what differences in the actual adoption of practices have been documented?

The themes and sub-themes identified in the studies are illustrated in Table 3.

As for the efficacy of the (1) tools and methods indicated by ISO/IEC 27001, the literature is ambivalent. Whereas several authors (e.g. Smith et al., 2010) praise the flexibility of ISO/IEC 27001, a number of studies see it as a potential drawback in the implementation process (e.g. Lomas, 2010; Rezaei et al., 2014). The requirements are often perceived as too formal and wide-ranging; they prescribe what should be done but leave the organization responsible for choosing how to achieve those goals (Bounagui et al., 2019). The lack of precise methodological indications may translate into low accuracy in risk analysis and asset assessment. Much is left to the expertise of the individuals in charge (e.g. Ku et al., 2009; Liao and Chueh, 2012a), often with too much emphasis placed on the technical side (Ozkan and Karabacak, 2010; Itradat et al., 2014).

Some specific issues in this respect emerge from the literature. The most relevant one concerns the security controls, in particular the set of 133 controls described in Annex A of the 2005 version of the standard. Although that control set is no longer mandatory in the version current at the time of this review (ISO/IEC 27001:2013), the main problems highlighted by previous research are still worth mentioning. Controls seemed not to be applicable in organizations with low-technology profiles (Liao and Chueh, 2012b), entailed too rigid procedures (Crowder, 2013) and were costly to implement because they could be only partially automated through hardware and software tools (Montesino et al., 2012). As for the 2013 version of ISO/IEC 27001, Ho et al. (2015) note that the standard still does not provide guidance on the mutual interdependence among the different control items; similarly, Stewart (2018) and Topa and Karyda (2019) refer to the lack of indications regarding a cost/benefit assessment in the selection of controls. On this, Bettaieb et al. (2019) propose a machine-learning approach to identify the most relevant controls, given the characteristics and context of the implementing organization.

The literature has also highlighted a lack of guidance regarding possible interdependencies between the organization and the external environment. As reported by Smith et al. (2010) and Stewart (2018), many implementations fail because of an unstructured approach toward shared assets, e.g. services and IT infrastructure shared among local units of the same corporation, and poor identification of the organization's dependencies on third parties and outsourced services.

The support provided by ISO/IEC 27001 in aligning the organization's ISMS with local legislation has also been discussed. The standard states that the implementing organization should autonomously identify the applicable local regulation and contractual obligations (Diamantopoulou et al., 2020; Simić-Draws et al., 2013); however, in the absence of precise instructions, organizations face complex reconciliations and, in the case of multinational enterprises, the challenge of complying with multiple local legislations (Broderick, 2006). In connection to this, recent studies have investigated how the standard supports organizations in complying with the General Data Protection Regulation (GDPR), issued in 2016 to regulate data protection and privacy in the European Union and the European Economic Area. ISO/IEC 27001 had last been updated in 2013, i.e. before the GDPR was published, while the new regulatory requirements were addressed in the privacy information management extension published as ISO/IEC 27701 (developed under the draft number ISO/IEC 27552). Nevertheless, previous research has highlighted similar requirements between the GDPR and ISO/IEC 27001 (Annarelli et al., 2020) as well as the fact that a structured ISMS is a prerequisite for meeting the European requirements (Serrado et al., 2020).

Another issue underscored in the studies concerns the fact that ISO/IEC 27001 does not provide adequate guidance on the cultural and psychological dimensions relevant to ensuring employees' compliance (Van Wessel et al., 2011). As highlighted by Topa and Karyda (2019), there are only limited indications regarding the appraisal of individual habits and values, e.g. privacy concerns and compliance attitude. Similarly, Asai and Hakizabera (2010) underline the presence of cultural differences in the attitude toward ISS.

With regard to the second overarching theme, (2) project governance, the studies show that IT, organizational and legal competencies are all necessary, and therefore companies need to formulate well-defined coordination mechanisms (e.g. Crowder, 2013). In terms of the structure of the project team and implementation phases, the literature reports various approaches, normally starting with local pilots and then moving on to large-scale rollouts (Ku et al., 2009; Van Wessel et al., 2011). Along the same lines, although it is well documented that a successful management system requires leadership endorsement (e.g. Crowder, 2013), several articles indicate that ISO/IEC 27001 is mostly developed by IT departments alone (Van Wessel et al., 2011; Akowuah et al., 2013). Stewart (2018) notes that information security leaders are unlikely to be included in the management committee. Everett (2011) reports that limited awareness among directors often results in low budget allocation. An unsolved implementation issue seems to be the involvement of consultants. Whereas the need for specialist ISS competencies leads many organizations to seek external support (e.g. Dionysiou, 2011; Hoy and Foley, 2015; Annarelli et al., 2020), several studies underline how this may hamper organizational learning and lead to unsuccessful implementation (Ku et al., 2009; Gillies, 2011). In any case, there is agreement that the process to obtain the ISO/IEC 27001 certification usually absorbs significant working hours and financial resources (e.g. Gillies, 2011; Van Wessel et al., 2011).

Finally, the last theme emerging from our review concerns possible differences in the (3) actual adoption of practices, namely, to what extent the written documentation is internalized by the organization (Nair and Prajogo, 2009). This has emerged as a key research area in relation to other standards and voluntary initiatives (e.g. Heras-Saizarbitoria and Boiral, 2013; Orzes et al., 2018), but few studies have addressed the question specifically with regard to ISO/IEC 27001. Some papers stress that a “cosmetic and not substantial” application of the standard might take place (Culot et al., 2019, p. 83) and that some companies “put in as little effort as possible” (Everett, 2011, p. 7). Moreover, the reasons why several companies conform to ISO/IEC 27001 requirements but do not seek formal certification remain under-investigated (Mirtsch et al., 2021).

Comparatively more attention has been paid to employee compliance. The studies refer to organizational inertia, i.e. employees are skeptical about the required reconfiguration of processes and reluctant to change (e.g. Heston and Phifer, 2011; Topa and Karyda, 2019), and to opposition whenever the implementation of the standard is externally mandated (Smith et al., 2010).

4.4 Outcomes

As illustrated in Table 4, few studies (26%) have cited the outcomes of the ISO/IEC 27001 certification, and just half of them provide supporting empirical evidence. Only three studies focus explicitly on the impact of the standard. Tejay and Shoraka (2011) and Deane et al. (2019) use an event study to analyze the impact of the certification on stock market performance; Kossyva et al. (2014) discuss its benefits conceptually in a co-opetitive setting. The other papers either report impacts within case-study descriptions and expert opinions (Van Wessel et al., 2011; Crowder, 2013; Rezaei et al., 2014; Hannigan et al., 2019; Annarelli et al., 2020) or derive outcomes from conceptual reasoning (Freeman, 2007; Dionysiou, 2011; Fuentes et al., 2011; Gillies, 2011; Bakar et al., 2015).

The performance dimensions emerging from our analysis are diverse, some more in line with the scope of the standard, i.e. lower risk levels (Freeman, 2007; Rezaei et al., 2014) and improved business continuity (Van Wessel et al., 2011; Bakar et al., 2015), others related to organizational and financial improvements. The studies refer to streamlined and efficient processes resulting from the ISMS redesign (Fuentes et al., 2011; Crowder, 2013). Process improvements may translate into increased employee and customer satisfaction, even though Van Wessel et al. (2011) report that, for one of the companies they analyzed, the certification also meant losing some operational flexibility. Kossyva et al. (2014) suggest a reduction in miscommunication and opportunism in information exchange.

Some authors looked at the impact of the certification from a financial perspective. The cases analyzed in Van Wessel et al. (2011) report a payback period in line with expectations. Bakar et al. (2015) claim that ISO/IEC 27001 may prevent the leaking of private information to unauthorized parties, and the subsequent legal actions, bad publicity and profit losses. Moreover, certified companies are reported to pay lower insurance premiums (Gillies, 2011; Susanto et al., 2012).

Besides organizational-level benefits, it should be noted that two papers correlate ISO/IEC 27001 diffusion with country-level indicators. The study of Armeanu et al. (2017) shows that the presence of ISO standards has a positive influence on the economic sentiment indicator, a cross-industry composite confidence indicator published monthly by the European Commission. Başaran (2016) illustrates the strength of the association between the number of ISO certificates and industrial property rights granted in Turkey.

4.5 Context

Several studies (50%) indicate that the adoption of ISS standards, as well as the motivations, implementation and outcomes of ISO/IEC 27001, should be read against the context in which the organization operates, as shown in Table 5.

Most of the papers stressing differences among countries refer to international (e.g. Europe, OECD) and governmental (e.g. Japan, Australia) initiatives fostering the diffusion of ISO/IEC 27001 (e.g. Lomas, 2010; Dionysiou, 2011; Serrado et al., 2020). Other studies highlight higher adoption in countries that host offshored activities, e.g. Taiwan, Singapore and India, because of the need to ensure a secure environment for intellectual property and thus maintain attractiveness (Ku et al., 2009). Less export-oriented countries might, on the contrary, be less likely to see high adoption rates (Dionysiou, 2011). Interestingly, Heston and Phifer (2011) point out that multinational enterprises (MNEs), although structuring their processes homogeneously at the global level, might formally pursue the certification only in some countries depending on local opportunities and constraints.

Country-specific elements are underscored also in relation to cultural differences in employees' attitudes toward ISMS compliance (Asai and Hakizabera, 2010; Topa and Karyda, 2019). Moreover, the approach to ISO/IEC 27001 implementation seems to differ between European and Chinese companies (Van Wessel et al., 2011).

Differences based on organizations' size are mentioned in the literature to a lesser extent. Even though smaller public companies might expect greater returns from certification than larger firms (Deane et al., 2019), only large companies seem to assign sufficient priority to ISS, owing to resource availability (Dionysiou, 2011; Gillies, 2011). With regard to the implementation process, as stressed by Stewart (2018), ISO/IEC 27001 is designed for an “average organization,” and it might not be suitable for companies deviating the most from this average profile, e.g. in size or level of centralization (Smith et al., 2010; Stewart, 2018).

In terms of industry-specific dynamics, the literature points to differences in diffusion patterns. Although the standard is generic by design, it is adopted more in regulated industries, such as financial services and health care (Dionysiou, 2011; Heston and Phifer, 2011; Mukhtar and Ahmad, 2014), and where information security attacks have historically been more frequent (Deane et al., 2019). In other industries there seems to be less interest (Everett, 2011; Liao and Chueh, 2012a, b), although certification might represent a differentiation factor (Ku et al., 2009; Crowder, 2013). Finally, although the standard does not require the implementing organization to have any form of IT in place, it is often perceived as applicable only to highly digitalized contexts (Crowder, 2013).

By contrast, the most recent literature shines the spotlight on the limited effectiveness of ISO/IEC 27001 against emerging technologies. Overall, the studies underline that the emergence of cloud computing, the internet of things and platform-based business models makes it increasingly difficult to define the scope and boundaries of the ISMS (Culot et al., 2019). Being process-driven, ISO/IEC 27001 seems better suited to meet these challenges than more document-oriented standards (Beckers et al., 2013). However, ISO/IEC 27001 alone seems insufficient to guarantee both IS security and safety (Park and Lee, 2014), although it may represent the backbone on which more specific standards are integrated (Leszczyna, 2019).

Lastly, the literature highlights the presence of contingencies related to organizational culture. Depending on it, ISS can be understood as a purely technical issue rather than a far-reaching business goal (e.g. Everett, 2011). In a survey, cultural change is identified as the main challenge to overcome (Gillies, 2011); organizations more prone to innovation and change are expected to be more successful in implementing the standard (e.g. Ku et al., 2009; Liao and Chueh, 2012a).

4.6 Themes and topics related to books and book chapters

In addition to what has been illustrated in the previous sections, the results of the analysis of the books and chapters on ISO/IEC 27001 are consistent with the themes emerging from the coding of academic articles. As shown in Table 6, besides some contributions providing a general overview of the standard (e.g. Accerboni and Sartor, 2019; Arnason and Willet, 2007), most of the books focus either on the relationship of ISO/IEC 27001 with other standards for ISS (e.g. Calder 2008, 2018; Calder and Geraint, 2008) or on complementing the standard's guidelines with implementation methods, technical tools (e.g. Calder, 2006a; Calder and Watkins, 2008; Beckers, 2015) and risk management approaches (e.g. Calder and Watkins, 2010). Legal issues and the auditing process have received comparatively little attention so far (Pompon, 2016). Managerial topics related to the standard's implementation refer to limited leadership awareness (Calder, 2010) as well as to motivations and the effectiveness of the guidelines (Erkonen, 2008; Dionysiou et al., 2015).

5. Summary and research challenges

The systematic review on ISO/IEC 27001 helps to clarify the main themes and results elaborated in almost 15 years of academic research on the standard. It emerges clearly from the literature that: (1) a structured approach to information and cybersecurity requires the integration of multiple standards; (2) the motivations to pursue the ISO/IEC 27001 certification are also related to governmental incentives and market demands; (3) implementation entails several challenges because the guidelines are generic by design, and different approaches and internalization levels are possible; (4) there is limited evidence demonstrating the outcomes of the certification; (5) the integration of ISS standards, motivations, implementation and outcomes all depend on a series of contextual factors, including the technological environment in which the organization operates. Overall, the paucity of empirical studies on ISO/IEC 27001 is striking, especially in light of significant public efforts to sustain the diffusion of the certification. The limited cross-fertilization between subject areas in the academic debate further exacerbates the knowledge gaps on this subject.

Today, value creation is all about exchanging information within and beyond organizational boundaries (Culot et al., 2020; Hagiu and Wright, 2020). New forms of inter-organizational collaboration allow intellectual property and data to flow between organizations (Bititci et al., 2012; Pagani and Pardo, 2017). The scale and scope of such interactions are posing new challenges to ISS (Hinz et al., 2015; Jeong et al., 2019; Feng et al., 2020). Supply chains are becoming increasingly digitalized, augmenting the risk of losing intellectual property (Kache and Seuring, 2017; Ardito et al., 2019; Büyüközkan and Göçer, 2018). Online platforms and tech giants are connecting vast numbers of suppliers and customers (Jacobides et al., 2018; Benitez et al., 2020); the participants in these ecosystems place their trust in the platform orchestrators' ability to ensure ISS at large, including that of relevant third parties (Burns et al., 2017). The spread of cloud-based solutions implies massive outsourcing of data storage and computing capabilities (Beckers et al., 2013; Markus, 2015).

Overall, this scenario demands that ISS be seen no longer as an issue affecting single organizations in isolation but as a question of flows and relations involving multiple partners: an inherently “wicked problem” calling for a broad rethinking of assumptions (Lowry et al., 2017). This is all the more relevant with regard to the challenges generated by the COVID-19 pandemic. For many organizations, social distancing resulted in a surge of work-from-home arrangements, higher activity on customer-facing networks and greater use of online services and platforms, all of which place immense stress on ISS controls and operations (Boehm et al., 2020; Deloitte, 2020). In parallel, several concerns have been raised about contact-tracing applications deployed in the attempt to contain the contagion; the potential damage from the misuse of personal and biometric data is unprecedented (Harari, 2020). As we write, the storm continues to rage in many areas of the world, yet many observers believe that a structural shift is taking place, making digitalization a key feature of the “new normal” (Smith, 2020; The Economist, 2020).

These considerations should also inform research on ISO/IEC 27001 going forward. In a world where organizational boundaries are increasingly meaningless, the very concept of an IS perimeter becomes obsolete (Dhillon et al., 2017; Cavusoglu et al., 2015). Overall, there is an apparent contradiction between the low technological specificity and organizational-level focus of the standard, on the one hand, and ISS requirements that are increasingly advanced and systemic, on the other.

Two aspects emerging from the review seem particularly relevant in this respect. First, other standards, frameworks and non-standardized practices may be integrated on the structure of ISO/IEC 27001 for more comprehensive approaches. Second, the ISO/IEC 27001 certification is often pursued in accordance with inter-organizational requirements, e.g. large companies demanding that their suppliers be certified, governmental actions sustaining the certification, expectations of image improvements and better relations with key stakeholders. Both these aspects, however, have been only superficially addressed so far. The integration of multiple standards and practices has been mostly tackled by technical studies defining methods, whereas the inter-organizational implications of ISO/IEC 27001 have emerged in the literature only with regard to the institutional motivations driving adoption.

Against this backdrop, we believe that a shift in the attention is needed from “the part” to “the whole” in the study of ISO/IEC 27001. In light of the growing number of certifications coupled with the endorsement of major digital players, it is important to intensify scientific efforts; the next section is thus devoted to the formulation of a set of research directions addressing these issues.

5.1 Theory-based research agenda

Transaction cost theory (Coase, 1937; Williamson, 1985): As the focus is placed on the costs arising from an economic exchange between a buyer and a seller, the theory has been used to analyze voluntary standards adoption patterns and performance implications related to lower information asymmetries (e.g. Prajogo et al., 2012).

Resource-based view (Penrose, 1959; Barney, 1991): Under the assumption that firms should identify and make use of resources that are valuable, rare and difficult to imitate in order to gain competitive advantage, researchers have investigated the motivations to adopt voluntary standards, the implementation process and the impact on performance (e.g. Darnall, 2006; Schoenherr and Talluri, 2013; Jabbour, 2015).

Institutional theory (Meyer and Rowan, 1977; DiMaggio and Powell, 1983): The perspective has been leveraged mainly for investigating the diffusion of voluntary standards, since societal influence might explain why organizations converge and become similar (e.g. Nair and Prajogo, 2009; Boiral and Henri, 2012).

Signaling theory (Spence, 1973): Studies have addressed the role of voluntary standards in supplier selection under conditions of imperfect information, mostly focusing on performance implications, absorption levels and time-dependent dynamics (e.g. Terlaak and King, 2006; Narasimhan et al., 2015).

Stakeholder theory (Freeman, 1984): Because this view integrates business and social issues, prior research has explored how pressure from (non-business) stakeholders might influence the motivations driving standard implementation and absorption as well as the impact on operational and reputational performance (e.g. Castka and Prajogo, 2013).

Although these theories can also be applied effectively to the study of ISO/IEC 27001, we believe that future research should not be limited to the standard's implementation within single organizations, but should (1) address its role within the suite of ISS practices and standards and (2) take into consideration that the scope of ISS reaches beyond organizational boundaries. Figure 3 clarifies how these two perspectives can be investigated, including a possible theoretical underpinning and a summary of the main research opportunities, which are outlined in the following paragraphs. In the figure, the perspectives form a matrix that identifies four overarching research areas with different scopes.

With respect to these four quadrants, the rationale behind the research agenda is based on the tenets of social systems thinking (e.g. Checkland, 1997; Weinberg, 2001). We drew from various approaches within this school of thought to provide a comprehensive, yet parsimonious analytical framework targeted at academics from different backgrounds. Reframing and reorganizing research topics through a system-based approach has proved to offer a good basis for providing new stimulus to scientific research and novel outlooks to the business community (e.g. Bititci et al., 2012; Schleicher et al., 2018).

In simple terms, a system is a set of interrelated elements, such that a change in one element affects others in the system (Von Bertalanffy, 1956); the system is characterized by a common purpose, functions as a whole and adapts to changes in environmental conditions (Boulding, 1956; Katz and Kahn, 1978). Different theories co-exist under this umbrella, and this plurality yields a rich research stream with a strong interdisciplinary connotation (Mele et al., 2010; Post et al., 2020).

the suite of standards, formal and informal practices – including ISO/IEC 27001 – that are implemented by organizations to manage ISS and cybersecurity; and

the network of relations in which organizations are embedded, be it supply chains, platform-based ecosystems or industries.

Different frameworks can be applied to these two systems. The first finds analytical support particularly in the congruence systems model, as originally formulated by Nadler and Tushman (1980, 1984) and recently re-elaborated by Schleicher et al. (2018). The model sees organizational practices as systems, identifies their inputs and outputs as well as their underlying components, i.e. tasks, individuals, formal and informal processes. These components are assumed to exist in a state of relative balance, their congruence determining the overall effectiveness of the system. Another important characteristic of such systems is the principle of equifinality (Katz and Kahn, 1978; Schleicher et al., 2018), suggesting that different configurations of the system components can lead to the same output or outcome.

Several research opportunities stem from this view, both for investigating the implementation of ISO/IEC 27001, e.g. the congruence between requirements and actual practices, or the choice to pursue certification as opposed to informal implementation and non-standardized practices, and for the managerial implications of multiple standard integration, including the analysis of congruence as a predictor of ISS performance. Overall, future research can develop typologies and taxonomies on the basis of the elements identified by the model to clarify the role of ISO/IEC 27001 within the suite of ISS standards and practices.

Collaborative systems, as outlined by Schneider et al. (2017) drawing from Luhmann (1995, 2013), to elucidate how individual organizations shape their approach to ISS depending on the network of relations in which they are embedded.

Complex adaptive systems (CAS), according to the conceptualization of Choi et al. (2001) and Carter et al. (2015), which shift the unit of analysis from the single organization to the whole network of relations, thus enabling the analysis of ISS practices at the level of the supply chain and the business ecosystem.

On the one hand, collaborative systems are based on the general principle that organizational structures and processes need to adapt to changes in the economic, technological and regulatory environment (Luhmann, 1995). Individual organizations can opt for internal solutions, but can also pursue joint initiatives, such as embracing standards or orchestrating industry-wide responses. These joint initiatives are more likely to happen if there is a history of cross-organizational collaboration connecting the agents and when concerns about the relevance of the issue to be addressed are shared among them (Schneider et al., 2017). These considerations are relevant to future research investigating organizations implementing internal ISS methodologies as opposed to standards, especially in light of new technologies and business models. Similarly, they can be tested with respect to standard diffusion patterns, taking into account the correlation between standards and implementation methodologies.

On the other hand, CAS are conceptualized as dynamic networks of autonomous agents (or firms) that interact with one another and with their environment to produce evolving systems (Choi et al., 2001; Carter et al., 2015). The study of CAS is characterized by three analytical dimensions: the internal mechanisms governing the relations among the agents, the adaptability of the network to changes in the external environment and the presence of co-evolutionary dynamics spreading through specific portions of the network. ISO/IEC 27001, like other norms and standards, is an internal mechanism of control that limits the freedom of individual agents within the network with the goal of achieving higher system efficiency. The key questions for future research that can be answered through a CAS perspective concern the role of ISO/IEC 27001 in guaranteeing ISS at the level of the supply chain or business ecosystem and the presence of possible performance trade-offs, for instance lower flexibility in supplier selection. Moreover, future studies can investigate the role of ISO/IEC 27001 and other ISS standards in supporting or impeding network reconfiguration in response to changes in the external environment, e.g. the rapid changes triggered by the current pandemic outlined in the previous section. Finally, it is possible to identify how ISS approaches spread through specific portions of the network, e.g. platform operators vs ecosystem participants, or downstream vs upstream firms along manufacturing supply chains.

In sum, we believe that our reasoning may provide a fresh perspective on the knowledge gaps on ISO/IEC 27001. ISS requires broad interdisciplinary approaches because of the technical and societal nature of the issue, coupled with the broad range of stakeholder interests involved (Siedlok and Hibbert, 2014). For managerial and organizational disciplines, however, the study of ISS is still in many respects uncharted territory. Social systems thinking may provide a good entry point for researchers of different backgrounds to engage with issues that are increasingly relevant for managers in the emerging technological and business landscape.

6. Conclusions

The aim of this study was to map the state of the literature on ISO/IEC 27001 and formulate a theory-based research agenda at the intersection between IS and managerial disciplines, including quality management. The main insights and research challenges – also related to the increasing digitalization brought about by the current COVID-19 pandemic – were discussed, leading to the formulation of a theory-based research agenda grounded on social systems thinking.

This paper contributes to the academic literature in at least two ways. First, it provides an overview of the current knowledge on the standard, highlighting emerging themes and open issues, thereby providing solid foundations for future research on the topic. Second, it explicitly indicates a set of research opportunities, considering ISO/IEC 27001 as part of a system of standards and practices and in the context of networks of business relations. Drawing on the indications of Seuring et al. (2020), we borrowed three theories related to social systems thinking to read the results of our analysis through new lenses. This enabled us to problematize the assumption underlying ISO/IEC 27001 research that it is a firm-level phenomenon. We are confident that our study can serve as a springboard for interdisciplinary research on the matter, including quality, supply chain and operations, and human resource management.

The study delivers some implications for policymakers and corporate managers. Overall, we provide a comprehensive overview of the body of knowledge on the standard, allowing for a better understanding of motivations, the implementation process and possible performance implications. Managers interested in implementing the standard can read these findings to better understand the implications of being certified, as well as to focus on potential issues related to the high flexibility of the guidelines, the lack of leadership support and the involvement of external consultants. Policymakers can leverage our results to inform promotion and regulatory activities aimed at sustaining the diffusion of the standard. In any case, the paper argues for a system-level view of ISS. We urge decision-makers to analyze the context in which information is exchanged and the governance of ISS within that context. The issue is topical considering the increasing relevance of digital ecosystems.

To conclude, ISS and the ISO/IEC 27001 standard are still treated by academia as a technical topic; comparatively few studies adopt a managerial perspective. Today, a change of course is required in the face of an increasingly interconnected world, emerging technological opportunities and the related challenges. If it holds true that data is the “new oil,” then a substantial increase in research effort is needed to understand how organizations may secure information assets and what role major international standards play in providing guidance amid ever-increasing complexity.

Coding framework

Main characteristics of the contributions included in the review (n = 96)

Research agenda

ISO/IEC 27001 and other standards/frameworks

Main themes/research results | Relevant papers
ISO/IEC 27001 complemented by standards with stronger technological scope | (2013) (C), (C), (C), (2011) (C), (C), (2011) (C), (C), (C)
ISO/IEC 27001 complemented by standards for information/document management | (C), (C), (C)
Presence of issues related to the integration of ISO/IEC 27001 and other ISS standards | (2016) (C), (2019) (C), (2019) (C), (2020) (C), (C), (2014) (C), (2012) (C), (C), (2012) (C), (2013) (C), (2016) (C), (2010) (C), (2009) (C), (2013) (C), (C), (C)
Better outcomes through the implementation of ISO/IEC 27001 in combination with other management standards | (2015) (C), (2017) (C), (2018) (C), (2019) (C), (2019) (E)
Time and cost synergies through the implementation of multiple management system standards (as opposed to a single one) | (E), (E), (2017) (C)
Presence of issues related to the integration of ISO/IEC 27001 and other management systems standards | (2017) (C), (2018) (C), (2019) (C), (C), (E), (2017) (C)
Higher organizational complexity because of multiple standards | (C)
ISO/IEC 27001 often implemented after ISO 9001 | (E), (E), (2021) (E)
International diffusion of ISO/IEC 27001 and ISO/IEC 20000 correlated | (E)
ISO/IEC 27001 more/less strongly correlated to country-level indicators than other ISO management system standards | (2017) (E), (E)

Motivations for adopting ISO/IEC 27001

Main themes/research results | Relevant papers
Support in achieving higher levels of ISS | (C), (E), (2008) (E), (2014) (C), (2014) (C), (2009) (E), (C), (2014) (C), (C), (2012) (C), (2016) (C), (2014) (E), (2012) (C), (2011) (E)
Increased efficiency in processes related to information management | (2020) (E), (2015) (C), (E), (C), (2008) (E), (2014) (C), (C), (C), (2012) (C), (2011) (E)
Expected image improvements | (2015) (C), (E), (2019) (E), (2019) (C), (C), (C), (E), (2008) (E), (2009) (E), (C), (C), (C), (2017) (C), (2014) (C), (2016) (C), (2014) (E), (C), (C), (2011) (E)
Governmental regulatory and promotion activities | (2020) (E), (E), (C), (C), (E), (2008) (E), (2009) (E), (C), (2010) (E), (2010) (C), (2011) (E)
Market demands | (2019) (C), (2013) (C), (E), (C), (C), (C), (E), (C), (2021) (E), (C), (2011) (E)
Isomorphism | (2019) (C), (C), (2008) (E), (C), (2017) (C), (2020) (C), (C), (2012) (C), (2010) (C)
Strength of the “ISO brand” | (2019) (C), (2017) (C)

Implementation of ISO/IEC 27001

Main themes/research results | Relevant papers
High flexibility of the guidelines | (C), (2017) (C), (2019) (C), (2013) (C), (2016) (C), (2019) (C), (2019) (E), (C), (2011) (C), (2019) (C), (E), (C), (2014) (E), (2009) (E), (E), (C), (C), (2021) (E), (E), (2020) (C), (2014) (C), (2013) (C), (C), (2011) (E)
Security controls difficult to assess/implement | (C), (2019) (C), (E), (2015) (E), (E), (C), (2012) (E), (2013) (C), (2011) (C), (2012) (C), (C), (C), (2011) (E)
Difficult assessment of external interdependencies | (2013) (E), (2019) (E), (C), (2010) (E), (C)
Further effort needed to integrate legal requirements | (2013) (C), (C), (2020) (C), (C), (2013) (C)
Possible integration with GDPR requirements | (2020) (E), (2020) (C), (C), (2019) (E), (2020) (E)
Relevant cultural and psychological elements not adequately addressed | (E), (C), (2011) (E)
Senior management commitment | (2013) (C), (2016) (C), (E), (C), (E), (2014) (C), (2009) (E), (E), (E), (2010) (E), (C), (2011) (E)
Cross-functional coordination | (E), (2014) (E), (2014) (C), (2009) (E), (2013) (C), (2010) (E), (2011) (E)
Support of external consultants | (2020) (E), (E), (E), (2008) (E), (2021) (E), (2014) (C), (2011) (E)
Organizational learning through self-implementation | (E), (E), (2009) (E), (2011) (E)
Significant time/cost to implement | (2020) (E), (C), (2019) (E), (2019) (C), (C), (C), (E), (2008) (E), (2014) (C), (2017) (C), (2021) (E), (2012) (C), (E), (2016) (C), (2010) (E), (C), (2011) (E)
Symbolic/informal implementation of the standard | (2019) (E), (E), (C), (2021) (E)
Low employee compliance | (E), (C), (2010) (E), (C), (2011) (E)

Outcomes of ISO/IEC 27001

Main themes/research results | Relevant papers
More efficient risk prevention | (2020) (C), (2020) (E), (E), (C), (2011) (C), (2014) (E), (2011) (E)
Higher business continuity | (2015) (C), (2014) (E), (2012) (C), (2011) (E)
Streamlined processes | (2020) (E), (E), (E), (C), (2011) (C), (2011) (E)
Better stakeholder relationship | (2019) (E), (2021) (C), (2014) (E), (2011) (E)
Reduced partner opportunism | (2014) (C)
Lower flexibility | (2011) (E)
Adequate return on investment | (2011) (E)
Lower risk of profit loss | (2015) (C), (2011) (E)
Higher market value | (2019) (E), (E)
Lower insurance costs | (C), (2012) (C)
Correlation with intellectual property indicators | (E)
Correlation with confidence sentiment indicators | (2017) (E)

Context of ISO/IEC 27001

Main themes/research results | Relevant papers
Adoption driven by regulatory/promotion activities | (E), (C), (C), (E), (2017) (E), (2009) (E), (C), (C), (2020) (E), (2010) (E), (C), (2011) (E)
Higher adoption in export-driven countries | (C), (E), (2009) (E), (2011) (E)
Implementation/compliance affected by cultural factors | (E), (2009) (E), (C), (2011) (E)
MNEs pursue formal implementation only in selected countries | (E)
SMEs have lower ISS awareness | (E), (E), (2021) (E)
Different implementation issues related to organizations' size | (2020) (C), (2019) (E), (E), (E), (2021) (E), (2010) (E), (C)
Greater increase in market value in small public companies upon certification announcement | (2019) (E)
Higher adoption rates in regulated/information-intensive industries | (2013) (C), (2019) (E), (C), (C), (C), (2014) (C), (2021) (E), (C), (2020) (E)
Standard seen as applicable only to highly digitalized organizations | (E), (C), (C), (E)
Certification perceived as a source of competitive differentiation in some industries | (E), (2009) (E)
Emerging technological trajectories need more specific approaches | (2013) (C), (2016) (C), (2019) (C), (2019) (E), (C), (C), (C), (2020) (C)
Characteristics of the organizational culture | (2020) (C), (E), (C), (E), (2018) (E), (C), (E), (2014) (E), (2014) (C), (2009) (E), (E), (2021) (E), (2013) (C), (2010) (E), (C), (C), (2011) (E)

Books and book chapters on ISO/IEC 27001

Aim of the contribution | Relevant contributions
General overview of the standard/its requirements | (BC), (B), (B)
Comparison/integration issues of ISS standards | (BC), (BC), (BC), (BC), (BC)
Illustrate implementation guidelines/methods | (B), (B), (B), (B), (BC)
Present technical tools useful for implementation | (B), (2008) (B), (B)
Define methods for risk assessment and management | (B)
Illustrate the legal implications (also connected to the GDPR) | (BC), (B)
Describe the auditing process | (B)
Managerial issues related to ISO/IEC 27001 | (BC), (2015) (BC), (BC)

Accerboni, F. and Sartor, M. (2019), “ISO/IEC 27001”, in Sartor, M. and Orzes, G. (Eds), Quality Management: Tools, Methods, and Standards, Emerald Publishing, Bingley, pp. 245-264.

Aguliyev, R., Imamverdiyev, Y. and Sukhostat, L. (2018), “Cyber-physical systems and their security issues”, Computers in Industry, Vol. 100, pp. 212-223.

Akowuah, F., Yuan, X., Xu, J. and Wang, H. (2013), “A survey of security standards applicable to health information systems”, International Journal of Information Security and Privacy, Vol. 7 No. 4, pp. 22-36.

Al-Karaki, J.N., Gawanmeh, A. and El-Yassami, S. (2020), “GoSafe: on the practical characterization of the overall security posture of an organization information system using smart auditing and ranking”, Journal of the King Saud University – Computer and Information Sciences. doi: 10.1016/j.jksuci.2020.09.011.

Almeida, L. and Respício, A. (2018), “Decision support for selecting information security controls”, Journal of Decision Systems, Vol. 27 suppl. 1, pp. 173-180.

Annarelli, A., Nonino, F. and Palombi, G. (2020), “Understanding the management of cyber resilient systems”, Computers and Industrial Engineering, Vol. 149, 106829.

Antonucci, D. (2017), The Cyber Risk Handbook: Creating and Measuring Effective Cybersecurity Capabilities, Wiley, Hoboken.

Ardito, L., Messeni Petruzzelli, A., Panniello, U. and Garavelli, A.C. (2019), “Towards Industry 4.0: mapping digital technologies for supply chain management-marketing integration”, Business Process Management Journal, Vol. 29 No. 2, pp. 910-936.

Armeanu, S.D., Vintila, G. and Gherghina, S.C. (2017), “A cross-country empirical study towards the impact of following ISO management system standards on Euro-area economic confidence”, Amfiteatru Economic, Vol. 19 No. 44, pp. 144-165.

Arnason, S.T. and Willett, K.D. (2007), How to Achieve 27001 Certification: An Example of Applied Compliance Management, CRC Press, Boca Raton.

Asai, T. and Hakizabera, A.U. (2010), “Human-related problems of information security in East African cross-cultural environments”, Information Management and Computer Security, Vol. 18 No. 5, pp. 328-338.

Bakar, Z.A., Yaacob, N.A. and Udin, Z.M. (2015), “The effect of business continuity management factors on organizational performance: a conceptual framework”, International Journal of Economics and Financial Issues, Vol. 5 No. 1S, pp. 128-134.

Bamakan, S.M.H. and Dehghanimohammadabadi, M. (2015), “A weighted Monte Carlo simulation approach to risk assessment of information security management system”, International Journal of Enterprise Information Systems, Vol. 11 No. 4, pp. 63-78.

Barafort, B., Mesquida, A.L. and Mas, A. (2017), “Integrating risk management in IT settings from ISO standards and management systems perspectives”, Computer Standards and Interfaces, Vol. 54 No. 3, pp. 176-185.

Barafort, B., Mesquida, A.L. and Mas, A. (2018), “Integrated risk management process assessment model for IT organizations based on ISO 31000 in an ISO multi-standards context”, Computer Standards and Interfaces, Vol. 60, pp. 57-66.

Barafort, B., Mesquida, A.L. and Mas, A. (2019), “ISO 31000-based integrated risk management process assessment model for IT organizations”, Journal of Software: Evolution and Process, Vol. 31 No. 1, e1984.

Barlette, Y. and Fomin, V.V. (2010), “The adoption of information security management standards: a literature review”, in Information Resources Management Association (Ed.), Information Resources Management: Concepts, Methodologies, Tools and Applications, IGI Global, Hershey, pp. 69-90.

Barney, J. (1991), “Firm resources and sustained competitive advantage”, Journal of Management, Vol. 17 No. 1, pp. 99-120.

Başaran, B. (2016), “The effect of ISO quality management system standards on industrial property rights in Turkey”, World Patent Information, Vol. 45, pp. 33-46.

Beckers, K. (2015), Pattern and Security Requirements: Engineering-Based Establishment of Security Standards, Springer, Berlin.

Beckers, K., Côté, I., Faßbender, S., Heisel, M. and Hofbauer, S. (2013), “A pattern-based method for establishing a cloud-specific information security management system”, Requirements Engineering, Vol. 18 No. 4, pp. 343-395.

Beckers, K., Dürrwang, J. and Holling, D. (2016), “Standard compliant hazard and threat analysis for the automotive domain”, Information, Vol. 7 No. 3, pp. 1-35.

Benitez, G.B., Ayala, N.F. and Frank, A.G. (2020), “Industry 4.0 innovation ecosystems: an evolutionary perspective on value cocreation”, International Journal of Production Economics, Vol. 228, 107735.

Bettaieb, S., Shin, S.Y., Sabetzadeh, M., Briand, L.C., Garceau, M. and Meyers, A. (2019), “Using machine learning to assist with the selection of security controls during security assessment”, Empirical Software Engineering, Vol. 25, pp. 2550-2582.

Bititci, U., Garengo, P., Dörfler, V. and Nudurupati, S. (2012), “Performance measurement: challenges for tomorrow”, International Journal of Management Reviews, Vol. 14 No. 3, pp. 305-327.

Blackburn, S., LaBerge, L., O'Toole, C. and Schneider, J. (2020), Digital Strategy in a Time of Crisis, McKinsey Digital, available at: https://www.mckinsey.com/~/media/McKinsey/Business%20Functions/McKinsey%20Digital/Our%20Insights/Digital%20strategy%20in%20a%20time%20of%20crisis/Digital-strategy-in-a-time-of-crisis-final.ashx (accessed 20 April 2020).

Boehm, J., Kaplan, J., Sorel, M., Sportsman, N. and Steen, T. (2020), Cybersecurity Tactics for the Coronavirus Pandemic, McKinsey Quarterly, available at: https://www.mckinsey.com/~/media/McKinsey/Business%20Functions/Risk/Our%20Insights/Cybersecurity%20tactics%20for%20the%20coronavirus%20pandemic/Cybersecurity-tactics-for-the-coronavirus-pandemic-vF.ashx (accessed 14 May 2020).

Boiral, O. and Henri, J.F. (2012), “Modelling the impact of ISO 14001 on environmental performance: a comparative approach”, Journal of Environmental Management, Vol. 99, pp. 84-97.

Boiral, O., Guillaumie, L., Heras-Saizarbitoria, I. and Tayo Tene, C.V. (2018), “Adoption and outcomes of ISO 14001: a systematic review”, International Journal of Management Reviews, Vol. 20 No. 2, pp. 411-432.

Boulding, K. (1956), “General systems theory: the skeleton of science”, Management Science, Vol. 2 No. 3, pp. 197-208.

Bounagui, Y., Mezrioui, A. and Hafiddi, H. (2019), “Toward a unified framework for Cloud Computing governance: an approach for evaluating and integrating IT management and governance models”, Computer Standards and Interfaces, Vol. 62, pp. 98-118.

Breslin, D., Gatrell, C. and Bailey, K. (2020), “Developing insights through reviews: reflecting on the 20th anniversary of the International Journal of Management Reviews”, International Journal of Management Reviews, Vol. 22 No. 1, pp. 3-9.

Broderick, J.S. (2006), “ISMS, security standards and security regulations”, Information Security Technical Report, Vol. 11 No. 1, pp. 26-31.

Burns, A.J., Posey, C., Courtney, J.F., Roberts, T.L. and Nanayakkara, P. (2017), “Organizational information security as a complex adaptive system: insights from three agent-based models”, Information Systems Frontiers, Vol. 19 No. 3, pp. 509-524.

Burt, A. (2019), “Cybersecurity is putting customer trust at the center of competition”, Harvard Business Review, available at: https://hbr.org/2019/03/cybersecurity-is-putting-customer-trust-at-the-center-of-competition (accessed 03 May 2020).

Büyüközkan, G. and Göçer, F. (2018), “Digital supply chain: literature review and a proposed framework for future research”, Computers in Industry, Vol. 97, pp. 157-177.

Calder, A. (2005), Nine Steps to Success: An ISO27001 Implementation Overview, IT Governance Publishing, Ely.

Calder, A. (2006a), Implementing Information Security Based on ISO 27001/ISO 27002, Van Haren, 's-Hertogenbosch.

Calder, A. (2006b), Information Security Based on ISO 27001/ISO 27002, Van Haren, 's-Hertogenbosch.

Calder, A. (2008), “ISO 27001 and ISO 17999”, in Tarantino, A. (Ed.), Governance, Risk, and Compliance Handbook: Technology, Finance, Environmental, and International Guidance and Best Practices, John Wiley & Sons, Hoboken, pp. 169-179.

Calder, A. (2010), “Leveraging ISO 27001”, in Calder, A. (Ed.), Selling Information Security to the Board: A Primer, IT Governance Publishing, Ely, pp. 46-49.

Calder, A. (2018), “Alignment with other frameworks”, in Calder, A. (Ed.), NIST Cybersecurity Framework: A Pocket Guide, IT Governance Publishing, Ely, pp. 63-68.

Calder, A. and Geraint, W. (2008), “The PCI DSS and ISO/IEC 27001”, in Calder, A. and Carter, N. (Eds), PCI DSS: A Pocket Guide, IT Governance Publishing, Ely, pp. 38-39.

Calder, A. and Moir, M. (2009a), “The IT management system of tomorrow”, in Calder, A. and Moir, S. (Eds), IT Governance: Implementing Frameworks and Standards for the Corporate Governance of IT, IT Governance Publishing, Ely, pp. 165-183.

Calder, A. and Moir, S. (2009b), “IT regulatory compliance”, in Calder, A. and Moir, S. (Eds), IT Governance: Implementing Frameworks and Standards for the Corporate Governance of IT, IT Governance Publishing, Ely, pp. 40-45.

Calder, A. and Watkins, S. (2008), IT Governance: A Manager's Guide to Data Security and ISO 27001/ISO 27002, Kogan Page, London.

Calder, A. and Watkins, S.G. (2010), Information Security Risk Management for ISO27001/ISO27002, IT Governance Publishing, Ely.

Carter, C.R., Rogers, D.S. and Choi, T.Y. (2015), “Towards the theory of the supply chain”, Journal of Supply Chain Management, Vol. 51 No. 2, pp. 89-97.

Castka, P. and Prajogo, D. (2013), “The effect of pressure from secondary stakeholders on the internalization of ISO 14001”, Journal of Cleaner Production, Vol. 47, pp. 245-252.

Cavusoglu, H., Cavusoglu, H., Son, J.-Y. and Benbasat, I. (2015), “Institutional pressures in security management: direct and indirect influences on organizational investment in information security control resources”, Information Management, Vol. 52 No. 4, pp. 385-400.

Checkland, P. (1997), Systems Thinking, Systems Practice, John Wiley & Sons, Chichester.

Choi, T.Y., Dooley, K.J. and Rungtusanatham, M. (2001), “Supply networks and complex adaptive systems: control versus emergence”, Journal of Operations Management, Vol. 19 No. 3, pp. 351-366.

Coase, R.H. (1937), “The nature of the firm”, Economica, Vol. 4 No. 16, pp. 386-405.

Corallo, A., Lazoi, M. and Lezzi, M. (2020), “Cybersecurity in the context of Industry 4.0: a structured classification of critical assets and business impacts”, Computers in Industry, Vol. 114, 103165.

Cots, S. and Casadesús, M. (2015), “Exploring the service management standard ISO 20000”, Total Quality Management and Business Excellence, Vol. 26 Nos 5-6, pp. 515-533.

Cowan, D. (2011), “External pressure for internal information security controls”, Computer Fraud and Security, Vol. 2011 No. 11, pp. 8-11.

Crowder, M. (2013), “Quality standards: integration within a bereavement environment”, The TQM Journal, Vol. 25 No. 1, pp. 18-28.

Culot, G., Fattori, F., Podrecca, M. and Sartor, M. (2019), “Addressing Industry 4.0 cybersecurity challenges”, IEEE Engineering Management Review, Vol. 47 No. 3, pp. 79-86.

Culot, G., Orzes, G., Sartor, M. and Nassimbeni, G. (2020), “The future of manufacturing: a Delphi-based scenario analysis on Industry 4.0”, Technological Forecasting and Social Change, Vol. 157, 120092.

Darnall, N. (2006), “Why firms mandate ISO 14001 certification”, Business and Society, Vol. 45 No. 3, pp. 354-381.

Deane, J.K., Goldberg, D.M., Rakes, T.R. and Rees, L.P. (2019), “The effect of information security certification announcements on the market value of the firm”, Information Technology and Management, Vol. 20 No. 3, pp. 107-121.

Deloitte (2020), “COVID-19's impact on cybersecurity”, available at: https://www2.deloitte.com/ng/en/pages/risk/articles/covid-19-impact-cybersecurity.html (accessed 21 May 2020).

Dhillon, G., Syed, R. and Sà-Soares, F.D. (2017), “Information security concerns in IT outsourcing: identifying (in)congruence between clients and vendors”, Information Management, Vol. 54 No. 4, pp. 452-464.

Diamantopoulou, V., Tsohou, A. and Karyda, M. (2020), “From ISO/IEC 27001:2013 and ISO/IEC 27002:2013 to GDPR compliance controls”, Information and Computer Security, Vol. 28 No. 4, pp. 645-662.

DiMaggio, P.J. and Powell, W.W. (1983), “The iron cage revisited: institutional isomorphism and collective rationality in organizational fields”, American Sociological Review, Vol. 48 No. 2, pp. 147-160.

Dionysiou, I. (2011), “An investigation on compliance with ISO 27001 in Cypriot private and public organisations”, International Journal of Services and Standards, Vol. 7 Nos 3-4, pp. 197-234.

Dionysiou, I., Kokkinaki, A., Magirou, S. and Iacovou, T. (2015), “Adoption of ISO 27001 in Cyprus enterprises: current state and challenges”, in Khosrow-Pour, M. (Ed.), Standards and Standardization: Concepts, Methodologies, Tools, and Applications, IGI Global, Hershey, pp. 994-1017.

Dos Santos Ferreira, R., Frogeri, R.F., Coelho, A.B. and Piurcosky, F.P. (2018), “Information security management practices: study of the influencing factors in a Brazilian Air Force institution”, Journal of Information Systems and Technology Management, Vol. 15, pp. 1-22.

Duriau, V.J., Reger, R.K. and Pfarrer, M.D. (2007), “A content analysis of the content analysis literature in organization studies: research themes, data sources, and methodological refinements”, Organizational Research Methods, Vol. 10 No. 1, pp. 5-34.

D'Arcy, J. and Teh, P.-L. (2019), “Predicting employee information security policy compliance on a daily basis: the interplay of security-related stress, emotions, and neutralization”, Information Management, Vol. 56 No. 7, 103151.

Erkonen, S. (2008), “ISO standards draft content”, in Tipton, H.F. and Krause, M. (Eds), Information Security Management Handbook, Auerbach Publications, Boca Raton, pp. 265-272.

Ernst and Young (2008), “Global information security survey: moving beyond compliance”, available at: http://130.18.86.27/faculty/warkentin/SecurityPapers/Merrill/2008_E&YWhitePaper_GlobalInfoSecuritySurvey.pdf (accessed 19 December 2019).

Everett, C. (2011), “Is ISO 27001 worth it?”, Computer Fraud and Security, Vol. 2011 No. 1, pp. 5-7.

Faruq, B.A., Herlianto, H.R., Simbolon, S.P.H., Utama, D.N. and Wibowo, A. (2020), “Integration of ITIL V3, ISO 20000 and ISO 27001:2013 for IT services and security management system”, International Journal of Advanced Trends in Computer Science and Engineering, Vol. 9 No. 3, pp. 3514-3531.

Feng, N., Cheng, Y., Feng, H., Li, D. and Li, M. (2020), “To outsource or not: the impact of information leakage risk on information security strategy”, Information Management, Vol. 57 No. 5, 103215.

Freeman, R. (1984), Strategic Management: A Strategic Approach, Pitman, Boston.

Freeman, E.H. (2007), “Holistic information security: ISO 27001 and due care”, Information Systems Security, Vol. 16 No. 5, pp. 291-294.

Fuentes, C., Lizarzaburu, E.R. and Vivanco, E. (2011), “Norms and international standards related to reduce risk management: a literature review”, Risk Governance and Control: Financial Markets and Institutions, Vol. 1 No. 3, pp. 58-73.

Ganji, D., Kalloniatis, C., Mouratidis, H. and Gheytassi, S.M. (2019), “Approaches to develop and implement ISO/IEC 27001 standard – information security management systems: a systematic literature review”, International Journal on Advances in Software, Vol. 12 Nos 3-4, pp. 228-238.

Gartner (2018), “Cybersecurity and digital risk management: CIOs must engage and prepare”, Gartner Research, available at: https://www.gartner.com/en/doc/3846477-cybersecurity-and-digital-risk-management-cios-must-engage-and-prepare (accessed 02 May 2020).

Gaşpar, M.L. and Popescu, S.G. (2018), “Integration of the GDPR requirements into the requirements of the SR EN ISO/IEC 27001:2018 standard, integration security management system in a software development company”, Acta Technica Napocensis-Series: Applied Mathematics, Mechanics, and Engineering, Vol. 61 No. 3, pp. 85-96.

Gillies, A. (2011), “Improving the quality of information security management systems with ISO27000”, The TQM Journal, Vol. 23 No. 4, pp. 367-376.

Hagiu, A. and Wright, J. (2020), “When data creates competitive advantage”, Harvard Business Review, Vol. 98 No. 1, pp. 94-101.

Hannigan, L., Deyab, G., Al Thani, A., Al Marri, A. and Afifi, N. (2019), “The implementation of an integrated management system at Qatar Biobank”, Biopreservation and Biobanking, Vol. 17 No. 6, pp. 506-511.

Harari, Y.N. (2020), “The world after coronavirus”, Financial Times, available at: https://www.ft.com/content/19d90308-6858-11ea-a3c9-1fe6fedcca75 (accessed 21 May 2020).

Heras-Saizarbitoria, I. and Boiral, O. (2013), “ISO 9001 and ISO 14001: towards a research agenda on management system standards”, International Journal of Management Reviews, Vol. 15 No. 1, pp. 47-65.

Heston, K.M. and Phifer, W. (2011), “The multiple quality models paradox: how much ‘best practice’ is just enough?”, Journal of Software Maintenance and Evolution: Research and Practice, Vol. 23 No. 8, pp. 517-531.

Hinz, O., Nofer, M., Schiereck, D. and Trilling, J. (2015), “The influence of data theft on the share prices and systematic risk of consumer electronics companies”, Information Management, Vol. 52 No. 3, pp. 337-347.

Hlača, B., Aksentijević, S. and Tijan, E. (2008), “Influence of ISO 27001:2005 on the Port of Rijeka security”, Pomorstvo: Scientific Journal of Maritime Research, Vol. 22 No. 2, pp. 245-258.

Ho, L.H., Hsu, M.T. and Yen, T.M. (2015), “Identifying core control items of information security management and improvement strategies by applying fuzzy DEMATEL”, Information and Computer Security, Vol. 23 No. 2, pp. 161-177.

Honan, B. (2009), ISO27001 in a Windows Environment: The Best Practice Handbook for a Microsoft Windows Environment, IT Governance Publishing, Ely.

Hooper, V. and McKissack, J. (2016), “The emerging role of the CISO”, Business Horizons, Vol. 59 No. 6, pp. 585-591.

Hoy, Z. and Foley, A. (2015), “A structured approach to integrating audits to create organisational efficiencies: ISO 9001 and ISO 27001 audits”, Total Quality Management and Business Excellence, Vol. 26 Nos 5-6, pp. 690-702.

Humphreys, E. (2007), Implementing the ISO/IEC 27001 Information Security Management System Standard, Artech House, Norwood.

Iansiti, M. and Lakhani, R.K. (2020), “Competing in the age of AI”, Harvard Business Review, Vol. 98, pp. 60-67.

ISO (2019), “The ISO survey of management system standard certifications 2018”, available at: https://isotc.iso.org/livelink/livelink?func=ll&objId=18808772&objAction=browse&viewType=1 (accessed 12 January 2020).

IT Governance Privacy Team (2016), EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide, IT Governance Publishing, Ely.

Itradat, A., Sultan, S., Al-Junaidi, M., Qaffaf, R., Mashal, F. and Daas, F. (2014), “Developing an ISO27001 information security management system for an educational institute: Hashemite University as a case study”, Jordan Journal of Mechanical and Industrial Engineering, Vol. 8 No. 2, pp. 102-118.

Jabbour, C.J.C. (2015), “Environmental training and environmental management maturity of Brazilian companies with ISO14001: empirical evidence”, Journal of Cleaner Production, Vol. 96, pp. 331-338.

Jacobides, M.G., Cennamo, C. and Gawer, A. (2018), “Towards a theory of ecosystems”, Strategic Management Journal, Vol. 39 No. 8, pp. 2255-2276.

Jeong, C.Y., Lee, S.-Y.-T. and Lim, J.-H. (2019), “Information security breaches and IT security investments impacts on competitors”, Information Management, Vol. 56 No. 5, pp. 681-695.

Kache, F. and Seuring, S. (2017), “Challenges and opportunities of digital information at the intersection of Big Data Analytics and supply chain management”, International Journal of Operations and Production Management, Vol. 37 No. 1, pp. 10-36.

Katz, D. and Kahn, R.L. (1978), The Social Psychology of Organizations, Wiley, New York.

Khajouei, H., Kazemi, M. and Moosavirad, S.H. (2017), “Ranking information security controls by using fuzzy analytic hierarchy process”, Information Systems and e-Business Management, Vol. 15 No. 1, pp. 1-19.

Kossyva, D.I., Galanis, K.V., Sarri, K.K. and Georgopoulos, N.B. (2014), “Adopting an information security management system in a co-opetition strategy context”, International Journal of Applied Systemic Studies, Vol. 5 No. 3, pp. 215-228.

Ku, C., Chang, Y. and Yen, D.C. (2009), “National information security policy and its implementation: a case study in Taiwan”, Telecommunications Policy, Vol. 33 No. 7, pp. 371-384.

Leszczyna, R. (2019), “Standards with cybersecurity controls for smart grid – a systematic analysis”, International Journal of Communication Systems, Vol. 32 No. 6, e3910.

Lezzi, M., Lazoi, M. and Corallo, A. (2018), “Cybersecurity for Industry 4.0 in the current literature: a reference framework”, Computers in Industry, Vol. 103, pp. 97-110.

Liao, K.H. and Chueh, H.E. (2012a), “An evaluation model of information security management of medical staff”, International Journal of Innovative Computing, Information and Control, Vol. 8 No. 11, pp. 7865-7873.

Liao, K.H. and Chueh, H.E. (2012b), “Medical organization information security management based on ISO27001 information security standard”, Journal of Software, Vol. 7 No. 4, pp. 792-797.

Lomas, E. (2010), “Information governance: information security and access within a UK context”, Records Management Journal, Vol. 20 No. 2, pp. 182-198.

Lopes, I.M., Guarda, T. and Oliveira, P. (2019), “Implementation of ISO 27001 standards as GDPR compliance facilitator”, Journal of Information Systems Engineering and Management, Vol. 4 No. 2, em0089.

Lowry, P.B., Dinev, T. and Willson, R. (2017), “Why security and privacy research lies at the centre of the information systems (IS) artefact: proposing a bold research agenda”, European Journal of Information Systems, Vol. 26 No. 6, pp. 546-563.

Luhmann, N. (1995), Social Systems, Stanford University Press, Stanford.

Luhmann, N. (2013), Introduction to Systems Theory, Polity Press, Cambridge.

Majerník, M., Daneshjo, N., Chovancová, J. and Sanciova, G. (2017), “Design of integrated management systems according to the revised ISO standards”, Polish Journal of Management Studies, Vol. 15 No. 1, pp. 135-143.

Manders, B., de Vries, H.J. and Blind, K. (2016), “ISO 9001 and product innovation: a literature review and research framework”, Technovation, Vols 48-49, pp. 41-55.

Markus, M.L. (2015), “New games, new rules, new scoreboards: the potential consequences of big data”, Journal of Information Technology, Vol. 30 No. 1, pp. 58-59.

Mayring, P. (2000), “Quantitative content analysis”, Forum for Qualitative Social Research, Vol. 1 No. 2, pp. 1-10.

McKinsey and Company (2019), “Perspectives on transforming cybersecurity”, available at: https://www.mckinsey.com/~/media/McKinsey/McKinsey%20Solutions/Cyber%20Solutions/Perspectives%20on%20transforming%20cybersecurity/Transforming%20cybersecurity_March2019.ashx (accessed 10 June 2019).

Mele, C., Pels, J. and Polese, F. (2010), “A brief review of systems theories and their managerial applications”, Service Science, Vol. 2 Nos 1-2, pp. 126-135.

Mesquida, A.L., Mas, A., Feliu, T.S. and Arcilla, M. (2014), “MIN-ITs: a framework for integration of IT management standards in mature environments”, International Journal of Software Engineering and Knowledge Engineering, Vol. 24 No. 6, pp. 887-908.

Meyer, J.W. and Rowan, B. (1977), “Institutionalized organizations: formal structure as myth and ceremony”, American Journal of Sociology, Vol. 83 No. 2, pp. 340-363.

Mirtsch, M., Kinne, J. and Blind, K. (2021), “Exploring the adoption of the international information security management system standard ISO/IEC 27001: a web-mining based analysis”, IEEE Transactions on Engineering Management, Vol. 68 No. 1, pp. 87-100.

Montesino, R., Fenz, S. and Baluja, W. (2012), “SIEM-based framework for security controls automation”, Information Management and Computer Security, Vol. 20 No. 4, pp. 248-263.

Mukhtar, Z. and Ahmad, K. (2014), “Internal threat control framework based on information security management system”, Journal of Theoretical and Applied Information Technology, Vol. 70 No. 2, pp. 316-323.

Nadler, D.A. and Tushman, M.L. (1980), “A model for diagnosing organizational behavior”, Organizational Dynamics, Vol. 9 No. 2, pp. 35-51.

Nadler, D.A. and Tushman, M.L. (1984), “A congruence model for diagnosing organizational behavior”, in Kolb, D.A., Rubin, J.M. and McIntyre, J.M. (Eds), Organizational Psychology: Reading on Human Behavior in Organizations, Prentice Hall, Englewood Cliffs, pp. 587-603.

Nair, A. and Prajogo, D. (2009), “Internalization of ISO 9000 standards: the antecedent role of functionalist and institutionalist drivers and performance implications”, International Journal of Production Research, Vol. 47 No. 16, pp. 4545-4568.

Narasimhan, R., Schoenherr, T., Jacobs, B.W. and Kim, M.K. (2015), “The financial impact of FSC certification in the United States: a contingency perspective”, Decision Sciences, Vol. 46 No. 3, pp. 527-563.

Niemimaa , E. and Niemimaa , M. ( 2017 ), “ Information systems security policy implementation in practice: from best practices to situated practices ”, European Journal of Information Systems , Vol. 26 No. 1 , pp. 1 - 20 .

Orzes , G. , Moretto , A.M. , Ebrahimpour , M. , Sartor , M. , Moro , M. and Rossi , M. ( 2018 ), “ United nations global compact: literature review and theory-based research agenda ”, Journal of Cleaner Production , Vol. 177 , pp. 633 - 654 .

Ozkan , S. and Karabacak , B. ( 2010 ), “ Collaborative risk method for information security management practices: a case context within Turkey ”, International Journal of Information Management , Vol. 30 No. 6 , pp. 567 - 572 .

Pagani , M. and Pardo , C. ( 2017 ), “ The impact of digital technology on relationships in a business network ”, Industrial Marketing Management , Vol. 67 , pp. 185 - 192 .

Pardo , C. , Pino , F.J. , Garcia , F. , Piattini , M. and Baldassarre , M.T. ( 2012 ), “ An ontology for the harmonization of multiple standards and models ”, Computer Standards and Interfaces , Vol. 34 No. 1 , pp. 48 - 59 .

Pardo , C. , Pino , F.J. , Garcia , F. , Baldassarre , M.T. and Piattini , M. ( 2013 ), “ From chaos to the systematic harmonization of multiple reference models: a harmonization framework applied in two case studies ”, Journal of Systems and Software , Vol. 86 No. 1 , pp. 125 - 143 .

Pardo , C. , Pino , F.J. and Garcia , F. ( 2016 ), “ Towards an integrated management system (IMS), harmonizing the ISO/IEC 27001 and ISO/IEC 20000-2 standards ”, International Journal of Software Engineering and Its Applications , Vol. 10 No. 9 , pp. 217 - 230 .

Park , S. and Lee , K. ( 2014 ), “ Advanced approach to information security management system model for industrial control ”, The Scientific World Journal , Vol. 2014 , 348305 .

Penrose , E. ( 1959 ), The Theory of the Growth of the Firm , Oxford University Press , Oxford .

Pompon , R. ( 2016 ), IT Security Risk Control Management: An Audit Preparation Plan , Apress , New York .

Post , C. , Sarala , R. , Gatrell , C. and Prescott , J.E. ( 2020 ), “ Advancing theory with review articles ”, Journal of Management Studies , Vol. 57 No. 2 , pp. 351 - 372 .

Prajogo , D. , Huo , B. and Han , Z. ( 2012 ), “ The effects of different aspects of ISO 9000 implementation on key supply chain management practices and operational performance ”, Supply Chain Management: International Journal , Vol. 17 No. 3 , pp. 306 - 322 .

Raabi , A. , Assoul , S. , Touhami , K.O. and Roudies , O. ( 2020 ), “ Information and cyber security maturity models: a systematic literature review ”, Information and Computer Security , Vol. 28 No. 4 , pp. 627 - 644 .

Rezaei , G. , Ansari , M. , Memari , A. , Zahraee , S.M. and Shaharoun , A.M. ( 2014 ), “ A huiristic method for information scaling in manufacturing organizations ”, Jurnal Teknologi , Vol. 69 No. 3 , pp. 87 - 91 .

Rezakhani , A. , Hajebi , A. and Mohammadi , N. ( 2011 ), “ Standardization of all information security management systems ”, International Journal of Computers and Applications , Vol. 18 No. 8 , pp. 4 - 8 .

Rousseau , D.M. , Manning , J. and Denyer , D. ( 2008 ), “ 11 evidence in management and organizational science: assembling the field's full weight of scientific knowledge through syntheses ”, The Academy of Management Annals , Vol. 2 No. 1 , pp. 475 - 515 .

Sallos , M.P. , Garcia-Perez , A. , Bedford , D. and Orlando , B. ( 2019 ), “ Strategy and organizational cybersecurity: a knowledge-problem perspective ”, Journal of Intellectual Capital , Vol. 20 No. 4 , pp. 581 - 597 .

Sartor , M. , Orzes , G. , Di Mauro , C. , Ebrahimpour , M. and Nassimbeni , G. ( 2016 ), “ The SA8000 social certification standard: literature review and theory-based research agenda ”, International Journal of Production Economics , Vol. 175 , pp. 164 - 181 .

Sartor , M. , Orzes , G. , Touboulic , A. , Culot , G. and Nassimbeni , G. ( 2019 ), “ ISO 14001 standard: literature review and theory-based research agenda ”, Quality Management Journal , Vol. 26 No. 1 , pp. 32 - 64 .

Schleicher , D.J. , Bauman , H.M. , Sullivan , D.W. , Levy , P.E. , Hargrove , D.C. and Barros-Riveira , B.A. ( 2018 ), “ Putting the system into performance management systems: a review and agenda for performance management research ”, Journal of Management , Vol. 44 No. 6 , pp. 2209 - 2245 .

Schneider , A. , Wickert , C. and Marti , E. ( 2017 ), “ Reducing complexity by creating complexity: a systems theory perspective on how organizations respond to their environments ”, Journal of Management Studies , Vol. 54 No. 2 , pp. 182 - 207 .

Schoenherr , T. and Talluri , S. ( 2013 ), “ Environmental sustainability initiatives: a comparative analysis of plant efficiencies in Europe and the US ”, IEEE Transactions on Engineering Management , Vol. 60 No. 2 , pp. 353 - 365 .

Serrado , J. , Pereira , R.F. , Mira da Silva , M. and Scalabrin Bianchi , I. ( 2020 ), “ Information security frameworks for assisting GDPR compliance in banking industry ”, Digital Policy, Regulation and Governance , Vol. 22 No. 3 , pp. 227 - 244 .

Seuring , S. and Gold , S. ( 2012 ), “ Conducting content-analysis based literature reviews in supply chain management ”, Supply Chain Management: International Journal , Vol. 17 No. 5 , pp. 544 - 555 .

Seuring , S. , Yawar , S.A. , Land , A. , Khalid , R.U. and Sauer , P.C. ( 2020 ), “ The applications of theory in literature reviews – illustrated with examples from supply chain management ”, International Journal of Operations and Production Management , Vol. 41 No. 1 , pp. 1 - 20 .

Sheikhpour , R. and Modiri , N. ( 2012a ), “ A best practice approach for integration of ITIL and ISO/IEC 27001 services for information security management ”, Indian Journal of Science and Technology , Vol. 5 No. 2 , pp. 2170 - 2176 .

Sheikhpour , R. and Modiri , N. ( 2012b ), “ An approach to map COBIT processes to ISO/IEC 27001 information security management controls ”, International Journal of Security and Its Applications , Vol. 6 No. 2 , pp. 13 - 28 .

Siedlok , F. and Hibbert , P. ( 2014 ), “ The organization of interdisciplinary research: modes, drivers and barriers ”, International Journal of Management Reviews , Vol. 16 No. 2 , pp. 194 - 210 .

Silva , L. , Hsu , C. , Backhouse , J. and McDonnell , A. ( 2016 ), “ Resistance and power in a security certification scheme: the case of c: cure ”, Decision Support Systems , Vol. 92 , pp. 68 - 78 .

Simić-Draws , D. , Neumann , S. , Kahlert , A. , Richter , P. , Grimm , R. , Volkamer , M. and Roßnagel , A. ( 2013 ), “ Holistic and law compatible IT security evaluation: integration of common criteria, ISO 27001/IT-Grundschutz and KORA ”, International Journal of Information Security and Privacy , Vol. 7 , pp. 16 - 35 .

Siponen , M. and Willison , R. ( 2009 ), “ Information security management standards: problems and solutions ”, Information Management , Vol. 46 No. 5 , pp. 267 - 270 .

Smith , J. ( 2020 ), “ Coronavirus upheaval triggers corporate search for supply chain technology ”, The Wall Street Journal , available at: www.wsj.com/amp/articles/coronavirus-upheaval-triggers-corporate-search-for-supply-chain-technology-11588189553 ( accessed 20 April 2020 ).

Smith , S. , Winchester , D. , Bunker , D. and Jamieson , R. ( 2010 ), “ Circuits of power: a study of mandated compliance to an information systems security ‘de jure’ standard in a government organization ”, MIS Quarterly , Vol. 34 No. 3 , pp. 463 - 486 .

Spence , M. ( 1973 ), “ Job market signaling ”, Quarterly Journal of Economics , Vol. 87 No. 3 , pp. 355 - 374 .

Spiekermann , S. and Korunovska , J. ( 2017 ), “ Towards a value theory of personal data ”, Journal of Information Technology , Vol. 32 No. 1 , pp. 62 - 84 .

Stevenson , T.H. and Barnes , F.C. ( 2002 ), “ What industrial marketers need to know now about ISO 9000 certification: a review, update, and integration with marketing ”, Industrial Marketing Management , Vol. 31 No. 8 , pp. 695 - 703 .

Stewart , A. ( 2018 ), “ A utilitarian re-examination of enterprise-scale information security management ”, Information and Computer Security , Vol. 26 No. 1 , pp. 39 - 57 .

Stoll , M. ( 2018 ), “ An information security model for implementing the new ISO 27001”, information resources management association ”, Censorship, Surveillance, and Privacy: Concepts, Methodologies, Tools, and Applications , IGI Global , Hershey , pp. 216 - 238 .

Susanto , H. , Almunawar , M.N. , Syam , W.P. , Tuan , Y.C. and Bakry , S.H. ( 2011 ), “ I-SolFramework views on ISO 27001 ”, Asian Transactions on Computers , Vol. 1 No. 3 , pp. 1 - 10 .

Susanto , H. , Almunawar , M.N. , Syam , W.P. and Tuan , Y.C. ( 2012 ), “ Information Security Challenge and Breaches: novelty approach on measuring ISO 27001 readiness level ”, International Journal of Engineering and Technology , Vol. 2 No. 1 , pp. 67 - 75 .

Tarn , J.M. , Raymond , H. , Razi , M. and Han , B.T. ( 2009 ), “ Exploring information security compliance in corporate IT governance ”, Human Systems Management , Vol. 28 No. 3 , pp. 131 - 140 .

Tejay , G.P.S. and Shokara , B. ( 2011 ), “ Reducing cyber harassment through de jure standards: a study on the lack of the information security management standard adoption in the USA ”, International Journal of Management and Decision Making , Vol. 11 Nos 5/6 , pp. 324 - 342 .

Terlaak , A. and King , A.A. ( 2006 ), “ The effect of certification with the ISO 9000 Quality Management Standard: a signaling approach ”, Journal of Economic Behavior and Organization , Vol. 60 No. 4 , pp. 579 - 602 .

The Economist ( 2020 ), “ The changes covid-19 is forcing on to business ”, Economist , available at: https://www.economist.com/briefing/2020/04/11/the-changes-covid-19-is-forcing-on-to-business ( accessed 20 May 2020 ).

Ţigănoaia , B. ( 2015 ), “ Some aspects regarding the information security management system within organizations–adopting the ISO/IEC 27001: 2013 standard ”, Studies in Informatics and Control , Vol. 24 No. 2 , pp. 201 - 210 .

Topa , I. and Karyda , M. ( 2019 ), “ From theory to practice: guidelines for enhancing information security management ”, Information and Computer Security , Vol. 27 No. 3 , pp. 326 - 342 .

Tranfield , D. , Denyer , D. and Smart , P. ( 2003 ), “ Towards a methodology for developing evidence‐informed management knowledge by means of systematic review ”, British Journal of Management , Vol. 14 No. 3 , pp. 207 - 222 .

Tsohou , A. , Kokolakis , S. , Lambrinoudakis , C. and Gritzalis , S. ( 2010 ), “ A security standards' framework to facilitate best practices' awareness and conformity ”, Information Management and Computer Security , Vol. 18 No. 5 , pp. 350 - 365 .

Tuczek , F. , Castka , P. and Wakolbinger , T. ( 2018 ), “ A review of management theories in the context of quality, environmental and social responsibility voluntary standards ”, Journal of Cleaner Production , Vol. 176 , pp. 399 - 416 .

Uzumeri , M. ( 1997 ), “ ISO 9000 and other meta-standards: principles for management practice? ”, The Academy of Management Executive , Vol. 11 No. 1 , pp. 21 - 36 .

Van Wessel , R. , Yang , X. and De Vries , H.J. ( 2011 ), “ Implementing international standards for Information Security Management in China and Europe: a comparative multi-case study ”, Technology Analysis and Strategic Management , Vol. 23 No. 8 , pp. 865 - 879 .

Vance , A. , Siponen , M.T. and Straub , D.W. ( 2020 ), “ Effects of sanctions, moral beliefs, and neutralization on information security policy violations ”, Information Management , Vol. 57 No. 4 , 103212 .

Vasudevan , V. , Mangla , A. , Ummer , F. , Shetty , S. , Pakala , S. and Anbalahan , S. ( 2008 ), Application Security in the ISO27001 Environment , IT Governance Publishing , Ely .

Venters , W. and Whitley , E.A. ( 2012 ), “ A critical review of cloud computing: researching desires and reality ”, Journal of Information Technology , Vol. 27 No. 3 , pp. 179 - 197 .

Von Bertalanffy , L. ( 1956 ), “ General system theory ”, in Emery , F.E. (Ed.), General System, Yearbook of the Society for the Advancement of General System Theory , George Braziller , New York .

Von Solms , R. ( 1999 ), “ Information security management: why standards are important ”, Information Management and Computer Security , Vol. 7 No. 1 , pp. 50 - 58 .

Webster , J. and Watson , R.T. ( 2002 ), “ Analyzing the past to prepare for the future: writing a literature review ”, Management Information System Quarterly , Vol. 26 No. 2 , pp. 13 - 23 .

Weinberg , G.M. ( 2001 ), An Introduction to General Systems Thinking , Dorset House Publishing , New York .

Williamson , O.E. ( 1985 ), The Economic Intstitutions of Capitalism , Simon and Schuster , New York .


Healthcare (Basel)
Information Security Behavior in Health Information Systems: A Review of Research Trends and Antecedent Factors

Puspita Kencana Sari

1 Faculty of Computer Science, Universitas Indonesia, Depok 16424, Indonesia

2 Faculty of Economic & Business, Telkom University, Bandung 40257, Indonesia

Putu Wuri Handayani

Achmad Nizar Hidayanto, Setiadi Yazid, Rizal Fathoni Aji

Associated Data

Search results are available from the authors.

This study aims to review the literature on antecedent factors of information security related to the protection of health information systems (HISs) in the healthcare organization. We classify those factors into organizational and individual aspects. We followed the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) framework. Academic articles were sourced from five online databases (Scopus, PubMed, IEEE, ScienceDirect, and SAGE) using keywords related to information security, behavior, and healthcare facilities. The search yielded 35 studies, in which the three most frequent individual factors were self-efficacy, perceived severity, and attitudes, while the three most frequent organizational factors were management support, cues to action, and organizational culture. Individual factors for patients and medical students are still understudied, as are the organizational factors of academic healthcare facilities. More individual factors have been found to significantly influence security behavior. Previous studies have been dominated by the security compliance behavior of clinical and non-clinical hospital staff. These research gaps highlight the theoretical implications of this study. This study provides insight for managers of healthcare facilities and governments to consider individual factors in establishing information security policies and programs for improving security behavior.

1. Introduction

The implementation of health information systems (HISs) by healthcare providers has positive value in properly managing healthcare information but also has negative impacts, such as security and privacy risks. HISs are vulnerable to violations of information security and privacy. Openness and connectedness with many heterogeneous stakeholders in the health network also increase these risks [ 1 ]. The healthcare industry lags far behind other sectors in terms of digital literacy and information security, making it a primary target [ 2 ]. Serious data breach incidents in the healthcare industry have occurred in health insurance institutions in the United States [ 3 , 4 ], health research institutes in the United Kingdom [ 5 ], providers of general laboratory testing services and specialized diagnostics in Canada [ 6 ], and hospital networks [ 7 ] and blood donor agencies in Singapore [ 8 ]. Security breaches target different types of healthcare organizations, although HIPAA Journal [ 9 ] states that 75% of data breaches occur in healthcare providers. Therefore, healthcare providers must maintain the confidentiality, availability, and integrity of patient health information [ 10 , 11 , 12 ] as part of their healthcare service delivery.

Several aspects can make the medical environment especially challenging to manage in terms of security. Healthcare has a larger risk of insider threats than the banking and insurance industries, which both hold and manage highly sensitive information [ 13 ]. The medical setting is strongly influenced by ethical considerations for various professions [ 14 ], affecting their decisions and behavior. Communication and trust issues between medical personnel and patients [ 15 , 16 ] play a fundamental role in patient care. Network expansion of healthcare service providers promotes the policy of sharing data between related parties [ 17 ], which increases the exposure of patient information transferred in electronic form and raises questions of data ownership [ 18 ], responsibility for ensuring confidentiality [ 19 ], and responsibility for data integrity [ 20 ]. Health facilities are open public organizations [ 14 ], which makes access control and physical security harder to enforce [ 21 ], even though they face higher information security risk [ 16 ]. Insider threats posed by people with legitimate access to information systems can come from temporary staff, such as medical students, residents, or interns, who have the same need for access to medical data as permanent employees [ 14 , 16 ]. Most healthcare organizations do not prioritize information security in their resource allocation [ 14 ], as healthcare services are their primary business. Employees have different values and norms for information security [ 22 , 23 , 24 ] because it is often seen as hampering productivity in healthcare, especially in emergencies; thus, the level of negligence in security controls is relatively high [ 14 ]. In healthcare, there is not the same degree of worry or caution as in certain other sectors, including the banking industry [ 25 ]. These conditions emphasize that security behavior is a significant factor influencing healthcare organizations’ security effectiveness [ 26 ].

Health information is considered to be the most confidential information among other types of personal information [ 14 ]. It has a high value on the black market and, thus, becomes the target of organized criminal networks [ 27 ]. Some possible impacts include threats to patients based on their medical condition, financial losses and loss of resources, death, serious injury, illegal sales of limited medical equipment and medicines, loss of organizational reputation, and failure to achieve the organization’s mission and goals [ 28 , 29 ]. The most extensive health data breaches have occurred internally, with most incidents being errors and incidents of misuse [ 30 , 31 ]. Previous studies [ 22 , 32 , 33 ] have revealed cases of security breaches caused by human factors. Therefore, information security management in healthcare organizations should encourage good security behavior among employees and other related parties.

Information security behavior is essential in order to ensure that information assets are well protected [ 34 ]. Information-security-related behavior is defined as employee behavior in using organizational information systems, including hardware, software, networks, etc., that have security implications [ 35 ] as a function of the information security components defined by information security policy [ 36 , 37 ]. A previous study by Guo [ 35 ] classified security behaviors into four categories: (1) Security assurance behavior refers to the employee’s deliberate behavior to protect the organization’s information system, where this action is beyond policymakers’ expectations. (2) Security-compliant behavior refers to intentional or unintentional behavior that does not violate an organization’s information security policy, as policymakers expect. (3) Security risk-taking behavior refers to intentional employee behavior that can carry security risks for the organization’s information system, even if the employee has no motive for causing damage. (4) Security-damaging behavior refers to intentional employee behavior that can damage the security of an organization’s information system.

Security assurance and security-compliant behavior are considered desirable security behavior (DSB) because they can promote the effectiveness of information security designed by an organization. Meanwhile, security risk-taking and security-damaging behavior are considered undesirable security behavior (USB) that employees must avoid. In the healthcare context, most studies on security behavior have focused on factors that affect DSB, such as compliance with the Health Insurance Portability and Accountability Act (HIPAA)’s security and privacy rules or information security policy. Other studies have also investigated factors influencing USB, such as the intention to disclose patient information. Management can optimize the factors that drive DSB and anticipate the factors that drive USB. Therefore, it is necessary to understand the antecedent factors of both DSB and USB in the healthcare context.

Several previous studies conducted systematic literature reviews related to information security in the health context, such as [ 38 , 39 ], which focused on technical aspects and information security control. In comparison, systematic literature reviews related to information security behavior and culture [ 40 , 41 , 42 , 43 , 44 , 45 , 46 , 47 ] have not focused on the healthcare context. We found two articles [ 48 , 49 ] presenting systematic literature reviews concerning information security behavior in health organizations. The study by Page [ 48 ] discussed organizational culture in general but did not focus on healthcare organizations. The review by Yeng et al. [ 49 ] investigated healthcare professionals’ individual factors that can influence their information security practices, including psychological, social, cultural, and demographic factors. However, organizational factors also significantly influence information security practices and behaviors [ 50 , 51 ]. Thus, the present study aims to fill the gap in previous systematic reviews [ 49 ] by exploring individual and organizational factors that influence information security behavior in healthcare organizations.

In the literature on this research topic, the terms “information security” and “cybersecurity” are frequently used synonymously. Cybersecurity is related to the data in cyberspace, in contrast to information security, which is the protection of all information [ 52 ]. In smaller healthcare facilities, it is possible that HISs’ implementation will not always be online. HIS security risks include medical staff members directly disclosing patient information to their families. Therefore, this study focuses on information security behavior. We investigated the research trends and antecedent factors of information security behavior in the healthcare context involving various types of HIS users in healthcare organizations, including clinical staff, non-clinical staff, and patients. Specifically, we asked the following research question: “What are the research trends and antecedent factors of information security behavior in health information systems from organizational and individual perspectives?”

To answer this research question, we adopted a systematic literature review methodology. To conduct and report our review, we used the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) statement [ 53 ]. PRISMA emphasizes methods through which researchers may guarantee the transparent and thorough reporting of systematic reviews [ 54 ]. PRISMA 2020 updates the PRISMA 2009 statement and includes a 27-item checklist, a flow diagram, and an explanation and elaboration document [ 53 ]. A systematic review gives us the opportunity to examine current trends in the emphasis placed on security behavior, security threats, and the variables that affect how users behave while protecting health information.

This study is expected to have theoretical and practical implications. First, this study provides a systematic overview for researchers of antecedent factors of information security behavior, specifically in healthcare organizations. Second, this study determines the organizational and individual elements mapped to USB and DSB from HIS users. These findings can provide insight to managers in healthcare organizations to help them design information security policies and programs to prevent information security breaches, especially for internal threats. Third, this study can provide lessons for regulators to develop information security regulations in the healthcare industry—especially for information security governance and culture.

2. Materials and Methods

This study adopted the PRISMA 2020 framework ( Table S1: PRISMA 2020 Checklist ) [ 53 ]. PRISMA has been used in previous studies in the field of information systems primarily related to health services, such as user acceptance of hospital information systems [ 55 ], security and privacy in electronic health records [ 38 , 39 ], and information security culture in general [ 44 ]. This shows that information system studies can also use PRISMA in the context of health and information security.

2.1. Eligibility Criteria

We determined four inclusion criteria (IC) for this study, as follows: (IC1) original scientific articles, including research articles, conference papers, and systematic reviews; (IC2) full-text articles available and written in English; (IC3) the research examines factors that influence information security behavior; (IC4) the research investigates health information protection in healthcare organizations. For removing irrelevant studies, the following exclusion criteria (EC) were applied: (EC1) articles duplicated in another repository; (EC2) articles that report on information security behavior from multisector organizations—not specifically in the healthcare sector; (EC3) studies that evaluate information security behavior without uncovering any antecedent factors; (EC4) studies that explore HIS security in organizations other than healthcare organizations.

2.2. Search Strategy

The second step was determining the sources of information, keywords, and journal repositories. The keywords used reflected three categories: terms related to information security, behavior, and health organizations. The keywords used in searching the repositories were as follows: (“information security” OR “cybersecurity”) AND (“behavior” OR “awareness” OR “compliance” OR “practice”) AND (“hospital” OR “clinic” OR “health”). Five databases were used as sources of information: ScienceDirect, Medline/PubMed, SAGE, IEEE Xplore, and Scopus. We applied a filter for publication type to retrieve only journal articles and conference papers. To explore all possible studies, there was no publication time limit. The search process was carried out in February 2022. We exported all of the search results into BibTeX or RIS files and imported those files into Mendeley as a reference tool to check for duplicates and conduct further analysis.

2.3. Data Items and Synthesis

The next step was to analyze some attributes of the articles collected—namely, the author names, publication year, source type, name of the journal or conference, country of study or author affiliation, research methods, sample unit (i.e., respondent), healthcare organization type, variables used in the research model, and foundational theory. The selected studies focus on factors that influence the information security behavior of HIS users who have access to patients’ health data in healthcare organizations. Articles discussing information security behavior in organizations in general but covering the health industry were excluded. After reducing the duplicate results from the repositories, we screened the reports by examining their titles and abstracts. Furthermore, the examination was carried out by searching for full-text articles of some candidates and assessing whether the articles met the inclusion criteria. If a paper met the criteria, it was added to the selected studies. The results of the selected studies are summarized in a table ( Table S2: Summary of selected studies ).

3.1. Study Selection

The search results from the specified databases returned 5573 studies with the defined keywords. Duplicate records were removed, resulting in 4677 records being screened in the next step. The title and abstract screening resulted in the exclusion of 4496 records with no mention of information security behavior in healthcare. Consequently, 181 articles were sought for retrieval, but 28 reports did not meet IC2 (no access to full text and not written in English). Next, 153 full-text articles were assessed for eligibility; 83 papers did not meet IC3 (no focus on factors influencing information security behavior), and 35 papers did not meet IC4. Performing the final step of the review resulted in 35 studies. Figure 1 shows the complete steps of the PRISMA workflow carried out in this study.
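The selection pipeline described in Sections 2.2 to 3.1 (boolean search string, de-duplication across repositories, title/abstract screen, IC2 retrieval check, IC3/IC4 eligibility judgement) can be written down as a small, reproducible filter. The script below is an added example and is not the authors' tooling; the authors used Mendeley for de-duplication and screened by hand. It assumes a simple record model, treats the IC3 and IC4 decisions as reviewer-supplied flags, and extends the literal search string with spelling variants ("behaviour", "cyber-security") that a literal match would miss; the sample records are constructed for illustration and are not real papers.

```python
import re
from dataclasses import dataclass

# Search string from Section 2.2 expressed as regex groups: a record matches when
# every group (AND) has at least one pattern (OR) present in its title or abstract.
# Spelling variants are an assumption added here, not part of the paper's string.
QUERY = [
    [r"information[\s-]security", r"cyber[\s-]?security"],
    [r"behaviou?rs?", r"awareness", r"compliance", r"practices?"],
    [r"hospitals?", r"clinics?", r"health"],
]


@dataclass
class Record:
    title: str
    abstract: str
    database: str                 # repository the record was exported from
    doi: str = ""
    language: str = "en"
    full_text: bool = True
    has_antecedents: bool = False  # reviewer judgement for IC3 (assumed field)
    healthcare_org: bool = False   # reviewer judgement for IC4 (assumed field)


def matches_query(rec: Record, query=QUERY) -> bool:
    """Title/abstract screen: every keyword group must be represented."""
    text = f"{rec.title} {rec.abstract}".lower()
    return all(any(re.search(p, text) for p in group) for group in query)


def dedup_key(rec: Record) -> str:
    """DOI when present; otherwise a punctuation-free lowercase title, so the same
    paper exported from two databases collapses to one record."""
    if rec.doi:
        return "doi:" + rec.doi.strip().lower()
    return "title:" + re.sub(r"[^a-z0-9]", "", rec.title.lower())


def deduplicate(records):
    seen = {}
    for rec in records:
        seen.setdefault(dedup_key(rec), rec)  # first export wins
    return list(seen.values())


def prisma_flow(records):
    """Apply the stages of Figure 1 in order and return the per-stage counts."""
    unique = deduplicate(records)
    screened_in = [r for r in unique if matches_query(r)]
    retrieved = [r for r in screened_in if r.language == "en" and r.full_text]  # IC2
    ic3 = [r for r in retrieved if r.has_antecedents]                           # IC3
    included = [r for r in ic3 if r.healthcare_org]                             # IC4
    return {
        "identified": len(records),
        "after_dedup": len(unique),
        "excluded_title_abstract": len(unique) - len(screened_in),
        "not_retrieved_ic2": len(screened_in) - len(retrieved),
        "excluded_ic3": len(retrieved) - len(ic3),
        "excluded_ic4": len(ic3) - len(included),
        "included": len(included),
    }


# Constructed sample export (not real publications): one DOI duplicate across
# Scopus/PubMed, one title-only duplicate across IEEE/Scopus, and one record
# dropped at each later stage.
SAMPLE = [
    Record("Nurses' information security compliance in a teaching hospital",
           "Tests predictors of policy compliance among nursing staff.", "Scopus",
           doi="10.0000/sample.1", has_antecedents=True, healthcare_org=True),
    Record("Nurses' information security compliance in a teaching hospital",
           "Tests predictors of policy compliance among nursing staff.", "PubMed",
           doi="10.0000/sample.1", has_antecedents=True, healthcare_org=True),
    Record("Cyber-security awareness among clinic staff",
           "Survey of awareness and reporting practices in primary-care clinics.",
           "IEEE", has_antecedents=True, healthcare_org=True),
    Record("Cyber-security awareness among clinic staff.",
           "Survey of awareness and reporting practices in primary-care clinics.",
           "Scopus", has_antecedents=True, healthcare_org=True),
    Record("Blockchain for health data sharing",
           "Proposes a ledger architecture for exchanging records between providers.",
           "ScienceDirect", doi="10.0000/sample.3"),
    Record("Information security behaviour in a hospital network",
           "Survey of clinical staff; full text published in German.", "SAGE",
           doi="10.0000/sample.4", language="de"),
    Record("Measuring security compliance of health workers",
           "An instrument to measure information security compliance; no predictors tested.",
           "Scopus", doi="10.0000/sample.5", healthcare_org=True),
    Record("Information security practices of health insurers",
           "Cybersecurity practice in insurance firms that process health claims.",
           "Scopus", doi="10.0000/sample.6", has_antecedents=True),
]

if __name__ == "__main__":
    print(prisma_flow(SAMPLE))
```

Running the script reproduces the shape of Figure 1 on the sample: eight records identified, six after de-duplication, and one record removed at each of the title/abstract, IC2, IC3 and IC4 stages, leaving two included. The point of keying de-duplication on DOI first and normalised title second is that repositories disagree on punctuation and casing far more often than on DOIs, so a title-only key would leave duplicates that inflate the "identified" count.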

Figure 1. PRISMA workflow diagram (IC = Inclusion Criteria).

3.2. Study Characteristics

Figure 2 shows trends in research on information security behavior in healthcare from 2008 to 2021. We identified the first study published in 2008. One selected study in 2022 was excluded due to a lack of data to represent the year (until February 2022). The study trend increased significantly in 2020 (seven studies), which might have been a response to the COVID-19 outbreak. Healthcare providers had to change how to provide services to patients by adopting various technological solutions, which increased their vulnerability to cyberattacks [ 56 ]. During the COVID-19 pandemic, the most common cyberattacks in the health sector were ransomware and phishing attacks caused by human factors and a lack of security awareness [ 56 ]. The number of studies has doubled since 2020, but only two of the studies reviewed [ 57 , 58 ] mention COVID-19 in their discussion. The number of studies decreased slightly in 2021 (five studies) but was still higher than in previous years. Figure 2 shows the summary of selected studies for further analysis. The detailed list of selected studies is available in the Supplementary Materials (Table S2: Summary of selected studies).

Figure 2. Research trends.

Of the 35 studies included in this review, we analyzed the distribution according to the countries where the studies took their samples or were conducted. Table 1 shows that developed countries dominate the studies related to information security behavior in healthcare organizations. Most of the studies involved respondents or participants from the United States (11 studies), Taiwan (five studies), the Republic of Korea (four studies), Germany (four studies), Malaysia (two studies), Saudi Arabia (two studies), Norway (one study), and Spain (one study). One study took samples from Ireland, Italy, and Greece. There were only four studies from developing countries: South Africa (two studies), India (one study), and Indonesia (one study). The categories of developed and developing countries used in this study refer to their gross national income per capita per year as calculated by the World Bank Atlas [ 59 ].

Table 1. Countries involved in the selected studies.

Category | Country | Frequency | Citation
Developed country | United States | 11 | [ , , , , , , , , , , ]
Developed country | Taiwan | 5 | [ , , , , ]
Developed country | Republic of Korea | 4 | [ , , , ]
Developed country | Germany | 4 | [ , , , ]
Developed country | Malaysia | 2 | [ , ]
Developed country | Saudi Arabia | 2 | [ , ]
Developed country | Norway | 1 | [ ]
Developed country | Spain | 1 | [ ]
Developed country | Ireland | 1 | [ ]
Developed country | Italy | 1 | [ ]
Developed country | Greece | 1 | [ ]
Developing country | South Africa | 2 | [ , ]
Developing country | India | 1 | [ ]
Developing country | Indonesia | 1 | [ ]

Regarding the organization type, most studies were conducted in hospitals. Table 2 shows that 23 studies examined information security behavior in hospitals only. Five studies involved hospitals and other healthcare providers, such as private clinics, physical therapy facilities, mental healthcare facilities, nursing homes, public health centers, and physicians’ offices. Two investigated nursing schools, and two investigated academic medical centers. In the remaining three studies, the type of healthcare organization was not specified.

Table 2. Types of organizations involved in the selected studies.

Type of Organization | Frequency | Citation
Hospitals only | 23 | [ , , , , , , , , , , , , , , , , , , , , , , ]
Hospitals and other providers (clinics, health centers, etc.) | 5 | [ , , , , ]
Healthcare organizations (unspecified) | 3 | [ , , ]
Nursing schools | 2 | [ , ]
Academic medical centers | 2 | [ , ]

Table 3 shows the study characteristics according to the respondents or participants. Most of the studies involved clinical staff (25 studies), such as doctors, dentists, nurses, pharmacists, physical therapists, and nutritionists. Twenty-one studies involved non-clinical staff as respondents, such as administration staff, information technology (IT) staff, human resources experts, privacy officers, top-level management, and psychologists. In addition to the permanent staff of healthcare organizations, five studies investigated the information security behavior of temporary staff, such as medical students and interns. A single study took patients as respondents to measure their behavior in protecting personal information managed by medical facilities.

Table 3. Respondents involved in the selected studies.

Respondents | Frequency | Citation
Clinical staff (physicians, nurses, pharmacists, etc.) | 25 | [ , , , , , , , , , , , , , , , , , , , , , , , , ]
Non-clinical staff (administration staff, top-level management, IT staff, etc.) | 21 | [ , , , , , , , , , , , , , , , , , , , , ]
Temporary staff (nursing students, interns) | 5 | [ , , , , ]
Patients | 1 | [ ]

The research methods (Table 4) were primarily quantitative, surveying respondents through questionnaires (27 studies). Some studies complemented their surveys with experiments to observe actual behavior. Seven studies used qualitative methods—both empirical (i.e., interview) and analytical (i.e., literature review and conceptual models). Meanwhile, two other studies used mixed methods (i.e., survey and interview).

Table 4. Research methods of the selected studies.

Research Method | Frequency | Citation
Quantitative (survey, experiment) | 26 | [ , , , , , , , , , , , , , , , , , , , , , , , , , ]
Qualitative (interview) | 3 | [ , , ]
Literature review | 4 | [ , , , ]
Mixed methods (interview and survey) | 2 | [ , ]

Table 5 shows where the selected studies were published. Most of the selected studies were journal articles (25 studies). Three sources contained more than one selected study. Meanwhile, nine studies were published in conference proceedings, with two of these sources containing more than one selected study.

Table 5. Source of the selected studies.

Source | Name of Publication | Frequency
Journal article | Health Information Management Journal | 3
Journal article | Computers & Security | 3
Journal article | INQUIRY: The Journal of Health Care Organization, Provision, and Financing | 2
Journal article | Sustainability | 1
Journal article | Symmetry | 1
Journal article | International Journal of Environmental Research and Public Health | 1
Journal article | International Journal of Medical Informatics | 1
Journal article | Information Systems Research | 1
Journal article | Information Management & Computer Security | 1
Journal article | Health Informatics Journal | 1
Journal article | BMC Medical Informatics and Decision Making | 1
Journal article | International Journal of Health Care Quality Assurance | 1
Journal article | Information Systems Frontiers | 1
Journal article | Information Systems Journal | 1
Journal article | Malaysian Journal of Computer Science | 1
Journal article | European Journal of Information Systems | 1
Journal article | JMIR Human Factors | 1
Journal article | Journal of Medical Internet Research | 1
Journal article | Security Journal | 1
Journal article | Journal of Public Health | 1
Proceedings | Procedia Technology | 2
Proceedings | Americas Conference on Information Systems (AMCIS) | 2
Proceedings | IEEE Conference on e-Learning, e-Management, and e-Services (IC3e) | 1
Proceedings | Hawaii International Conference on System Sciences | 1
Proceedings | International Conference on Information and Communication Systems (ICICS) | 1
Proceedings | International Conference on Availability, Reliability, and Security | 1
Proceedings | Conference on HCI for Cybersecurity, Privacy, and Trust | 1
Proceedings | Conference on Risks and Security of Internet and Systems | 1

Table 6 lists 20 distinct theories adopted as foundations in the selected studies. Most studies used a combination of two or more theories. The theories used in multiple studies were the theory of planned behavior (TPB; 10 studies), general deterrence theory (GDT; nine studies), protection motivation theory (PMT; eight studies), health belief model (HBM; five studies), and theory acceptance model (TAM; four studies). The TPB explains that social pressure and cognitive thinking influence individual behavior [ 86 ]. GDT describes how security behavior is influenced by deterrence beliefs and fears [ 87 ]. PMT is involved in the development of the HBM, which explains how individuals carry out a cognitive evaluation to determine appropriate behavior based on their ability to deal with threats [ 88 , 89 ]. The TAM provides a model of how people come to acknowledge and utilize technology [ 90 ]. However, the TPB was only adopted in studies related to DSB, while the other frequent theories were adopted in both DSB and USB research.

Table 6. Foundational theories in the selected studies.

Foundational Theory | Frequency | Citation
Theory of planned behavior (TPB) | 10 | [ , , , , , , , , , ]
General deterrence theory (GDT) | 9 | [ , , , , , , , , ]
Protection motivation theory (PMT) | 8 | [ , , , , , , , ]
Health belief model (HBM) | 5 | [ , , , , ]
Theory acceptance model (TAM) | 4 | [ , , , ]
Social cognitive theory (SCT) | 1 | [ ]
Norman’s action theory (NAT) | 1 | [ ]
Concern for information privacy (CFIP) | 1 | [ ]
Theory of reasoned action (TRA) | 1 | [ ]
Power style theory (PST) | 1 | [ ]
Social exchange theory (SET) | 1 | [ ]
Technology threat avoidance theory (TTAT) | 1 | [ ]
Unified theory of acceptance and use of technology (UTAUT) | 1 | [ ]
Social control theory (SCoT) | 1 | [ ]
Rational choice theory (RCT) | 1 | [ ]
Social bond theory (SBT) | 1 | [ ]
Cognitive moral development theory (CMDT) | 1 | [ ]
Diffusion of innovation (DOI) | 1 | [ ]
Prosocial rule breaking (PSRB) | 1 | [ ]
Neutralization theory | 1 | [ ]

Table 7 depicts the variance in the types of information security behavior examined in the selected studies. DSB was the most observed behavior (25 studies), with behavioral concerns with respect to compliance with information security policy and regulations (17 studies) or performing security protection according to best practices (eight studies). USB was examined in seven studies, with concerns including risky security practices (four studies) and information security policy violations (three studies). Meanwhile, three studies investigated security behavior with respect to both secure and insecure practices among HIS users.

Table 7. Security behaviors investigated in the selected studies.

Type of Security Behavior | Study Focus | Frequency | Citation
Desirable security behavior | Compliance with policy/regulations | 17 | [ , , , , , , , , , , , , , , , , ]
Desirable security behavior | Security protection | 8 | [ , , , , , , , ]
Undesirable security behavior | Risky security practices | 4 | [ , , , ]
Undesirable security behavior | Violation/non-compliance | 3 | [ , , ]
Both security behaviors | Secure and insecure practices | 3 | [ , , ]

3.3. Security Threat Model

A healthcare facility bases its information security policy on the security risk profile of the organization. The risk can be determined from security threats that may occur in the organization or by referring to similar organizations as benchmarks. Previous studies [ 91 ] revealed that the most critical security threat in an HIS is a power failure, followed by human error and technological failures. Other studies [ 32 , 92 ] identified that most security threats were related to human behavior, such as password sharing, missing records, email misrouting, theft on the premises, procedures not being followed, and the establishment of improper HIS privileges.

The selected studies also mention some threats and vulnerabilities to be addressed by improving information security protection by modifying the healthcare staff’s behavior. Since this systematic review focuses on the information security behavior of HIS users, most of the selected studies only show possible threats posed by insiders. We modeled the threat from selected studies by referring to [ 93 ] in breaking down the threat action, health information assets, vulnerabilities, and potential control actions. Threat action and control were classified based on ISO 27799:2016 [ 14 ] as the information security standard for health information. Figure 3 depicts various types of threats to health information, especially with insiders as the source. The number in the bar shows the number of selected studies mentioning the threat.

Figure 3. Threat actions discussed in the selected studies.

Here, we discuss the top three security threat actions identified in the selected studies. The greatest security threat is the unauthorized use of the HIS (11 studies). This threat can lead to security incidents because of vulnerabilities in the healthcare facilities—for example, a lack of security awareness and policy compliance [ 11 , 50 , 58 , 70 , 81 , 82 ], the use of multiple entry points to access electronic medical records [ 49 , 65 ], and forgetting to log out after using the HIS at an unattended workstation [ 85 ]. The second-greatest threat is masquerading by insiders, such as staff accessing the HIS without using their own account (seven studies). The vulnerabilities that can be exploited by this threat are weak information security policy compliance [ 57 , 81 ], weak access control management [ 67 , 83 , 84 , 85 ], and the sharing of workstations to access the HIS [ 25 ]. The third-greatest threat is user error in handling information (six studies). This threat can be triggered by weak information security policy compliance [ 57 , 74 ], ignorance of the risk involved [ 11 ], poor security skills and security monitoring [ 1 ], low user education, and a lack of awareness of information security [ 50 , 75 ].

There are some actions that cannot be classified into threat types according to ISO 27799:2016 Annex A [ 14 ]. An example would be a nurse intentionally disclosing a patient’s health information to their family [ 64 , 77 , 79 ] with the assumption that this would make the medical treatment more efficient and benefit the healthcare facility. Meanwhile, an operation error in ISO 27799:2016 [ 14 ] refers to the unintentional disclosure of confidential information. Some selected studies [ 26 , 51 , 61 , 66 , 72 , 76 ] do not mention the threat action specifically but only describe a violation of the information security policy or regulation and health information leakage in a healthcare organization.

3.4. Antecedent Factors of Security Behavior

Antecedent factors were gathered from research variables that were proven to be significant in empirical studies included in this review. Of the 35 selected studies, four were conceptual studies and, thus, were excluded from the analysis. There were 59 different variables as antecedent factors that significantly influence information security behavior directly and indirectly. The number of variables shows enormous variation in information security behavior research in healthcare. The variables are also related to the various foundational theories in the selected studies. Some factors are derived from frequent foundational theories, i.e., the TPB, PMT, GDT, and HBM. This shows that information security behavior studies are likely to use approaches from psychology (TPB and PMT), criminology (GDT), and public health (HBM) [ 94 ].

Meanwhile, factors adopted from the information system domain (TAM) are mostly insignificant in influencing security behavior. These variables were grouped into individual and organizational factors and then mapped into two types of security behavior. Human factors in cybersecurity are better viewed from various perspectives. Some previous studies [ 51 , 61 ] agree that employee security behavior can be influenced by two types of factors—namely, organizational factors and individual factors.

3.4.1. Individual Factors

Individual or personal factors investigate the individual reasoning and decision-making behind security behavior [ 95 ]. This study identified 31 distinct individual factors (Table 8) from the selected studies that empirically influence information security behavior. Fifteen factors appear in multiple studies. Four of them influence both DSB and USB, as examined in different studies.

Table 8. Individual factors as antecedents of security behavior.

Factor (n) | Key Points | User | DSB Study | USB Study
Self-efficacy (12) | Belief about self-capabilities to perform security practices | CS, NS | [ , , , , , , , , , , , ] | N/A
Perceived severity (10) | Perception of adverse impacts from security incidents or threats | CS, NS, MS | [ , , , , , , , ] | [ , ]
Attitudes (7) | Positive or negative feelings about engaging in a specific behavior | CS, NS | [ , , , , , , ] | N/A
Subjective norms (7) | Perception of referent approval to exhibit or not exhibit a behavior | CS, NS | [ , , , , , , ] | N/A
Information security awareness (7) | Knowledge and understanding of health information security | CS, NS, MS | [ , , ] | [ , , , ]
Perceived benefit/response efficacy (6) | Perception of positive outcomes from employing information security measures | CS, NS | [ , , , ] | N/A
Perceived susceptibility/vulnerability (4) | Perception of the probability of being exposed to malicious threats | CS, NS, MS | [ , , , ] | N/A
Perceived behavioral control (4) | Perception of difficulty in displaying security behavior determined by internal or external constraints | CS, NS | [ , , , ] | N/A
Perceived trust (4) | Belief that others’ actions can be instrumental to self-interest and provide benefits | CS, NS | [ , , , ] | N/A
Perceived barriers (3) | Perception of the difficulty or cost of security practices, including money, time, or effort | CS, NS | [ , , ] | N/A
Perceived usefulness (2) | Protecting security and privacy is important and beneficial | CS, NS | [ , ] | N/A
Perceived threat/risk (2) | Perceiving security threats as an inherent risk when using the HIS in a particular condition | CS, NS | [ , ] | N/A
Safeguard cost (2) | Perception of inconvenience regarding the effort to employ security measures | CS, NS | [ , ] | N/A
Perceived responsibility (2) | Personal characteristics prescribed in the code of ethics | CS, MS | [ ] | [ ]
Personal norms (2) | Self-values and perspectives on information security | CS, MS | [ ] | [ ]
Safeguard effectiveness (1) | Security safeguards can effectively mitigate the risks of utilizing the HIS in some circumstances | CS | [ ] | N/A
Coping appraisal (1) | Examination of a person’s ability to deal with losses when faced with a threat | CS | [ ] | N/A
Perceived work experience (1) | Perceptions of work experience that may help in enhancing information security competence and awareness | CS, NS | [ ] | N/A
Compatibility (1) | Perception that the protection is consistent with users’ needs, values, and experiences | CS | [ ] | N/A
Controllability (1) | Perception that security measures can control the HIS | CS | [ ] | N/A
Religion (1) | Religious values can influence perceptions and actions in protecting information security | CS, NS | [ ] | N/A
Personality traits (1) | Personality categories (e.g., extraversion, agreeableness, conscientiousness, neuroticism, intellect/imagination) | CS, NS | [ ] | N/A
Commitment (1) | Employee’s engagement to support information security in the organization | CS | [ ] | N/A
Involvement (1) | Employee’s participation in supporting information security in the organization | CS | [ ] | N/A
Perceived stress levels (1) | The mental state that can influence employees to use unfavorable security practices | CS, NS | N/A | [ ]
Situational empathy (1) | Personal characteristics in a situation that has sensitivity to others’ emotional experiences to facilitate communication with patients and their families | MS | N/A | [ ]
Perceived impact (1) | Impact levels of undesirable security practices that affect employees and others | MS | N/A | [ ]
Self-control (1) | The process of self-regulation such that the individual acts intentionally | MS | N/A | [ ]
Lack of knowledge (1) | The employee does not have adequate knowledge of security requirements | NS | N/A | [ ]
Poor skills (1) | The employee does not have adequate skills to carry out information security protection | NS | N/A | [ ]
Poor discipline (1) | The employee does not have good discipline, e.g., laziness, arrogance, and indifference | NS | N/A | [ ]

Notes: DSB = desirable security behavior (such as compliance behavior, protection behavior, etc.); USB = undesirable security behavior (such as risk-taking behavior, non-compliance, etc.); N/A = not applicable (no selected studies using the factor); CS = clinical staff; NS = non-clinical staff; MS = medical student.

The most frequent individual factor in the selected studies was self-efficacy (12 studies) derived from PMT. Almost half of the desirable security behavior studies observed that self-efficacy positively and significantly influences information security behavior directly [ 1 , 23 , 51 , 57 , 61 , 72 , 74 , 75 ] and indirectly [ 62 , 63 , 70 ], through other variables (e.g., perceived behavioral control and avoidance motivation). The other most frequent factors were perceived severity (10 studies) and perceived susceptibility (4 studies). Perceived severity positively influences security compliance behavior [ 65 , 71 , 74 , 75 , 81 ] and assurance behavior [ 62 , 63 ] or negatively influences damaging behavior [ 76 ]. Perceived susceptibility also positively influences compliance behavior [ 65 , 71 , 74 ] and assurance behavior [ 63 , 76 ]. Perceived susceptibility in some studies is called perceived vulnerability [ 71 , 76 , 78 ]. According to PMT and the HBM, these factors are components of threat appraisal, which explains people’s assessment of a security threat or risk that they will manage [ 96 ]. Some selected studies used the terms perceived threat [ 63 ] and perceived risk [ 65 ] to reflect healthcare staff’s perceptions of the security threat or risk according to their perceived severity and susceptibility, which then significantly influence their further security behavior intentions.

Perceived benefit (six studies) and perceived barriers (three studies) are also adopted from HBM constructs. A previous study [ 71 ] that adopted PMT used different terms to reflect perceived benefits and perceived barriers: response efficacy and response cost, respectively. Other words with similar meanings to perceived benefit and perceived barriers are safeguard effectiveness [ 63 ] and safeguard cost [ 63 , 65 ], respectively. Different studies [ 70 , 81 ] that adopted the TAM used the perceived usefulness construct but adopted a similar definition of perceived benefit in the context of security behavior.

The TPB, as the dominant foundational theory in the selected studies, also contributes to frequent factors—namely, attitudes (seven studies), subjective norms (seven studies), and perceived behavioral control (four studies). Attitude is commonly used as a mediating variable to predict health staff’s DSB based on individual and organizational factors. Perceived trust is frequently related to behavioral intentions in TPB studies [ 1 , 51 , 61 , 74 ].

Security awareness (seven studies) is adopted from GDT [ 87 ] as a factor that deters people from engaging in undesirable behavior. Some studies used the general term information security awareness as a research variable [ 57 , 58 , 62 , 67 ], while others used health information security awareness, consisting of general and health-related issues, regulations, and relevant consequences [ 64 , 77 ].

Perceived responsibility (two studies) and personal norms (two studies) are individual factors that appeared more than once in studies related to DSB and USB. Perceived responsibility emphasizes that it is one’s job to achieve professional goals [ 79 ]. Meanwhile, personal norms define health staff’s values, such as perceiving an information security policy violation as inappropriate and unacceptable [ 58 ]. This value negatively influences the intention to disclose information [ 77 ] and positively influences attitudes toward information security policy compliance [ 58 ].

In examining HIS users who participated in the selected studies, we found that individual factors from patients have not yet been explored. One study that took patients as participants [ 69 ] only investigated organizational factors (i.e., data collection processes, secondary use, and system error) that can influence their security behavior. There are three factors that significantly influence information security behavior among both clinical and non-clinical staff of healthcare organizations and medical students: perceived severity, perceived susceptibility, and information security awareness. The other individual factors significantly influence one or two user types. Therefore, those factors can be explored in future research.

3.4.2. Organizational Factors

Organizational factors investigate organizational issues—such as procedures, programs, work environment, and security culture—that can influence employees’ security behavior [ 50 ]. There were 26 distinct organizational factors (Table 9) that empirically affect information security behaviors in the selected studies. Six factors were identified in more than one study; three appeared in both USB and DSB studies. Fourteen factors were only examined in DSB studies, while seven were examined only in USB studies.

Table 9. Organizational factors as antecedents of security behavior.

Factor (n) | Key Points | Organization | DSB Study | USB Study
Organizational/management support (4) | Top-level management or organizational commitment to protecting information security | HS, AHF, NHF | [ , , , ] | N/A
Cues to action (3) | Information security campaigns and other influences that can encourage proper security behavior | HS, AHF | [ , , ] | N/A
Organizational culture/climate (3) | Multidimensional construct with numerous features that might influence employee behavior | HS, NHF | [ , ] | [ ]
Punishment/detection certainty (2) | Act or process certain to be enforced in data protection within the organization | HS, NHF | [ , ] | N/A
Peer influence (2) | Influence from coworkers who have the power to give rewards or impose penalties for security practices | HS | [ ] | [ ]
Superior influence (2) | Influence from superiors who have the power to give rewards or impose penalties for security practices | HS | [ ] | [ ]
Facilitating condition (1) | Assets in ensuring that privacy protection behaviors are consistent with existing assets in the organization | HS | [ ] | N/A
Data collection (1) | Techniques used for data collection become patient privacy concerns | HS | [ ] | N/A
Secondary use (1) | Information is collected from the individual for a specific purpose but is used for another without proper authorization | HS | [ ] | N/A
Error (1) | Intended and unintended errors in information collected by the organization | HS | [ ] | N/A
Incentives (1) | Monetary and non-monetary incentives as a motivational stimulant | HS | [ ] | N/A
Nature of work (1) | The quality of work done by staff | HS | [ ] | N/A
Social relations (1) | Interpersonal connections among employees | HS | [ ] | N/A
Security system satisfaction (1) | Degree of user satisfaction with the security system | HS | [ ] | N/A
Legal/punishment (1) | Legal consequences or punishment from the organization for employees who conduct security violations/non-compliance | HS | [ ] | N/A
Internal auditing effectiveness (1) | Procedures to ensure that information security control complies with organizational requirements and related standards | HS, NHF | [ ] | N/A
Security education and training program (SETA) (1) | Program to provide information security knowledge/skills and inform about information security policy for health staff | HS, NHF | [ ] | N/A
Workload (1) | Employees’ amount of work, busyness, and pressure at work that might disrupt their compliance behavior | HS | [ ] | N/A
Regulatory concerns (1) | The risk of violating regulations regarding security and privacy related to HIS use | HS, NHF | [ ] | N/A
Medical assessment (1) | The patient’s medical status should be reported to related parties | AHF | N/A | [ ]
Shadow working process (1) | Security practices enable efficient working practices but are against the policy or even national laws | HS, NHF | N/A | [ ]
Organizational limitations (1) | Organizational conditions that might cause human error, such as high turnover, low morale, understaffing, and/or high workload | NHF | N/A | [ ]
Inefficient business processes (1) | Inefficient workflow that might cause human error, such as redundancy, suboptimality, and/or bottlenecks | NHF | N/A | [ ]
Poor monitoring and enforcement (1) | Ineffective security policy implementation, such as few incentives to comply or penalties for violations | NHF | N/A | [ ]
Physical environmental limitations (1) | Inadequate physical environment to support security control, such as small rooms | NHF | N/A | [ ]
Technological limitations (1) | Inadequate technology to support security control, such as outdated computer applications, slow networks, etc. | NHF | N/A | [ ]

Notes: DSB = desirable security behavior (such as compliance behavior, protection behavior, etc.); USB = undesirable security behavior (such as risk-taking behavior, non-compliance, etc.); N/A = not applicable (no selected studies using the factor); HS = hospital; AHF = academic healthcare facilities; NHF = non-specific healthcare facilities (e.g., clinics, health centers, etc.).

The most frequent organizational factor was management/organizational support (four studies). Previous studies [ 1 , 26 , 61 , 74 ] found that management support indirectly influences users’ behavior through various individual factors, such as perceived benefit, severity, self-efficacy, and trust. Management support can be measured through information security policy implementation, security training, and leadership from the top-level management [ 74 ].

Cues to action (three studies) are derived from the HBM construct. In selected studies [ 62 , 72 , 75 ], cues to action had a positive and significant influence on security behavior intention—mainly for security protection and compliance. None of the selected studies examined the effects of cues to action on the desire to commit a security violation or human error. A survey by Kessler et al. [ 66 ] measured organizational culture through practice, importance, and laxness, while Dong et al. [ 58 ] examined organizational culture in terms of top-level management beliefs and organizational control of information security issues.

The following factors appeared in two studies: Perceived certainty is derived from GDT, which can examine different acts or processes, such as detection [ 80 ] and punishment [ 73 ]. Two selected studies evaluated the impacts of peer influence and superior influence on different types of security behavior: protection intention [ 70 ] and non-compliance intention [ 82 ]. Both studies revealed that peer and superior influences significantly affect security behavior intentions through individual factors as mediating variables, such as subjective norms [ 70 ] and neutralization techniques [ 82 ].

Importantly, most of the selected studies took place in hospitals, and organizational factors mostly influence security behavior in a hospital context. Management support is the only factor that impacts all types of healthcare organizations. These results support the findings of previous studies [ 1 , 26 , 61 , 74 ], illustrating that support from management—such as information security policymaking—is the most important thing for all types of health organizations. However, in the selected studies, management support to deter undesirable security behavior was not investigated.

4. Discussion

Studies on information security behavior in healthcare organizations are still dominated by investigations into why people intend to comply with an organization’s information security policy or health security regulation, such as HIPAA. The most frequently adopted theory is the TPB, but the most frequent significant factors are derived from PMT as an improvement from the HBM. Attitudes, subjective norms, and perceived behavioral control as the constructs of the TPB were only investigated in DSB studies and were mostly combined with other theories, such as PMT and GDT. It is possible to explain human errors and violations by examining the staff’s attitudes toward information security behaviors [ 95 ]. However, the attitude was not a research variable in the selected studies related to USB.

The results empirically reveal that more individual (32 factors) than organizational (26 factors) aspects significantly affect information security behavior in the healthcare context. Those factors might positively (i.e., promoting) or negatively (i.e., preventing) affect the related behavior. This is consistent with the most frequently adopted foundational theories, the TPB and PMT, which focus on individual aspects of behavior. Although only two selected studies [ 50 , 82 ] explicitly segregated individual and organizational factors, many (16 studies) also examined both factors. Ten studies only used individual factors, while four studies only used organizational factors as significant antecedents to predict users’ security behavior. Hence, organizational aspects remain underexplored in this research field. However, most studies indicated that organizational factors significantly impact security behavior, mediated by individual factors.

Self-efficacy is the most frequently significant individual factor, yet it was important only in influencing DSB. A USB study [64] and a combined USB–DSB study [76] examined this factor, but self-efficacy was not significant in predicting insecure behavior such as the intention to disclose information or to violate security controls. The other frequent individual factors came from PMT and the HBM: perceived severity, perceived susceptibility, perceived benefit, and perceived barriers. Perceived severity and perceived susceptibility can be influenced by the security awareness of healthcare staff [76], which reflects their knowledge and understanding of potential security issues and their consequences, both general and health-information-specific [77]. Together with perceived benefits and perceived barriers, self-efficacy forms a construct known as coping appraisal, which affects information security intention [78]. Many studies measured the benefits of security protection under various names, including perceived benefit, perceived usefulness, and response efficacy; although the variable names differed across contexts, they referred to the same definitions.

Management support, the most significant organizational factor, is derived from GDT’s constructs. None of the selected studies examined management support as an antecedent of USB. Management support, such as providing security training to improve staff security awareness, can also influence self-efficacy [1,64,74,76]. Security managers in healthcare organizations can therefore design security policies and programs that facilitate staff adoption of security practices and increase their confidence; strengthening employee self-efficacy may increase the likelihood of effective security compliance. The next most significant organizational factor was cues to action from the HBM. The selected empirical studies showed that health staff’s security behavior could be predicted directly by cues to action, such as security campaigns and the influence of peers and superiors, which can promote security protection and compliance.

Some studies used demographic characteristics as differentiating factors, such as gender [66,72,80,81], age [25,66], occupation type [25,61,66], organization type [61,81], education [25], and working duration [74,78,80]. However, these demographic differences were found only in DSB studies. Organizational and occupational characteristics can influence the self-efficacy of healthcare professionals in complying with privacy and security rules because of their different work environments [61]. Figure 4 summarizes the antecedent factors of security behavior based on the selected studies.

Figure 4. Antecedent factors of information security behavior in healthcare organizations.

The theoretical contribution of our research complements prior studies by adding and mapping previous inquiries to understand the related factors, actors, providers, and behavior types. A systematic literature review by Yeng et al. [49] examined psychological, social, and cultural aspects of information security behavior but did not define individual and organizational factors as predictors of that behavior. Moreover, it investigated only the perspective of general healthcare professionals as HIS users, without including patients and other stakeholders among healthcare providers. The COVID-19 pandemic has driven healthcare facilities to develop digital health approaches such as telehealth, mobile health applications, and the Internet of Medical Things (IoMT). These initiatives can accelerate the exchange of health information by empowering patients to manage and share their medical information with various healthcare organizations. Patient-centered information exchange also requires the patient to play an active role in information security and privacy protection [97]. A previous study [69] investigating patient behavior did not examine individual factors.

The practical implications of our research provide lessons for decision-makers in healthcare organizations and governments on encouraging the expected security behavior. The most frequent information security hazards in healthcare organizations are improper usage, insider impersonation, and human error when handling information. By considering specific elements such as self-efficacy, perceived severity, and information security knowledge, healthcare organizations can build security policies that reduce the occurrence and effects of these risks; educating users about threats to information security and enhancing their technical skills to defend it are two examples. For information security protection to succeed, it is also necessary to strengthen the organizational factors that promote information security behavior, such as support and commitment from top-level management, peer and superior influence, and a positive corporate culture.

A limitation of this review is that we analyzed only the empirical studies to define significant antecedent factors and classify them as individual or organizational. The most frequent factors were counted not by their appearance as research variables in the selected studies but by how many studies identified them as predictors of security behavior. Because the research methods of the empirical studies varied, this review could not determine the influence of each factor on the dependent variables; therefore, the most frequent factors do not necessarily represent the most significant factors in evaluating health staff’s information security behavior. Previous studies revealed no established general model for information security behavior in healthcare. This study does not propose a specific model but rather exposes the research gap for further investigation. Further research is necessary to learn more about the influencing factors among user groups in various healthcare organizations, and patients should be included as research subjects to determine how healthcare facilities should involve them in controlling information security.

5. Conclusions

Healthcare providers other than hospitals are understudied. Studies covering both DSB and USB show that the factors that prevent protective behavior can differ from those that promote information security violations; therefore, future studies should investigate both types of security behavior. The technological solutions adopted by health facilities since the COVID-19 outbreak, such as telemedicine and mobile health applications, have expanded HIS coverage. Protecting health information security relies on healthcare professionals and patients participating in managing their data. Information security risks come not only from internal users at the healthcare provider but also from external users who have access rights to the system. Studies on information security behavior in healthcare organizations therefore need to understand the patient’s perspective, which is still rarely studied.

Supplementary Materials

The following supporting information can be downloaded at: https://www.mdpi.com/article/10.3390/healthcare10122531/s1, Table S1: PRISMA 2020 Checklist; Table S2: Summary of selected studies.

Funding Statement

This research and APC were funded by the Republic of Indonesia’s Ministry of Research, Technology, and Higher Education under Hibah Penelitian Dasar Unggulan Perguruan Tinggi (PDUPT), grant number NKB-788/UN2.RST/HKP.05.00/2022.

Author Contributions

Conceptualization, P.K.S. and P.W.H.; methodology, P.K.S.; software, R.F.A.; validation, P.W.H., A.N.H. and S.Y.; formal analysis, P.K.S.; investigation, P.K.S.; resources, P.K.S.; data curation, P.K.S. and P.W.H.; writing—original draft preparation, P.K.S.; writing—review and editing, P.W.H. and S.Y.; visualization, P.K.S.; supervision, A.N.H.; project administration, R.F.A.; funding acquisition, P.W.H. All authors have read and agreed to the published version of the manuscript.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Data Availability Statement

Conflicts of Interest

The authors declare no conflict of interest.

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

  • Corpus ID: 110222707

A Short Literature Review In Information Systems Security Management Approaches

  • Ioannis V. Koskosas
  • Published 2013
  • Computer Science


A systematic literature review for network intrusion detection system (IDS)

  • Regular Contribution
  • Published: 27 March 2023
  • Volume 22, pages 1125–1162 (2023)


  • Oluwadamilare Harazeem Abdulganiyu 1 ,
  • Taha Ait Tchakoucht 1 &
  • Yakub Kayode Saheed 2  


With the recent increase in internet usage, the volume of important, sensitive, and confidential individual and corporate data passing through the internet has grown steadily. Exploiting gaps in security systems, attackers have attempted to intrude into networks and gain access to essential and confidential information, which can harm the operation of systems and compromise the confidentiality of data. To counter such attacks, intrusion detection systems (IDSs), an essential branch of cybersecurity, are employed to monitor and analyze network traffic in order to detect and report malicious activities. A large number of review papers have covered different approaches to intrusion detection in networks; most follow a non-systematic approach and merely compare existing techniques without an in-depth analytical synthesis of the methodologies and performance of the approaches that would give a complete understanding of the state of IDS research. Moreover, many of these reviews concentrated on anomaly-based IDSs, with particular emphasis on deep-learning models, while signature-based and hybrid (signature + anomaly-based) approaches have received minimal attention. Hence, adhering to the principles of Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA), this work reviews existing contributions on anomaly-, signature-, and hybrid-based approaches to provide a comprehensive overview of the state of the art in network IDSs. The articles were retrieved from seven databases (ScienceDirect, SpringerNature, IEEE, MDPI, Hindawi, PeerJ, and Taylor & Francis), which cover various reputable journals and conference proceedings. Among the 776 pieces of literature identified, 71 were selected for analysis and synthesis to answer the research questions. Based on the findings, we identify unexplored study areas and unresolved research challenges, and we conclude by presenting promising, high-impact future research directions for building better IDS models.
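The abstract distinguishes signature-, anomaly-, and hybrid-based network IDSs without showing how the three styles differ in practice. The following is an added illustration, not code from the review or from any of the systems it surveys: a toy signature matcher, a z-score anomaly detector baselined on benign connection rates, and a hybrid that consults signatures first and falls back to the anomaly score. The flow records, byte-pattern rules, baseline traffic, and the 3.0 threshold are all constructed for this example and are assumptions, not values from the paper. It also shows the trade-off the abstract alludes to: the signature stage misses a payload it has no rule for, while the anomaly stage catches a rate burst no rule describes.

```python
"""Added example: signature, anomaly, and hybrid detection styles over
constructed flow records. Rules, thresholds and traffic are illustrative
assumptions for this example, not the paper's or any surveyed system's."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One summarized network flow (constructed for this example)."""
    src: str
    dst_port: int
    conns_per_min: int   # connection rate observed from src in the last minute
    payload: bytes       # leading bytes of the application payload


# Signature-based detection: a match on a known byte pattern is an alert.
# Precise for known attacks, but blind to anything without a rule.
SIGNATURES = {
    "sig-001-sql-union": b"UNION SELECT",
    "sig-002-path-traversal": b"../../",
}


def signature_detect(flow: Flow) -> list[str]:
    """Return the names of every signature whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in flow.payload]


class AnomalyDetector:
    """Anomaly-based detection: learn a baseline of benign connection rates and
    flag flows whose z-score exceeds a threshold. Catches novel behaviour but
    produces more false positives than signature matching."""

    def __init__(self, threshold: float = 3.0) -> None:
        self.threshold = threshold
        self.mu = 0.0
        self.sigma = 1.0

    def fit(self, benign_flows: list[Flow]) -> None:
        rates = [f.conns_per_min for f in benign_flows]
        self.mu = mean(rates)
        self.sigma = pstdev(rates) or 1.0  # guard against a perfectly flat baseline

    def score(self, flow: Flow) -> float:
        return (flow.conns_per_min - self.mu) / self.sigma

    def is_anomalous(self, flow: Flow) -> bool:
        return self.score(flow) > self.threshold


def hybrid_detect(flow: Flow, detector: AnomalyDetector) -> tuple[str, object]:
    """Hybrid detection: signatures first (precise), anomaly score as fallback (broad)."""
    hits = signature_detect(flow)
    if hits:
        return ("signature", hits)
    if detector.is_anomalous(flow):
        return ("anomaly", round(detector.score(flow), 2))
    return ("benign", None)


# Constructed benign baseline: ten flows at ordinary connection rates (mean 5.6, stdev 1.2).
BASELINE = [Flow("10.0.0.%d" % i, 443, rate, b"GET /index.html")
            for i, rate in enumerate([4, 5, 6, 5, 7, 6, 5, 8, 6, 4], start=1)]

# Constructed test flows, one per outcome the three styles produce.
TEST_FLOWS = {
    "known_injection": Flow("10.0.0.50", 80, 6, b"GET /?id=1 UNION SELECT 1,2"),
    "rate_burst":      Flow("10.0.0.51", 22, 200, b"SSH-2.0-OpenSSH"),
    "ordinary":        Flow("10.0.0.52", 443, 5, b"GET /index.html"),
    "novel_payload":   Flow("10.0.0.53", 80, 6, b"GET /?q=unseen-pattern"),
}


def run_demo() -> dict[str, str]:
    """Classify each constructed flow; returns {flow name: detection style}."""
    detector = AnomalyDetector(threshold=3.0)
    detector.fit(BASELINE)
    return {name: hybrid_detect(flow, detector)[0] for name, flow in TEST_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16s} -> {verdict}")
```

Running the block labels the injection as a signature hit, the connection burst as an anomaly, and both the ordinary flow and the unseen payload as benign. That last verdict is the point: a payload with no rule and a normal rate slips past both stages, which is why surveys of hybrid IDSs weigh the coverage of the signature set against the false-positive cost of loosening the anomaly threshold.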


Data availability

Not Applicable.


Pal, N.R., Pal, K., Keller, J.M., Bezdek, J.C.: A possibilistic fuzzy c-means clustering algorithm. IEEE Trans. Fuzzy Syst. 13 , 517–530 (2005)

Moustafa N., Ahmed M., Ahmed S.: Data analytics-enabled intrusion detection: evaluations of ToN_IoT Linux datasets. In: 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 29 Dec–1 Jan 2021, pp. 727–735. (2020). https://doi.org/10.1109/TrustCom50675.2020.00100 .

Abdi, H., Williams, L.J.: Principal component analysis. WIREs Comput. Stat. 2 (4), 433–459 (2010). https://doi.org/10.1002/wics.101

Huang, G.-B., Zhu, Q.-Y., Siew, C.-K.: Extreme learning machine: theory and applications. Neurocomputing 70 (1), 489–501 (2006). https://doi.org/10.1016/j.neucom.2005.12.126

LeCun, Y., Bengio, Y., Hinton, G.: Deep learning. Nature 521 (7553), 436–444 (2015). https://doi.org/10.1038/nature14539

Chen, X.W., Lin, X.: Big data deep learning: challenges and perspectives. IEEE Access 2 , 514–525 (2014). https://doi.org/10.1109/ACCESS.2014.2325029

Ciresan D.C., Meier U., Masci J., Gambardella L.M., Schmidhuber J.: Flexible, high performance convolutional neural networks for image classification. In: International Joint Conference on Artificial Intelligence. (2011)

Chen Y., Zhang Y., Maharjan S.: Deep learning for secure mobile edge computing. arXiv:1709.08025 (2017)

Hermans M., Schrauwen B.: Training and analyzing deep recurrent neural networks. In: NIPS 2013. (2013)

Pascanu R., Gülçehre Ç., Cho K., Bengio Y.: How to construct deep recurrent neural networks. In: CoRR. arXiv:1312.6026 (2014)

Nweke, H.F., Teh, Y.W., Al-garadi, M.A., Alo, U.R.: Deep learning algorithms for human activity recognition using mobile and wearable sensor networks: state of the art and research challenges. Expert Syst. Appl. 105 , 233–261 (2018). https://doi.org/10.1016/j.eswa.2018.03.056

Tang T.A., Mhamdi L., McLernon D., Zaidi S.A.R., Ghogho M.: Deep recurrent neural network for intrusion detection in sdn-based networks. In: 2018 4th IEEE Conference on Network Softwarization and Workshops (NetSoft), 25–29 June 2018, pp. 202–206. https://doi.org/10.1109/NETSOFT.2018.8460090

Yu, Y., Si, X., Hu, C., Zhang, J.: A review of recurrent neural networks: LSTM cells and network architectures. Neural Comput. 31 (7), 1235–1270 (2019). https://doi.org/10.1162/neco_a_01199

Gers F.A., Schmidhuber J., Cummins F.: Learning to forget: continual prediction with LSTM. In: 1999 Ninth International Conference on Artificial Neural Networks ICANN 99. (Conf. Publ. No. 470), 7–10 Sept. 1999, vol. 2, pp. 850–855. https://doi.org/10.1049/cp:19991218 .

Bai S., Kolter J.Z., Koltun V.: An empirical evaluation of generic convolutional and recurrent networks for sequence modeling. arXiv:1803.01271 (2018)

Tschannen M., Bachem O., Lucic M.: Recent advances in autoencoder-based representation learning. arXiv:1812.05069 (2018)

Hinton, G.E.: A practical guide to training restricted Boltzmann machines. In: Montavon, G., Orr, G.B., Müller, K.-R. (eds.) Neural Networks: Tricks of the Trade, 2nd edn., pp. 599–619. Springer Berlin Heidelberg, Berlin, Heidelberg (2012)

Mayuranathan, M., Murugan, M., Dhanakoti, V.: Best features based intrusion detection system by RBM model for detecting DDoS in cloud environment. J. Ambient Intell. Humaniz. Comput. 12 , 3609–3619 (2021)

Fiore, U., Palmieri, F., Castiglione, A., Santis, A.D.: Network anomaly detection with the restricted Boltzmann machine. Neurocomput. 122 , 13–23 (2013). https://doi.org/10.1016/j.neucom.2012.11.050

Keyvanrad M.A., Homayounpour M.M.: A brief survey on deep belief networks and introducing a new object oriented MATLAB toolbox (DeeBNet). arXiv:1408.3264 (2014)

Dietterich, T.G.: Ensemble methods in machine learning. In: Goos, G., Hartmanis, J., van Leeuwen, J. (eds.) Multiple Classifier Systems, pp. 1–15. Springer Berlin Heidelberg, Berlin, Heidelberg (2000)

Woniak, M., Graña, M., Corchado, E.: A survey of multiple classifier systems as hybrid systems. Inf. Fusion 16 , 3–17 (2014). https://doi.org/10.1016/j.inffus.2013.04.006

Illy P., Kaddoum G., Moreira C.M., Kaur K., Garg S.: securing fog-to-things environment using intrusion detection system based on ensemble learning. In: 2019 IEEE Wireless Communications and Networking Conference (WCNC), pp. 1–7. (2019)

Domingos, P.M.: A few useful things to know about machine learning. Commun. ACM 55 , 78–87 (2012)

Breiman, L.: Bagging predictors. Mach. Learn. 24 (2), 123–140 (1996). https://doi.org/10.1007/BF00058655

Baba, N.M., Makhtar, M., Fadzli, S.A., Awang, M.K.: Current issues in ensemble methods and its applicaTIONS. J. Theor. Appl. Inf. Technol. 8 , 1 (2015)

Santana L.E.A., Silva L., Canuto A.M.P., Pintro F., Vale K.M.O.: A comparative analysis of genetic algorithm and ant colony optimization to select attributes for an heterogeneous ensemble of classifiers. In: IEEE Congress on Evolutionary Computation, pp. 1–8. (2010)

Bosman, H.H.W.J., Iacca, G., Tejada, A., Wörtche, H.J., Liotta, A.: Ensembles of incremental learners to detect anomalies in ad hoc sensor networks. Ad Hoc Netw. 35 , 14–36 (2015)

Chen T., Guestrin C.: XGBoost: a scalable tree boosting system. In: Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. (2016)

Kumar, P., Gupta, G.P., Tripathi, R.: A distributed ensemble design based intrusion detection system using fog computing to protect the internet of things networks. J. Ambient Intell. Humaniz. Comput. 12 (10), 9555–9572 (2021). https://doi.org/10.1007/s12652-020-02696-3

Ke G., et al.: LightGBM: a highly efficient gradient boosting decision tree. In: NIPS. (2017)

Aldwairi M., Alshboul M. A., Seyam A.: Characterizing realistic signature-based intrusion detection benchmarks. In: Presented at the Proceedings of the 6th International Conference on Information Technology: IoT and Smart City, Hong Kong. (2018). Available at https://doi.org/10.1145/3301551.3301591

ManoharNaik, S., Geethanjali, N.: A multi-fusion pattern matching algorithm for signature-based network intrusion detection system. Preprints 2016 , 1–8 (2016). https://doi.org/10.20944/preprints201608.0197.v1

Folorunso, O., Ayo, F.E., Babalola, Y.E.: Ca-NIDS: a network intrusion detection system using combinatorial algorithm approach. J. Inf. Priv. Secur. 12 (4), 181–196 (2016). https://doi.org/10.1080/15536548.2016.1257680

Rao, C.S., Raju, K.B.: MapReduce accelerated signature-based intrusion detection mechanism (IDM) with pattern matching mechanism. In: Nayak, J., Abraham, A., Krishna, B.M., Chandra Sekhar, G.T., Das, A.K. (eds.) Soft Computing in Data Analytics, pp. 157–164. Springer Singapore, Singapore (2019)

Aho, A.V., Corasick, M.J.: Efficient string matching. Commun. ACM 18 , 333–340 (1975)

Alicherry, M., Muthuprasanna, M., Kumar, V.P.: High speed pattern matching for network IDS/IPS. In: Proceedings of the 2006 IEEE International Conference on Network Protocols , pp. 187–196. (2006)

Knuth, D.E., Morris, J.H., Pratt, V.R.: Fast pattern matching in strings. SIAM J. Comput. 6 , 323–350 (1977)

Wu, S., Manber, U.: A fast algorithm for multi-pattern searching. (1999)

Boyer, R.S., Moore, J.S.: A fast string searching algorithm. Commun. ACM 20 (10), 762–772 (1977). https://doi.org/10.1145/359842.359859

Kaur, S., Singh, M.: Hybrid intrusion detection and signature generation using deep recurrent neural networks. Neural Comput. Appl. 32 (12), 7859–7877 (2020). https://doi.org/10.1007/s00521-019-04187-9

Liu, J., et al.: Adaptive intrusion detection via GA-GOGMM-based pattern learning with fuzzy rough set-based attribute selection. Expert Syst. Appl. 139 , 112845 (2020). https://doi.org/10.1016/j.eswa.2019.112845

Kalavadekar, P.N., Sane, S.S.: Building an effective intrusion detection system using combined signature and anomaly detection techniques. Int. J. Innov. Technol. Explor. Eng. 8 (10), 429 (2019)

Ugtakhbayar, N., Usukhbayar, B., Baigaltugs, S.: A Hybrid model for anomaly-based intrusion detection system. In: Pan, J.-S., Li, J., Tsai, P.-W., Jain, L.C. (eds.) Advances in Intelligent Information Hiding and Multimedia Signal Processing, pp. 419–431. Springer Singapore, Singapore (2020)

Asharf, J., Moustafa, N., Khurshid, H., Debie, E., Haider, W., Wahab, A.: A review of intrusion detection systems using machine and deep learning in internet of things: challenges, solutions and future directions. Electronics 9 (7), 1177 (2020). https://doi.org/10.3390/electronics9071177

Bhati, N.S., Khari, M., García-Díaz, V., Verdú, E.: A Review on Intrusion Detection Systems and Techniques. Int. J. Uncertain. Fuzziness Knowl. Based Syst. 28 (Supp 02), 65–91 (2020). https://doi.org/10.1142/s0218488520400140

Patel, A., Taghavi, M., Bakhtiyari, K., Celestino Júnior, J.: An intrusion detection and prevention system in cloud computing: a systematic review. J. Netw. Comput. Appl. 36 (1), 25–41 (2013). https://doi.org/10.1016/j.jnca.2012.08.007

Hwang, R.H., Peng, M.C., Huang, C.W., Lin, P.C., Nguyen, V.L.: An unsupervised deep learning model for early network traffic anomaly detection. IEEE Access 8 , 30387–30399 (2020). https://doi.org/10.1109/ACCESS.2020.2973023

Nagaraju, S., Shanmugham, B., Baskaran, K.: High throughput token driven FSM based regex pattern matching for network intrusion detection system. Mater. Today Proc. 47 , 139–143 (2021). https://doi.org/10.1016/j.matpr.2021.04.028 . Accessed 1 Jan 2021

AlYousef, M.Y., Abdelmajeed, N.T.: Dynamically detecting security threats and updating a signature-based intrusion detection system’s database. Procedia Comput. Sci. 159 , 1507–1516 (2019). https://doi.org/10.1016/j.procs.2019.09.321

Almutairi A.H., Abdelmajeed N.T.: Innovative signature based intrusion detection system: parallel processing and minimized database. In: 2017 International Conference on the Frontiers and Advances in Data Science (FADS), 23–25 Oct 2017, pp. 114–119. (2017). https://doi.org/10.1109/FADS.2017.8253208 .

Download references

The author did not receive any support from any organization for the submitted work.

Author information

Authors and affiliations.

EuroMed Research Center, School of Digital Engineering and Artificial Intelligence, Euro-Mediterranean University of Fes, Fes, 30030, Morocco

Oluwadamilare Harazeem Abdulganiyu & Taha Ait Tchakoucht

School of IT and Computing, American University of Nigeria, Yola, Nigeria

Yakub Kayode Saheed


Contributions

OHA came up with the idea for the article; he also performed the literature search and the drafting, while the data analysis and synthesis were carried out by OHA, TA-T, and SYK. TA-T critically revised the work and made inputs where necessary.

Corresponding author

Correspondence to Oluwadamilare Harazeem Abdulganiyu.

Ethics declarations

Conflict of interest.

The authors declare that there is no conflict of interest in this paper.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Publisher's note.

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article

Abdulganiyu, O.H., Ait Tchakoucht, T. & Saheed, Y.K. A systematic literature review for network intrusion detection system (IDS). Int. J. Inf. Secur. 22, 1125–1162 (2023). https://doi.org/10.1007/s10207-023-00682-2


Accepted: 08 March 2023

Published: 27 March 2023

Issue Date: October 2023

DOI: https://doi.org/10.1007/s10207-023-00682-2


  • Network intrusion detection system
  • Signature-based
  • Anomaly-based
  • Artificial intelligence
  • Pattern matching

Factors Affecting the Security of Information Systems: A Literature Review


Information system security is critical to all modern computer users (individuals and organizations). To ensure that information remains secure, many organizations have implemented various security structures to protect IS security from malicious incidents by establishing security procedures, processes, policies and information system security organization structures. However, despite all these measures, information security is still a catastrophe. Poor understanding of the key factors of information security seems to be the main problem. Differences in ICT infrastructure, implementation and usage result in different security problems in different organizations. It is important that the common problems which challenge information security systems in all organizations are identified and analysed. Through literature synthesis, this paper discusses common factors affecting the security of information systems for modern computer users, which include organizations and individuals, thereby helping to save time and money by focusing limited resources on the elements that really distress IS security.

Related Papers

Lecture Notes in Computer Science

shyamasundar R.K.


International Journal for Research in Applied Science and Engineering Technology IJRASET

IJRASET Publication

The Internet has become an integral part of today's generation, and network security is one of the important aspects of protecting communication. This research paper mainly gives basic knowledge of information security. The main objective of the research paper is to explain the different types of cyber-attacks that can take place, e-mail phishing, and how firewalls can be used to manage information security.

Research paper

Shahrazad Al Marhoon , Shamma Al Harizi

The aim of this research is to identify the availability levels of fear, neutralization, and Information Systems Security (ISS) and to determine the impacts of fear and neutralization on ISS. The primary data of the study were collected using a manually distributed questionnaire. The collected data were analyzed using appropriate statistical tests. The reliability and hypotheses were tested using several statistical methods, such as multiple and linear regression tests, while validity was tested using Cronbach's alpha. The findings of the study show that there is a significant statistical effect of fear and neutralization on information system security, which explains (40.3%) of the variation in ISS. Also, the ISS availability level is high, as the mean is (3.49), and the responses are very close, as the standard deviation is (0.98). The research suggests studying more variables that may affect ISS, increasing the restrictive procedures of information security, and making sure that everyone in organizations understands the consequences of violating them.

Shahram Gilaninia

Today, security of the digital space represents a new aspect of each country's national security. Given the role of information as a valuable good in business, it seems necessary to protect it. To achieve this goal, each organization, depending on the level of its information (in terms of economic value), is required to design an information security management system so that it can protect its information assets. Organizations whose existence depends significantly on information technology can use all tools to protect data. However, information security requires the cooperation of customers, partners of organizations and government. In this regard, to protect valuable information, it is necessary that every organization is committed to a particular strategy and implements a security system based on it. An Information Security Management System is part of a comprehensive management system that is based on estimates and risk analysis, to design, implement, adminis...

gaurav kumar , Shailesh Pandey , Sudeshna Dasmahapatra

The use of computerised information systems has become an integral part of our day-to-day life. Managing computer and network security programs has become an increasingly difficult and challenging job. One way of illuminating the risks to computerised information systems is through a risk management programme. Therefore, the objective of this paper is to educate users on how to perform a risk management exercise for their computerised information systems in order to reduce or mitigate information security risks within their information systems and protect vital information assets. This study uses the Operationally Critical Threat, Asset, and Vulnerability Evaluation for small organisations (OCTAVE), the Open Source Security Information Management (OSSIM) system and the commercially available Event Horizon risk management software methodology to address these information security risks in small-scale industries and for users.

teresa pereira

Journal of the Washington Institute of China Studies

Slawomir Wawak

Information security management systems are increasingly applied in a number of sectors of the new, global, interconnected economy. They are used by production and service companies, businesses that provide information technology and telecom services, state administration authorities and local governments. Specifically, they are used in the case of crime groups or as a means of securing illegal transactions. Intelligence services and governmental agencies cannot be ignored here either. Information security and information technology are the world's fastest growing industry and, not surprisingly, one of China's fastest growing industries as well. In fact, the increasing computerization in both the private and public sectors (despite heavy government control) makes China a market with huge potential for software development, outsourcing and security services, essential for economic growth and national security. China's rapidly developing software market, however, is yet to display its full potential.

Currently, companies are increasingly using distributed systems and relying on network and communication facilities for transmitting critical and important information that needs to be secured. Therefore, protecting companies' information becomes more important, and information security is essential to maintain. Information security is defined as protecting the information, the system, and the hardware that use, store and transmit the information, to ensure that the integrity, confidentiality and availability of data and operation procedures are protected. In this paper, we illustrate the factors that impact information security in different fields (cyber security, Internet of Things and network security) from various studies and outline the security requirements to reduce this impact.

I. INTRODUCTION

Nowadays, most companies are interested in technology systems in order to achieve quicker procedures than the old-fashioned way, and for these systems to be more effective, they must be kept safe from threats and information security must be maintained. The main objectives of information security that must be implemented to ensure the protection of data in any corporation are: (i) confidentiality, (ii) integrity and (iii) availability. The company's structure should be protected from active and passive attacks, such as illegal access, unauthorized modification of data and interruption [1]. Information security and cyber security are both global and exciting subjects for many researchers. The international standard, ISO/IEC 27002 (2005), defines Information Security as: "The preservations of the confidentiality, integrity and availability of information, for any form (hard copy or soft copy, electronic store, transmitted by email, or any other format)".

Meanwhile, the International Telecommunications Union (ITU) defines cyber security as follows: "Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets" [2]. Both cyber security and information technology security require continuous assessment and renewal because they are rapidly developing fields. The reputation and intellectual property of an organization will be affected and compromised by cyber attacks. Cyber attackers face problems with system security that uses multi-layer firewalls, so they depend on social engineering [3]. Due to the rapid increase in the use of technologies that provide some comfort to the user, such as saving time and effort, the Internet of Things (IoT) is considered the best technology, with applications that facilitate our work and lives by providing features (i.e. connectivity, active engagement) that help us to achieve improvement, increase evolution and knowledge exchange. IoT is defined as a group of people and devices interconnected with each other. In addition, it allows devices to communicate with each other without human involvement; it includes interconnecting real-world sensors, electronic devices and systems to the Internet. The main support of the IoT is the Internet, so any security threats that target the Internet can affect the IoT [4]. Given the importance of network and technology for any application, the security of the network should be taken very seriously. The design of a network depends on the Open System Interface (OSI) model, which gives many benefits when designing network security (e.g. flexibility, standardization of protocols, and ease of use). A network is unprotected against attacks while transferring data over communication channels.

The security requirements of a network are confidentiality and integrity. In addition, it is better to confirm that the complete network is secure when considering network security [5]. In this paper, we illustrate the factors that affect the multiple domains (Information System IS, cyber space, IoT and Network security) from various studies, to show how these factors take effect and what security requirements can be used to reduce their effect. The remainder of this paper is organized as follows. Section II illustrates studies of various topics: IS, Cyber space, IoT, and Network. In Section III, we discuss the different attacks that affect the security of multiple fields and the security requirements to prevent the attacks. Section IV is devoted to presenting some relevant comments and concluding remarks.

IAEME PUBLICATION

IAEME Publication

Data processing has significantly expanded virtual profession opportunities; regardless, these subsidies have likewise assembled authentic insecurity pertaining to data protection. Beforehand, issues of data protection were contemplated in a technological framing, yet evolving protection needs have expanded researchers' regard to examining the administration's occupation in data protection administration. Various investigations have inspected distinctive administration occupations and activities; however, no one has given a thorough picture of these occupations and their implementation to supervise data protection satisfactorily. Therefore, it is necessary to accumulate information regarding various governmental occupations and implementations from the literature to enable administrators to acquire the above mentioned for a progressively all-encompassing style to dispense with data protection administration. By using a systematic literature review technique, this paper combined literature identified with the roles of administration in data protection to investigate explicit administrative exercises to improve data protection administration. It found that various exercises of administration, especially improvement and accomplishment of the data protection strategy, acquiescence practice, IT framework administration, IT and business arrangement, awareness, human resources administration and improvement of efficient business information architecture, significantly affected the nature of information security management. In this manner, this examination makes a novel commitment by contending that an increasingly all-encompassing way to deal with information security is required, and it proposes the manners by which administrators can assume a compelling job in information security. This examination likewise opens up numerous new roads for additional examination in this area.

Jerzy Stanik

The article outlines a concept of maintaining the required level of security of the assets of the information system in the organization (ISO) by making appropriate steering decisions, initiating the generation of security configurations. The authors proposed and formulated the models of the security subject and object as well as the model of the information system in the organization for controlling the current level of information security (information resources) and the current performance properties of the operation subsystems included in the ISO.


RELATED PAPERS

Filipe de Sá-Soares

Journal of Emerging Technologies and Innovative Research

Humayoon Kabir , Beena AL

International Journal of Computer Applications

Syed Hamid Hasan

Mohamad Noorman Masrek

Iryna Chernysh

Olesea Rosca

Nhalyn Romances

Data Science: Journal of Computing and Applied Informatics

henny febriana

DANMARCK SUMAOANG

Purva Kirolikar

International Journal of Engineering and Advanced Technology

achmad daengs

Mohammed M Alhassan , Alexander Adjei-Quaye

Issues in Informing Science and Information Technology

pramod pandya

José Martins

Dusan Lesjak

international journal for research in applied science and engineering technology ijraset

Modern Applied Science

Boris Skorodumov

Assoc. Prof. Dr. Rashad Yazdanifard

Jeanne Schreurs

Research Papers Faculty of Materials Science and Technology Slovak University of Technology

Vanessa Prajová

Communications of the ACM

ubaiyadullah thameemulansari

Sándor Dombora

ecir uğur küçüksille

IJAERS Journal


COMMENTS

  1. System security assurance: A systematic literature review

    Therefore, a detailed and systematic literature review on "System Security Assurance" has been conducted in this paper. The motive of this paper is to study state-of-the-art, research trends, limitations, and future research directions in security assurance of the ICT and CPSs in a wide range of domains.

  2. Information Security Policy Compliance: Systematic Literature Review

    The results of the literature review on information security policy compliance found 59 articles consisting of 35 journal articles, 22 conference proceeding articles, one book section and one thesis. ... (2010) "A Guide to Conducting a Systematic Literature Review of Information Systems Research." Work Pap Inf Syst 10: 1–51. doi:10.2139 ...

  3. Information systems security research agenda: Exploring the gap between

    This paper undertakes a systematic review of the Information Systems Security literature. The literature review consists of three parts: First, we perform topic modeling of major Information Systems journals to understand the field's debates. Second, we conduct a Delphi Study composed of the Chief Information Security Officers of major ...

  4. Systematic Literature Review of Information Security Compliance

    This review identified 29 studies met its criterion for inclusion. The investigated theories were extracted and analysed. Total of 19 theories have been identified and studied concerning to security policy compliance behaviour. The result indicated that the most established theories in information security compliance behaviour studies are the ...

  5. A systematic literature review of how cybersecurity-related behavior

    The extent to which an employee is aware of and complies with information security policy defines the extent of their information security awareness (ISA). ISA is critical in mitigating the risks associated with cybersecurity and is defined by two components, namely, understanding and compliance. Compliance is the employees' commitment to follow best-practice rules defined by the organization ...

  6. System security assurance: A systematic literature review

    System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication ...

  7. Information Security at Higher Education Institutions: A Systematic

    ... IT systems, since security threats are capable of causing serious issues to an institution's information resources (Imbaquingo Esparza & Pusdá Chulde 2015). This research work performs a Systematic Literature Review (SLR) to obtain data ...

  8. PDF Research in Information Security: a Literature Review Using a

    To better understand the current status of information security research, this study developed a multidimensional classification framework that includes four key research characteristics as well as the NSTISSC dimension, and surveyed 240 information security research articles ...

  9. Organizational information security policies: a review and research

    Information security remains a critical activity within today's organizations in light of continued data breaches, systems outages, and malicious software (PwC, 2016; Verizon, 2016). Although outside factors (e.g., external hackers, natural disasters) pose a significant threat to the security of an organization's information and technology resources, the actions of employees are often ...

  10. The Impact of Artificial Intelligence on Data System Security: A ...

    Thus, a literature review of AI and system security within the current digital society is opportune. This paper aims at identifying research trends in the field through a systematic bibliometric literature review (LRSB) of research on AI and system security. The review covers 77 articles published in the Scopus® database, presenting up-to ...

  11. The ISO/IEC 27001 information security management standard: literature

    Holistic approaches are required to face the increasingly complex challenge of information system security (ISS): substantial managerial focus is needed to balance trade-off decisions between protection and legal compliance, on the one hand, and cost and operational agility, on the other (e.g. Vance et al., 2020; D'Arcy and The, 2019; Burt ...

  12. Information Security Risk Assessment (ISRA): A Systematic Literature Review

    Objective: This study aims to determine types of ISRA and fill a gap in literature review research by categorizing existing frameworks, models, and methods. Methods: The systematic literature ...

  13. Exploring IS security themes: a literature analysis

    This study presents a literature review of the Information Systems (IS) security field. The purpose of this review is to identify IS 'security themes'. Articulating IS 'security themes' can assist in making effective decisions and reducing risks faced by organisations.

  14. Information Systems Security in Organisations: A Critical Literature Review

    Information is one of the most valuable resources of a company and considering the increasing number of security breaches and attacks, the need for managing systems security in organisations arises. Across articles and perspectives, there is a broad consensus in the literature that the user remains the weakest link within information systems ...

  16. [PDF] Information Security Awareness: Literature Review and Integrative

    Lennart Jaeger. Published in Hawaii International… 3 January 2018. Computer Science. This study synthesizes the relationship between ISA and its antecedents and consequences and identifies consequences of ISA in terms of changes in beliefs, attitudes ...

  17. Information Security Behavior in Health Information Systems: A Review

    This study aims to review the literature on antecedent factors of information security related to the protection of health information systems (HISs) in the healthcare organization. We classify those factors into organizational and individual aspects. ...

  18. [PDF] A Short Literature Review In Information Systems Security

    This study provides a short literature review of information systems security approaches, either technical or non-technical in nature, in an attempt to shed some light on how these alternative approaches could be used to the benefit of information system security.

  19. A Short Literature Review in Information Systems Security Management

    ... managing security, Siponen (2001) supports the need for IS security approaches to provide holistic modelling support which can be integrated into modern IS development approaches, and notes the lack of approaches which focus on the socio-organizational roles of IS security.

  20. Information security governance challenges and critical success factors

    The analysis of the literature revealed the main challenges to the adoption of an information security governance program. The review identified seven information security governance domains with 27 critical success factors that should be considered when developing an effective information security governance framework.

  21. A Systematic Literature Review on Operating System Security

    In an increasingly digital environment, operating systems have developed to prioritize speed, efficiency, and security in order to satisfy the needs of their users. The importance of operating system security increases as more sensitive data is stored digitally. The DICARe method is used to conduct a systematic literature review in this study. DICARe stands for define, identify, classify ...

  22. Exploring the Influence of Direct and Indirect Factors on Information

    Information systems security is considered one of the key issues concerning organizations' management. Despite the massive investment that organizations make to safeguard their systems, there are still many internal security breaches. The increase in insider threats to information systems can be related to the employees' compliance toward information security policy. Several review papers ...

  23. A systematic literature review for network intrusion detection system

    With gaps in security systems, attackers have attempted to intrude into the network, thereby gaining access to essential and confidential information, which may cause harm to the operation of the systems and also affect the confidentiality of the data. ... Network intrusion detection system overview. Systematic literature review on signature ...

  24. Factors Affecting the Security of Information Systems: A Literature Review

    Information System Security is critical to all modern computer users (individuals and organizations). To ensure that information remains secure, many organizations implement various security structures to protect IS security from malicious incidents by establishing security procedures, processes, policies and information system security organization structures.

  25. (PDF) A Systematic Literature Review on the Cyber Security

    Cyber security is a set of technologies, processes, and practices aimed at preventing attacks, damage, and illegal access to networks, computers, programmes, and data. The primary goal of this ...