Information Security Management in ICT and non-ICT Sector Companies: A Preventive Innovation Perspective

By Mona Mirtsch, Knut Blind, Claudia Koch and Gabriele Dudek

Companies are increasingly relying on information and communication technology (ICT), but with that reliance they also become more and more vulnerable to cyber-attacks. As with many “public goods” (such as clean air), the costs in the event of security breaches are borne not only by companies but also by consumers and society – especially when personal data is involved. Furthermore, cybersecurity can also be a prerequisite for the safety of products, services, and processes, especially if they are connected to the internet, as in the case of autonomous vehicles or a “Smart Factory.”

European policymakers have picked up this issue, releasing and adopting a variety of privacy and cybersecurity-related initiatives, including the General Data Protection Regulation (GDPR) and the EU Cybersecurity Act. Internationally recognized standards and related certification, therefore, play an important role and help to provide solutions on a global scale. The most prominent system standard in the context of information security management is ISO/IEC 27001, developed and regularly updated by experts in this field and published by the International Organization for Standardization (ISO) together with the International Electrotechnical Commission (IEC).

In this recent paper, BCCP Fellow Mona Mirtsch and BCCP Senior Fellow Knut Blind, who both conduct research for the WP3: Algorithms, Privacy, and Security, along with their co-authors Claudia Koch and Gabriele Dudek from the Bundesanstalt für Materialforschung und -prüfung (BAM), argue that, unlike other management system standards, the (immediate) benefits are not recognizable at first glance. They, therefore, categorize the adoption of this standard as a preventive organizational innovation and investigate why companies adopted this standard, what problems they encountered, and how they perceived the benefits of this standard for their company.

To identify ISO/IEC 27001 certified companies (since no publicly available database exists in Germany), they used a web-mining approach (results are published here from Mirtsch et al. 2021) and contacted over 800 German companies directly, 125 of which agreed to participate in the online survey. The authors compare the results between companies within and outside the ICT sector and find that ICT sector companies are often motivated to adopt this standard because it is required by their customers and to improve their image. Non-ICT sector companies, however, are less motivated by market considerations but instead seek to ensure legal compliance.

What are the policy implications? The authors argue that companies often face high barriers, since implementing this standard and seeking certification is time-consuming and costly, and this effort may not (measurably) pay off for companies, which also explains the low diffusion of this standard. Policymakers might help by providing incentives (such as subsidies or tax reliefs) or guidance documents. They should, however, also consider making the adoption of a management system according to ISO/IEC 27001 mandatory, especially where sectors and applications with high risks to society in the event of security breaches are concerned.

The full text “Information security management in ICT and non-ICT sector companies: A preventive innovation perspective” is published in Computers & Security.