Computers & Security 92 (2020) 101747

Contents lists available at ScienceDirect

Computers & Security

journal homepage: www.elsevier.com/locate/cose

A comprehensive model of information security factors for

decision-makers
Rainer Diesch a,b,∗, Matthias Pfaff a,b, Helmut Krcmar b
a
fortiss GmbH, Guerickestr. 25, 80805 Munich, Germany
b
Technical University of Munich, Boltzmannstr. 3, 85748 Garching, Germany

a r t i c l e i n f o a b s t r a c t

Article history: Decision-making in the context of organizational information security is highly dependent on various in-
Received 9 January 2019 formation. For information security managers, not only relevant information has to be clarified but also
Revised 9 December 2019
their interdependencies have to be taken into account. Thus, the purpose of this research is to develop
Accepted 4 February 2020
a comprehensive model of relevant management success factors (MSF) for organizational information se-
Available online 4 February 2020
curity. First, a literature survey with an open-axial-selective analysis of 136 articles was performed to
Keywords: identify factors influencing information security. These factors were categorized into 12 areas: physical
Key Security Indicators security, vulnerability, infrastructure, awareness, access control, risk, resources, organizational factors, CIA,
Security Success continuity, security management, compliance & policy. Second, an interview series with 19 experts from
Security Model the industry was used to evaluate the relevance of these factors in practice and explore interdependen-
Security Management Decision-Making cies between them. Third, a comprehensive model was developed. The model shows that there are key-
Expert Interview
security-indicators, which directly impact the security-status of an organization while other indicators
are only indirectly connected. Based on these results, information security managers should be aware of
direct and indirect MSFs to make appropriate decisions.
© 2020 The Authors. Published by Elsevier Ltd.
This is an open access article under the CC BY license. (http://creativecommons.org/licenses/by/4.0/)

1. Introduction to a management responsibility and a more business-focused view

protecting information (Ashenden, 2008; Ransbotham and Mitra,
Today, most businesses are based or even fully dependent on 20 09; Yeh and Chang, 20 07). Nowadays, security managers are
information such as financial data for banks to stay at the market fully responsible to consider and respond to information security
and be competitive (Knapp et al., 2006). According to thycotic, 62 issues (Abu-Musa, 2010; Soomro et al., 2016). Various cases like
% of all cyber-attacks are hitting small- and mid-sized businesses the “Equifax breach” had shown the consequences for the top man-
of which 60 % are going out of businesses six months after such agement in case of information security disregards. There, over 146
an attack (Thycopic Software Ltd., 2017). 53 % of the attacks are million personal information were stolen because of an unpatched
causing $50 0.0 0 0 or more (Cisco Systems Inc., 2018) while the av- system, which was a technical shortcoming. This causes, that the
erage cost of a data breach was $3.86 million (Ponemon Institute company gets rid of their CEO, CIO, and CSO by the “retirement” of
LLC, 2018). Not just financial losses are a risk but also legal and them right after the breach (Bernard and Cowley, 2017). The tech-
reputation repercussions (Tu and Yuan, 2014). Therefore, it is nec- nical personal was not affected. This goes further in manifesting
essary for organizations to keep their information and the under- the management responsibility within laws like the German Stock
lying technology secure against business-harming attacks. Corporation Act (§91 Section 2) which also requires an active risk
In the past, information security was purely a technical con- management within companies.
cern and therefore, technical employees were responsible for infor- Because of the shift from a technical to a management per-
mation security issues within an organization (Willison and Back- spective, the research focus also changed from studies in a tech-
house, 2006). This perspective fails when it comes to a comprehen- nical context to exploring the management role (Soomro et al.,
sive and holistic view and the overall security strategy. Thus, in the 2016). Managers must be able to take technical threats as well as
past years, there was a shift from the executive technology expert other factors like human behavior into account to take the right
and effective actions to mitigate threats (Coronado et al., 2009).
∗
To provide necessary funds, make good decisions and argue to
Corresponding author at: Guerickestr. 25, 80805 Munich, Germany.
the business, it is necessary for information security managers to
E-mail address: [email protected] (R. Diesch).

https://doi.org/10.1016/j.cose.2020.101747
0167-4048/© 2020 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license. (http://creativecommons.org/licenses/by/4.0/)
2 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747

understand the complexity of information security (Willison and Information security management certificates do provide a ba-
Backhouse, 2006) and have a comprehensive view on the topic sic assurance level and show that some security measures are
(Soomro et al., 2016). This comprehensive view with specific fac- available. But in practice, experts are skeptical about certificates.
tors and their interdependencies as well as the impact on the secu- Experts mentioned, that standards do help with compliance but
rity status of an organization is still a gap in research (Diesch et al., not always help to reduce risk or improve security (Johnson and
2018; Horne et al., 2017; Kraemer et al., 2009; Norman and Yasin, Goetz, 2007). Lee et al. (2016) show, that a higher security standard
2013; Soomro et al., 2016). Therefore, this study has the purpose does not necessarily lead to a higher security level. The following
to identify the key factors, evaluate them and explore interdepen- shortcomings of standards were highlighted in the past literature:
dencies to finally generate a comprehensive model to understand
(1) Well known standards are very generic in scope and tend
the information security complexity and thus provide good infor-
to be very abstract (Siponen and Willison, 2009). For these
mation security management decisions.
standards, concrete countermeasures and combinations of
The remaining research article is structured as follows. In
them are missing, which leads to inefficient or even mislead-
Section 2, previous work on management practices and manage-
ing risk mitigation strategies (Fenz et al., 2013).
ment success factors (MSF) in information security is described
(2) Standards consists of a huge amount of information. For ex-
and the need for a comprehensive information security model
ample, the ISO 270 0 0-series consists of 450 items with 9
with current shortcomings is shown. In Section 3, the three-
focus areas. This complexity and the fact, that there are
step methodology which contains the literature survey, the lit-
rarely fully implemented standards in small- and medium-
erature analysis, and the expert interview series is presented. In
sized businesses in place, leads to a fall back to ad-hoc
Section 4, the evaluated MSFs are provided. The MSFs in con-
implementations. An easy to understand toolkit is missing
junction with interdependencies are proposed as a comprehensive
(Mijnhardt et al., 2016).
model in Section 5. In Section 6, a critical discussion of the results
(3) The defined controls and countermeasures of the frame-
and areas for future research are highlighted. A conclusion is given
works are often implemented without sufficient considera-
in Section 7.
tion of the daily work or their need (Hedström et al., 2011).
This is because the organization usually do not consider
2. Background and motivation the relationships between the security concepts (Fenz et al.,
2013) and do not check whether a control is really necessary
This chapter is divided into three sections. In Section 2.1, stan- or less critical (Bayuk and Mostashari, 2013; Tu and Yuan,
dards and best practices in information security management for 2014).
practitioners and their shortcomings are described. In Section 2.2, (4) Rigorous empirical studies which consider different factors
the term MSF and the current state of the art in research regarding which may affect the decisions and validate the standards
this topic is introduced. In Section 2.3 the need for practitioners, as and best practices are missing in literature (Diesch et al.,
well as the gap in the literature, are highlighted to motivate this 2018; Siponen and Willison, 2009).
research. (5) There are regional differences in the use and contexts of
frameworks. For example, the NIST SP800-series is “devel-
oped to address and support the security and privacy needs
2.1. Standards and best practices
of U.S. Federal Government information and information sys-
tems” (NIST, 2018b) while the current standard in Australia
Information security management is often build based on in-
is the IS0/IEC 270 0 0-series (Smith et al., 2010). Therefore the
ternational standards or best practices (Hedström et al., 2011). The
NIST SP800 framework “is individually useful but (outside of
terms “standard” and “best practice” are often used as synonyms
the U.S.) do not provide a cohesive and explicit framework
but “standards” are usually checked by an international standard-
to manage information security” (Smith et al., 2010).
ization organization while “best practices” and other frameworks
are published independently.
2.2. Information security success
The most common standard from such an organization is the
ISO/IEC 270 0 0-series (ISO/IEC, 2018). This standard is widely ac-
Besides standards and best practices which were described be-
cepted, play an important role and it is possible to certify the or-
fore, there are theories and concepts in the literature which help
ganizational information security based on it (Siponen and Willi-
decision-makers in information security. Managers need to know
son, 20 09). The ISO/IEC 270 0 0-series defines basic requirements
the current information security status of their organizational as-
in order to implement an information security management sys-
sets to make decisions. If there are not well protected, they need
tem. Also, control guidance, implementation guidance, manage-
possible sets of controls with the consideration of the related costs
ment measures, and the risk management approach is specified.
to improve the information security situation (Diesch et al., 2018;
Special sub-norms are also included in the series, for example, the
Horne et al., 2017; Johnson and Goetz, 2007; Tu and Yuan, 2014;
ISO/IEC 27011 which deals especially with telecommunication or-
von Solms et al., 1994).
ganizations.
The literature deals with MSFs to describe the state of informa-
In addition to the information security management standard,
tion security which is needed in practice. The term was used first
there are frameworks or best practices like the NIST SP800-series
in 1987 to describe factors which take into account as “catalysts
(NIST, 2018b), the Standard of Good Practices from the Informa-
to generate new and more effective systems security activities” in
tion Security Forum (ISF) (ISF, 2018) or the COBIT framework
the security context (Wood, 1987). After that the theory of infor-
(ISACA, 2012). These best practices are used to implement an in-
mation systems success of DeLone and McLean (1992) deals with
formation security management system (ISMS), define and de-
different dependent and independent variables, which are indicat-
velop controls and address the most pressing problems regard-
ing a successful information systems strategy and that they can be
ing information security with an overview for their risk mitiga-
categorized into dimensions. Recent studies used other terms in
tion strategy (Mijnhardt et al., 2016). All in all, security standards
the context of information security:
provide a common basis for organizations to help reducing risks
by developing, implementing and measuring security management 1. “Information systems security management success factors” are
(Ernest Chang and Ho, 2006). factors to show the state of elements, which has to anticipate
 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747 3

preventing information security failure in the e-commerce con- 2009; von Solms et al., 1994; Willison and Backhouse, 2006). This
text (Norman and Yasin, 2013). causes in the fact, that managers do not make decisions based on
2. “Critical success factors” describe factors, which influence the data but on their experience, judgment and their best knowledge
successful implementation of an information security manage- (Chai et al., 2011). Therefore, current research asks for a compre-
ment system (Tu and Yuan, 2014). hensive approach to information security management (Abu-Musa,
3. “Critical success factors are described as key areas in the firm 2010; Nazareth and Choi, 2015; Savola, 20 07; 20 09; 2013; Soomro
that, if they are satisfactory, will assure successful performance et al., 2016; Tu and Yuan, 2014) which captures the definition of
for the organization” (Tu et al., 2018). “factors that have a significant impact on the information secu-
rity” (Bayuk, 2013; Leon and Saxena, 2010; Ransbotham and Mitra,
In this research, management success factors (MSF) are defined 2009; Soomro et al., 2016) and the established relationships be-
as factors to show the state of elements, which has to take into tween these fundamental objectives (Dhillon and Torkzadeh, 2006;
account in order to make appropriate management decisions in Hu et al., 2012; Soomro et al., 2016). This research addresses the
the information security context of an organization. If the security described needs with the development of the first theory of inter-
decisions are appropriate, it assures a successful security perfor- related MSFs, which give a basis for decision-makers to understand
mance for the organization. the complexity of information security on an abstract level and
Current literature mostly looks on factors which influence se- also could be the basis of multiple future needs also described in
curity separately. To highlight just a view studies, they separately literature like the goal based security metrics development (Bayuk,
deal with organizational factors (Ernest Chang and Ho, 2006; Hall 2013; Boss et al., 2009; Diesch et al., 2018; Hayden, 2010; Ja-
et al., 2011; Kankanhalli et al., 2003; Kraemer et al., 2009; Mijn- fari et al., 2010; Johnson and Goetz, 2007; Pendleton et al., 2017;
hardt et al., 2016; Narain Singh et al., 2014), policy compliance is- Savola, 2007; Zalewski et al., 2014).
sues (Boss et al., 2009; Goel and Chengalur-Smith, 2010; Höne and
Eloff, 2002; Ifinedo, 2012; Johnston et al., 2016; Lowry and Moody, 3. Methodology
2015a) or human factors (Alavi et al., 2016; AlHogail, 2015; Ashen-
den, 2008; Gonzalez and Sawicka, 2002; Kraemer et al., 2009). The To develop a comprehensive model of information security fac-
reason for the separation is, that security is managed in a sepa- tors for decision makers the methodology of this work consists of
rate manner in different departments which includes information two steps. Fig. 1 illustrates the steps. The first step is to find rel-
security, risk management, business continuity, operational secu- evant literature with the help of a literature search process de-
rity (Tashi and Ghernaouti-Hélie, 2008). This shows that various scribed in Section 3.1. The second step is to analyze the relevant
studies are available which do discuss different factors in great de- literature for factors which have an influence on information se-
tail but do not include a integral view on them. There are just a curity decisions. The results are categorized and high-level impact
view attempts to consolidate the body of knowledge in compre- factors which are derived from literature. This step is illustrated in
hensive MSFs. The information systems success theory explains six Section 3.2. The third step contains a semi-structured expert in-
factors which are contributing to the systems success (DeLone and terview in order to evaluate the relevance of the impact factors
McLean, 1992). This view does not include specific security con- in practice and explore interdependencies between them. The re-
siderations including the costs and available countermeasures that sults are evaluated and relevant MSFs in practice as well as inter-
a manager must consider. The authors self-criticized the proposed dependencies which results in the comprehensive model of MSFs
theory because of the missing evaluation. The only other success for decision-makers. In Section 3.3 the description of the expert
factor model was a model of factors, influencing the successful interview methodology is shown.
implementation of an information security management system
(Norman and Yasin, 2013) and not the security decisions of man- 3.1. Literature search
agers itself.
The search process is performed based on the method of
2.3. Shortcomings in literature and practice Webster and Watson (2002). The literature search consists of the
search scope followed by a keyword-search which ends in a for-
As the Sections 2.1 and 2.2 suggest, there are a view shortcom- ward and backward search. To provide high-quality articles, the
ings in literature for supporting decisions on the security man- scope is set to highly ranked journals within the information se-
agement level. A recent survey of McKinsey & Company with curity domain and the information systems management domain
1125 managers involved in 2017 identified three main problems, because of the relation to the management view. Journals of the
managers face in order to deal with information security issues management domain were selected from the Senior Scholars’ Bas-
(Boehm et al., 2017). These are the lack of structure within reports ket of Journals (AIS Members, 2011). The journals of the security
with dozens of indicators with inconsistent and too-high levels of domain were selected from the Scimago Journal & Country Rank
details. The lack of clarity because of reports, which are too techni- (SJR) (SJR, 2018) with the condition that they need to be part
cal which a manager typically not understand. A lack of consistent of the following categories: security, safety, risk or reliability. To
real-time data. not limit the search only to Journals, the scope was extended to
The lack of clarity within reports is not just present in prac- several databases. These are ScienceDirect, OpacPlus and Google
tice. Managers do not know all technical details and do not need Scholar. OpacPlus is a wrapper of multiple databases including Sco-
them because of their teams and experts (Fenz et al., 2013; May, pus, Elsevier, Wiley, and ACM Digital Library. The results of Google
1997). But they have to establish a security establishment and Scholar were limited by 100 hits because the most relevant arti-
have to improve the security status by using a security dash- cles can be found within the first sites (Silic and Back, 2014). Af-
board (Dogaheh, 2010). The reports and dashboards have to be ter the scope definition, the following search string was used to
on the need for information security managers (Wilkin and Chen- find articles: “(it OR information OR cyber)AND (resilience OR se-
hall, 2010) but there are no standards for the content of such curity)AND (factors OR kpi OR measures OR metrics OR measure-
dashboards (Bayuk and Mostashari, 2013). The lack of structure ment OR indicator OR management)”. Because the management
is related to the first problem and causes in the high diversity literature is not information security specific, the search string of
and complexity of the information security problem which causes these journals was adjusted to the first two parts: “(it OR informa-
uncertainty and confusion among top managers (Savola, 2007; tion OR cyber)AND (resilience OR security)”. Another adjustment
4 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747

Fig. 1. Methodology of theory development.

