Understanding Information Technology Security Standards Diffusion - An Institutional Perspective

Sylvestre Uwizeyemungu, Placide Poba-Nzaou


Organizations' dependency on information technology (IT) resources raises concerns over IT confidentiality, integrity, and availability. IT security standards (ITSS), which play a key role in IT security governance, are meant to address those concerns. It is therefore important for researchers, managers, and policy-makers to understand the reasons for the low levels of ITSS diffusion in organizations. Building on an institutional perspective, this study shows that none of the ITSS has yet reached the stage of legitimation that would prompt widespread diffusion across organizations. Of particular focus is the benchmarking of ISO/IEC 27000 against other, more widely diffused ISO generic standards. Three methodological approaches were used: structured documentation analysis, public secondary data analysis, and informal interviews with experts. This study sensitizes managers and policy-makers to the key role of institutional mechanisms in shaping ITSS diffusion.

Paper Citation

in Harvard Style

Uwizeyemungu S. and Poba-Nzaou P. (2015). Understanding Information Technology Security Standards Diffusion - An Institutional Perspective. In Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-081-9, pages 5-16. DOI: 10.5220/0005227200050016

in Bibtex Style

@inproceedings{uwizeyemungu2015itss,
author={Sylvestre Uwizeyemungu and Placide Poba-Nzaou},
title={Understanding Information Technology Security Standards Diffusion - An Institutional Perspective},
booktitle={Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2015},
pages={5-16},
doi={10.5220/0005227200050016},
isbn={978-989-758-081-9},
}

in EndNote Style

JO - Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Understanding Information Technology Security Standards Diffusion - An Institutional Perspective
SN - 978-989-758-081-9
AU - Uwizeyemungu S.
AU - Poba-Nzaou P.
PY - 2015
SP - 5
EP - 16
DO - 10.5220/0005227200050016