Exploring the suitability of IS security management standards for SMEs

Proceedings of the Annual Hawaii International Conference on System Sciences

Volumn , Issue , 2008, Pages

  Barlette, Yves ^a   Fomin, Vladislav V ^b  

^a MONTPELLIER BUSINESS SCHOOL   (France)

^b VYTAUTAS MAGNUS UNIVERSITY   (Lithuania)

Author keywords

[No Author keywords available]

Indexed keywords

IS SECURITY MANAGEMENT; ISO 9000 STANDARD; LITERATURE REVIEWS; SECURITY STANDARDS;

SYSTEMS SCIENCE;

EID: 51449119466     PISSN: 15301605     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/HICSS.2008.167     Document Type: Conference Paper

References (70)

1. Arnott S., (2002), Strategy paper, Computing, (Feb).
2. Axelrod, R. M. and Cohen, M. D. (1999), Harnessing complexity: organizational implications of a scientific frontier, Free Press, New York
3. Augustyn M. M., and Pheby J.D., (2000), "ISO 9000 and performance of small tourism enterprises: a focus on Westons Cider Company", Managing service quality, Vol. 10 (6), 2000, pp. 374-388.
4. Barlette Y., (2006), Les comportements sécuritaires des acteurs dans les systèmes d'information des PME. Thèse de doctorat en sciences de gestion, université de Montpellier I.
5. Baskerville, R. (1993), "Information systems security design methods: implications for information systems development", ACM Computing Surveys, Vol. 25 No.4, pp.375-414.
6. Brenner J., (2007), "ISO 27001: Risk management and compliance", Risk Management Magazine, Vol. 54 (1), pp. 24-29;
7. Brown A., Van der Wiele T., Loughton K., (1998), "Smaller enterprises' experiences with ISO 9000", International journal of Quality & reliability management, Vol. 15 (3), 1998, pp. 273-285.
8. Brousseau, E., (2002), "Globalization and E-commerce: The French Environment and Policy", Center for Research on Information Technology and Organizations (CRITO), University of California, Irvine. http://www.crito.uci. edu/publications/pdf/GEC2_France.pdf
9. Castells, M. (1996), The Rise of the Network Society, Blackwell Publishers, Ltd, Oxford
10. Chapman D., Smalov L., (2004), "On information security guidelines for small/medium enterprises", ICEIS 2004 - Information analysis and specification, 2004, pp. 3-9.
11. CERT, (2007), "CERT/CC: Statistics 1988-2007", Computer Emergency Response Team, www.cert.org, USA;
12. CIGREF, (2002), Sécurité des systèmes d'information: quelle politique globale de gestion des risques?, September, www.cigref.fr, Paris
13. CLUSIF, (2004; 2006), "Politiques de sécurité des systèmes d'information et sinistralité en France", Club de la sécurité des informations français (French information systems security club), Paris.
14. CNRS, (2002), "La certification des critères communs: le point de vue du developpeur", Securité informatique, No 42, pp. 5-6.
15. Conway T., (1994), "BS 5750 - a logical step", The TQM magazine, Vol. 6 (5), pp. 38-40.
16. DCSSI, (2007), Direction centrale de la sécurité des systèmes d'information (Information systems security central agency), http://www.ssi.gouv.fr/fr/dcssi/;
17. Davenport, T. H., (2005), "The coming commoditization of processes," Harvard Business Review (June), pp. 100-108.
18. David J., (2002), "Policy enforcement in the workplace", Computers & Security, Vol. 21 (6), pp. 506-513;
19. DeLone W.H., (1988), "Determinants of success for computer usage in small businesses", MIS Quarterly, Vol. 5 (4), pp. 51-61;
20. Dhillon G., Backhouse J., (2001), "Current directions in IS security research: towards socio-organizational perspectives", Information Systems Journal, 11, pp. 127-153;
21. Doherty N.F., Fulford H., (2005), "Do information security policies reduce the incidence of security breaches: an exploratory analysis", Information resources management journal; 18 (4), Oct-Dec, pp. 21-39;