was done by searching just for the title and abstract within infor- Döring, 1995) to combine the advantages of structured and open
mation security specific sources because of the underlying diverse interviews. The interviewer is able to give room for explanations
topic. The selection of relevant articles out of the first keyword but also ensures, that all answers are given. With these considera-
search was done based on the title and abstract. Including crite- tions, the expert interview itself consists of three steps which are
ria was, that there are factors described or mentioned which are the operationalization of the described goals (chapter 3.3.1), the se-
influencing information security decisions. The forward and back- lection of experts (Section 3.3.2) and the analysis of the expert in-
ward search was applied to all selected articles while the forward terviews (Section 3.3.3).
search was based on the “cited by” function of Google Scholar.
The literature identification methodology results in 136 articles.
3.3.1. Operationalization
The complete search matrix with the applied source, the keyword-
The interview guide gives the interviewer an orientation and
search hits and the selected relevant article numbers is shown in
an analysis is more comparable than without any structure. To de-
Appendix A.
velop the survey instrument, the rules of good expert interviews
were considered (Bortz and Döring, 1995). The beginning of the
3.2. Literature analysis
interview was done with an open question on the most important
factor, the interviewee considers for the information security in the
The analysis was done based on the “open-axial-selective” ap-
organization (Q0). The following areas were discussed with the ex-
proach of Corbin and Strauss, 1990 which is a grounded theory ap-
perts to support the given goals and control as well as confirm the
proach based on Glaser and Strauss (1967) and was recommended
validity of the factors:
as a rigorous method for analyzing literature (Wolfswinkel et al.,
2013). This approach has the advantage, that the whole context of • Evaluationof factors:
an article can be analyzed in order to extract factors. Webster and A discussion about the meaning of each factor from a practi-
Watson (2002) also support a literature analysis but with the cate- cal perspective was done in order to evaluate the content of
gorization of a whole article in order to identify gaps in the litera- the factors (Q1.1). The practical relevance was tested by asking
ture, pointing out the state of the art and explaining past research. about the importance of each factor for the information secu-
To extract specific knowledge and categorize this, the coding on a rity of the organization (Q1.2).
textual level of articles is more appropriate in this case. The coding • Exploration of interdependencies:
follows the following steps: To explore the interdependencies between the factors and get
insights into them, a discussion about the practical usage and
(1) Assignment of text segments to a “first-order code”. For ex-
how the experts deal with each factor was done (Q2.1). To
ample, the text segment those organizations that have had
crosscheck the given statements, experts were asked for each
a systems security function for some time should use these
factor, if the factor has a direct impact on the information se-
assessment methods to validate the results of other methods
curity of the organization (Q2.2).
and to cross-check that they have not overlooked some im-
• Control questions:
portant vulnerability” (Wood, 1987) was assigned the cluster
Questions about the absence of not mentioned important fac-
“vulnerability assessment” as a factor which influences infor-
tors (Q3.1) and if the experts consider a factor which was dis-
mation security.
cussed to be unimportant (Q3.2) are used to control the com-
(2) Combines synonymous and their meanings to a “second-
pleteness of the given factors and further confirm the explored
order code”.
results.
(3) Categorize the “second order codes” to clusters based on
overlapping meanings (infrastructure overview and asset
knowledge), overlapping functions (management support 3.3.2. Expert selection
and management standards) or theoretical constructs (con- An expert is a person with specific practical or experimental
fidentiality, integrity, and availability). knowledge about a particular problem area or subject area and
is able to structure this knowledge in a meaningful and action-
3.3. Expert interview guiding way for others (Bogner et al., 2014). The selection of inter-
viewees was derived by this definition. Therefore, an expert should
Previous research has been criticized in order of missing sup- have several years of experience in the field of information secu-
port of reliability and validity by empirical studies (Siponen and rity which points to specific practical knowledge in the field of
Willison, 2009; Tu and Yuan, 2014). The first goal of the expert in- information security. The expert should have a leading position
terview was to evaluate the factors of the literature and thus gen- within the organization which testifies the ability to the mean-
erate MSFs which are relevant in practice. The second and main ingful and action-guiding structuring of the information for oth-
goal is the exploration of interdependencies between MSFs to de- ers. Also, a leading position supports the underlying comprehen-
velop the comprehensive model of MSFs. sive view which is required for the goal of this research. The se-
There are various ways to design an expert interview. This lection results in 19 participants. They were mainly chief informa-
study is designed as a semi-structured interview (Bortz and tion security officers (12) and information security officers (4). The
 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747 5

others were one chief executive officer, one chief information of- organization structures, global governance, regulation regimes,
ficer, and a technical delivery manager. All experts had 5 years of awareness programs and thus provide a more detailed frame-
experience at minimum, 16 years at average and 30 years at maxi- work”. This result directly in the corresponding list of first
mum. This shows, that the selected interviewees meet the require- order codes. Most of these direct codes appear in enumera-
ments and are suitable for this approach. The participants worked tions within the introduction or future work sections of the
in the following industries at this point in time: finance, automo- analyzed literature and are not further explained.
tive, diversified, aircraft, metal and electrical, services, hardware (2) The first order codes are part of a theory. The first order
and software, and others. All but one organization had more than codes are part of a hypothesis construct with a underlying
20 0 0 employees. This was the result of the requirements for ex- theory and are tested with quantitative or qualitative stud-
perts which mean, that the organization has to had at minimum ies. A example work is Kankanhalli et al. (2003) which de-
an information security team, which is typically not available in scribes the impact of the organizational size, the top man-
small businesses. agement support and the industry type on the information
systems security effectiveness. This example results in the
3.3.3. Interview analysis corresponding first-order codes.
The interviews were analyzed according to Mayring (2015). The (3) Indirectly within the articles or because of their focus.
basis for each question was a full transcript of the interview. The These appearances are derived from the overall classification
process contains of the following steps: of the articles or some descriptions within the text which
are not directly mention the first order code but the mean-
1. Paraphrasing
ing was chosen to name it. The article with the title “design
• Painting of components that do not contribute or have little
and validation of information security culture framework”
content.
(AlHogail, 2015) is named “security culture” as a first-order
• Standardize language level.
code. A other example for indirect mentions is those organi-
• Generate grammatical short forms.
zations that have had a systems security function for some
2. Generalization
time should use these assessment methods to validate the
• Generalize paraphrases on an abstract level.
results of other methods and to cross-check that they have
• Generalize predicates in an equal form.
not overlooked some important vulnerability” (Wood, 1987)
• Generate assumptions in case of doubt.
which is “vulnerability assessment” as a first-order code.
3. Reduction (can be done multiple times)
• Delete phrases which have the same meaning. The aggregation of the 188 first-order codes results in 44
• Combine phrases of similar meaning. second-order codes. The following aggregation criteria were iden-
• Select phrases that are very content-bearing. tified:
• Generate assumptions in case of doubt. (1) Articles describe often, that the codes have the same mean-
To analyze quantitative aspects or interdependencies, ing. An example is given by Jafari et al. (2010) which de-
Mayring (2015) also suggests two methods which are called scribed “Safeguards: Protective measures prescribed to meet
“valence or intensity analysis” (V) and “contingency or interrela- the security requirements [...], synonymous with counter-
tion analysis” (I) and used to analyze the interviews. Both methods measures”. This in conjunction with “improving the over-
contain mainly the same steps: all information security state by selecting the best security
countermeasures (controls) to protect their information as-
1. Formulate a question. sets” (Yulianto et al., 2016) are safeguards, countermeasures,
2. Determine the material sample. and controls a second-order code.
3. Define the variables (V) / text modules for interrelation (I) (2) Certain first-order codes are part of or included in other
4. Define the scale (V) / rules for interrelation (I) first-order codes which results in a second-order code. Ex-
5. Coding amples in literature are “Value delivery (i.e. cost opti-
6. Analysis mization and proving the value of information security)”
7. Presentation and interpretation (Yaokumah, 2014), “aside from the personnel measures
which focus on human behavior” (Sowa and Gabriel, 2009)
4. Management success factors or “threats, which form part of such risk” (Willison and
Backhouse, 2006). This indicates, that threats are part of
The prerequisite for a comprehensive model of MSFs is evalu- risks.
ated MSFs, which have an influence on information security de- (3) First-order codes are aggregated in order of their underlying
cisions. In Section 4.1, the results of the literature analysis are object. An example is “organizational size”, “industry type”
shown. These are factors which have an influence on information and “organizational structure” which are all features of an
security decisions from the literature perspective. After that, the organization and thus are aggregated to the second-order
factors have to be evaluated and proved for their relevance in prac- code “organizational factors”.
tice which results in evaluated MSFs. These results are shown in
The aggregation of the second-order codes to clusters and thus
Section 4.2.
the overall factors, influencing security decisions, is based on com-
mon theories in literature. An example is the theory of the protec-
4.1. Factors derived from the literature
tion goals of information security which is supported by various
authors: “with a goal to compromise Confidentiality, Integrity, and
The analysis of 136 relevant articles from the search methodol-
Availability (CIA)” or “it also coincides with the Confidentiality-
ogy resulted in 188 first-order codes. A code is a tuple of “factor in
Integrity-Availability (CIA) framework” (Goldstein et al., 2011) or
literature”-“author”. So for each author, the different impact factors
“one view, which gained especially wide popularity, is called C-I-A
were coded. These codes appear in the following situations:
triad” (Zalewski et al., 2014). This theory results in the consolida-
(1) They appear directly within the literature. An example is the tion of protection goals in the factor “CIA”.
following sentence of Atoum et al. (2014) “enrich the frame- The result of the literature analysis is 12 factors influencing
work in other related dimensions such as human resource, security decisions, namely: “Vulnerability”, “Compliance & Policy”,
6 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747

“Risk”, “Physical security”, “Continuity”, “Infrastructure”, “CIA”, “Se- which is detected on systems. Patching and the elimination
curity management”, “Awareness”, “Resources”, “Access control” of vulnerabilities are done based on the given assessment
and “Organizational factors”. The detailed codes and the aggrega- methods.
tion steps are available in Appendix B. 3. Challenges: A problem is, that the vulnerabilities have to
The literature analysis confirms the assertions made in be known first. Not just the knowledge of the vulnerabili-
Section 2.3 which say that various individual factors are men- ties is a problem but also the knowledge of the assets and
tioned, enumerated or examined. However, up to now, there has the whole infrastructure of an organization is a challenge in
been no comprehensive view on them, a discussion of the practi- practice. Just if an organization knows the whole assets and
cal relevance is missing and the interdependencies of the factors infrastructure, it is possible to determine, if there are known
among each other are not described. The result of this chapter vulnerabilities or not.
gives an abstract view of current factors in literature, influencing • Infrastructure
information security decisions. 1. Literature: Infrastructure does have different aspects. Com-
ponents are technical systems which itself try to protect
4.2. Evaluation of Factors the underlying assets or are there to identify attacks. Ex-
amples are firewalls, intrusion detection systems, informa-
The explored factors of the last Section 4.1 are the basis for the tion visibility, compromise detection, defense modeling, and
following evaluation and therefore to transform these factors to other solutions. A second important concern is the preven-
MSFs for information security decision-makers. In Section 4.2.1 the tion of attacks without any known vulnerabilities. This in-
practical view of experts on the factors is compared to the lit- cludes architectural decisions to segment the network, limit
erature view which is derived out of the literature analysis in open access points or external connections, harden the sys-
Section 4.1. In addition, challenges of practitioners are supported tems, encrypt the communication or clean configuration is-
for each factor. The result of the relevance validation is present in sues. Since these are no specific vulnerabilities but consid-
Section 4.2.2. Section 4.2.3 contains the result of the control ques- ered as weaknesses, this topic is a stand-alone factor.
tions and thus confirm the validity and relevance of the explored 2. Practice: Some of the experts see this factor as a
factors. vulnerability-topic but most of them associate more than
that with the infrastructure factor. It is about knowing all
4.2.1. Content validation of MSFs systems and software as well as the connections between
The relevance of the factors in practice and their validity makes them and if they are secured or not. It is also about the
them to MSFs. The general context analysis (Section 3.3) was used “hardening” of all available systems, make threat models
to determine the practical usage and meaning of the different fac- and secure the infrastructure in each network layer. To ac-
tors out of the literature. To analyze them, the scope was set to complish that, the experts use hardening-guidelines, secure
the whole interview transcripts while the main answers are given deployment, installation routines, design reviews and con-
by the guiding question Q1.1 of the interview guide. Because of the figuration management databases.
methodology design of a semi-structured interview, the challenges 3. Challenges: Problems are the complexity of the activity, that
and problems of each factor in practice is a side-result and also re- it is difficult to check the wright implementation of the
ported here. The following itemization shows each MSF with a de- hardening guidelines and the above-mentioned problem of
scription of the literature view, a consolidated practical view and the difficulty to know all available systems and their con-
the challenges practitioners face regarding each MSF. The literature nections.
view is a consolidation of definitions and opinions out of the lit- • Compliance & Policy
erature analysis 3.3.3. The practical view and the descriptions of 1. Literature: Security policies are an “aggregate of directives,
the challenges are a consolidation of the main opinion of all 19 regulations, rules, and practices that prescribes how an or-
experts. ganization manages, protects, and distributes information”
• Vulnerability (NIST, 2013). All activities concerning compliance and poli-
1. Literature: The definition of a vulnerability in literature is cies like policy deployment, policy effectiveness, legal com-
generally a “weakness of an asset or control that can be ex- pliance, and regulatory requirements are subsumed in this
ploited by one or more threats” (ISO/IEC, 2018). This defi- factor. The literature describes also multiple characteristics
nition is very generic and can be technical as well as non- for good and bad policies and controls which have an influ-
technical. NIST gives a more detailed definition as a “weak- ence on the information security of organizations.
ness in an information system, system security procedures, 2. Practice: This factor means the implementation of require-
internal controls, or implementation that could be exploited ments which are given from external and internal. These
or triggered by a threat source” (NIST, 2018a). Common us- include laws, policies from the management and require-
age of the term in the analyzed literature is, that vulnerabil- ments from standards to get certificates. Practitioners use
ities are technical in nature. More specifically, “a vulnerabil- frameworks to implement them and audits as well as self-
ity is a software defect or weakness in the security system assessments to check them. This frameworks and policies
which might be exploited by a malicious user causing loss help organizations which have not the common knowledge
or harm” (Joh and Malaiya, 2011). to consider all aspects of security.
2. Practice: Vulnerabilities from the management perspective 3. Challenges: 100% compliance does not mean 100% secure.
are always technical in nature. Specifically, known vulner- This factor alone does not help in case of security but with-
abilities within systems and software are meant by them. out, it is not possible to make audits or push measures
The common understanding of the experts was that vul- through.
nerability is a topic of patch management and a prob- • Security management
lem of not patched systems. All organizations do have 1. Literature: This factor subsumes all process activities within
patch management in place and try to minimize the vul- the information security management system and opera-
nerabilities in the infrastructure. The assessment of them tional tasks like change management, incident management,
is done with vulnerability-scanners, penetration-tests, au- process effectiveness measurement and the implementation
tomatic scans, audits and the definition of toxic software of security standards. All aspects of the Plan-Do-Check-Act
 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747 7

approach of the ISO/IEC 270 0 0 (ISO/IEC, 2018) are part of of: (i) the adverse impacts that would arise if the circum-
the security management factor. The other part are strategic stance or event occurs; and (ii) the likelihood of occurrence”
topics like goal definition, top management support, gover- (NIST, 2018a).
nance, and strategic alignment as well as the documentation 2. Practice: Experts use the same definition and understand-
of these activities. Also, an important aspect in literature is ing of risk as in literature. A risk is a severity and likelihood
the communication with employees and the top manage- combined with an issue. Information security is the applied
ment. The ISO/IEC 270 0 0 defines security management as risk management because it is used to prioritize and de-
a “systematic approach for establishing, implementing, op- fine countermeasures. Therefore, all of the experts have risk
erating, monitoring, reviewing, maintaining and improving management based on certain standards like ISO/IEC 270 0 0
an organization’s information security to achieve business or NIST in place.
objectives” (ISO/IEC, 2018). This definition shows that the 3. Challenges: Not all risks can be mitigated, because of miss-
monitoring part is also established within this factor. There ing resources or other restrictions. Some managers also have
are different methods and processes described to continu- problems to define risks which are understandable for tech-
ously improve the information security of an organization. nical employees or even for the top management. Also, the
This covers the implementation of metrics and the topic of availability of the underlying data is a challenge in prac-
compromise detection. tice. An example of this is the consolidated view on possible
2. Practice: There are two management approaches in place. threats. There are various technical solutions like threat in-
The risk-based and the control-based approach. There are telligence platforms available on the market which helps to
various processes in place to support the two different consolidate these data. The problem comes with the combi-
approaches. Therefore the experts control their manage- nation of the different factors to define the risk. A possible
ment processes with audits and using the Plan-Do-Check- threat alone is not important for the information security
Act framework from the ISO/IEC 270 0 0 (ISO/IEC, 2018). The management. The challenge is to analyze the underlying as-
next important aspect for the interviewees was the business sets and their vulnerabilities and check if the threat can ex-
(top) management support and their understanding of the ploit one of these. After this combination, the risk can be
risks the organization is facing. defined and is useful for an information security manager.
3. Challenges: A problem is the missing knowledge of con- • Access control
cepts behind the security processes and also the lack of 1. Literature: Access control is not mentioned as a part of
knowledge of available actions for improvements. The secu- countermeasures. This topic is such important that it often
rity management does not have an impact on the security emerges as an independent and important factor for secu-
of an organization without this knowledge. rity. Access control contains account management, software
• Awareness access control as well as access rights. It means “to ensure
1. Literature: The definition of awareness in literature is to be that access to assets is authorized and restricted based on
aware of security concerns (NIST, 2013). Awareness in aca- business and security requirements” (ISO/IEC, 2018).
demic literature is discussed in different subjects. Including 2. Practice: Access control is the management and regulation
in this factor are behavioral topics like employee behavior, of access to systems, applications, data, and infrastructure.
user activities, user interaction but also user reaction, user It is not just about the access but also the key management,
errors, and faults. All parts depending on knowledge like role administration, classification of data and the manage-
skills, education, training, and competence are also including ment of the identities within organizations. Therefore the
in the awareness factor. Awareness in literature is not just experts have procedures per applications, try to implement
about peoples behavior but also the personal needs of them, the common principles like the need-to-know- or the least-
privacy issues, trust concerns as well as cultural thoughts privilege-principle. They check the available accesses, have
and the social environment. identity and access management in place and use tools to
2. Practice: All topics that concerning people and can not monitor them.
be treated with technology are subsumed by awareness. 3. Challenges: Challenges occur in case of on-, off-boarding
Typical understanding is the employee as a vulnerability and department changes as well as the more and more open
with human errors, human behavior or not enough knowl- culture of organizations with “bring your own device” and
edge. A typical countermeasure is web-based and conven- “cloud infrastructure”. Not just the open culture but also
tional training. Practitioners test their employees with own technologies and trends like the “internet of things” and
phishing-campaigns or check click-rates on their proxy- “mobile devices” are increasingly a problem for this factor
servers. Cultural and privacy concerns are not often taken because each of these devices also has an identity. This in-
into consideration. creases the complexity of managing access control and has
3. Challenges: Challenge in practice is, that awareness activ- to be considered by choosing such technologies.
ities are very resource heavy and the effects are not that • CIA
huge. Countermeasures often do not lead to measurable ef- 1. Literature: This factor is based on the overall theoretical
fects, they lead to annoyed employees and therefore, em- construct of the protection goals of information security.
ployees more often fail the same tests. Therefore the codings confidentiality, integrity, availability,
• Risk as well as underlying goals like the non-repudiation, are
1. Literature: The risk factor is discussed as an overall risk subsumed in this factor. Articles about security metrics and
management concern with possible threats, the likelihood security success are mostly based on this factor and plays a
of their occurrence and the possible impact on the orga- huge role in the security discussion.
nization. Literature mostly discusses the risk management 2. Practice: In practice, this factor is a theoretical construct
process and the possible handling of present risks like pre- with the same definition as in literature. It is used to com-
vention, tolerance, exposure, prediction, and perception. A municate with the business management, to classify the
comprehensive definition is given by the NIST SP800-37: “A need for protection or is not used in practice at all.
measure of the extent to which an entity is threatened by 3. Challenges: The problem in practice is that these classes can
a potential circumstance or event, and typically a function not be uniquely assigned to countermeasures. Many experts
8 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747

consider this factor as an academic construct, which is out- Table 1

Importance of MSFs for the information security of organizations (number of
dated and not really practicable.
experts).
• Organizational factors
1. Literature: The organizational factor itself means the prop- MSF not imp rather not imp rather imp imp
erties of an organization which has an influence on the se- Vulnerability 0 0 7 12
curity of this organization. There are multiple authors which Resources 0 0 7 12
mentioned the influence of several factors like the organiza- Awareness 1 0 6 12
Access Control 0 1 8 10
tional size, the industry type or the internal and external
Physical Security 1 0 11 7
structure of the organization. Infrastructure 0 1 12 6
2. Practice: These factor has the same meaning in practice like Risk 0 1 12 6
in literature. Most of the experts are not dealing with it be- Continuity 1 1 13 4
Security Management 3 1 8 7
cause there are no possibilities to change the characteristic
Organizational 3 4 11 1
of the organization from their perspective. But it is consid- CIA Triad 7 1 8 3
ered in other factors like risks or in consideration of the Compliance & Policy 6 3 7 3
implementation countermeasures. Practitioners say, that it
might influence the possibilities of an organization.
3. Challenges: A challenge is, that some attack surfaces are not nology” (NIST, 2013). The literature describes this factor as a
influenced by any type of character an organization could limitation and mostly in a negative way. The perspective is
have. A good example of this is ransomware which does not given that, if you do not have enough resources, the organi-
even look at the victim they attack. zation is not able to implement security which as a negative
• Physical security influence. A second part is the cost-effectiveness of counter-
1. Literature: This factor have influence in reducing the oppor- measures and the return on security investments (ROSI).
tunity to access assets physically in form of physical entry 2. Practice: In practice, this factor is mostly addicted to bud-
controls, the protection of the environment, building secu- get, which has to be given by business management. A small
rity with fences or other countermeasures, travel security part is also the number of employees with good knowl-
and all activities around this. The literature does not men- edge and a appropriate education. Therefore, experts have
tion this factor very often but consider it as really important applied budget-processes and recruitment campaigns. Cost-
for organizations and their management. effectiveness and ROSI is not mentioned by the practitioners.
2. Practice: Physical security is the physical protection of 3. Challenges: Problems are often in place of buying expensive
buildings, offices, servers, and hardware. It also contains the tools and equipment in the security field and the argumen-
protection of the environment, persons, traveling and en- tation of their adding value. It is often a tension between
vironmental disasters. Interviewees do work together with business management and security management.
other departments dealing with this factor. It is mainly not
the part of the security department of an organization. Partial aspects of individual factors are not covered by the lit-
3. Challenges: The topic gets less important in times of the erature or are not considered in practice. However, the contents
changing environment like mobile offices, roaming-users, and the understanding of the factors from the literature analysis
home offices and cloud computing. This change brings with agree with those of the experts. The challenges are not supported
it other challenges. by all of the experts, because this was no explicit question. Thus,
• Continuity they were just included, if there are more than 2 mentions of the
1. Literature: Continuity is split in business continuity and IT same challenge. The challenges further indicate, that a comprehen-
continuity. In case of cyber security, the term “refers to the sive model of them could help, improving the understanding of in-
ability to continuously deliver the intended outcome despite formation security within organizations and also to help, improv-
adverse cyber events” (Björck et al., 2015). The business con- ing specific factors.
tinuity is on a more abstract level than cyber or it continu-
itiy and is defined as a “predetermined set of instructions 4.2.2. Relevance validation of MSFs
or procedures that describe how an organization’s mission- The “valence or intensity analysis” (Section 3.3) was used to not
essential functions will be sustained [...] before returning to just validate the factors concerning their content but also to deter-
normal operations” (NIST, 2013). Resilience is not often rep- mine their relevance in practice to the information security of an
resented in the literature and has already been identified as organization. Therefore, the scope of the analysis was also set to
a research gap (Diesch et al., 2018). the whole interview transcripts but the main question supporting
2. Practice: This factor is understood as the goal of the busi- this validation is Q1.2. A 4-point Likert-scale which points out the
ness as well as a partial goal of information security. Im- importance of the factor for the information security of the organi-
portant is a continuous IT and a disaster and recovery plan zation is used. The coding of the scale is from not important (not
which should be tested from time to time. There are oppo- imp) to important (imp). Table 1 shows an assorted view of the re-
site opinions in relation to business continuity management sult. The assortion is based on the sum of the codings for “not im-
(BCM). Some experts say, that requirements come from the portant” and “rather not important” in conjunction with the sum
BCM to the information security management and others of the coding “rather important” and “important”, descending by
say, that they are being submitted to the BCM. the importance of the MSFs.
3. Challenges: A challenge is finding a common understanding This result support, that all factors are relevant in practice. The
and effective communication between BCM and IT continu- last three factors are “Organizational factors”, “CIA” and “Compli-
ity. ance & Policy”. For all of them, the experts do have an explana-
• Resources tion, why they are less important than the other factors. “Com-
1. Literature: Resources are not just money but also the avail- pliance & Policy” are not important for the information security of
ability of good skilled and well-educated employees. More the organization itself but are necessary to comply with the law, to
general resources are “information and related resources, enforce countermeasures and to align the top management of the
such as personnel, equipment, funds, and information tech- organization. The “CIA” factor is a goal factor and is useful to com-
 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747 9

Connuity CIA

goal
considered in
Informaon
Security

direct impact

Access
Vulnerability
Physical control part of
security Risk
Infrastructure Awareness

improve priorize

Counter-
enforce measure

define and influence

implement
Compliance define Security
& Policy influence management

considered in

Organizaonal
Resources
factors

Fig. 2. A comprehensive model of MSFs for information security decision-makers.

municate and explain different risks or attacks and their impacts. The interdependencies were explored with the help of the “contin-
“Organizational factors” are less important because there are cases, gency or interrelation analysis” method (Section 3.3). The scope is
in which these factors are important but there are also attack sce- the whole interview which was analyzed. The following text mod-
narios in which this factor is not important. The management has ules are examples to identify interrelations:
to consider all the factors in order to make good decisions. The
proposed factors are valid in their context as well as relevant in • ...have a direct impact on...
practice for decision-makers and thus are now called management • ...is a basis to...
success factors (MSFs). • ...is essential for...
• ...is the goal from...
• ...is considered in...
4.2.3. Control questions
The main control questions Q3.1 and Q3.2 are used to ask for
Fig. 2 shows all MSFs with their interrelations based on the ex-
factors, which are important to make decisions and are not present
pert interview. Solid ovals are representatives for the MSFs. Dotted
in the interview guide as well as a consideration of the most unim-
ovals are representatives of concepts necessary to explain certain
portant factor. The most experts (12) do not have a factor, which is
interdependencies. In this case, “Information security” is the rep-
really unimportant. The only mentions of factors were the “Com-
resentative for the information security status of an organization.
pliance & Policy” as well as “CIA” which agree with the ranking
The statement behind this is, that certain factors do have a di-
on the previous result. The question of missing factors results in
rect impact on the information security status of the organization.
a similar situation like before. 10 experts do not mention miss-
The dotted oval “Countermeasures” is a part of the factor “Security
ing factors. The other factors which are missing are “management
management” but have important interdependencies which are ex-
support”, “external interfaces”, “threat landscape” and “strategy”
plained by the experts. Thus, the security management itself does
which are part of the coding and thus included in the aggregation
not have a huge impact on other factors, but they define and im-
of the literature analysis.
plement countermeasures which do have an influence on the MSFs
given in the figure. Rectangles within the picture clusters multiple
5. A comprehensive model of MSFs MSFs with the same interdependency to other MSFs. The dotted
line within the rectangles indicates, that all MSFs which are left of
The purpose of this research was the development of a com- this line, are not the primary part of the information security de-
prehensive model of MSFs for information security decision mak- partment of an organization. They are from other departments like
ers. This result section combines the previous results with evalu- the cooperate-security in the case of “Physical security” and the
ated and relevant MSFs and adds interdependencies between them. business continuity in case of “Continuity”. However, the collabo-
10 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747

ration between the departments is very close and the MSFs must The proposed model does support an abstract and comprehensive
certainly be considered in information security as well. view of the complex topic of information security from the man-
Key security indicators. The term key security indicator is not agement perspective. The different MSFs are not explained in great
present in literature but is mentioned by practitioners. Key secu- detail but the interdependencies between them and the overall
rity indicators are MSFs, which have a direct impact on the secu- decision-making process are present in this research. The model
rity status of the organization. Therefore, the rectangle which in- gives a basis to decision-makers, which with information security
cludes the MSFs “Physical security”, “Vulnerability”, “Access con- management and help to decide if certain countermeasures are
trol”, “Awareness” and “Infrastructure” are key security indicators. necessary or even useful. It is not just a basis for security man-
Because of the direct connection to the information security con- agers but also for the business management as well as technical
cept, these factors are considered as indicators of the actual in- employees. With the help of this model, they are able to under-
formation security status of an organization. Security management stand the difficulties and retrace certain decisions better. A better
has to implement countermeasures to actively improve these fac- understanding also leads to better alignment and awareness.
tors. These are the most important factors because of their direct The results are related to several other studies. Past literature
impact. does support a great explanation and study of different factors in
Security goals. The MSFs “Continuity” and “CIA” are the protec- detail and stated the importance of them. Studies also deal with
tion goals of information security. This cluster is considered in the models of different factors like awareness and their components.
“Risk” MSF by data classification as well as a communication in- This research supports a comprehensive overview of high-level fac-
strument which describes the impact of certain risks to top man- tors (MSFs) and a validation of them as well as a discussion of
agers or technical employees. Disasters and continuity thoughts are the relevance of these factors which has been criticized as missing
also considered as risks which are the basis for recovery plans. The in past articles. The research adds value to the research commu-
security goals are considered as the least important part of the nity by exploring interdependencies between the evaluated MSFs
MSF model by experts (Section 4.2.2) because they do not actively and propose a comprehensive model from the perspective of infor-
improve the security status and just help by prioritizing risks and mation security decision-makers. Best practices and standards are
communicate them to the business management. very generic and mostly describe processes. But, a complete im-
Risk. The MSF “Risk” have the most interrelations and is the plementation does not necessarily lead to better security and the
basic input for “security management”. It uses security goals like standards have been criticized, also by experts in the interview,
described before. A prerequisite and a part of risks are key secu- that they are just frameworks to be compliant. The interdependen-
rity indicators. They show the current information security status cies of the comprehensive model in this research help to decide
of which weaknesses were deriving. This, in combination with pos- which countermeasures are appropriate and which are not neces-
sible threats, the impact on the organization, and the likelihood of sary. The standards and best practices give action proposals for im-
occurrence is a risk. Risks are influencing the “Security manage- provements of the MSFs and thus complete this research with the
ment” and is a basis to prioritize and define “Countermeasures”. next step after the decision was made.
The management mostly uses standards and best practices like the Current standards and best practices, for example, the ISO/IEC
ISO/IEC 270 0 0 (ISO/IEC, 2018), NIST SP80 0-30 (NIST, 2015), NIST 270 0 0-series, the NIST SP80 0-series or the ISF are important to
SP800-37 (NIST, 2018a) or others to deal with risks and derive structure the processes of improving the information security of
countermeasures in a structured way. an organization. These documents either describe processes based
Security management. The cluster with “Organizational factors” on a risk management approach to implement countermeasures or
as well as “Resources” are MSFs which cannot be directly influ- define controls which have to be implemented to comply with the
enced by the experts. They are either given in case of “Organi- standard. The most experts in the interviews said that they com-
zational factors” or are set by the business management in case bine two or more of them and uses the concepts they need or
of “Resources”. They are considered in the “Security management” are appropriate for them to improve the information security sta-
in conjunction with the “Risk” MSF which are the basis to de- tus of the organization. The proposed model in this research con-
velop and implement countermeasures which should improve the tributes to these standards by improving the overall understanding
key security indicators. “Compliance & Policy” are aids which help and the interdependencies between the concepts described in the
to enforce countermeasures with employees and are necessary to standards. Also, the model is a possibility to report the informa-
comply with laws. “Compliance & Policy” is split into external and tion security status based on the MSFs. Such a reporting is missing
internal rules which causes the interdependency in both ways to in the current standards and best practices as well as in research
and from the “Security management” MSF. “Security management” articles. The missing reporting standard or suggestions for that is a
define rules and external rules are influencing the “Security man- need which all of the interviewed experts have. Experts also strug-
agement”. These rules are considered as the least important by the gle to report the information security decisions and status to the
experts (Section 4.2.2) because they are not actively improving the business management in an abstract and understandable way. The
security situation but are helpful to enforce countermeasures and current solution of the interviewed experts is that they develop
help to deal with the topic. their own reporting standard. These reports do not contain aspects
which can be compared with other businesses or even business
6. Discussion and future research units. The results of this research support these needs and can be
used as a basis for such a reporting standard. Experts also look-
The results of this research propose a comprehensive model ing for dedicated technical solutions like threat intelligence plat-
of MSFs with their interdependencies for information security forms, security incident management systems and information on
decision-makers. The MSFs were supposed based on the literature indicators of compromise to mention just three. These technologies
and are evaluated by experts from practice. These interviews also help to consolidate various information and present them to the
support interdependencies between the MSFs. The combination of management. Each technology is useful for a specific area. This re-
these results in the development of the comprehensive model of search can help to argue the implementation of specific technolo-
MSFs. gies, to illustrate their role in the overall security context and to
Practitioners, as well as the literature, stated the need for a identify gaps within the security landscape of an organization in
comprehensive view of the information security of organizations. which technologies could help.
 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747 11