22. Doherty N.F., Fulford H., (2006), "Aligning the information security policy with the strategic information systems plan", Computers & Security; 25, pp. 55-63;
23. ENISA, (2006), "Risk management implementation principles and inventories for risk management / risk assessment methods and tools", June;
24. ENISA, (2007), "ENISA deliverable: Information Package for SMEs", February;
25. Ernst & Young, (2005), "La gestion des risques dans l'actualité du contrôle interne : pratiques et tendances", mai 2005;
26. Franceschini F., Galetto M., Gianni G., (2004), "A new forecasting model for the diffusion of ISO 9000 standards certifications in European countries", International journal of Quality & reliability management, Vol. 21 (1), pp. 32-50.
27. Franceschini F., Galetto M., Cecconi P., (2006), "A worldwide analysis of ISO 9000 standard diffusion: Considerations and future development", Benchmarking: An international journal, Vol. 13 (4), pp. 523-541.
28. Gable G.G., (1991), "consultant engagement for first time computerization: A proactive client role in small businesses", Information & Management, Vol. 20, pp. 83-93;
29. Gupta A., Hammond R., (2005), "Information systems security issues and decisions for small businesses: an empirical examination", Information Management and Computer Security, Vol. 13 No 4, pp. 297-310;
30. Hone K., Eloff J.H.P., (2002a), "What makes an effective information security policy", Network Security, Vol. 20 (6), pp. 14-16;
31. Hone K., Eloff J.H.P., (2002b), "Information security policy: what do international security standards say", Computers & Security, Vol. 21 (5), pp. 402-409;
32. INSEE, (2007), Caractéristiques des entreprises industrielles de 20 salariés ou plus, www.insee.fr (French national institute of statistics and economic surveys);
33. ISMS User Group, (2007), http://www.iso27001certificates.com/.
34. ISO, (2000), Information Technology. Code of practice for information security management, ISO 17799. International standards organization;
35. ISO, (2002), "The ISO survey of ISO 9001:2000 and ISO 14001 Certificates", Twelfth cycle, Geneva.
36. ISO (2003, 2004, 2005), "The ISO survey of ISO 9001:2000 and ISO 14001 Certificates", Geneva.
37. Julien P.A., Marchesnay M., (1988), La petite entreprise, Vuibert, Paris;
38. Kahin, B. (1997), "The U.S. National Information Infrastructure Initiative: The Market, the Net, and the Virtual Project", in Kahin, B. and Wilson, E. (Eds), National Information Infrastructure Initiatives: Vision and Policy Design, MIT Press, Cambridge, Mass.
39. Martins, A., Eloff, J.H.P., (2001), "Measuring Information Security", Proceedings of Workshop on Information Security - System Rating and Ranking, Virginia;
40. Mc Lachlan V.N., (1996), "In praise of ISO 9000", The TQM magazine, Vol. 8 (3), pp. 21-23.
41. Mitchell R.C., Marcella R., Baxter G., (1999), "Corporate information security management", New Library World, Vol. 100, no 1150, pp. 213-227, MCB University press;
42. Monnoyer M.C., (2003), Le dirigeant confronté à la décision d'investissement en T.I.C., in Boutary, TIC et PME: des usages aux stratégies, l'Harmattan, Paris;
43. Moule B., Giavara L., (1995), "Policies, procedures and standards: an approach for implementation", Information Management & Computer Security, Vol. 3 (3), pp. 7-16;
44. Nicolau J.L., Sellers R., (2002), "The stock market's reaction to quality certification: empirical evidence from Spain", European journal of operations research, Vol. 142, pp. 632-41;
45. Noteboom B., (1988), "The facts about small business and the real values of its 'life world'", American journal of economics and sociology (47:3), July 1988, pp. 299-314;
46. OECD, (2002), "OECD Guidelines for the Security of Information Systems and Networks", 30p;