The result can also be interpreted from the perspective of the 7. Conclusion
information security status of an organization. From this perspec-
tive, the model indicates, that the key security indicators are im- This research is suggesting a comprehensive model of man-
portant to improve the information security status of the organi- agement success factors (MSFs) for information security decision-
zation. This interpretation in mind, small- and medium-sized busi- makers. Therefore, a literature analysis with an open-axial-selective
nesses with fewer resources and not that much competence could approach of 136 articles is used to identify factors which have an
implement light-weight countermeasures, which focus on the key influence on the information security decisions of managers. A val-
security indicators. It could be a quick-win for the decisions in idation of these factors, as well as the check for their relevance,
those organizations to focus on the key security indicators. This was supported by conducting an interview series of 19 experts
does not mean, that the standards and best practices or even from practice. This results in 12 MSFs. To finally develop the com-
the other factors of the model should be ignored by small- and prehensive model, the interviews are the basis to explore interde-
medium-sized business. To continuously improve and monitor the pendencies between the MSFs.
information security status in a structured way, the processes and This research suggests that “Physical security”, “Vulnerability”,
concepts of these standards have to be implemented and used. The “Access control”, “Infrastructure” and “Awareness” are key security
proposed model can help these businesses and their management indicators which have a direct impact on the information security
with less expertise in the field of security to understand the inter- status of an organization. The “Security management” have to con-
dependencies between relevant concepts, understand which factors sider “Risks”, “Organizational factors” and available “Resources” in
are influential and also which factors a manager has to consider order to generate countermeasures, which have an influence on the
by making decisions. Even which factors have to keep in mind to key security indicators. “Compliance & Policy” is an aid to enforce
make well-informed decisions. countermeasures and be compliant with laws. The well discussed
This study uses a mixed method approach with a literature MSF “Risk” is considering the security goals “CIA” and “Continuity”
analysis followed by a semi-structured interview to generate the and also is using key security indicators to determine a risk level
results. Although a rigorous methodology was used, the study has which is used to prioritize countermeasures.
several limitations. Despite the validation and the discussion with This research offers a high-level view of the complex topic of
experts, a bias in the interpretation of the texts and the creation of information security decision-making from the perspective of secu-
the codes cannot be excluded. Surveyed experts are mainly active rity management experts. The comprehensive model of MSFs helps
in large organizations. Some of them were previously employed in them and other employees as well as the business management to
smaller businesses, but the inclusion of opinions from managers of better understand the security needs and certain decisions in this
smaller organizations could change the outcomes and importance context and thus improve their awareness. Future development of
of individual factors. goal-oriented metrics and methods to quantify the status of infor-
The results give many opportunities for future research. The mation security as well as methods to aggregate them based on
proposed model is based on interdependencies, which are explored the key security indicators are not just interesting in research but
by a qualitative study. The interdependencies should be further also asked by practitioners.
tested with quantitative approaches to ensure their validity. Cer-
tain MSFs were clustered into rectangles. There could be interde- Declaration of Competing Interests
pendencies between the containing MSFs on deeper levels, which
are not be explored in this study. Also, a look deeper within the The authors declare that they have no known competing finan-
certain proposed MSFs would be a possibility for future research. cial interests or personal relationships that could have appeared to
Open question from past literature could be solved with a more fo- influence the work reported in this paper.
cused approach based on this results. Leon and Saxena (2010) iden-
tified a gap of the security metrics approach, which was not goal- Appendix A
focused in the past and suggested the development of a goal-list
which could improve further security metrics development. This
Table 2
comprehensive model and their MSFs could be considered as a
Literature search matrix.
list of security goals from the management perspective and thus
can be the basis of such research. Also, past metric approaches are Resource Hits Relevant
mainly based on the individual security processes and thus is not MIS Quarterly 7 1
appropriate for cross-organizational comparisons (Bayuk, 2013). A European Journal of Information Systems 20 3
metrics approach based on a comprehensive model could be suit- Information Systems Journal 27 4
Information Systems Research 22 5
able for this. Also, the interview partner requested a dashboard Journal of AIS 11 5
and reporting standard for key security indicators which is not Journal of Information Technology 25 0
present in standards, best practices or research articles. To reduce Journal of Management Information Systems 1 0
the shortcomings, a future study is possible, which includes small- Journal of Strategic Information Systems 14 5
Journal of Management Information Systems 26 2
and medium-sized businesses and integrate them in the proposed
Decision Sciences 18 2
model. Information & Management 53 5
Information security managers should consider all the explored Information and Computer Security 99 10
MSFs by taking decisions. The countermeasures and processes IEEE Trans. on Dependable & Secure Computing 8 1
should not only be adopted because of their appearance in stan- IEEE Trans. on Information Forensics and Security 7 0
Computers & Security 84 15
dards and best practices, but they should appropriate in the given Google Scholar 100 11
situation. A common practice is also the fallback to risk acceptance ScienceDirect 41 6
(Bayuk, 2013) which do not improve the security status at all but is OpacPlus 110 19
very easy to implement. The results of this study facilitate the un- Backward 10
Forward 32
derstanding of the complex topic of information security and en-
SUM 673 136
able more people to make appropriate decisions and take the right
actions within their current situation.
12 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747

Appendix B

Table 3
Vulnerability.

First-order code Second-order code Cluster

technical vulnerabilities (Arora et al., 2010; Boss et al., 2009; Dzazali et al., 2009; Kraemer et al., technical vulnerabilities Vulnerability
2009; NIST, 2008; Premaratne et al., 2008; Sowa and Gabriel, 2009; Straub and Welke, 1998; Sunyaev
et al., 2009; Tashi and Ghernaouti-Hélie, 2008; Yeh and Chang, 2007)
vulnerability assessment (Coronado et al., 2009; Gosavi and Bagade, 2015; Jafari et al., 2010; Siponen
and Willison, 2009; Wood, 1987)
network vulnerability (Gao and Zhong, 2015; Geer et al., 2003; Idika and Bhargava, 2012)
system vulnerability (Boyer and McQueen, 2007; Dogaheh, 2010; Goldstein et al., 2011; Hayden, 2010;
Holm and Afridi, 2015; Jean Camp and Wolfram, 2004; Lee and Larsen, 2009; Norman and Yasin,
2013; Pendleton et al., 2017; Pudar et al., 2009)
vulnerability disclosure (Ransbotham and Mitra, 2009)
host vulnerability (Idika and Bhargava, 2012)
security problem (Straub and Welke, 1998)
vulnerability(Alavi et al., 2016; Alqahtani, 2015; Ashenden, 2008; Azuwa et al., 2017; Bayuk and
Mostashari, 2013; Bayuk, 2013; Ben-Aissa et al., 2012; Crossler and Belanger, 2012; Fenz et al., 2014;
2013; Hajdarevic and Allen, 2013; Hajdarevic et al., 2012; Herzog et al., 2007; Hua and Bapna, 2013;
Ifinedo, 2012; Johnson and Goetz, 2007; Leon and Saxena, 2010; Mazur et al., 2015; Mermigas et al.,
2013; Muthukrishnan and Palaniappan, 2016; Nazareth and Choi, 2015; Posey et al., 2015; Savola and
Heinonen, 2011; Tanna et al., 2005; Vaughn et al., 2003; Verendel, 2009; von Solms and van Niekerk,
2013; Wang et al., 2013; Yeh and Chang, 2007; Young et al., 2016; Zalewski et al., 2014)
it security (Björck et al., 2015; Manhart and Thalmann, 2015; Willison and Backhouse, 2006) technical security
technology (AlHogail, 2015; Ashenden, 2008; Goel and Chengalur-Smith, 2010; Goldstein et al., 2011;
Gonzalez and Sawicka, 2002; Hall et al., 2011; Herrera, 2005; Jafari et al., 2010; Katos and Adams,
2005; Kraemer et al., 2009; Leon and Saxena, 2010; Merete Hagen et al., 2008; Nazareth and Choi,
2015; Norman and Yasin, 2013; Trèek, 2003; Yulianto et al., 2016)
technical security (Azuwa et al., 2017; Coronado et al., 2009; Crossler et al., 2013; Dinev et al., 2009;
Fenz et al., 2014; Gao and Zhong, 2015; Gosavi and Bagade, 2015; Hajdarevic et al., 2012; Hedström
et al., 2011; Ifinedo, 2012; Manhart and Thalmann, 2015; Montesdioca and Maçada, 2015; Savola,
2007; Savola and Heinonen, 2011; Soomro et al., 2016; Sowa and Gabriel, 2009; Tu and Yuan, 2014;
Uffen and Breitner, 2013; Vaughn et al., 2003; Veiga and Eloff, 2007; von Solms and von Solms, 2004;
von Solms et al., 1994)
application defect (Geer et al., 2003) application security
application security (Anderson and Moore, 2006; Bayuk, 2013; Dzazali et al., 2009; Fenz et al., 2014;
Goel and Chengalur-Smith, 2010; Hajdarevic and Allen, 2013; Hajdarevic et al., 2012; Joh and Malaiya,
2011; Mazur et al., 2015; Mijnhardt et al., 2016; Muthukrishnan and Palaniappan, 2016; Yeh and
Chang, 2007)
feature security (Ransbotham and Mitra, 2009)
patch coverage (Arora et al., 2010; Bayuk, 2013; Crossler and Belanger, 2012; Geer et al., 2003; Joh and
Malaiya, 2011; Muthukrishnan and Palaniappan, 2016; Pendleton et al., 2017; Ransbotham and Mitra,
2009)
software problem (Gupta and Hammond, 2005)

Table 4
Physical security.

First-order code Second-order code Cluster

physical security (Collier et al., 2016; Dzazali et al., 2009; Ernest Chang and Ho, 2006; Fenz et al., physical security Physical security
2014; Goldstein et al., 2011; Gosavi and Bagade, 2015; Hajdarevic and Allen, 2013; Hajdarevic et al.,
2012; Hong et al., 2003; Kankanhalli et al., 2003; Mazur et al., 2015; Mijnhardt et al., 2016; Narain
Singh et al., 2014; Norman and Yasin, 2013; Pudar et al., 2009; Sowa and Gabriel, 2009; Trèek, 2003;
Tu and Yuan, 2014; von Solms et al., 1994; Wang and Wulf, 1997; Willison and Backhouse, 2006)
physical access (LeMay et al., 2011; Trèek, 2003)
physical environment (Jafari et al., 2010; Smith et al., 2010; Veiga and Eloff, 2007; Yeh and Chang,
2007)
 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747 13

Table 5
Compliance & Policy.
First-order code Second-order code Cluster
organizational compliance (Jean Camp and Wolfram, 2004) policy Compliance &
policy compliance (Crossler et al., 2013; Hall et al., 2011; Hong et al., 2003; Hu et al., 2012; Ifinedo, 2012; Policy
Johnston et al., 2016; Smith et al., 2010; Trèek, 2003)
policy (Abu-Musa, 2010; Alavi et al., 2016; Ashenden, 2008; Bayuk and Mostashari, 2013; Boss et al., 2009;
Cavusoglu et al., 2004; Dzazali et al., 2009; Ernest Chang and Ho, 2006; Goel and Chengalur-Smith, 2010;
Hayden, 2010; Hedström et al., 2011; Herath and Rao, 2009; Herrera, 2005; Hong et al., 2003; Horne et al.,
2017; Idika and Bhargava, 2012; Jafari et al., 2010; Johnson and Goetz, 2007; Katos and Adams, 2005; Knapp
et al., 2009; Kotenko and Bogdanov, 2009; Kotulic and Clark, 2004; Kraemer et al., 2009; Lowry and Moody,
2015a; 2015b; Merete Hagen et al., 2008; Mijnhardt et al., 2016; Mishra and Chasalow, 2011; Montesdioca and
Maçada, 2015; Narain Singh et al., 2014; Nazareth and Choi, 2015; Norman and Yasin, 2013; Ransbotham and
Mitra, 2009; Sharman et al., 2004; Soomro et al., 2016; Straub and Welke, 1998; Tashi and Ghernaouti-Hélie,
2008; Tsiakis and Stephanides, 2005; Tu and Yuan, 2014; Uffen and Breitner, 2013; Vaughn et al., 2003; Veiga
and Eloff, 2007; von Solms and von Solms, 2004; von Solms et al., 1994; Wang et al., 2013; Willison and
Backhouse, 2006; Wood, 1987; Yeh and Chang, 2007)
security compliance (Crossler et al., 2013; Dzazali et al., 2009; Ernest Chang and Ho, 2006; Fenz et al., 2014;
2013; Hayden, 2010; Herath and Rao, 2009; Ifinedo, 2012; Karjalainen and Siponen, 2011; Kraemer et al., 2009;
Lowry and Moody, 2015a; Mijnhardt et al., 2016; Narain Singh et al., 2014; Sharman et al., 2004; Soomro et al.,
2016; Tu and Yuan, 2014; Willison and Backhouse, 2006; Yulianto et al., 2016)
legal requirements (Alavi et al., 2016; Dzazali et al., 2009; Knapp et al., 2009; Kraemer et al., 2009; Manhart and compliance
Thalmann, 2015; Savola and Heinonen, 2011; Sunyaev et al., 2009; Uffen and Breitner, 2013; von Solms and von
Solms, 2004)
law compliance (Hall et al., 2011; Hong et al., 2003; Johnson and Goetz, 2007; Leon and Saxena, 2010; Merete
Hagen et al., 2008; Tariq, 2012; Veiga and Eloff, 2007; Yeh and Chang, 2007)
legislation (Tashi and Ghernaouti-Hélie, 2008; Trèek, 2003)
regulatory requirements (Abu-Musa, 2010; Atoum et al., 2014; Bayuk and Mostashari, 2013; Fenz et al., 2013;
Norman and Yasin, 2013)
regulatory compliance (Horne et al., 2017; Narain Singh et al., 2014)

Table 6
Risk.
First-order code Second-order code Cluster
risk management (Ashenden, 2008; Bayuk and Mostashari, 2013; Bayuk, 2013; Beresnevichiene et al., 2010; risk management Risk
Collier et al., 2016; Coronado et al., 2009; Ernest Chang and Ho, 2006; Fenz et al., 2014; 2013; Gao and Zhong,
2015; Geer et al., 2003; Hajdarevic and Allen, 2013; Hajdarevic et al., 2012; Hall et al., 2011; Horne et al., 2017;
Kotulic and Clark, 2004; Leon and Saxena, 2010; Lowry and Moody, 2015a; Manhart and Thalmann, 2015;
Mazur et al., 2015; Merete Hagen et al., 2008; Mijnhardt et al., 2016; Nazareth and Choi, 2015; NIST, 2008;
Norman and Yasin, 2013; Ransbotham and Mitra, 2009; Savola, 2007; 2009; Savola and Heinonen, 2011; Sowa
and Gabriel, 2009; Straub and Welke, 1998; Tu and Yuan, 2014; von Solms et al., 1994; Wang et al., 2013;
Wilkin and Chenhall, 2010; Yaokumah, 2014; Yeh and Chang, 2007)
risk prevention (Hall et al., 2011; Veiga and Eloff, 2007)
risk tolerance (Liang and Xue, 2009)
risk exposure (Mermigas et al., 2013)
risk prediction (Fenz et al., 2014)
software risk (Boss et al., 2009; Tanna et al., 2005)
system risk (Chai et al., 2011; Pendleton et al., 2017; Willison and Backhouse, 2006)
risk perception (Vance et al., 2014)
risk assessment (Abu-Musa, 2010; Alavi et al., 2016; Azuwa et al., 2017; Cavusoglu et al., 2004; Chai et al., 2011;
Dogaheh, 2010; Fenz et al., 2014; Goldstein et al., 2011; Gonzalez and Sawicka, 2002; Gosavi and Bagade, 2015;
Hayden, 2010; Hong et al., 2003; Jean Camp and Wolfram, 2004; Joh and Malaiya, 2011; Johnson and Goetz,
2007; Knapp et al., 2009; Siponen and Willison, 2009; Straub and Welke, 1998; Sunyaev et al., 2009; Tashi and
Ghernaouti-Hélie, 2008; Veiga and Eloff, 2007; Verendel, 2009; von Solms et al., 1994)
risk analysis (Goel and Chengalur-Smith, 2010; Hua and Bapna, 2013; Kumar et al., 2008; Pudar et al., 2009;
Sunyaev et al., 2009; Tsiakis and Stephanides, 2005; Young et al., 2016; Zobel and Khansa, 2012)
local threats (Willison and Backhouse, 2006) threats
threat impact (Alqahtani, 2015; Holm and Afridi, 2015)
available exploits (Holm and Afridi, 2015; Premaratne et al., 2008)
possible threats (Abu-Musa, 2010; Alqahtani, 2015; Azuwa et al., 2017; Bayuk and Mostashari, 2013; Bayuk, 2013;
Ben-Aissa et al., 2012; Boss et al., 2009; Collier et al., 2016; Coronado et al., 2009; Crossler and Belanger, 2012;
Crossler et al., 2013; Dogaheh, 2010; Fenz et al., 2014; 2013; Gao and Zhong, 2015; Gosavi and Bagade, 2015;
Gupta and Hammond, 2005; Hajdarevic and Allen, 2013; Hajdarevic et al., 2012; Hall et al., 2011; Herath et al.,
2014; Herzog et al., 2007; Hu et al., 2012; Hua and Bapna, 2013; Ifinedo, 2012; Jafari et al., 2010; Johnston
et al., 2016; Jones and Horowitz, 2012; Knapp et al., 2009; Lee and Larsen, 2009; Mazur et al., 2015;
Muthukrishnan and Palaniappan, 2016; Nazareth and Choi, 2015; Norman and Yasin, 2013; Pendleton et al.,
2017; Posey et al., 2015; Purboyo et al., 2011; Sowa and Gabriel, 2009; Sunyaev et al., 2009; Tariq, 2012; Tran
et al., 2016; Trèek, 2003; Tsiakis and Stephanides, 2005; Tu and Yuan, 2014; Uffen and Breitner, 2013; Verendel,
2009; von Solms and van Niekerk, 2013; Young et al., 2016; Zobel and Khansa, 2012)
14 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747

Table 7
Continuity.

First-order code Second-order code Cluster

business continuity (Dzazali et al., 2009; Hong et al., 2003; Horne et al., 2017; Narain Singh business continuity Continuity
et al., 2014; Smith et al., 2010; Sowa and Gabriel, 2009; Tashi and Ghernaouti-Hélie, 2008;
Trèek, 2003; Veiga and Eloff, 2007)
business continuity plan (Ernest Chang and Ho, 2006; Mijnhardt et al., 2016; Tariq, 2012)
resilience (Björck et al., 2015; Collier et al., 2016; Fenz et al., 2013; Johnson and Goetz, 2007; it continuity
Tran et al., 2016; Zalewski et al., 2014; Zobel and Khansa, 2012)
survivability (Katos and Adams, 2005; Vaughn et al., 2003)
contingency plan (Abu-Musa, 2010; von Solms et al., 1994; Wood, 1987)
power failure (Gupta and Hammond, 2005)
acts of god (Björck et al., 2015; Willison and Backhouse, 2006)
natural disaster (Gupta and Hammond, 2005)
restorability (Bayuk and Mostashari, 2013; Boyer and McQueen, 2007) recovery
disaster recovery (Crossler and Belanger, 2012; Hall et al., 2011; Kumar et al., 2008; Savola,
2009; Tariq, 2012; von Solms et al., 1994; Wilkin and Chenhall, 2010)

Table 8
Infrastructure.

First-order code Second-order code Cluster

infrastructure administration (Hua and Bapna, 2013; Savola and Heinonen, 2011; Wood, 1987) infrastructure Infrastructure
secure environment (Abu-Musa, 2010; AlHogail, 2015; Ernest Chang and Ho, 2006; Gonzalez and overview
Sawicka, 2002; Herath and Rao, 2009; Herrera, 2005; Liang and Xue, 2009; Mijnhardt et al., 2016;
Narain Singh et al., 2014; Norman and Yasin, 2013; Posey et al., 2015; Trèek, 2003; von Solms et al.,
1994; Wood, 1987)
infrastructure security (Crossler and Belanger, 2012; Hong et al., 2003; Katos and Adams, 2005; Trèek,
2003)
ict infrastructure (Cavusoglu et al., 2004; Fenz et al., 2013; Horne et al., 2017; Soomro et al., 2016)
equipment (Sharman et al., 2004)
hardware security (Yeh and Chang, 2007)
network security (Azuwa et al., 2017; Bayuk and Mostashari, 2013; Bayuk, 2013; Gosavi and Bagade, network security
2015; Kotenko and Bogdanov, 2009; Mazur et al., 2015)
secure network communication (Azuwa et al., 2017; Fenz et al., 2014; Herzog et al., 2007; Premaratne
et al., 2008; Ransbotham and Mitra, 2009; Smith et al., 2010; Yeh and Chang, 2007)
cryptography (Geer et al., 2003; Herzog et al., 2007; Trèek, 2003; Wang and Wulf, 1997)
encryption (Chai et al., 2011; Gosavi and Bagade, 2015; Gupta and Hammond, 2005; Ifinedo, 2012)
network hardening (Idika and Bhargava, 2012)
secure protocol (Ransbotham and Mitra, 2009)
asset identification (Bayuk and Mostashari, 2013; Ernest Chang and Ho, 2006; Fenz et al., 2014; Jafari asset knowledge
et al., 2010; Merete Hagen et al., 2008; NIST, 2008; Sharman et al., 2004; Trèek, 2003; von Solms and
van Niekerk, 2013)
asset assessment (Boyer and McQueen, 2007; Gao and Zhong, 2015; Hajdarevic et al., 2012; Herzog
et al., 2007; Jafari et al., 2010; Kraemer et al., 2009; Montesdioca and Maçada, 2015; Purboyo et al.,
2011; Smith et al., 2010)
asset management (Crossler et al., 2013; Hall et al., 2011; Hong et al., 2003; Horne et al., 2017;
Ifinedo, 2012; Mijnhardt et al., 2016; Smith et al., 2010; Soomro et al., 2016; Veiga and Eloff, 2007)
asset classification (Narain Singh et al., 2014)
system configuration (Alavi et al., 2016; Bayuk, 2013; Geer et al., 2003; Hua and Bapna, 2013; Jafari system hardening
et al., 2010; Jones and Horowitz, 2012; Kotenko and Bogdanov, 2009; Kraemer et al., 2009; Leon and
Saxena, 2010; Muthukrishnan and Palaniappan, 2016)
system maintenance (Alavi et al., 2016; Ernest Chang and Ho, 2006; Hong et al., 2003; Ifinedo, 2012;
Narain Singh et al., 2014; Nazareth and Choi, 2015; NIST, 2008; Smith et al., 2010; Sowa and Gabriel,
2009; Trèek, 2003; Veiga and Eloff, 2007; Wood, 1987)
system weakness (Goldstein et al., 2011; LeMay et al., 2011; Purboyo et al., 2011; Vaughn et al., 2003)
technology architecture (Björck et al., 2015; Cavusoglu et al., 2004; Johnson and Goetz, 2007; Knapp architectural
et al., 2009; Mijnhardt et al., 2016) factors
firewall architecture (Sharman et al., 2004)
system architecture (Jones and Horowitz, 2012; Soomro et al., 2016; Yeh and Chang, 2007)
connections with public network (Johnson and Goetz, 2007; Sharman et al., 2004) external
access points (NIST, 2008) connections
external system connections (Pudar et al., 2009; von Solms and van Niekerk, 2013)
 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747 15

Table 9
Access control.
First-order code Second-order code Cluster
identity (Gosavi and Bagade, 2015; Mijnhardt et al., 2016; Savola and Heinonen, 2011; Wang and Wulf, 1997) identity Access control
account management (Anderson and Moore, 2006; Osvaldo De Sordi et al., 2014) management access
access control (Abu-Musa, 2010; Azuwa et al., 2017; Bayuk and Mostashari, 2013; Beresnevichiene et al., 2010; control
Boyer and McQueen, 2007; Chai et al., 2011; Crossler and Belanger, 2012; Dhillon and Torkzadeh, 2006;
Dogaheh, 2010; Dzazali et al., 2009; Ernest Chang and Ho, 2006; Geer et al., 2003; Herzog et al., 2007; Holm
and Afridi, 2015; Hong et al., 2003; Ifinedo, 2012; Jafari et al., 2010; Mijnhardt et al., 2016; Narain Singh et al.,
2014; Ransbotham and Mitra, 2009; Trèek, 2003; Veiga and Eloff, 2007; Willison and Backhouse, 2006)
access rights (Sharman et al., 2004)
software access control (LeMay et al., 2011; Smith et al., 2010; Wang and Wulf, 1997)

Table 10
Awareness.
First-order code Second-order code Cluster
personnel security (Ernest Chang and Ho, 2006; Goel and Chengalur-Smith, 2010; Herath and Rao, 2009; awareness Awareness
Herrera, 2005; Kankanhalli et al., 2003; Narain Singh et al., 2014; Ransbotham and Mitra, 2009; Smith
et al., 2010; Sowa and Gabriel, 2009; Trèek, 2003; Uffen and Breitner, 2013; Vaughn et al., 2003; von Solms
and von Solms, 2004; von Solms et al., 1994; Yeh and Chang, 2007)
awareness (Abu-Musa, 2010; Alavi et al., 2016; Alqahtani, 2015; Ashenden, 2008; Atoum et al., 2014;
Coronado et al., 2009; Dhillon and Torkzadeh, 2006; Dinev et al., 2009; Dzazali et al., 2009; Gao and
Zhong, 2015; Hall et al., 2011; Hong et al., 2003; Jafari et al., 2010; Johnson and Goetz, 2007; Kankanhalli
et al., 2003; Karjalainen and Siponen, 2011; Knapp et al., 2009; Kraemer et al., 2009; Manhart and
Thalmann, 2015; Merete Hagen et al., 2008; Narain Singh et al., 2014; Norman and Yasin, 2013; Pendleton
et al., 2017; Sharman et al., 2004; Soomro et al., 2016; Sowa and Gabriel, 2009; Straub and Welke, 1998;
Tran et al., 2016; Tu and Yuan, 2014; Veiga and Eloff, 2007; Velki et al., 2014; von Solms and von Solms,
2004; Wang et al., 2013; Wilkin and Chenhall, 2010; Willison and Backhouse, 2006; Yeh and Chang, 2007;
Zobel and Khansa, 2012)
people (AlHogail, 2015; Gonzalez and Sawicka, 2002; Hall et al., 2011; Horne et al., 2017; Sharman et al.,
2004; Yulianto et al., 2016)
technology awareness (Dinev and Hu, 2007; Herath et al., 2014)
training (AlHogail, 2015; Ashenden, 2008; Dogaheh, 2010; Karjalainen and Siponen, 2011; Lowry and Moody, user knowledge
2015a; Merete Hagen et al., 2008; NIST, 2008; Posey et al., 2015; Sharman et al., 2004; Tran et al., 2016)
skills (Alavi et al., 2016)
user knowledge (Abu-Musa, 2010; Alqahtani, 2015; Fenz et al., 2014; Hajdarevic et al., 2012; Horne et al.,
2017; Johnson and Goetz, 2007; Lowry and Moody, 2015b; Manhart and Thalmann, 2015; Nazareth and
Choi, 2015; Posey et al., 2015; Veiga and Eloff, 2007; Wood, 1987)
education (Kraemer et al., 2009; Willison and Backhouse, 2006)
it competence (Ernest Chang and Ho, 2006; Tu and Yuan, 2014)
user activities (Björck et al., 2015; Geer et al., 2003; Vance et al., 2014) behavior
human interaction (Kotenko and Bogdanov, 2009; Trèek, 2003)
human error (Alavi et al., 2016; Kraemer et al., 2009; Vaughn et al., 2003)
user error (Gupta and Hammond, 2005)
user/human behavior (Boss et al., 2009; Crossler et al., 2013; Dinev et al., 2009; Dinev and Hu, 2007;
Dogaheh, 2010; Gonzalez and Sawicka, 2002; Hedström et al., 2011; Herath and Rao, 2009; Hua and Bapna,
2013; Ifinedo, 2012; Johnston et al., 2016; Karjalainen and Siponen, 2011; Kraemer et al., 2009; Liang and
Xue, 2009; Lowry and Moody, 2015a; Merete Hagen et al., 2008; Montesdioca and Maçada, 2015; Narain
Singh et al., 2014; Soomro et al., 2016; Sowa and Gabriel, 2009; Uffen and Breitner, 2013; Vance et al.,
2014; Veiga and Eloff, 2007; Velki et al., 2014; von Solms and van Niekerk, 2013)
criminal behavior (Kankanhalli et al., 2003)
attack behavior (Gao and Zhong, 2015; Pudar et al., 2009)
ethical dimension (von Solms and von Solms, 2004) ethical factors
work ethic (Dhillon and Torkzadeh, 2006)
ethical environment (Dhillon and Torkzadeh, 2006; Veiga and Eloff, 2007)
work situation (Dhillon and Torkzadeh, 2006)
security culture (Alavi et al., 2016; AlHogail, 2015; Ashenden, 2008; Boss et al., 2009; Collier et al., 2016; culture
Dinev et al., 2009; Herath and Rao, 2009; Hu et al., 2012; Johnson and Goetz, 2007; Knapp et al., 2009;
Kraemer et al., 2009; Merete Hagen et al., 2008; Narain Singh et al., 2014; Norman and Yasin, 2013; Tu and
Yuan, 2014; Veiga and Eloff, 2007)
philosophical culture (Yulianto et al., 2016)
personal privacy (Ben-Aissa et al., 2012; Boss et al., 2009; Coronado et al., 2009; Dhillon and Torkzadeh, personal security
2006; Dogaheh, 2010; Fenz et al., 2013; Savola, 2009; Tariq, 2012; Wilkin and Chenhall, 2010)
trust (Boss et al., 2009; Coronado et al., 2009; Dhillon and Torkzadeh, 2006; Dogaheh, 2010; Dzazali et al.,
2009; Gao and Zhong, 2015; Horne et al., 2017; Johnston et al., 2016; Lowry and Moody, 2015b; Sowa and
Gabriel, 2009; Tariq, 2012; Veiga and Eloff, 2007)
personal needs (Dhillon and Torkzadeh, 2006)
individual belief (Hu et al., 2012)
individual impact (Norman and Yasin, 2013)
usefulness / easy to use (Dinev et al., 2009; Dinev and Hu, 2007; Osvaldo De Sordi et al., 2014) usability
usability (Bayuk, 2013; Dinev and Hu, 2007; Lee and Larsen, 2009; Verendel, 2009)
16 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747

Table 11
CIA.