47. Nosworthy J.D., (2000), "Implementing information security in the 21st century - Do you have the balancing factors?", Computers and security, Vol. 19 (4), pp. 337-347;
48. Pernul G., (1995), "Information Systems Security: Scope, State-of-the-art, and Evaluation of Techniques", International journal of information management, Vol. 15 (3), pp. 165-180; [47b]
49. [47b] Pipkin D., (2000), Sécurite des informations, Campus Press, Paris.
50. Rees J., Bandyopadhyay S., Spafford E.H., (2003), "PFIRES: A policy framework for information security", Communications of the ACM, Vol. 46 (7), pp. 101-106;
51. Rodriguez-Escobar J.A., Gonzalez-Benito J., Martinez-Lorente A.R., (2006), "An analysis of the degree of small companies' dissatisfaction with ISO 9000 certification", Total quality management, Vol. 17 (4), pp. 507-521.
52. Schlienger T., Teufel S., (2003), "Information security culture: from analysis to change", South African Computer Journal, Vol. 31, pp. 46-52;
53. Schweitzer, J.A. (1982), Managing Information Security: A Program for the Electronic Information Age, Butterworth-Heinemann, Boston, MA.
54. Siponen M.T., (2000), "Policies for construction of information systems' security guidelines" in proceedings of the 15ht information security conference (IFIP TC11/Sec 2000), Beijing, China, August, pp. 111-120;
55. Siponen M.T., (2006), "Information security standards focus on the existence of process, not its content", Communications of the ACM, Vol. 49 (8), pp. 97-100;
56. Siponen M.T., Iivari J., (2006), "Six design theories for IS security Policies and Guidelines", Journal of the Association for Information systems, Vol. 7 (7), pp. 445-472;
57. Soh C.P.P., Yap C.S., Raman K.S., (1992), "Impact of consultants on computerization success in small businesses", Information and Management, Vol. 22, pp. 309-319;
58. Spinellis D., Kokolakis S., Gritzalis S., (1999), "Security requirements, risks and recommendations for small enterprise and home-office environments", Information Management and Computer Security, Vol.7 No 3, pp. 121-128;
59. Subba R., Ragu-Nathan T.S., Solis L.E., (1997), "Does ISO 9000 have an effect on quality management practices? An international empirical study", Total quality management, Vol. 8 (6), pp. 335-346.
60. Thong J.Y.L, Yap C.S., Raman K.S., (1996), "Top management support, external expertise and information systems implementation in small businesses", Information systems research, Vol.7, No 2, pp 248-267;
61. Turner C., (1997), "SMEs and the evolution of the European information society: policy themes and initiatives", European Business Journal, Vol. 9, No 4, London; pp. 47-52;
62. Von Solms B., (2000), "information security- The third wave?", Computers & Security, Vol. 19 (7), pp. 615-620;
63. Von Solms R., Van de Haar, (2000), "From Trusted Information Security Controls to a Trusted Information Security Environment", proceeding of the 16th Annual Working Conference on Information Security, IFIP, August, Beijing, Chine, contribution no 4/52;
64. Von Solms B., Von Solms R., (2004), "From policies to culture", Computers & Security, Vol. 23, pp. 275-279;
65. Von Solms B., Von Solms R., (2005), "From information security to ... business security", Computers & Security, Vol. 24, pp. 271-273;
66. Vroom C., Von Solms R., (2004), "Towards information security behavioural compliance", Computers & Security, Vol.23, pp. 191-198;
67. Webster, J., & Watson, R. T. (2002). "Analyzing the Past to Prepare for the Future: Writing a Literature Review", MIS Quarterly, 26(2), xiii-xxiii.
68. Wood, C.C. (1999), Information Security Policies Made Easy, Baseline Software, San Rafael, CA.
69. Wood CC., (2000), "An unappreciated reason why information security policies fail", Computer fraud & Security, Vol. 2000 (10), pp. 13-14;
70. th annual Hawaii International conference on system sciences (HICSS'07)