First-order code Second-order code Cluster

reliability (Ben-Aissa et al., 2012; Savola and Heinonen, 2011; Verendel, 2009; Wang and Wulf, 1997; protection goals CIA
Zalewski et al., 2014)
authenticity (Azuwa et al., 2017; Ben-Aissa et al., 2012; Gosavi and Bagade, 2015; Holm and Afridi,
2015; Jafari et al., 2010; Katos and Adams, 2005; Savola, 2009; Savola and Heinonen, 2011; Trèek,
2003; Tsiakis and Stephanides, 2005; Wang and Wulf, 1997)
accountability (Dhillon and Torkzadeh, 2006; Leon and Saxena, 2010; Wood, 1987)
non-repudiation (Ben-Aissa et al., 2012; Jafari et al., 2010; Purboyo et al., 2011; Savola, 2009; Trèek,
2003; Tsiakis and Stephanides, 2005; Wang and Wulf, 1997)
data integrity (Boyer and McQueen, 2007; Dhillon and Torkzadeh, 2006; Gupta and Hammond, 2005; integrity
Tariq, 2012)
transaction integrity (Gupta and Hammond, 2005)
process/organizational integrity (Dhillon and Torkzadeh, 2006)
integrity (Abu-Musa, 2010; Ashenden, 2008; Bayuk and Mostashari, 2013; Ben-Aissa et al., 2012;
Beresnevichiene et al., 2010; Cavusoglu et al., 2004; Dzazali et al., 2009; Ernest Chang and Ho, 2006;
Goel and Chengalur-Smith, 2010; Goldstein et al., 2011; Hajdarevic and Allen, 2013; Hall et al., 2011;
Hedström et al., 2011; Herath et al., 2014; Holm and Afridi, 2015; Hong et al., 2003; Horne et al.,
2017; Hu et al., 2012; Hua and Bapna, 2013; Jafari et al., 2010; Joh and Malaiya, 2011; Knapp et al.,
2009; Leon and Saxena, 2010; Mijnhardt et al., 2016; Mishra and Chasalow, 2011; Muthukrishnan and
Palaniappan, 2016; Nazareth and Choi, 2015; Posey et al., 2015; Pudar et al., 2009; Purboyo et al.,
2011; Savola, 2009; Savola and Heinonen, 2011; Sowa and Gabriel, 2009; Tariq, 2012; Tashi and
Ghernaouti-Hélie, 2008; Trèek, 2003; Tsiakis and Stephanides, 2005; Tu and Yuan, 2014; Uffen and
Breitner, 2013; von Solms and van Niekerk, 2013; Wang and Wulf, 1997; Wilkin and Chenhall, 2010;
Yaokumah, 2014; Zalewski et al., 2014)
available information (Dhillon and Torkzadeh, 2006) availability
availability (Abu-Musa, 2010; Ashenden, 2008; Bayuk and Mostashari, 2013; Ben-Aissa et al., 2012;
Beresnevichiene et al., 2010; Cavusoglu et al., 2004; Dogaheh, 2010; Dzazali et al., 2009; Ernest Chang
and Ho, 2006; Goel and Chengalur-Smith, 2010; Goldstein et al., 2011; Gupta and Hammond, 2005;
Hajdarevic and Allen, 2013; Hall et al., 2011; Hedström et al., 2011; Herath et al., 2014; Holm and
Afridi, 2015; Horne et al., 2017; Hu et al., 2012; Jafari et al., 2010; Joh and Malaiya, 2011; Knapp
et al., 2009; Kraemer et al., 2009; Leon and Saxena, 2010; Mijnhardt et al., 2016; Mishra and
Chasalow, 2011; Muthukrishnan and Palaniappan, 2016; Nazareth and Choi, 2015; Norman and Yasin,
2013; Posey et al., 2015; Pudar et al., 2009; Purboyo et al., 2011; Savola, 2009; Sowa and Gabriel,
2009; Tashi and Ghernaouti-Hélie, 2008; Tu and Yuan, 2014; Uffen and Breitner, 2013; von Solms and
van Niekerk, 2013; Wang and Wulf, 1997; Zalewski et al., 2014)
confidentiality (Abu-Musa, 2010; Ashenden, 2008; Bayuk and Mostashari, 2013; Ben-Aissa et al., 2012; confidentiality
Beresnevichiene et al., 2010; Cavusoglu et al., 2004; Dogaheh, 2010; Dzazali et al., 2009; Ernest Chang
and Ho, 2006; Goel and Chengalur-Smith, 2010; Goldstein et al., 2011; Hajdarevic and Allen, 2013;
Hall et al., 2011; Hedström et al., 2011; Herath et al., 2014; Holm and Afridi, 2015; Hong et al., 2003;
Horne et al., 2017; Hu et al., 2012; Jafari et al., 2010; Joh and Malaiya, 2011; Knapp et al., 2009; Leon
and Saxena, 2010; Mijnhardt et al., 2016; Mishra and Chasalow, 2011; Muthukrishnan and
Palaniappan, 2016; Nazareth and Choi, 2015; Osvaldo De Sordi et al., 2014; Posey et al., 2015; Pudar
et al., 2009; Purboyo et al., 2011; Savola, 2009; Sowa and Gabriel, 2009; Tashi and Ghernaouti-Hélie,
2008; Trèek, 2003; Tsiakis and Stephanides, 2005; Tu and Yuan, 2014; Uffen and Breitner, 2013; von
Solms and van Niekerk, 2013; Wang and Wulf, 1997; Yaokumah, 2014; Zalewski et al., 2014)

Table 12
Organizational factors.

First-order code Second-order code Cluster

organization size (Coronado et al., 2009; Ernest Chang and Ho, 2006; Kankanhalli et al., 2003; organizational Organizational
Kotulic and Clark, 2004; Lee and Larsen, 2009; Lowry and Moody, 2015b; Narain Singh et al., factors factors
2014; Norman and Yasin, 2013)
organizational factors (AlHogail, 2015; Fenz et al., 2014; Herath and Rao, 2009; Hong et al.,
2003; Kraemer et al., 2009; Leon and Saxena, 2010; Manhart and Thalmann, 2015; Savola,
2007; Soomro et al., 2016; Sowa and Gabriel, 2009; Sunyaev et al., 2009; Trèek, 2003; Tu and
Yuan, 2014; Vaughn et al., 2003; Veiga and Eloff, 2007; von Solms and von Solms, 2004)
organization structure (Abu-Musa, 2010; Atoum et al., 2014; Kotulic and Clark, 2004; Tu and
Yuan, 2014; Yeh and Chang, 2007)
industry type (Coronado et al., 2009; Dzazali et al., 2009; Ernest Chang and Ho, 2006;
Kankanhalli et al., 2003; Narain Singh et al., 2014; Norman and Yasin, 2013; Yeh and Chang,
2007)
external conditions (Sharman et al., 2004) external factor
reputation (Gao and Zhong, 2015; Osvaldo De Sordi et al., 2014; Tu and Yuan, 2014)
 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747 17

Table 13
Security management.

First-order code Second-order code Cluster

countermeasures (measures) (Alavi et al., 2016; Crossler et al., 2013; Fenz et al., 2014; 2013; control Security
Herzog et al., 2007; Kotulic and Clark, 2004; Kumar et al., 2008; Leon and Saxena, 2010; development management
Mermigas et al., 2013; Pendleton et al., 2017; Pudar et al., 2009; Ransbotham and Mitra,
2009; Tashi and Ghernaouti-Hélie, 2008)
security control (Alavi et al., 2016; Ashenden, 2008; Atoum et al., 2014; Azuwa et al., 2017;
Bayuk and Mostashari, 2013; Cavusoglu et al., 2004; Collier et al., 2016; Fenz et al., 2013;
Goldstein et al., 2011; Hajdarevic and Allen, 2013; Hedström et al., 2011; Hong et al., 2003;
Horne et al., 2017; Johnson and Goetz, 2007; Jones and Horowitz, 2012; Knapp et al., 2009;
Leon and Saxena, 2010; Lowry and Moody, 2015a; 2015b; Mazur et al., 2015; Narain Singh
et al., 2014; Savola, 2007; Savola and Heinonen, 2011; Siponen and Willison, 2009; Sowa and
Gabriel, 2009; Sunyaev et al., 2009; Tsiakis and Stephanides, 2005; Young et al., 2016;
Zalewski et al., 2014; Zobel and Khansa, 2012)
control recommendation/implementation (Wood, 1987)
safeguards (Dzazali et al., 2009; Fenz et al., 2014; Ifinedo, 2012; Liang and Xue, 2009; Tashi and
Ghernaouti-Hélie, 2008; Willison and Backhouse, 2006; Yulianto et al., 2016)
incident response (Abu-Musa, 2010; Alavi et al., 2016; Alqahtani, 2015; Bayuk and Mostashari, incident
2013; Hajdarevic et al., 2012; Hall et al., 2011; Ifinedo, 2012; Jafari et al., 2010; Jean Camp management
and Wolfram, 2004; Sowa and Gabriel, 2009; Veiga and Eloff, 2007)
incident handling (Johnson and Goetz, 2007; Sharman et al., 2004)
compromise detection (Boyer and McQueen, 2007; Ransbotham and Mitra, 2009; Savola, 2007)
breach investigation (Wood, 1987)
incident management (Mijnhardt et al., 2016; Muthukrishnan and Palaniappan, 2016; Narain
Singh et al., 2014; Tran et al., 2016)
fraud detection (Goldstein et al., 2011; Tran et al., 2016)
compliance check (Wood, 1987) monitor and check
evaluation (measurement) (Azuwa et al., 2017; Gosavi and Bagade, 2015; Pendleton et al.,
2017; Savola, 2013; Tu and Yuan, 2014; Wood, 1987; Yaokumah, 2014; Zalewski et al., 2014)
surveillance (Sharman et al., 2004)
monitoring (Bayuk and Mostashari, 2013; Mazur et al., 2015; Nazareth and Choi, 2015; Savola,
2013; Sharman et al., 2004)
auditing (Ashenden, 2008; Atoum et al., 2014; Azuwa et al., 2017; Bayuk and Mostashari, 2013;
Jafari et al., 2010; Katos and Adams, 2005; Knapp et al., 2009; Leon and Saxena, 2010; Mishra
and Chasalow, 2011; Narain Singh et al., 2014; Ransbotham and Mitra, 2009; Savola, 2009;
Sharman et al., 2004; Trèek, 2003; von Solms and von Solms, 2004)
certification (Savola, 2007; Sowa and Gabriel, 2009; Veiga and Eloff, 2007; von Solms and von
Solms, 2004)
operational processes (Ashenden, 2008; Hayden, 2010; Jafari et al., 2010; Johnson and Goetz, operational rules
2007; Sowa and Gabriel, 2009; Trèek, 2003)
administrative security (Kankanhalli et al., 2003; Yeh and Chang, 2007)
procedures (Boss et al., 2009; Cavusoglu et al., 2004; Dzazali et al., 2009; Hedström et al., 2011;
Herath and Rao, 2009; Hong et al., 2003; Karjalainen and Siponen, 2011; Kotulic and Clark,
2004; Merete Hagen et al., 2008; Montesdioca and Maçada, 2015; Osvaldo De Sordi et al.,
2014; Tashi and Ghernaouti-Hélie, 2008; Tsiakis and Stephanides, 2005; Veiga and Eloff, 2007)
processes (Abu-Musa, 2010; Bayuk and Mostashari, 2013; Goel and Chengalur-Smith, 2010;
Goldstein et al., 2011; Hajdarevic et al., 2012; Hall et al., 2011; Horne et al., 2017; Kotulic and
Clark, 2004; Mazur et al., 2015; Montesdioca and Maçada, 2015; Norman and Yasin, 2013;
Purboyo et al., 2011; Ransbotham and Mitra, 2009; Tsiakis and Stephanides, 2005; Vaughn
et al., 2003; Yulianto et al., 2016; Zalewski et al., 2014)
operational readiness(Vaughn et al., 2003)
process documentation (Sowa and Gabriel, 2009; Yulianto et al., 2016)
standards (best practices) (Abu-Musa, 2010; Azuwa et al., 2017; Fenz et al., 2013; Goldstein standards
et al., 2011; Hajdarevic and Allen, 2013; Hajdarevic et al., 2012; Knapp et al., 2009; Leon and
Saxena, 2010; Mermigas et al., 2013; Mijnhardt et al., 2016; Norman and Yasin, 2013; Smith
et al., 2010; Sunyaev et al., 2009; Tu and Yuan, 2014; Uffen and Breitner, 2013; von Solms
and von Solms, 2004; Wang et al., 2013; Yulianto et al., 2016)
ISMS (Azuwa et al., 2017; Hajdarevic and Allen, 2013; Hajdarevic et al., 2012; Herrera, 2005;
Mijnhardt et al., 2016; Savola, 2007)
management implementation (Ernest Chang and Ho, 2006)
management system (Ashenden, 2008)
governance (Abu-Musa, 2010; Atoum et al., 2014; Horne et al., 2017; Knapp et al., 2009; Kotulic
and Clark, 2004; Norman and Yasin, 2013; von Solms and von Solms, 2004; Yaokumah, 2014)
communication management (Alavi et al., 2016; AlHogail, 2015; Dhillon and Torkzadeh, 2006; communication
Johnson and Goetz, 2007; Kraemer et al., 2009; Narain Singh et al., 2014; Norman and Yasin,
2013; Smith et al., 2010; Trèek, 2003; Veiga and Eloff, 2007)
security enforcement (Savola, 2009)
deterrence (Johnston et al., 2016; Mishra and Chasalow, 2011)
sanctions (Johnston et al., 2016; Lowry and Moody, 2015b)
responsibility (Abu-Musa, 2010; Dhillon and Torkzadeh, 2006; Dzazali et al., 2009; Horne et al., responsibility
2017; Kraemer et al., 2009; Posey et al., 2015; Sowa and Gabriel, 2009; Wood, 1987)
ownership (AlHogail, 2015; Dhillon and Torkzadeh, 2006; Sharman et al., 2004)
18 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747

Table 14
Resources.

First-order code Second-order code Cluster

cost (Alavi et al., 2016; Arora et al., 2010; Ben-Aissa et al., 2012; Geer et al., 2003; Hayden, 2010; investment balance Resources
Ifinedo, 2012; Jafari et al., 2010; Lee and Larsen, 2009; LeMay et al., 2011; Liang and Xue, 2009;
Mishra and Chasalow, 2011; Nazareth and Choi, 2015; Tariq, 2012; Tashi and Ghernaouti-Hélie,
2008; Verendel, 2009; Zobel and Khansa, 2012)
cost-benefit/effectiveness (Cavusoglu et al., 2004; Gonzalez and Sawicka, 2002; Ransbotham and
Mitra, 2009; Savola, 2007; Sowa and Gabriel, 2009)
possible cost (Trèek, 2003)
ROSI (Alavi et al., 2016; Cavusoglu et al., 2004; Chai et al., 2011; Coronado et al., 2009; Dzazali
et al., 2009; Fenz et al., 2013; Gao and Zhong, 2015; Goldstein et al., 2011; Hayden, 2010; Hua
and Bapna, 2013; Leon and Saxena, 2010; Lowry and Moody, 2015b; Merete Hagen et al., 2008;
Muthukrishnan and Palaniappan, 2016; Nazareth and Choi, 2015; Posey et al., 2015; Pudar et al.,
2009; Tashi and Ghernaouti-Hélie, 2008; Tsiakis and Stephanides, 2005; Veiga and Eloff, 2007;
Wang et al., 2013; Young et al., 2016)
human resources (Atoum et al., 2014; Dhillon and Torkzadeh, 2006; Kankanhalli et al., 2003; human resources
Kraemer et al., 2009; Mijnhardt et al., 2016; Savola, 2007; Soomro et al., 2016; Veiga and Eloff,
2007; Willison and Backhouse, 2006)
financial resources (Kankanhalli et al., 2003; Muthukrishnan and Palaniappan, 2016; Sowa and financial resources
Gabriel, 2009; Tu and Yuan, 2014)
cost control (Anderson and Moore, 2006)
financial aspect (Dogaheh, 2010; Ernest Chang and Ho, 2006)
security budget (Alavi et al., 2016; Beresnevichiene et al., 2010; Horne et al., 2017; Johnson and
Goetz, 2007; Kraemer et al., 2009; Lee and Larsen, 2009; Montesdioca and Maçada, 2015; NIST,
2008; Smith et al., 2010; Willison and Backhouse, 2006)
resource support (Abu-Musa, 2010; AlHogail, 2015; Ransbotham and Mitra, 2009; Sowa and resource strategy
Gabriel, 2009; Vaughn et al., 2003; Wilkin and Chenhall, 2010; Zalewski et al., 2014)
economic factors (Coronado et al., 2009; Fenz et al., 2013; Horne et al., 2017; Hua and Bapna,
2013; Sunyaev et al., 2009; Verendel, 2009)
resource strategy and value delivery (Yaokumah, 2014)

References Boehm, J., Merrath, P., Poppensieker, T., Riemenschnitter, R., Stähle, T., 2017.
Cyber risk measurement and the holistic cybersecurity approach. URL:
https://www.mckinsey.com/business- functions/risk/our- insights/cyber-
Abu-Musa, A., 2010. Information security governance in saudi organizations: an
risk- measurement- and- the- holistic- cybersecurity- approach Last checked:
empirical study. Inf. Manag. Comput. Secur. 18 (4), 226–276. doi:10.1108/
03.12.2018.
09685221011079180.
Bogner, A., Littig, B., Menz, W., 2014. Interviews mit Experten: Eine praxisorientierte
AIS Members, 2011. Senior scholars’ basket of journals. URL: https://aisnet.org/page/
Einführung. Qualitative Sozialforschung. Springer Fachmedien Wiesbaden.
SeniorScholarBasket Last checked: 04.12.2018.
Bortz, J., Döring, N., 1995. Forschungsmethoden und Evaluation. Springer-Lehrbuch,
Alavi, R., Islam, S., Mouratidis, H., 2016. An information security risk-driven invest-
Springer Berlin Heidelberg.
ment model for analysing human factors. Inf. Comput. Secur. 24 (2), 205–227.
Boss, S.R., Kirsch, L.J., Angermeier, I., Shingler, R.A., Boss, R.W., 2009. If someone is
doi:10.1108/ICS- 01- 2016- 0 0 06.
watching, i’ll do what i’m asked: Mandatoriness, control, and information secu-
AlHogail, A., 2015. Design and validation of information security culture framework.
rity. Eur. J. Inf. Syst. 18 (2), 151–164. doi:10.1057/ejis.2009.8.
Comput. Human Behav. 49, 567–575. doi:10.1016/j.chb.2015.03.054.
Boyer, W., McQueen, M., 2007. Ideal based cyber security technical metrics for
Alqahtani, A., 2015. Towards a framework for the potential cyber-terrorist threat to
control systems. In: Critical information infrastructures security, pp. 246–260.
critical national infrastructure. Inf. Comput. Secur. 23 (5), 532–569. doi:10.1108/
doi:10.1007/978- 3- 540- 89173- 421.
ICS- 09- 2014- 0060.
Cavusoglu, H., Mishra, B., Raghunathan, S., 2004. A model for evaluating it security
Anderson, R., Moore, T., 2006. The economics of information security. Science (New
investments. Commun. ACM 47 (7), 87–92. doi:10.1145/1005817.1005828.
York, N.Y.) 314, 610–613. doi:10.1126/science.1130992.
Chai, S., Kim, M., Rao, H.R., 2011. Firms’ information security investment decisions:
Arora, A., Krishnan, R., Telang, R., Yang, Y., 2010. An empirical analysis of software
Stock market evidence of investors’ behavior. Decis. Support Syst. 50 (4), 651–
vendors’ patch release behavior: impact of vulnerability disclosure. Inf. Syst. Res.
661. doi:10.1016/j.dss.2010.08.017.
21 (1), 115–132. doi:10.1287/isre.1080.0226.
Cisco Systems Inc., 2018. Cisco 2018: annual cybersecurity report. Technical Report.
Ashenden, D., 2008. Information security management: a human challenge? Inf. Se-
Cisco Systems Inc.
cur. Tech. Rep. 13 (4), 195–201. doi:10.1016/j.istr.2008.10.006.
Collier, Z.A., Panwar, M., Ganin, A.A., Kott, A., Linkov, I., 2016. Security metrics in
Atoum, I., Otoom, A., Abu Ali, A., 2014. A holistic cyber security implemen-
industrial control systems. In: Colbert, E.J.M., Kott, A. (Eds.), Cyber-Security of
tation framework. Inf. Manag. Comput. Secur. 22 (3), 251–264. doi:10.1108/
SCADA and Other Industrial Control Systems. In: Advances in Information Secu-
IMCS- 02- 2013- 0014.
rity. Springer, Switzerland, pp. 167–185. doi:10.1007/978- 3- 319- 32125- 7_9.
Azuwa, M.P., Sahib, S., Shamsuddin, S., 2017. Technical security metrics model in
Corbin, J., Strauss, A., 1990. Grounded theory research: procedures, canons and
compliance with iso/iec 27001 standard. Int. J. Cyber-Secur. Digital Forens.
evaluative criteria. Zeitschrift für Soziologie 19 (6), 418–427 doi:10.1515/
(IJCSDF) 1 (4), 280–288.
zfsoz- 1990- 0602.
Bayuk, J., Mostashari, A., 2013. Measuring systems security. Syst. Eng. 16 (1), 1–14.
Coronado, A.S., Mahmood, M.A., Pahnila, S., Luciano, E.M., 2009. Measuring effec-
doi:10.1002/sys.21211.
tiveness of information systems security: an empirical research. In: 15th Amer-
Bayuk, J.L., 2013. Security as a theoretical attribute construct. Comput. Secur. 37,
icas Conference on Information Systems, pp. 282–290.
155–175. doi:10.1016/j.cose.2013.03.006.
Crossler, R., Belanger, F., 2012. The quest for complete security protection: an em-
Ben-Aissa, A., Abercrombie, R.K., Sheldon, F.T., Mili, A., 2012. Defining and comput-
pirical analysis of an individual’s 360 degree protection from file and data loss.
ing a value based cyber-security measure. Inf. Syst. e-Business Manag. 10 (4),
In: 18th Americas Conference on Information Systems, pp. 1–6.
433–453. doi:10.1007/s10257- 011- 0177- 1.
Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M., Baskerville, R., 2013.
Beresnevichiene, Y., Pym, D., Shiu, S., 2010. Decision support for systems security in-
Future directions for behavioral information security research. Comput. Secur.
vestment. In: 2010 IEEE/IFIP Network Operations and Management Symposium
32, 90–101. doi:10.1016/j.cose.2012.09.010.
workshops, pp. 118–125. doi:10.1109/NOMSW.2010.5486590.
DeLone, W.H., McLean, E.R., 1992. Information systems success: the quest for the
Bernard, T. S., Cowley, S., 2017. Equifax breach caused by lone employee’s er-
dependent variable. Inf. Syst. Res. 3 (1), 60–95. doi:10.1287/isre.3.1.60.
ror, former c.e.o. says. URL: https://www.nytimes.com/2017/10/03/business/
Dhillon, G., Torkzadeh, G., 2006. Value-focused assessment of information system
equifax- congress- data- breach:html, Last checked: 01.12.2018.
security in organizations. Inf. Syst. J. 16 (3), 293–314. doi:10.1111/j.1365-2575.
Björck, F., Henkel, M., Stirna, J., Zdravkovic, J., 2015. Cyber resilience – fundamentals
20 06.0 0219.x.
for a definition. In: Rocha, A., Correia, A.M., Costanzo, S., Reis, L.P. (Eds.), New
Diesch, R., Pfaff, M., Krcmar, H., 2018. Prerequisite to measure information secu-
Contributions in Information Systems and Technologies. In: Advances in Intel-
rity: a state of the art literature review. In: 4th International Conference on
ligent Systems and Computing, 353. Springer International Publishing, Cham,
pp. 311–316. doi:10.1007/978- 3- 319- 16486- 1_31.
 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747 19

Information Systems Security and Privacy (ICISSP), pp. 207–215. doi:10.5220/ Hua, J., Bapna, S., 2013. The economic impact of cyber terrorism. J. Strateg. Inf. Syst.
0 0 06545602070215. 22 (2), 175–186. doi:10.1016/j.jsis.2012.10.004.
Dinev, T., Goo, J., Hu, Q., Nam, K., 2009. User behaviour towards protective infor- Idika, N., Bhargava, B., 2012. Extending attack graph-based security metrics and ag-
mation technologies: the role of national cultural differences. Inf. Syst. J. 19 (4), gregating their application. IEEE Trans. Depend. Secure Comput. 9 (1), 75–85.
391–412. doi:10.1111/j.1365-2575.20 07.0 0289.x. doi:10.1109/TDSC.2010.61.
Dinev, T., Hu, Q., 2007. The centrality of awareness in the formation of user behav- Ifinedo, P., 2012. Understanding information systems security policy compliance: an
ioral intention toward protective information technologies. J. Assoc. Inf. Syst. 8 integration of the theory of planned behavior and the protection motivation
(7), 386–408. theory. Comput. Secur. 31 (1), 83–95. doi:10.1016/j.cose.2011.10.007.
Dogaheh, M.A., 2010. Introducing a framework for security measurements. In: ISACA, 2012. COBIT 5: A Business Framework for the Governance and Management
IEEE International Conference on Information Theory and Information Security, of Enterprise IT. ISACA.
pp. 638–641. doi:10.1109/ICITIS.2010.5689505. ISF, 2018. Standard of good practice for information security. Technical Report. In-
Dzazali, S., Sulaiman, A., Zolait, A.H., 2009. Information security landscape and ma- formation Security Forum Limited. (ISF).
turity level: case study of malaysian public service (mps) organizations. Gov. Inf. ISO/IEC, 2018. ISO/IEC 270 0 0:2018(E): Information technology - Security techniques
Q. 26 (4), 584–593. doi:10.1016/j.giq.20 09.04.0 04. - Information security management systems - Overview and vocabulary. Stan-
Ernest Chang, S., Ho, C.B., 2006. Organizational factors to the effectiveness of im- dard. ISO/IEC, Switzerland.
plementing information security management. Indus. Manag. Data Syst. 106 (3), Jafari, S., Mtenzi, F., Fitzpatrick, R., O’Shea, B., 2010. Security metrics for e-health-
345–361. doi:10.1108/02635570610653498. care information systems: a domain specific metrics approach. Int. J. Digital Soc.
Fenz, S., Heurix, J., Neubauer, T., Pechstein, F., 2014. Current challenges in infor- (IJDS) 1 (4), 238–245.
mation security risk management. Inf. Manag. Comput. Secur. 22 (5), 410–430. Jean Camp, L., Wolfram, C., 2004. Pricing security: vulnerabilities as externalities.
doi:10.1108/IMCS- 07- 2013- 0053. Econ. Inf. Secur. 12, 17–34. doi:10.1007/1- 4020- 8090- 5_2.
Fenz, S., Neubauer, T., Accorsi, R., Koslowski, T., 2013. Forisk: formalizing information Joh, H., Malaiya, Y.K., 2011. Defining and assessing quantitative security risk mea-
security risk and compliance management. In: 43rd Annual IEEE/IFIP Conference sures using vulnerability lifecycle and cvss metrics. In: The 2011 International
on Dependable Systems and Networks Workshop, pp. 1–4. doi:10.1109/DSNW. Conference on Security and Management, pp. 10–16.
2013.6615533. Johnson, M.E., Goetz, E., 2007. Embedding information security into the organiza-
Gao, X., Zhong, W., 2015. Information security investment for competitive firms with tion. IEEE Secur. Privacy Mag. 5 (3), 16–24. doi:10.1109/MSP.2007.59.
hacker behavior and security requirements. Annal. Oper. Res. 235 (1), 277–300. Johnston, A.C., Warkentin, M., McBride, M., Carter, L., 2016. Dispositional and situ-
doi:10.1007/s10479-015-1925-2. ational factors: influences on information security policy violations. Eur. J. Inf.
Geer, D., Hoo, K.S., Jaquith, A., 2003. Information security: why the future belongs Syst. 25 (3), 231–251. doi:10.1057/ejis.2015.15.
to the quants. IEEE Secur. Privacy Mag. 1 (4), 24–32. doi:10.1109/MSECP.2003. Jones, R.A., Horowitz, B., 2012. A system-aware cyber security architecture. Syst. Eng.
1219053. 15 (2), 225–240. doi:10.1002/sys.21206.
Glaser, B.G., Strauss, A.L., 1967. The discovery of grounded theory: strategies for Kankanhalli, A., Teo, H.-H., Tan, B.C., Wei, K.-K., 2003. An integrative study of in-
qualitative research. AldineTransaction, New Brunswick. formation systems security effectiveness. Int. J. Inf. Manag. 23 (2), 139–154.
Goel, S., Chengalur-Smith, I.N., 2010. Metrics for characterizing the form of security doi:10.1016/S0268-4012(02)00105-6.
policies. J. Strategic Inf. Syst. 19 (4), 281–295. doi:10.1016/j.jsis.2010.10.002. Karjalainen, M., Siponen, M., 2011. Toward a new meta-theory for designing in-
Goldstein, J., Chernobai, A., Benaroch, M., 2011. An event study analysis of the eco- formation systems (is) security training approaches. J. Assoc. Inf. Syst. 12 (8),
nomic impact of it operational risk and its subcategories. J. Assoc. Inf. Syst. 11 518–555.
(9), 606–631. Katos, V., Adams, C., 2005. Modelling corporate wireless security and privacy. J.
Gonzalez, J.J., Sawicka, A., 2002. A framework for human factors in information se- Strateg. Inf. Syst. 14 (3), 307–321. doi:10.1016/j.jsis.20 05.07.0 06.
curity. In: 2002 WSEAS International Conference on Information Security, Hard- Knapp, K., Marshall, T., Rainer, R.K., Morrow, D., 2006. The top information security
ware/Software Codesign, E-Commerce and Computer Networks, pp. 1871–1877. issues facing organizations: what can government do to help? Inf. Syst. Secur.
Gosavi, H.R., Bagade, A.M., 2015. A review on zero day attack safety using different 15 (4), 51–58. doi:10.1201/1086.1065898X/46353.15.4.20060901/95124.6.
scenarios. Eur. J. Adv. Eng. Technol. 2 (1), 30–34. Knapp, K.J., Franklin Morris, R., Marshall, T.E., Byrd, T.A., 2009. Information security
Gupta, A., Hammond, R., 2005. Information systems security issues and decisions policy: an organizational-level process model. Comput. Secur. 28 (7), 493–508.
for small businesses. Inf. Manag. Comput. Secur. 13 (4), 297–310. doi:10.1108/ doi:10.1016/j.cose.20 09.07.0 01.
09685220510614425. Kotenko, I., Bogdanov, V., 2009. Proactive monitoring of security policy accomplish-
Hajdarevic, K., Allen, P., 2013. A new method for the identification of proactive in- ment in computer networks. In: Proceedings of the 5th IEEE International Work-
formation security management system metrics. In: 36th International Conven- shop on Intelligent Data Acquisition and Advanced Computing Systems, Tech-
tion on Information & Communication Technology, Electronics & Microelectron- nology and Applications, pp. 364–369. doi:10.1109/IDAACS.2009.5342961.
ics, pp. 1121–1126. Kotulic, A.G., Clark, J.G., 2004. Why there aren’t more information security research
Hajdarevic, K., Pattinson, C., Kozaric, K., Hadzic, A., 2012. Information security mea- studies. Inf. Manag. 41 (5), 597–607. doi:10.1016/j.im.20 03.08.0 01.
surement infrastructure for kpi visualization. In: Proceedings of the 35th Inter- Kraemer, S., Carayon, P., Clem, J., 2009. Human and organizational factors in com-
national Convention MIPRO, pp. 1543–1548. puter and information security: pathways to vulnerabilities. Comput. Secur. 28
Hall, J.H., Sarkani, S., Mazzuchi, T.A., 2011. Impacts of organizational capabilities in (7), 509–520. doi:10.1016/j.cose.20 09.04.0 06.
information security. Inf. Manag. Comput. Secur. 19 (3), 155–176. doi:10.1108/ Kumar, R.L., Park, S., Subramaniam, C., 2008. Understanding the value of counter-
09685221111153546. measure portfolios in information systems security. J. Manag. Inf. Syst. 25 (2),
Hayden, L., 2010. IT security metrics: a practical framework for measuring security 241–280. doi:10.2753/MIS0742-1222250210.
& protecting data. McGraw Hill, New York. Lee, C.H., Geng, X., Raghunathan, S., 2016. Mandatory standards and organizational
Hedström, K., Kolkowska, E., Karlsson, F., Allen, J.P., 2011. Value conflicts for infor- information security. Inf. Syst. Res. 27 (1), 70–86. doi:10.1287/isre.2015.0607.
mation security management. J. Strateg. Inf. Syst. 20 (4), 373–384. doi:10.1016/ Lee, Y., Larsen, K.R., 2009. Threat or coping appraisal: determinants of smb execu-
j.jsis.2011.06.001. tives’ decision to adopt anti-malware software. Eur. J. Inf. Syst. 18 (2), 177–187.
Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J., Rao, H.R., 2014. Security services doi:10.1057/ejis.2009.11.
as coping mechanisms: an investigation into user intention to adopt an email LeMay, E., Ford, M.D., Keefe, K., Sanders, W.H., Muehrcke, C., 2011. Model-based
authentication service. Inf. Syst. J. 24 (1), 61–84. doi:10.1111/j.1365-2575.2012. security metrics using adversary view security evaluation (advise). In: Eighth
00420.x. International Conference on Quantitative Evaluation of SysTems, pp. 191–200.
Herath, T., Rao, H.R., 2009. Protection motivation and deterrence: a framework for doi:10.1109/QEST.2011.34.
security policy compliance in organisations. Eur. J. Inf. Syst. 18 (2), 106–125. Leon, P.G., Saxena, A., 2010. An approach to quantitatively measure information se-
doi:10.1057/ejis.2009.6. curity. In: 3rd India Software Engineering Conference.
Herrera, S., 2005. Information security management metrics development. In: 39th Liang, H., Xue, Y., 2009. Avoidance of information technology threats: a theoretical
Annual 2005 International Carnahan Conference on Security Technology, pp. 51– perspective. MIS Q. 33 (1), 71–90.
56. doi:10.1109/CCST.2005.1594818. Lowry, P.B., Moody, G.D., 2015. Proposing the control-reactance compliance model
Herzog, A., Shahmehri, N., Duma, C., 2007. An ontology of information security. Int. (crcm) to explain opposing motivations to comply with organisational informa-
J. Inf. Secur. Privacy 1 (4), 1–23. doi:10.4018/jisp.2007100101. tion security policies. Inf. Syst. J. 25 (5), 433–463. doi:10.1111/isj.12043.
Holm, H., Afridi, K.K., 2015. An expert-based investigation of the common vulnera- Lowry, P.B., Moody, G.D., 2015. Proposing the control-reactance compliance model
bility scoring system. Comput. Secur. 53, 18–30. doi:10.1016/j.cose.2015.04.012. (crcm) to explain opposing motivations to comply with organisational informa-
Höne, K., Eloff, J., 2002. Information security policy — what do international in- tion security policies. Inf. Syst. J. 25 (5), 433–463. doi:10.1111/isj.12043.
formation security standards say? Comput. Secur. 21 (5), 402–409. doi:10.1016/ Manhart, M., Thalmann, S., 2015. Protecting organizational knowledge: a struc-
S0167-4048(02)00504-7. tured literature review. J. Know. Manag. 19 (2), 190–211. doi:10.1108/
Hong, K.-S., Chi, Y.-P., Chao, L.R., Tang, J.-H., 2003. An integrated system theory of JKM- 05- 2014- 0198.
information security management. Inf. Manag. Comput. Secur. 11 (5), 243–248. May, T.A., 1997. The death of roi: re–thinking it value measurement. Inf. Manag.
doi:10.1108/09685220310500153. Comput. Secur. 5 (3), 90–92. doi:10.1108/09685229710175756.
Horne, C.A., Maynard, S.B., Ahmad, A., 2017. Information security strategy in organi- Mayring, P., 2015. Qualitative Inhaltsanalyse: Grundlagen und Techniken. Beltz Päd-
sations: review, discussion and future research. Aust. J. Inf. Syst. 21. doi:10.3127/ agogik. Beltz.
ajis.v21i0.1427. Mazur, K., Ksiezopolski, B., Kotulski, Z., 2015. The robust measurement method for
Hu, Q., Dinev, T., Hart, P., Cooke, D., 2012. Managing employee compliance with in- security metrics generation. Comput. J. 58 (10), 2280–2296. doi:10.1093/comjnl/
formation security policies: the critical role of top management and organiza- bxu100.
tional culture. Decis. Sci. 43 (4), 615–660. doi:10.1111/j.1540-5915.2012.00361.x.
20 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747

Merete Hagen, J., Albrechtsen, E., Hovden, J., 2008. Implementation and effectiveness Soomro, Z.A., Shah, M.H., Ahmed, J., 2016. Information security management needs
of organizational information security measures. Inf. Manag. Comput. Secur. 16 more holistic approach: a literature review. Int. J. Inf. Manag. 36 (2), 215–225.
(4), 377–397. doi:10.1108/09685220810908796. doi:10.1016/j.ijinfomgt.2015.11.009.
Mermigas, D., Patsakis, C., Pirounias, S., 2013. Quantification of information systems Sowa, S., Gabriel, R., 2009. Multidimensional management of information security:
security with stochastic calculus. In: Proceedings of the Eighth Annual Cyber a metrics based approach merging business and information security topics. In:
Security and Information Intelligence Research Workshop, pp. 1–9. doi:10.1145/ International Conference on Availability, Reliability and Security. IEEE, pp. 750–
2459976.2460030. 755. doi:10.1109/ARES.2009.26.
Mijnhardt, F., Baars, T., Spruit, M., 2016. Organizational characteristics influencing Straub, D.W., Welke, R.J., 1998. Coping with systems risk: security planning models
sme information security maturity. J. Comput. Inf. Syst. 56 (2), 106–115. doi:10. for management decision making. MIS Q. 22 (4), 441. doi:10.2307/249551.
1080/08874417.2016.1117369. Sunyaev, A., Tremmel, F., Mauro, C., LeimeisterJ. M. & Krcmar, H., 2009. A re-clas-
Mishra, S., Chasalow, L., 2011. Information security effectiveness: a research frame- sification of is security analysis approaches. In: 15th Americas Conference on
work. Iss. Inf. Syst. 7 (1), 246–255. Information Systems, pp. 1–10.
Montesdioca, G.P.Z., Maçada, A.C.G., 2015. Measuring user satisfaction with informa- Tanna, G.B., Gupta, M., Rao, H.R., Upadhyaya, S., 2005. Information assurance metric
tion security practices. Comput. Secur. 48, 267–280. doi:10.1016/j.cose.2014.10. development framework for electronic bill presentment and payment systems
015. using transaction and workflow analysis. Decis. Support Syst. 41 (1), 242–261.
Muthukrishnan, S.M., Palaniappan, S., 2016. Security metrics maturity model for op- doi:10.1016/j.dss.2004.06.013.
erational security. In: IEEE Symposium on Computer Applications and Industrial Tariq, M.I., 2012. Towards information security metrics framework for cloud com-
Electronics, pp. 101–106. doi:10.1109/ISCAIE.2016.7575045. puting. Int. J. Cloud Comput. Serv. Sci. (IJ-CLOSER) 1 (4). doi:10.11591/closer.
Narain Singh, A., Gupta, M.P., Ojha, A., 2014. Identifying factors of “organizational in- v1i4.1442.
formation security management”. J. Enterp. Inf. Manag. 27 (5), 644–667. doi:10. Tashi, I., Ghernaouti-Hélie, S., 2008. Efficient security measurements and metrics for
1108/JEIM- 07- 2013- 0052. risk assessment. In: The Third International Conference on Internet Monitoring
Nazareth, D.L., Choi, J., 2015. A system dynamics model for information security and Protection, pp. 131–138. doi:10.1109/ICIMP.2008.34.
management. Inf. Manag. 52 (1), 123–134. doi:10.1016/j.im.2014.10.009. Thycopic Software Ltd., 2017. The 2017 state of cybersecurity metrics annual report.
NIST, 2008. NIST SP 800-55r1: performance measurement guide for information se- Technical Report. Thycopic Software Ltd.
curity. Technical Report. National Institute of Standards and Technology. Tran, H., Campos-Nanez, E., Fomin, P., Wasek, J., 2016. Cyber resilience recovery
NIST, 2013. NISTIR 7298r2: glossary of key information security terms. Technical model to combat zero-day malware attacks. Comput. Secur. 61, 19–31. doi:10.
Report. National Institute of Standards and Technology. 1016/j.cose.2016.05.001.
NIST, 2015. NIST SP 800-30r1: risk management guide for information technology Trèek, D., 2003. An integral framework for information systems security manage-
systems. Technical Report. National Institute of Standards and Technology. ment. Comput. Secur. 22 (4), 337–360. doi:10.1016/S0167-4048(03)00413-9.
NIST, 2018. NIST SP 800-37r2: risk management framework for information systems Tsiakis, T., Stephanides, G., 2005. The economic approach of information security.
and organizations. Technical Report. National Institute of Standards and Tech- Comput. Secur. 24 (2), 105–108. doi:10.1016/j.cose.20 05.02.0 01.
nology. Tu, C.Z., Yuan, Y., Archer, N., Connelly, C.E., 2018. Strategic value alignment for in-
NIST, 2018b. Nist special publication 800-series general information. URL: https: formation security management: a critical success factor analysis. Inf. Comput.
//www.nist.gov/itl/nist- special- publication- 800- series- general- information Last Secur. 26 (2), 150–170. doi:10.1108/ICS- 06- 2017- 0042.
checked: 07.05.2019. Tu, Z., Yuan, Y., 2014. Critical success factors analysis on effective information se-
Norman, A.A., Yasin, N.M., 2013. Information systems security management (issm) curity management: a literature review. In: 20th Americas Conference on Infor-
success factor: retrospection from the scholars. African J. Bus. Manag. 7 (27), mation Systems, pp. 1874–1886.
2646–2656. doi:10.5897/AJBM11.2479. Uffen, J., Breitner, M.H., 2013. Management of technical security measures: an em-
Osvaldo De Sordi, J., Meireles, M., Carvalho de Azevedo, M., 2014. Information se- pirical examination of personality traits and behavioral intentions. In: 46th
lection by managers: priorities and values attributed to the dimensions of in- Hawaii International Conference on System Sciences, pp. 4551–4560. doi:10.
formation. Online Inf. Rev. 38 (5), 661–679. doi:10.1108/OIR- 01- 2014- 0 0 06. 1109/HICSS.2013.388.
Pendleton, M., Garcia-Lebron, R., Cho, J.-H., Xu, S., 2017. A survey on systems secu- Vance, A., Eargle, D., Anderson, B.B., Kirwan, C.B., 2014. Using measures of risk
rity metrics. ACM Comput. Surv. 49 (4), 1–35. doi:10.1145/3005714. perception to predict information security behavior: insights from electroen-
Ponemon Institute LLC, 2018. 2018 cost of a data breach study: global overview. cephalography (eeg). J. Assoc. Inf. Syst. 15, 679–722.
Technical Report. Ponemon Institute LLC. Vaughn, R.B., Henning, R., Siraj, A., 2003. Information assurance measures and met-
Posey, C., Roberts, T.L., Lowry, P.B., 2015. The impact of organizational commitment rics - state of practice and proposed taxonomy. In: Proceedings of the 36th
on insiders’ motivation to protect organizational information assets. J. Manag. Annual Hawaii International Conference on System Sciences doi:10.1109/HICSS.
Inf. Syst. 32 (4), 179–214. doi:10.1080/07421222.2015.1138374. 2003.1174904.
Premaratne, U., Samarabandu, J., Sidhu, T., Beresh, B., Tan, J.-C., 2008. Application Veiga, A.D., Eloff, J.H.P., 2007. An information security governance framework. Inf.
of security metrics in auditing computer network security: acase study. In: Syst. Manag. 24 (4), 361–372. doi:10.1080/10580530701586136.
4th International Conference on Information and Automation for Sustainability, Velki, T., Solic, K., Ocevcic, H., 2014. Development of users’ information security
pp. 200–205. doi:10.1109/ICIAFS.2008.4783996. awareness questionnaire (uisaq) – ongoing work. In: 37th International Conven-
Pudar, S., Manimaran, G., Liu, C.-C., 2009. Penet: a practical method and tool for tion on Information and Communication Technology, Electronics and Microelec-
integrated modeling of security attacks and countermeasures. Comput. Secur. tronics (MIPRO), pp. 1417–1421. doi:10.1109/MIPRO.2014.6859789.
28 (8), 754–771. doi:10.1016/j.cose.20 09.05.0 07. Verendel, V., 2009. Quantified security is a weak hypothesis: a critical survey of
Purboyo, T.W., Rahardjo, B., Kuspriyanto, 2011. Security metrics: a brief survey. results and assumptions. In: Proceedings of the 2009 workshop on New security
In: 2011 2nd International Conference on Instrumentation, Communications, paradigms workshop, pp. 37–50. doi:10.1145/1719030.1719036.
Information Technology and Biomedical Engineering, pp. 79–82. doi:10.1109/ von Solms, B., von Solms, R., 2004. The 10 deadly sins of information security man-
ICICI-BME.2011.6108598. agement. Comput. Secur. 23 (5), 371–376. doi:10.1016/j.cose.20 04.05.0 02.
Ransbotham, S., Mitra, S., 2009. Choice and chance: a conceptual model of paths to von Solms, R., van der Haar, H., von Solms, S.H., Caelli, W.J., 1994. A framework
information security compromise. Inf. Syst. Res. 20 (1), 121–139. doi:10.1287/ for information security evaluation. Inf. Manag. 26 (3), 143–153. doi:10.1016/
isre.1080.0174. 0378- 7206(94)90038- 8.
Savola, R., 2007. Towards a security metrics taxonomy for the information and com- von Solms, R., van Niekerk, J., 2013. From information security to cyber security.
munication technology industry. In: International Conference on Software Engi- Comput. Secur. 38, 97–102. doi:10.1016/j.cose.2013.04.004.
neering Advances (ICSEA), p. 60. doi:10.1109/ICSEA.2007.79. Wang, C., Wulf, W.A., 1997. Towards a framework for security measurement. In: 20th
Savola, R.M., 2009. A security metrics taxonomization model for software-intensive National Information Systems Security Conference, pp. 522–533.
systems. J. Inf. Process. Syst. 5 (4), 197–206. doi:10.3745/JIPS.2009.5.4.197. Wang, T., Kannan, K.N., Ulmer, J.R., 2013. The association between the disclosure
Savola, R.M., 2013. Quality of security metrics and measurements. Comput. Secur. and the realization of information security risk factors. Inf. Syst. Res. 24 (2),
37, 78–90. doi:10.1016/j.cose.2013.05.002. 201–218. doi:10.1287/isre.1120.0437.
Savola, R.M., Heinonen, P., 2011. A visualization and modeling tool for security met- Webster, J., Watson, R.T., 2002. Analyzing the past to prepare for the future: writing
rics and measurements management. In: 2011 Information Security for South a literature review. MIS Q. 26 (2), xiii–xxiii.
Africa, pp. 1–8. doi:10.1109/ISSA.2011.6027518. Wilkin, C.L., Chenhall, R.H., 2010. A review of it governance: a taxonomy to in-
Sharman, R., Rao, R., Upadhyaya, S., 2004. Metrics for information security: form accounting information systems. J. Inf. Syst. 24 (2), 107–146. doi:10.2308/
a literature review. In: 10th Americas Conference on Information Systems, jis.2010.24.2.107.
pp. 1437–1440. Willison, R., Backhouse, J., 2006. Opportunities for computer crime: considering sys-
Silic, M., Back, A., 2014. Information security: critical review and future direc- tems risk from a criminological perspective. Eur. J. Inf. Syst. 15 (4), 403–414.
tions for research. Inf. Manag. Comput. Secur. 22 (3), 279–308. doi:10.1108/ doi:10.1057/palgrave.ejis.30 0 0592.
IMCS- 05- 2013- 0041. Wolfswinkel, J.F., Furtmueller, E., Wilderom, C.P.M., 2013. Using grounded theory
Siponen, M., Willison, R., 2009. Information security management standards: prob- as a method for rigorously reviewing literature. Eur. J. Inf. Syst. 22 (1), 45–55.
lems and solutions. Inf. Manag. 46 (5), 267–270. doi:10.1016/j.im.20 08.12.0 07. doi:10.1057/ejis.2011.51.
SJR, 2018. Sjr: Scientific journal rankings. URL: https://www.scimagojr.com/ Wood, C.C., 1987. Information systems security: management success factors. Com-
journalrank.php Last checked: 04.12.2018. put. Secur. 6 (4), 314–320. doi:10.1016/0167-4048(87)90066-6.
Smith, S., Winchester, D., Bunker, D., Jaimeson, R., 2010. Circuits of power: a study Yaokumah, W., 2014. Information security governance implementation within
of mandated compliance to an information systems security de jure standard in ghanaian industry sectors. Inf. Manag. Comput. Secur. 22 (3), 235–250. doi:10.
a government organization. MIS Q. 34 (3), 463–486. 1108/IMCS- 06- 2013- 0044.
 R. Diesch, M. Pfaff and H. Krcmar / Computers & Security 92 (2020) 101747 21

Yeh, Q.-J., Chang, A.J.-T., 2007. Threats and countermeasures for information system rently doing his Ph.D. in Business Informatics at the Technical University of Munich
security: a cross-industry study. Inf. Manag. 44 (5), 480–491. doi:10.1016/j.im. on the Cair of Information Systems. His research interest includes information se-
20 07.05.0 03. curity management, security measurement and information management.
Young, D., Lopez, J., Rice, M., Ramsey, B., McTasney, R., 2016. A framework for in-
corporating insurance in critical infrastructure cyber risk strategies. Int. J. Crit. Matthias Pfaff received his PhD degree (Dr. rer nat.) in 2018 from the Technical
Infrastruct. Protect. 14, 43–57. doi:10.1016/j.ijcip.2016.04.001. University of Munich in the topic of semantic data integration. He previously stud-
Yulianto, S., Lim, C., Soewito, B., 2016. Information security maturity model: a best ied computer science at the Goethe University Frankfurt (degree Dipl.-Inf). Since
practice driven approach to pci dss compliance. In: 2016 IEEE Region 10 Sym- 2011 he is working at fortiss, he heads the competence field ǣbusiness model &
posium, pp. 65–70. doi:10.1109/TENCONSpring.2016.7519379. service engineeringǥ (BM&SE) and is responsible for the fortiss Application Center
Zalewski, J., Drager, S., McKeever, W., Kornecki, A.J., 2014. Measuring security: a for AI. His research interests include semantic technologies for data integration and
challenge for the generation. In: 2014 Federated Conference on Computer Sci- ontologies especially for business applications.
ence and Information Systems, pp. 131–140. doi:10.15439/2014F490.
Zobel, C.W., Khansa, L., 2012. Quantifying cyberinfrastructure resilience against
multi-event attacks. Decis. Sci. 43 (4), 687–710. doi:10.1111/j.1540-5915.2012. Helmut Krcmar studied business management in Saarbrÿucken and obtained his
00364.x. doctorate in 1983. He worked as a postdoctoral fellow at the IBM Los Angeles Sci-
entific Center and as assistant professor of information systems at the New York
University and the City University of New York. Since 2002 he holds the Chair for
Rainer Diesch received the degree of M.Sc. from the Ludwig-Maximilians-University
Information Systems at the Technical University of Munich. From 2010 to 2013, he
of Munich, 2016. At present, he is a member of a research team at the fortiss GmbH,
served as Dean of the Faculty of Computer Science.
an affiliated institute of the Technical University of Munich. Rainer Diesch is cur-