This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
IEEE TRANSACTIONS ON ENGINEERING MANAGEMENT 1
Exploring the Adoption of the International Information Security Management System Standard ISO/IEC 27001: A Web Mining-Based Analysis
Mona Mirtsch, Jan Kinne, and Knut Blind
Abstract—In the light of digitalization and recent EU policy initiatives, information is an important asset that organizations of all sizes and from all sectors should secure. However, in order to provide common requirements for the implementation of an information security management system, the internationally well-accepted ISO/IEC 27001 standard has not shown the expected growth rate since its publication more than a decade ago. In this article, we apply web mining to explore the adoption of ISO/IEC 27001 through a series of 2664 out of more than 900 000 German firms from the Mannheim Enterprise Panel dataset that refers to this standard on their websites. As a result, we present a “landscape” of ISO/IEC 27001 in Germany, which shows that firms not only seek certifications themselves but often refer on their websites to partners who are certified instead. Consequently, we estimate a probit model and find that larger and more innovative firms are more likely to be certified to ISO/IEC 27001 and that almost half of all certified firms belong to the information and communications technology (ICT) service sector. Based on our findings, we derive implications for policy makers and management and critically assess the suitability of web mining to explore the adoption of management system standards.
Index Terms—Adoption, information security, management system standards, standards, web mining.
I. INTRODUCTION
IN ADDITION to the advantages of digitalization, the growing connectivity also entails risk with regard to information security [1]–[3]. Security breaches have, therefore, become a global concern, with a value at risk arising from direct and indirect attacks of USD 5.2 trillion between 2019 and 2023 [4]. To achieve information security and reduce the risk of security breaches, organizations must take appropriate measures to protect their information assets and ensure business continuity [5]. The international management system standard ISO/IEC 27001 assists organizations in developing and maintaining an information security management system (ISMS) on the organizational level [6] and “remains one of the most effective risk management tools for fighting off the billions of attacks that occur each year” [1].
Manuscript received September 2, 2019; revised December 20, 2019; accepted January 29, 2020. This work was supported in part by the European Commission under Grant Agreement 778420—EURITO and in part by the German Federal Ministry of Education and Research project TOBI under Grant 16IFI001. Review of this manuscript was arranged by Department Editor E. Viardot. (Corresponding author: Mona Mirtsch.)
Mona Mirtsch is with the Bundesanstalt für Materialforschung und -prüfung (Federal Institute for Materials Research and Testing—BAM), 12489 Berlin, Germany, and also with the Technische Universität Berlin, 10587 Berlin, Germany (e-mail: mona.mirtsch@bam.de).
Jan Kinne is with the ZEW—Leibniz Centre for European Economic Research, 68161 Mannheim, Germany, and with the istari.ai UG (haftungsbeschränkt), 68199 Mannheim, Germany, and also with the Department of Geoinformatics—Z_GIS, University of Salzburg, 5020 Salzburg, Austria (e-mail: jan.kinne@zew.de).
Knut Blind is with the Fraunhofer Institute of Systems and Innovation Research, 76139 Karlsruhe, Germany, and also with the Chair of Innovation Economics, Technische Universität Berlin, 10587 Berlin, Germany (e-mail: knut.blind@tu-berlin.de).
Digital Object Identifier 10.1109/TEM.2020.2977815
After implementing this management system, firms can additionally seek certification to ISO/IEC 27001 to provide confidence to stakeholders that risks are adequately managed [7]. Certification against (preferably international) standards, such as ISO/IEC 27001, is increasingly moving into the focus of policy makers in the light of recent European initiatives. While the Directive on security of network and information systems (NIS-Directive EU 2016/1148) targets operators of essential services in critical infrastructures and digital service providers, the Regulation on information and communications technology (ICT) cybersecurity certification (EU 2019/881 - Cybersecurity Act) sets up a European cybersecurity certification framework for ICT products, ICT services, and ICT processes.
However, apart from the number of valid certificates, which are published in the context of the annual ISO Survey (2018), surprisingly little is known about the adoption of ISO/IEC 27001. According to Castka and Corbett [8], research is often neglected in the early stages of management system standards, probably due to the limited data available. While initial studies often focus on the motives and impacts of adoption, usually based on firm-level data and interviews or surveys, later studies on diffusion often determine diffusion patterns based on macrolevel data [8]. According to Rogers [9], adoption is the decision of an adopting unit (such as firms) “to make full use of an innovation as the best course of action available.” Diffusion, on the other hand, being the aggregation of individual (in our case firm) decisions, involves a time aspect and is defined as “the process in which an innovation is communicated through certain channels over time among the members of a social system” [9].
Existing studies on ISO/IEC 27001 analyze the adoption mainly from a theoretical perspective [10]–[12], based on surveys with the pitfalls of low response rates [13]–[17] or based on case studies [18]. To the best of our knowledge, no studies have empirically investigated the adoption of ISO/IEC 27001 at the national level.
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
To help fill this gap, the aim of our article is twofold. First, to explore the adoption of ISO/IEC 27001 in Germany, not only by taking into account firms certified to ISO/IEC 27001, but also firms adopting this standard in other ways. Second, to identify drivers for the certification to ISO/IEC 27001 in Germany. Therefore, we introduce a new method to analyze the adoption of management system standards using web scraping and web mining. Web mining describes the application of data mining techniques to uncover relevant data characteristics and relationships (e.g., data patterns, trends, and correlations) from previously web scraped unstructured web data [19]. We do so by using data from the Mannheim Enterprise Panel (MUP) as the firm database, and then categorize web scraped firms using their website texts and conduct multivariate analyses based on firm characteristics and a deep-learning-based product innovator probability indicator [20].
The remainder of this article is structured as follows. Section II discusses the literature on ISO 9001 and ISO 14001 as well as existing studies on ISO/IEC 27001. Based on the assumption that management system standards are organizational innovations [21]–[23], we present the Technology-Organization-Environment (TOE) framework as an applicable innovation adoption model [24] for firms adopting ISO/IEC 27001. Section III describes the research methodology starting with web mining as a data collection process. Section IV presents the results of the manual categorization of firms that refer to ISO/IEC 27001 on their websites. Using a probit model, we estimate determinants of firm-specific characteristics (firm size, age, innovativeness, and sector affiliation) for the certification to ISO/IEC 27001. In Section V, we discuss our findings and derive a number of managerial implications and recommendations for standards development organizations and policy makers. In our conclusion, we summarize our findings, outline the limitations of our article, and discuss the suitability of web mining to explore the adoption of ISO/IEC 27001 and management system standards in general, including the need for further research.
II. LITERATURE BACKGROUND
A. Literature Review on the Adoption of Management System Standards
Management system standards, also referred to as meta standards [25], “help organizations improve their performance by specifying repeatable steps that organizations consciously implement to achieve their goals and objectives […]” [26]. Thereby, organizations can decide whether to implement a management system standard or additionally seek certification through the attestation by an independent third party, also sometimes referred to as registration [27].
Certificates can help organizations signal attributes [28], [29], and hence decrease information asymmetries, one aspect of market failures according to Akerlof [30]. As shown by Terlaak and King [31], the certification to management system standards, such as ISO 9001, is particularly beneficial when there is a high information asymmetry between producers and buyers.
As highlighted by Castka and Corbett [8] in their review of the adoption and diffusion of management system standards (focusing on ISO 9001 and ISO 14001), many studies emphasize who adopts a standard, why, how, and when. The decision to adopt a management system standard is driven by internal or external reasons [8]. The benefits of certification include regulatory compliance [32], meeting customer requirements [33], internal improvements [34], [35], access to markets [36], and innovation performance [37]. Although the motives for seeking certification to ISO 9001 and ISO 14001 are quite similar, the adoption of the latter is often determined by the regulatory environment [38].
DiMaggio and Powell [39] argued that firms are driven by coercive, mimetic, and normative isomorphism, which make organizations similar over time. The desire to improve performance drives the first movers, whereas the second movers are more driven to improve their image [40]. Therefore, according to Naveh et al. [40], first movers benefit more from implementing a managerial practice, such as ISO 9001, from their own experience, whereas second movers can benefit by learning from the experiences of others. In this context, the later adoption can be explained by the “bandwagon effect,” where previous adopters either reveal information about the value of the adoption or increase the value of the adoption and thereby set off bandwagons [41].
In the case of ISO 14001, Delmas and Montes-Sancho [42] noted that mandatory forces (e.g., derived from regulation) dominate in the early adoption phase, whereas normative pressures and trade-related aspects are more prevalent in the later phase. This effect is evidenced by Arimura et al. [43] in relation to ISO 14001, who also recommended government assistance programs to encourage the adoption of ISO 14001 for addressing public objectives.
The motivation to seek certification may also depend on the sector in which the firm operates. Singh et al. [44] found that manufacturers are more likely to focus on developing export potential and reducing costs, whereas service providers tend to meet external expectations, such as from customers or government agencies. In addition, internationally active firms are more likely to adopt standards and be certified [45], especially when export markets are affected by EU regulations [33].
However, the adoption of a management system standard and particularly seeking certification is time consuming and costly, especially regarding the costs for external auditors [46]. These costs involve the setting up of a management system, the involvement of consultants, and, in the case of additional certification, the cost of external auditing [47]. These costs vary by firm size and sector, ranging from $10 000 to $200 000 for ISO 14001 [48]. In terms of time invested, the average duration of certification to ISO 9001 is 12 months [44]. Since these investments could outweigh the benefits [49], firms might adopt a management system standard but not seek a third-party attestation (certification).
Once firms have already invested in the adoption of a standard, this can also change their decision-making process when adopting an additional standard [50]. Therefore, a firm’s experience in implementing a management system standard could spur the implementation of another management system standard [32], [51], [52]. However, the implementation of a previous management system standard could also hinder the adoption of another management system standard, if it is not fully complementary to the previously adopted standard [32]. Tuczek et al. [52], who also referred to Castka and Corbett [8], pointed out that this “coupling effect” is not sufficiently investigated in the context of the adoption of standards.
Firms are increasingly making use of integrated management systems that cover the aspects of quality (ISO 9001), environment (ISO 14001), energy (ISO 50001), occupational health and safety (OHSAS 18001 or ISO 45001), and, also, information security (ISO/IEC 27001) [53]. The aim of integrating compatible management system standards is to reduce administrative burden [54] and costs, e.g., when combined audits and multiple certifications can be obtained. Furthermore, organizations can use the meta structuring of standards similar to the structuring of technologies as a way to deal with the multiplicity of standards, as Gey and Fried [55] showed in the case of a software company.
Previous studies have investigated the adoption of international standards, e.g., by counting valid certificates. However, little attention has been paid to the various forms of adoption (i.e., implementation versus certification) [56] and to the actors and activities that promote the diffusion of organizational standards, which Stamm [57] has recently termed diffusion work. By introducing four modes of standard diffusion along the dimensions direct/indirect and explicit/implicit, namely concrete diffusion (I), broad diffusion (II), selective diffusion (III), and ideational diffusion (IV), Stamm [57] emphasized the role of consultants in connecting the activities of standards developing organizations, governments, business associations, and academics. The analysis of this diffusion work is particularly suitable for earlier stages, in which mimetic behavior is not yet largely evident [57], and from the perspective of the policy stage, since the adoption of the standard does not necessarily immediately follow the creation of the standard.
B. Literature Review on ISO/IEC 27001
Spurred by the success of ISO 9001 and ISO 14001, ISO/IEC 27001 was initially published at the end of 2005 by the International Organization for Standardization (ISO) together with the International Electrotechnical Commission (IEC) and technically revised with the second edition of ISO/IEC 27001:2013. This standard was reviewed and confirmed in 2019, and hence this version remains current.
The underlying ISO/IEC 27000 series is based on the British Code of Practice BS 7799 (see Disterer [6] for the development of this standard), which currently comprises over 40 international standards, including information security controls (ISO/IEC 27002), cloud security (ISO/IEC 27017 and ISO/IEC 27018), and investigation of incidents (ISO/IEC 27043) (ISO, 2019). As the best-known standard within this family, ISO/IEC 27001 [1] “provide[s] requirements for establishing, implementing, maintaining, and continually improving an information security management system” [7]. Within the ISO/IEC 27000 series, information security is defined as “preservation of confidentiality […], integrity […] and availability […] of information” [58].
Fig. 1. Evolution of ISO 9001, ISO 14001, and ISO/IEC 27001 over time in terms of valid certificates worldwide. Source: [60].
Information security, therefore, differs from concepts such as ICT security (limited to information stored or transmitted using ICT) and cybersecurity (extending information security by including noninformation-based assets), although these terms are often used interchangeably (though indeed overlap—see [59] for details).
Fig. 1 shows the diffusion of the three common management system standards with ISO 9001 and ISO 14001 (bars with the left y-axis) and ISO/IEC 27001 (dashed lines with the right y-axis) from the year in which they became certifiable or corresponding data from the ISO survey [60] are available. Looking at the number of valid certificates according to the annual ISO survey, ISO/IEC 27001 has shown high growth rates in recent years (e.g., +19% in 2017), but still remains on a comparatively low absolute level (with less than 40 000 valid certificates at the end of 2017), especially compared to other common management system standards, such as ISO 9001 with more than one million valid certificates and ISO 14001 with roughly 360 000 valid certificates in 2017 [60]. This also applies to these management system standards in the early years, when more than 660 000 certificates for ISO 9001 and almost 240 000 certificates for ISO 14001 were valid a decade after their publication [61]. Furthermore, digitalization has been expected to spur the adoption of ISO/IEC 27001. Since firms increasingly store their information based on ICT and governments and suppliers more and more require firms to ensure information security, it has been expected that ISO/IEC 27001 would also be adopted apart from the IT sector [10]. These aspects led to expectations for a higher adoption rate of ISO/IEC 27001 globally [11].
Therefore, previous studies on ISO/IEC 27001 often focused on the reasons for the (low) adoption of ISO/IEC 27001 by firms, alongside the impact of this management system standard as well as the means to increase adoption [10], [11]. Based on case studies in the U.K. and in the Netherlands, Van Wessel and de Vries [18] found that firms adopt ISO/IEC 27001 and ISO/IEC 27002 both for internal reasons (quality enhancement, cost reductions, and increasing the company’s risk profile) and for external reasons (meeting legal or customer requirements and improving image). However, firms, especially small and medium-sized enterprises (SMEs) [12], often do not implement information security standards due to high costs and the lack of evidence that the benefits outweigh the costs [62].
Existing studies show that the adoption of ISO/IEC 27001 or other ISMS standards neither leads to less frequent or severe security breaches nor to positive economic impacts through certification against ISO/IEC 27001 [11], [63]–[65]. Therefore, the motives for adopting this standard differ significantly from those for adopting other management system standards such as ISO 9001, the positive economic impact of which has been demonstrated in several studies [8]. However, Barlette and Fomin [11] point out that it is difficult to quantify the benefits of the adoption since ISO/IEC 27001 can be considered as a means to avoid potential losses rather than gaining immediate profits. As a specific positive economic effect, the implementation of ISO/IEC 27001 might result in lower insurance premiums [5].
Other possible reasons for the low adoption include the consideration of competing ISMS standards [11] and the fact that firms outsource their “information-related business” to other countries, e.g., the Far East [10]. However, Fomin et al. [10] found no statistical evidence for the latter, as the number of valid certificates in India, for example, was no higher than in the U.K., which is still the case [60]. Fomin et al. [10] also concluded (inter alia) that it is worth investigating the need perceived by firms to seek certification instead of just adopting this standard.
Benslimane et al. [66] examined the role of certification of IT personnel and ISMS standards, such as ISO/IEC 27001. Looking at online job postings, they found that organizations value work experience and personnel certifications related to IT security more than knowledge of IT security standards. These findings indicate that firms can implement ISMS requirements [66] without fully complying with or being certified to the management system standard.
A limited number of studies conducted surveys investigating motives, obstacles, and impact of ISO/IEC 27001 [14]–[17]. However, the number of respondents was comparatively low, ranging from 4 to 20 firms per survey, also due to the limited number of valid certificates in countries such as Finland, Saudi Arabia, and Bosnia and Herzegovina, where the surveys were conducted. A recent study among Portuguese firms (with 25 participating companies) showed that more than half of these certified firms belong to the IT sector [67]. As regards the implementation and certification process, it took between 6 and 12 months for the firms to obtain ISO/IEC 27001 certification, which in most cases cost more than 50 000 (including costs for personnel, technical equipment, and external consultancy) [67].
In order to increase the adoption of ISO/IEC 27001, most scholars place focus on the legal environment [10], [68]. From an institutional perspective, governmental intervention may be necessary, as a standard requires a certain adoption rate that triggers further adoption across other organizations, i.e., the bandwagon effect, which is not (yet) evident for ISO/IEC 27001 [68].
C. Theoretical Framework to Analyze Drivers for Certification to ISO/IEC 27001
The Schumpeterian definition of innovation [69] already goes beyond the narrow focus on technical innovations. One type of innovation is organizational innovation such as the implementation of management system standards as intraorganizational procedural innovation according to Armbruster et al. [22]. This approach is supported by Hashem and Tann [23] who stated that the introduction of ISO 9001 is an innovation and applied the TOE framework of Tornatzky et al. [24] to investigate key determinants of the adoption of the ISO 9000 standard series of Egyptian manufacturers [23].
Fig. 2. Conceptual model based on [23] and [24].
The TOE framework describes how the adoption of innovations is influenced by three aspects in the context of firms. It comprises the following.
1) The Technological context, which includes both internal and external technologies relevant to the firm.
2) The Organizational context, which features firm-specific factors, such as scope, size, and the managerial structure.
3) The Environmental context, which comprises surrounding factors, such as industry, competitors, and governmental influence.
According to Oliveira and Martins [70], the TOE framework has already been used to empirically validate factors that influence the adoption of, e.g., electronic data interchange (EDI) [71], radio frequency identification (RFID) [72], and enterprise resource planning (ERP) systems [73].
For our article, we therefore examine the influence of selected factors on the adoption of ISO/IEC 27001 on the firm level, as shown in our conceptual model in Fig. 2 based on the TOE model. As the depth or quality of implementation of management system standards may vary [8], [74], we focus on firms that have implemented the ISO/IEC 27001 standard and additionally received a certificate. We consider this as an indicator of making full use of ISO/IEC 27001.
We have chosen firm size, firm age, and firm innovativeness as organizational factors, as these factors were identified in previous studies as relevant factors for the analysis of the certification to management system standards [8], [23], [33], [43], [75], [76] or IS innovation adoption on the firm level in general [70], [77].
In the technological context, “current practices” can determine the adoption of innovations [70], especially in terms of their compatibility with the new practice [77]. We, therefore, consider certification to other management system standards a “current practice,” since certification to one management system standard is often linked to the certification to other management system standards [32], [51].
Taking into account that ISO/IEC 27001 is strongly associated with the IT sector [60], [61], we selected the sector as an external environmental factor for our study.
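To make the conceptual model concrete, the following is an added example, not code from the paper or its authors, of the kind of probit estimation the article applies in Section IV: a pure-Python maximum-likelihood fit (Newton-Raphson with step halving) of certification status on log firm size and an ICT service sector dummy. The 14 firms are constructed, hypothetical values; the variable selection (two of the model's factors rather than all of them), the function names and the tolerances are assumptions, and the paper's actual specification and coefficients are not reproduced.

```python
import math

# Constructed sample of 14 hypothetical firms: (employees, ICT service sector dummy,
# certified to ISO/IEC 27001). Made-up values for illustration, not MUP data.
SAMPLE_FIRMS = [
    (8, 1, 0), (20, 1, 0), (40, 1, 1), (60, 1, 0), (120, 1, 1), (300, 1, 1), (450, 1, 1),
    (10, 0, 0), (30, 0, 0), (80, 0, 0), (150, 0, 1), (200, 0, 0), (600, 0, 1), (1000, 0, 1),
]


def phi(z):
    """Standard normal density."""
    return math.exp(-0.5 * z * z) / math.sqrt(2.0 * math.pi)


def Phi(z):
    """Standard normal CDF via the error function."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def design_matrix(firms):
    """Rows of [1, ln(employees), ICT dummy]; firm size enters in logs (an assumption)."""
    X = [[1.0, math.log(emp), float(ict)] for emp, ict, _ in firms]
    y = [float(cert) for _, _, cert in firms]
    return X, y


def log_likelihood(X, y, beta):
    """Probit log-likelihood: sum of log Phi(q_i * x_i'beta) with q_i = 2*y_i - 1."""
    ll = 0.0
    for xi, yi in zip(X, y):
        z = sum(b * x for b, x in zip(beta, xi))
        q = 2.0 * yi - 1.0
        ll += math.log(max(Phi(q * z), 1e-300))
    return ll


def score_and_hessian(X, y, beta):
    """Analytic gradient and Hessian using the generalized residual lambda_i."""
    k = len(beta)
    g = [0.0] * k
    H = [[0.0] * k for _ in range(k)]
    for xi, yi in zip(X, y):
        z = sum(b * x for b, x in zip(beta, xi))
        q = 2.0 * yi - 1.0
        lam = q * phi(z) / max(Phi(q * z), 1e-300)
        w = lam * (lam + z)  # makes H negative definite for the probit
        for a in range(k):
            g[a] += lam * xi[a]
            for b in range(k):
                H[a][b] -= w * xi[a] * xi[b]
    return g, H


def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for the small Newton system."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        p = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[p] = M[p], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                for c in range(col, n + 1):
                    M[r][c] -= f * M[col][c]
    return [M[i][n] / M[i][i] for i in range(n)]


def fit_probit(X, y, tol=1e-8, max_iter=50):
    """Newton-Raphson MLE with step halving; returns (beta, log-likelihood, score norm)."""
    beta = [0.0] * len(X[0])
    ll = log_likelihood(X, y, beta)
    for _ in range(max_iter):
        g, H = score_and_hessian(X, y, beta)
        if math.sqrt(sum(v * v for v in g)) < tol:
            break
        step = solve([[-h for h in row] for row in H], g)  # d = -H^{-1} g
        t = 1.0
        while t > 1e-6:  # halve the step until the likelihood does not fall
            cand = [b + t * d for b, d in zip(beta, step)]
            ll_c = log_likelihood(X, y, cand)
            if ll_c >= ll - 1e-12:
                beta, ll = cand, ll_c
                break
            t /= 2.0
        else:
            break
    g, _ = score_and_hessian(X, y, beta)
    return beta, ll, math.sqrt(sum(v * v for v in g))


def predict(beta, employees, ict):
    """Predicted certification probability for a firm of a given size and sector."""
    return Phi(beta[0] + beta[1] * math.log(employees) + beta[2] * ict)


if __name__ == "__main__":
    X, y = design_matrix(SAMPLE_FIRMS)
    beta, ll, gnorm = fit_probit(X, y)
    print("beta (intercept, ln size, ICT):", [round(b, 3) for b in beta])
    print("log-likelihood:", round(ll, 3), "score norm:", gnorm)
    print("P(certified | 450 employees, ICT):", round(predict(beta, 450, 1), 3))
```

The sample was built so that neither size nor sector separates certified from non-certified firms perfectly; with complete separation the probit likelihood has no finite maximizer, which is the first thing to check on a real extract before interpreting coefficient signs.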
III. METHODOLOGY
A. Web Mining for Innovation Indicators
Web mining based on previously web scraped websites has proven itself to be applicable in many research areas [78], [79]. In economic research, firm websites are a particularly interesting area of the World Wide Web. Firms use their websites to present themselves as well as their products and services. The information found on these websites can be used to assess firms’ products, services, credibility, achievements, key personnel decisions, strategies, and relationships with other firms [80]. Surveying firms through their websites, rather than conducting interviews, questionnaires, or using other traditional methods, offers clear advantages (coverage, granularity, cost, and timeliness), but it is also associated with its own challenges (data collection, harmonization, and data quality) [19].
There are only a few existing studies that analyze the usability of web-based innovation indicators. These studies either use web content mining or web structure mining [81]. The latter is the analysis of connections between entities (e.g., firms) via the hyperlink structure of websites. Katz and Cothey [82] used this approach in a case study on European and Canadian education institutions. They find that their method is suitable for measuring the degree of recognition of a nation’s or province’s web presence they receive from other nations and provinces. The authors emphasize the importance of reproducible and accurate indicators capable of dealing with the constantly changing properties of the Internet.
In web content analyses, texts and other website contents are analyzed. This approach is taken by the following studies: Youtie et al. [83] used web mining to explore the transitions from discovery to commercialization of 30 nanotechnology SMEs. Arora et al. [84] used a similar approach to analyze entry strategies of SMEs commercializing emerging graphene technologies. Both study approaches are capable of identifying different innovation stages. Applying a keyword technique to explore the R&D activities of 296 UK-based enterprises, Gök et al. [80] found that web-based indicators provide additional insights compared to patent and literature-based innovation indicators. In addition, they emphasize that web mining has another advantage as a research method. The act of surveying a subject using web scraping and web mining does not cause particular problems, such as altering the behavior of the study object in response to being studied. The authors conclude “[…] that web mining is a significant and useful complement to current methods, as well as offering novel insights not easily obtained from other unobtrusive sources” [80]. However, they raise the criticism that obtaining information from website data is more difficult and that caution is required when generating web-based indicators. Information on websites is generally more related to innovation output than to input. In addition, websites are self-reported, and firms do not publish any new information on their websites at equal frequencies. Beaudry et al. [85] used a keyword technique to generate innovation indicators of Canadian aeronautic, space, and defense as well as nanotechnology-related firms based on the text on their websites. They found a significant correlation between their web-based and traditional innovation indicators.
Fig. 3. General analysis framework for generating web-based innovation indicators. Source: [19].
Nathan and Rosso [86] combined UK administrative microdata, media, and website content to develop experimental measures for innovation in SMEs. The authors used proprietary data gathered by a data firm that uses website and media content to model lifecycle events of firms such as new product and service launches. They were able to identify three times more product/service launches than patent applications from SMEs. Nathan and Rosso [86] concluded that web-based indicators are a useful complementary measure to existing metrics as they reveal additional information. Moreover, they found that previous patent activities are related to a firm’s current launch activities and that tech SMEs are much more likely to launch new products or services than nontech SMEs. Studies on web-based innovation indicators have thus confirmed that firm websites are an interesting and rich data source for examining the innovation activity of firms and science, technology, and innovation systems in general.
B. Data Collection and Sample
Kinne and Axenbeck [19] proposed a generally applicable framework for studying firm websites based on established firm databases (see Fig. 3). Starting from the firms’ website addresses, a web scraper queries the websites and downloads their content (e.g., texts). In a subsequent data mining step, which can be enriched with available firm metadata (e.g., for data mining model preselection), the so-called innovation-related information is extracted and transferred to firm-level innovation indicators. In the final step, these new innovation indicators are matched back to the firm database at the firm level. This last step also establishes a link between the new indicators and the traditional ones (e.g., patents) that can be used for validation. In this article, we apply the web mining approach as described in Fig. 3 to identify and analyze German companies that mention the ISO/IEC 27001 standard on their websites.
To this end, we use the Mannheim Enterprise Panel (Mannheimer Unternehmenspanel, MUP) from 2019 as the basic dataset. The MUP is based on the firm data pool of Germany’s largest credit rating agency (Creditreform e.V.) and, as a panel firm database, comprises all economically active firms located in Germany and the associated metadata (e.g., sector, firm size, and location) [87].
In the beginning of 2019, the MUP comprised 2 497 412 firms that were definitely economically active at that time and 1 155 867 corresponding website addresses (URLs). With these 1 155 867 URLs, we were able to successfully scrape texts from 912 850 firm websites using the open-source ARGUS web scraping tool [19]. Referring to the findings of Kinne and Axenbeck [19], we downloaded a maximum of 25 webpages per website (the median number of webpages per firm website in Germany is 15). We also used ARGUS’ options to download preferably German language webpages and those with shorter URLs. The latter follows the idea that the most general information about a firm can be found on its top-level webpages (e.g., “firm-name.com/about-us”). Based on the results of a comprehensive study performed by Kinne and Axenbeck [19], it can be expected that the coverage of our sample of scraped website texts will differ systematically between sectors and firm types; only a small fraction of very young and very small firms (smaller than five employees and younger than two years) will be included. Sparsely populated regions and certain sectors, such as agriculture, are also less well covered. Medium-sized and larger firms are expected to be almost fully covered, especially in technology-intensive sectors, such as mechanical engineering [19].
The web scraping process described above resulted in approximately 47 GB of raw text data for the 912 850 firms. To identify firms that mention ISO/IEC 27001 on their websites, we used a simple keyword search. Taking into account the possible writing options for the individual management system standard, we included all combinations of DIN (the German Institute for Standardization), ISO, and IEC with 27000 and 27001 and tagged all firm websites with at least one occurrence of at least one of the search string combinations.
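As an added illustration of the keyword search described above (example code, not from the paper or the ARGUS tool), the following Python script tags constructed firm-website texts with references to ISO/IEC 27001, accepting any combination of DIN, ISO, and IEC with 27000 or 27001 plus an optional edition year. It goes beyond the paper's search in two respects: it also recognizes the other three management system standards the paper counts (ISO 9001, ISO 14001, ISO 50001) so that co-occurring references can be tallied, and it extracts text windows around each hit to support the manual coding step that follows. The sample texts, firm identifiers, and function names are this example's own assumptions.

```python
"""Keyword tagging of scraped firm-website texts for management system
standard references. Added example: the sample texts below are constructed
and the function names are this example's own, not the paper's tooling."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

# Standards bodies that may prefix the number, in any order and combination
# (e.g. "DIN ISO/IEC 27001", "ISO27001", "IEC 27000"), separated by
# whitespace, slashes or hyphens, or not separated at all.
BODIES = r"(?:DIN|ISO|IEC)"
SEP = r"[\s/\-]*"

# Standard numbers and the family they are reported under. 27000 and 27001
# are both counted as references to ISO/IEC 27001, as in the paper's search;
# the other three standards are this example's extension.
FAMILY = {
    "27000": "ISO/IEC 27001",
    "27001": "ISO/IEC 27001",
    "9001": "ISO 9001",
    "14001": "ISO 14001",
    "50001": "ISO 50001",
}

PATTERN = re.compile(
    rf"\b{BODIES}(?:{SEP}{BODIES}){{0,2}}{SEP}(?P<num>{'|'.join(FAMILY)})\b"
    r"(?::\d{4})?",  # optional edition year such as ":2013"
    re.IGNORECASE,
)


def find_references(text: str) -> List[str]:
    """Return the standards family of every match in one page text."""
    return [FAMILY[m.group("num")] for m in PATTERN.finditer(text)]


def tag_firm(pages: Iterable[str]) -> Set[str]:
    """Tag a firm with every standard referenced on at least one of its pages."""
    referenced: Set[str] = set()
    for page in pages:
        referenced.update(find_references(page))
    return referenced


def tag_firms(firms: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Apply tag_firm to a mapping firm id -> list of scraped page texts."""
    return {firm_id: tag_firm(pages) for firm_id, pages in firms.items()}


def context_snippets(text: str, width: int = 30) -> List[str]:
    """Text windows around each hit, to support manual coding of the reason
    for the reference (certified, implementing, consultant, partner, ...)."""
    return [
        text[max(0, m.start() - width): m.end() + width].strip()
        for m in PATTERN.finditer(text)
    ]


def share_tagged(tags: Dict[str, Set[str]]) -> float:
    """Share of scraped firms referring to at least one standard."""
    return sum(1 for s in tags.values() if s) / len(tags)


def co_occurrence(tags: Dict[str, Set[str]],
                  anchor: str = "ISO/IEC 27001") -> Dict[int, int]:
    """Among firms referring to `anchor`, count how many further standards
    each firm also refers to (0, 1, 2 or 3); a reference-based analogue
    of the co-occurrence tally in Table III."""
    return dict(Counter(len(s - {anchor}) for s in tags.values() if anchor in s))


# Constructed page texts (German, like the scraped corpus); not real firms.
SAMPLE_FIRMS: Dict[str, List[str]] = {
    "firm-a": ["Wir sind nach DIN ISO/IEC 27001:2013 und ISO 9001:2015 zertifiziert.",
               "Impressum und Kontakt."],
    "firm-b": ["Unser Rechenzentrumspartner ist ISO27001-zertifiziert."],
    "firm-c": ["Qualitaetsmanagement nach ISO 9001, Umweltmanagement nach ISO 14001."],
    "firm-d": ["Seminar: Einfuehrung in die ISO/IEC 27000-Reihe fuer Berater."],
    "firm-e": ["Artikel 27001 ist ab Lager lieferbar."],  # bare number: no hit
    "firm-f": ["Startseite ohne Normverweis."],
}

if __name__ == "__main__":
    tags = tag_firms(SAMPLE_FIRMS)
    for firm_id, referenced in tags.items():
        print(firm_id, sorted(referenced))
    print("share referring to any standard:", round(share_tagged(tags), 3))
    print("further standards per ISO/IEC 27001 firm:", co_occurrence(tags))
    print(context_snippets(SAMPLE_FIRMS["firm-b"][0]))
```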
C. Methodology to Analyze the Adoption of ISO/IEC 27001 in Germany
The first step of the analysis focused on the number of firms that refer to ISO/IEC 27001 on their websites. In a subsequent step, we categorized the firms according to the reason why they refer to ISO/IEC 27001 on their website, assuming that not all firms are certified, but refer to this management system standard for other reasons. To ensure a correct manual categorization of the firms in this sample, the webpages of these firms were analyzed in detail per firm using predefined codes (e.g., firm is certified, adopts a standard without certification, offers consulting or certification services, and any other reference) and two additional codes derived during the coding process (firms employing certified IT specialists and firms that are not certified themselves but refer to certified business partners). This coding was conducted by three persons and all certified firms were independently validated by another person to ensure consistent results.
D. Methodology to Analyze Driving Factors for ISO/IEC 27001 Certification in Germany
For our following statistical analysis, we use the variables described in Table I. We rely on the firm data in the MUP, which are available for 50% of all web scraped firms in terms of firm size, for 94% in terms of firm age, and for 99% in terms of sector affiliation. Furthermore, a firm-level product innovator probability is available for 82% of all web scraped firms. This prediction is based on the firm’s website text and a deep learning model trained on the websites of firms surveyed in the German Community Innovation Survey (CIS) (see [20] for more details). In particular, traditional firm-level indicators from a questionnaire-based innovation survey (German CIS) were used to train an artificial neural network classification model on labeled (product innovator/no product innovator) web texts of surveyed firms. Subsequently, this classification model was applied to the web texts of hundreds of thousands of firms in Germany to predict whether they are product innovators or not. The authors compared these predictions to firm-level patent statistics, survey extrapolation benchmark data, and regional innovation indicators. The results showed that this approach produces reliable predictions and has the potential to be a valuable and highly cost-efficient addition to the existing set of innovation indicators, especially due to its coverage and regional granularity [20].
TABLE I
DESCRIPTION OF VARIABLES
IV. RESULTS
A. Results of the Adoption Analysis of ISO/IEC 27001 in Germany
Out of the 1.15 million web scraped firms, a total of 47 919 firms refer to one of the management system standards, which corresponds to about 4.15% of all scraped firms. Most firms refer to ISO 9001, followed by ISO 14001, ISO 50001, and ISO/IEC 27001. This also corresponds to the ranking of valid ISO certificates published in Germany in 2017 as part of the ISO survey (see Table II).
As a first finding, only in the case of ISO/IEC 27001 is the number of firms referring to this standard on their website larger than the number of valid certificates according to the ISO survey [60]. Since firms can obtain more than one certificate per management system standard (e.g., for different branches or organizational units within one firm), our comparison can, however, only serve as a rough proxy. Furthermore, firms can refer to the management system standards on their websites for other reasons than being certified.
TABLE II
COMPARING CERTIFIED FIRMS OF MUP SAMPLE WITH VALID CERTIFICATES IN GERMANY
Source: [60].
Fig. 4. Firm categorization of 2664 firms referring to ISO/IEC 27001 on their websites.
Fig. 4 shows the results of manually categorizing the reasons
why firms refer to ISO/IEC 27001 on their websites. In general,
it should be noted that firms can belong to several categories,
e.g., a consulting firm offering services in connection with
ISO/IEC 27001 can also be certified to ISO/IEC 27001.
In total, 29.7% of the firms refer to ISO/IEC 27001 on their websites because they are ISO/IEC 27001 certified. A relatively small proportion (5.4%) stated that they have adopted a standard but are not officially certified, although they often claim on their websites to seek certification in the future. A total of 6.7% of firms employ certified IT personnel without having obtained a certificate for the firm’s ISMS. However, the highest proportion, 29.8% of firms, was not certified themselves but referred to a certified partner. Many firms referring to ISO/IEC 27001 offer consultancy (25.8%) or certification services (2.4%) related to ISO/IEC 27001. Overall, 4.3% of all firms have referred to ISO/IEC 27001 for other reasons, e.g., to provide news about this management system standard.
For the companies certified to ISO/IEC 27001, we have also investigated the likelihood that firms will be certified to other international management system standards as a technological context factor (see Fig. 2). To this end, we have manually visited their websites and searched for a different management system certificate. As a finding, a large proportion of firms certified to ISO/IEC 27001 is also certified to ISO 9001, followed by ISO 14001 and ISO 50001, as shown in Table III.
Out of the 792 ISO/IEC 27001 certified firms, 30% are certified to one additional standard, 9% to two further standards, and 5% to all three other management system standards.
TABLE III
OBSERVED CO-OCCURRENCES OF REFERENCES TO MANAGEMENT SYSTEM STANDARDS IN ABSOLUTE AND RELATIVE TERMS
TABLE IV
SECTOR AFFILIATION OF ISO/IEC 27001 CERTIFIED FIRMS VERSUS NONCERTIFIED MUP FIRMS
B. Results on the Analysis of Driving Factors for ISO/IEC 27001 Certification in Germany
1) Descriptive Statistics: In terms of sector affiliation, almost half (43%) of all ISO/IEC 27001 certified firms offer ICT services, which is significantly higher than the approximately 4% of all firms in the MUP data sample offering ICT services (see Table IV). ISO/IEC 27001 certified firms providing consultancy and financial services are also overrepresented, as are public utilities, compared to noncertified firms in the MUP database. The results also show that ISO/IEC 27001 certification is not very common in “traditional” sectors, such as construction, retail, or manufacturing.
To differentiate between firms providing ICT services and other firms, we present the following descriptive statistics for all firms (all sectors), and in a second step, we focus just on the companies that are attributed to ICT services, as they are responsible for almost half of all certifications. In both cases, the results of the descriptive statistics on firm size, firm age, and innovation probability presented in Table V reveal significant differences between the firms certified to ISO/IEC 27001 and noncertified firms.
TABLE V
FIRM CHARACTERISTICS OF ISO/IEC 27001 CERTIFIED FIRMS VERSUS NONCERTIFIED MUP FIRMS
Notes: Standard deviation in parentheses. N = Number of observations. Significance from the t-test: ∗ p<0.10; ∗∗ p<0.05; ∗∗∗ p<0.01.
Taking into account firms of all sectors, first, the certified
firms with 76 employees are more than three times as large as the
average noncertified firm in the MUP. Second, and in contrast,
certified firms aged 17 years are on average seven years younger
than the average of noncertified firms. Third, the innovation
probability of 57% is twice as high as the average innovation
probability of noncertified firms.
Surprisingly, when focusing on firms attributed to ICT services, the average age is the same as for all ISO/IEC 27001 certified companies. Certified ICT service firms are still larger than noncertified ICT service firms, with 61 employees compared to 15 employees. Aged 17 years, however, they are also older than noncertified firms in the ICT service sector, aged 14 years. Overall, firms in the ICT service sector have a product innovation probability of almost 50%, i.e., almost twice the probability of all noncertified firms. However, certified firms in the ICT sector have an even higher product innovation probability of 62%.
Summarizing the findings from the analysis of the descriptive statistics, we can see a positive relationship between firm size and the probability of certification. A positive correlation with firm age can only be observed within the ICT service sector. Furthermore, innovativeness increases the likelihood of certification, while the high proportion of certified firms belonging to the ICT service sector (see Table V) indicates that this sector is strongly linked to certification against ISO/IEC 27001.
TABLE VI
PROBIT ESTIMATION RESULTS
Notes: The table displays the coefficients of all observations in the MUP and ICT service sectors and the marginal effects of each in brackets. A correlation matrix of the variables is provided in Table VIII and the probit estimation results for the sector dummies in Table X. ∗ p<0.10; ∗∗ p<0.05; ∗∗∗ p<0.01.
TABLE VII
SECTOR AFFILIATION OF TÜV RHEINLAND ISO/IEC 27001 CERTIFIED FIRMS
2) Probit Model: Finally, we run a probit model. Our probit
models test the probability of the event (=certification to
ISO/IEC 27001) as a dependent variable and the independent
variables as shown in Table I.
The results of our two probit models are shown in Table VI. In the general model, which covers all MUP firms, significant results are shown for all explanatory variables. First, the likelihood to be certified to ISO/IEC 27001 increases significantly with firm size. Second, older firms are significantly less likely to be certified to ISO/IEC 27001. Third, firms with a higher innovation probability are more likely to be certified to ISO/IEC 27001. Finally, firms operating in the ICT service sector are more likely to be ISO/IEC 27001 certified than firms operating in any other sector, as shown in Tables VII and X.
Consequently, we run a second probit regression model just for the firms active in the ICT service sector. Here, too, the firm size is significantly positively associated with the likelihood of being certified to ISO/IEC 27001. However, the age of firms in this sector does not significantly explain the likelihood of certification. Finally, firms in the ICT service sector with a higher innovation probability are more likely to be certified to ISO/IEC 27001. In addition, this relationship is stronger than in the sample of all firms based on the marginal effects shown in brackets.
Since only a very small proportion of the firms in the MUP sample are ISO/IEC 27001 certified (less than 0.1%), we encounter the problem of a small sample bias. In our search for rare events, we therefore apply the method proposed by King and Zeng [89] and run a corrected logit estimate for our independent variables firm size, firm age, and innovation probability. The corrected logit estimates provided in Table IX confirm the results of our probit models.
C. Validation
To validate our findings and to avoid a single source bias, we relied on another independent dataset. To this end, we manually analyzed the ISO/IEC 27001 certified firms of the German certification body TÜV Rheinland, which publishes its valid certifications online¹. In this certification database, we identified 358 valid certificates of 261 German firms that are certified to ISO/IEC 27001.
First, we examined which sector these firms belong to. Second, we analyzed whether these firms publish their certificates on their websites, and if not, whether they publish a logo instead. Third, we analyzed how many certified firms would have been identified using our web scraping.
We found a similar sector breakdown (see Table VII) as our
web mining results (see Table IV), which confirms that most
ISO/IEC 27001 certified firms offer ICT services, followed
by other services. Firms belonging to the public utility sector
(e.g., energy providers) rank higher in this sample compared to
our web mining sample, but this could also indicate a certain
affiliation of this sector to this particular certification body.
Out of the 261 ISO/IEC 27001 certified firms, 39 firms
(equaling 15%) did not publish a written reference to an ISO/IEC
certification on their websites, one-third of them offering ICT
services. Out of these 39 firms, 5 firms displayed a logo instead,
representing less than 2% of the 261 firms.
Since our web scraper only searched the top 25 webpages per firm, it would have identified 44% of these certified firms that are included in the MUP. This finding shows that the remaining ISO/IEC 27001 certified firms would only have been identified with a higher scraping effort, i.e., more webpages per company. Our manual analysis furthermore revealed that especially larger firms do not display their certificates on the top 25 webpages, but on lower level webpages, e.g., on the webpages of specific products or news pages.
V. DISCUSSION
A. Discussion on the Adoption of ISO/IEC 27001 in Germany
The initial finding of our web mining revealed that twice as many firms refer to ISO/IEC 27001 on their websites as there are valid certificates in Germany according to ISO (2018). Our manual categorization, however, showed that out of the 2664 firms identified, only 792 firms are certified to ISO/IEC 27001, which represents roughly 60% of all valid certificates. This finding shows that many firms refer to this management system standard for reasons other than being certified. Therefore, the manual categorization of all firm websites in our ISO/IEC 27001 analysis has helped to create a “landscape” of the adoption of ISO/IEC 27001 (see Fig. 5) including a demand side and a supply side to gain a better understanding of the ISO/IEC 27001 adoption in Germany.
¹ [Online]. Available: www.certipedia.com
Fig. 5. ISO/IEC 27001 “landscape” of German firms.
On the demand side, the landscape does not only include certified firms, which is often the case with previous studies about management system standards using ISO survey data. Firms can also adopt this management system standard without seeking certification for themselves, which we refer to as implementing firms. The results show a comparatively small number of firms that have not (yet) received a certificate but have only adopted the standard. Referring to a study of Irish managers, which stated that 12% of firms use standards such as ISO/IEC 27001 but only 2% are certified [90], it could have been expected that more firms had implemented the standard instead of being additionally certified. However, it may not be worthwhile to communicate on the website if firms have implemented a standard without a formal attestation.
The landscape also shows the important role of IT personnel, as discussed above with reference to Benslimane et al. [66]: IT personnel also implement security practices in firms according to the ISO/IEC 27001 standard, which can serve as a signal to stakeholders. For example, IT personnel may have obtained certificates such as Information Security Officer or Auditor according to ISO/IEC 27001 (see, e.g., [91]).
A key finding of our explorative research is the possibility to refer to partners (such as cloud computing providers or data centers) that are certified. This option shows the main difference between ISO/IEC 27001 and the other management system standards, as it is possible to outsource information security to some extent, which is unlikely for quality, environmental, and energy management. It is, therefore, possible that outsourcing will not take place in the Far East, for example, as discussed by Fomin et al. [10], but to IT service providers within Germany or Europe. This could also be spurred by the General Data Protection Regulation (GDPR), which entered into force in May 2018. Although ISO/IEC 27001 certification should not be seen as a tool to signal GDPR compliance, ISO/IEC 27001 can help to comply with the GDPR [92]. In order to elaborate this effect of “indirect certification” theoretically, one can apply theories about networking and, in particular, brand leveraging and co-branding, concepts that traditionally originate from marketing and, in particular, consumer research [93]. In our case, firms can be “embedded” in a network and gain reputation and trust by claiming an alliance with a partner who is certified, as shown by Hu et al. [94] in the case of technical standard alliances.
The “landscape” (see Fig. 5) also includes the supply side of ISO/IEC 27001, by involving certification bodies and consultants as important actors in the diffusion work [57] of this management system standard. The large number of consultants active in the field of ISO/IEC 27001 and providing knowledge of this standard indicates, first, a need for firms to use consulting firms for the implementation of ISO/IEC 27001. Second, it indicates that firms may implement this standard with the help of consultants rather than be officially certified. This can also help explain the low adoption of ISO/IEC 27001 in Germany given the low number of valid certificates [60], although on average almost 30% of all German companies claim to have a formally defined ICT security policy that takes into account the confidentiality, integrity, and availability of their data and ICT systems [95].
B. Discussion on Driving Factors for ISO/IEC 27001 Certification in Germany
Our regression analysis revealed that larger and more innovative firms, most of them belonging to the ICT service sector, are more prone to ISO/IEC 27001 certification.
The significant size effect supports the findings of previous
studies on other management system standards [33], both for
all firms and for ICT service providers. Obviously, certification
costs present a problem for smaller companies that may not
be compensated by the benefits of achieving certification to
ISO/IEC 27001 [12]. Since the firm size is often correlated
with firm age [96], we expected a positive effect that is only the
case for ICT service firms (see Table V), though not significant
(see Table VI). Therefore, different organizational factors and
IT skills may lead to differences in the perception of firms in
terms of information security and related investments, apart from
size, age, and innovativeness, which should be subject to future
research.
Our findings have several implications for managers, policy makers, and standard development organizations. From a managerial perspective, they show that firms can make use of ISO/IEC 27001 through (1) implementation without certification, (2) the use of certified IT personnel, or (3) reference to a certified partner (indirect certification), without having to bear the time and cost for certification. Therefore, depending on their individual objectives, firms should critically examine whether it is worthwhile to seek certification (e.g., as a competitive advantage or because stakeholders require an independent attestation) or not. In some cases, the implementation of ISO/IEC 27001 might be a good start to increase the overall level of information security, including employee awareness, without bearing the immediate costs for certification.
From a policy perspective, our findings have an impact when policy makers decide to make use of ISO/IEC 27001 to increase the overall level of information security in firms. First, the significant firm size effect may require action. Policy makers could, for example, spur the diffusion of ISO/IEC 27001 among SMEs by providing incentives to firms that seek services, e.g., from consultants, to implement an ISMS according to ISO/IEC 27001. Second, the benefits for smaller firms implementing an ISMS according to ISO/IEC 27001 may not be sufficiently known or measurable for smaller companies. Therefore, standards development organizations could publish practical guidance documents, in particular, to help SMEs apply the ISO/IEC 27000 series, as proposed by the European Commission in its recent rolling plan for ICT standardization [98]. Third, it is worth investigating whether independent third-party certification is required or whether a self-declaration of conformity might be useful to achieve the respective goal. Finally, looking closely at the ISO/IEC 27001 certified firms, they most often belong to the ICT service sector. Hence, the question arises as to whether the concentration of certifications among ICT service firms is sufficient for an overall adequate level of information security because they provide services to companies throughout the entire economy, or whether we have a significant gap here. This might be true, in particular, for manufacturing firms, particularly in view of the increasing connectivity related to Industry 4.0, which may require further actions from policy makers.
VI. CONCLUSION
In this article, we have for the first time used web mining as a data source and method to examine German firms in the MUP database whose websites refer to ISO/IEC 27001.
A manual categorization of all firms with ISO/IEC 27001
reference on their websites enabled the development of an
ISO/IEC 27001 “landscape”, as outlined in Fig. 5, covering
both the demand side (firms making use of this management
system standard) and the supply side of this management system
standard (firms providing services related to ISO/IEC 27001).
The implications of our findings can lead to a better understanding of the reasons for the (low) adoption of ISO/IEC 27001. First, the small number of valid certificates reported in the ISO survey is not necessarily due to the low adoption rate of the standard. Firms can also benefit from either implementing the management system standard without seeking certification or by using certified IT personnel. Second, firms make use of certified partners to which they refer on their websites, a phenomenon that we term “indirect certification.” These partners (mostly cloud suppliers and data centers), therefore, have a multiplier effect by providing information security to a larger number of firms.
Our web mining based analysis of firms that refer to ISO/IEC 27001 on their websites showed that this method can be used in combination with a manual firm-by-firm evaluation to gain a better understanding of the drivers for certification to ISO/IEC 27001. We have shown that firm size, innovativeness, and affiliation to the ICT service sectors are potential drivers for ISO/IEC 27001 certification. In particular, smaller firms seek less certification than larger firms, which may call for the need for supporting SMEs in implementing ISO/IEC 27001 and seeking certification.
From a legal perspective, certification against ISO/IEC 27001
is voluntary for firms per se. However, this could change in the
near future not only in the light of the NIS-Directive but also
of the latest EU Cybersecurity Act. In addition, firms can adopt
ISO/IEC 27001 to demonstrate compliance with the principles
of technical and organizational measures to protect information
for the purpose of the GDPR [99]. Thereby, the results of this
article can help to derive more substantial recommendations
for the application of this management system standard, e.g.,
if a mandatory certification for firms in specific sectors or
alternative measures to increase the adoption of ISO/IEC 27001
are discussed.
From a methodological perspective, web mining of firm websites supplements the traditional methods of standard adoption research, which are often based on surveys and are qualitative in nature, or in the case of diffusion research based on national macrodata.
However, web mining and this article are not without limitations. As far as the applicability of the method is concerned, our web scraping first covered only the top 25 webpages per website. A previous study showed that the median number of subweb pages per website of German firms is 15, but this number of webpages is also strongly correlated with the size of the firm [19]. This suggests that our rather low per-website scraping limit can induce a bias against larger firms, which we also found in our validation, indicating that German ISO/IEC 27001 certified firms may be even larger than our empirical results suggest. For future web mining studies, we therefore suggest either using a higher scraping limit for all firms or adjusting the scraping limit according to the available firm size information.
Second, our analysis assumes that all firms certified to ISO/IEC 27001 would announce this on their websites. However, firms are not obliged to do so, and some sectors, such as ICT services or electronics, may be more prone to the presentation of their certificates on their websites than other sectors [67]. Therefore, firms active in the health or tourism sector may see a lower value for their goal of publishing their certificates and hence there may be a distortion in certain sectors.
Third, our web mining (by keywords only) cannot distinguish
whether firms are certified or otherwise refer to this management
system standard. Therefore, only a combination of web mining
and manual analysis allowed a suitable categorization. In order to
make use of this method to a greater extent, further automation
would be needed using a web scraper. This could include the
recognition of images to identify certificates, or the use of neural
networks to predict whether a firm is certified to a particular
management system standard.
Finally, the positive relationship of firm drivers for ISO/IEC 27001 certification does not necessarily imply causality. Further research is needed to examine the drivers and barriers to the adoption of ISO/IEC 27001. As a first step, our categorized firms that are certified to ISO/IEC 27001 or have adopted this standard (without certification) can be used to analyze the context in which firms refer to the use of ISO/IEC 27001 on their website as a motive for adoption and further sector segmentation. This analysis could also be extended to firms that refer to certified partner firms to examine the drivers for this type of “indirect certification”. Additional methodological approaches, such as interviews and surveys, are needed to theoretically support these correlations and to identify further drivers and barriers in connection with ISO/IEC 27001 certification. Our identified firms can therefore serve as a sample.
Our approach of defining certifications based on management system standards as organizational innovation itself opens up a new research field to investigate the relationship between product innovation and certifications in the context of international management system standards as organizational innovations [22]. This raises the question of timing, i.e., whether product innovations trigger certification to management system standards as organizational innovations [97] or vice versa. However, this question cannot be answered by the available cross-sectional data but requires time-series data.
APPENDIX
See Tables VIII–X.
TABLE VIII
CORRELATION MATRIX OF THE VARIABLES
Notes: The table shows the pairwise correlation coefficients of all observations in the MUP. ICT sector service coefficients are in brackets. p<0.01.
TABLE IX
CORRECTED LOGIT ESTIMATES
Notes: The table displays the coefficients of all observations in the MUP and ICT service sectors applying rare event logistic regression. ∗ p<0.10; ∗∗ p<0.05; ∗∗∗ p<0.01.
TABLE X
PROBIT ESTIMATION RESULTS FOR SECTOR DUMMIES
Notes: The table displays the coefficients and marginal effects based on the ICT service sector. ∗ p<0.10; ∗∗ p<0.05; ∗∗∗ p<0.01.
ACKNOWLEDGMENT
M. Mirtsch would like to thank G. Dudek for valuable insights, S. Mareschow and G. Miklis for assisting in categorizing web scraped firms, M. Franke for IT support, and S. Stobbe for the language editing and proofreading. Finally, the authors gratefully acknowledge the valuable suggestions of three anonymous reviewers.
REFERENCES
[1] ISOfocus, “The cyber secrets,” Jan./Feb. 2019. [Online]. Available: https://www.iso.org/files/live/sites/isoorg/files/news/magazine/ISOfocus%20(2013-NOW)/en/2019/ISOfocus_132/ISOfocus_132_en.pdf
[2] S.-Y. Peng, “‘Private’ cybersecurity standards? Cyberspace governance, multistakeholderism, and the (ir)relevance of the TBT regime,” Cornell Int. Law J., vol. 51, no. 2, pp. 445–469, 2018.
[3] S. Shackelford and S. O. Bradner, “Have you updated your toaster? Transatlantic approaches to governing the internet of everything,” Kelley School Bus. Res. Paper No. 18-60, pp. 1–31, 2018. [Online]. Available: https://ssrn.com/abstract=3208018
[4] Accenture, “The cost of cybercrime,” Ninth Annual Cost of Cybercrime Study, independently conducted by Ponemon Institute LLC and jointly developed by Accenture, 2019. [Online]. Available: https://www.accenture.com/_acnmedia/pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf
[5] R. Saint-Germain, “Information security management best practice based on ISO/IEC 17799,” Inf. Manage. J., vol. 39, no. 4, pp. 60–66, 2005.
[6] G. Disterer, “ISO/IEC 27000, 27001 and 27002 for information security management,” J. Inf. Secur., vol. 4, no. 2, pp. 92–100, 2013.
[7] Information Security Management Systems, ISO/IEC 27001:2013 (EN), 2013.
[8] P. Castka and C. J. Corbett, “Management systems standards: Diffusion, impact and governance of ISO 9000, ISO 14000, and other management standards,” Foundations Trends Technol. Inf. Oper. Manage., vol. 7, no. 3/4, pp. 161–379, 2013.
[9] E. M. Rogers, Diffusion of Innovations, 5th ed. New York, USA: Free Press, 2003.
[10] V. Fomin, H. Vries, and Y. Barlette, “ISO/IEC 27001 information systems security management standard: Exploring the reasons for low adoption,” in Proc. 3rd Eur. Conf. Manage. Technol., 2008, pp. 1–13.
[11] Y. Barlette and V. Fomin, “The adoption of information security management standards: A literature review,” in Proc. Inf. Resour. Manage.: Concepts, Methodologies, Tools Appl., 2010, pp. 69–90.
[12] Y. Barlette and V. V. Fomin, “Exploring the suitability of IS security management standards for SMEs,” in Proc. 41st Annu. Hawaii Int. Conf. Syst. Sci., 2008, pp. 308–317.
[13] Z. Abu Bakar, N. A. Yaacob, Z. M. Udin, J. R. Hanaysha, and L. K. Loon, “The adoption of business continuity management best practices among Malaysian organizations,” Adv. Sci. Lett., vol. 23, no. 9, pp. 8484–8491, Sep. 2017.
[14] A. Skopak and S. Sakanovic, “Adoption of standard for information security ISO/IEC 27001 in Bosnia and Herzegovina,” in Proc. Int. Conf. Econ. Social Stud. Sarajevo, 2016, pp. 35–42.
[15] C. Candiwan, “Analysis of ISO27001 implementation for enterprises and SMEs in Indonesia,” in Proc. Int. Conf. Cyber-Crime Investigation Cyber Secur., 2014, pp. 50–58.
[16] K. I. Alshitri and A. N. Abanumy, “Exploring the reasons behind the low ISO 27001 adoption in public organizations in Saudi Arabia,” in Proc. Int. Conf. Inf. Sci. Appl., 2014, pp. 1–4.
[17] B. AbuSaad, F. A. Saeed, K. Alghathbar, and B. Khan, “Implementation of ISO 27001 in Saudi Arabia—Obstacles, motivations, outcomes, and lessons learned,” in Proc. Australian Inf. Secur. Manage. Conf., 2011, pp. 1–9.
[18] R. Van Wessel and H. J. de Vries, “Business impact of international standards for information security management. Lessons from case companies,” J. Inf. Commun. Technol. Standardization, vol. 1, pp. 25–40, 2013.
[19] J. Kinne and J. Axenbeck, “Web mining of firm websites: A framework for Web scraping and a pilot study for Germany,” Leibniz Assoc., Berlin, Germany, ZEW Discussion Paper 18-033, 2019.
[20] J. Kinne and D. Lenz, “Predicting innovative firms using web mining and deep learning,” Leibniz Assoc., Berlin, Germany, ZEW Discussion Paper 19-001, 2019.
[21] K. Blind, “Certifications based on international management system standards as innovation indicators: An explorative feasibility analysis,” in Proc. 24th EURAS Annu. Standardisation Conf., Standards, Bio-Based Econ., 2019, pp. 51–69.
[22] H. Armbruster, A. Bikfalvi, S. Kinkel, and G. Lay, “Organizational innovation: The challenge of measuring non-technical innovation in large-scale surveys,” Technovation, vol. 28, no. 10, pp. 644–657, 2008.
[23] G. Hashem and J. Tann, “The adoption of ISO 9000 standards within the Egyptian context: A diffusion of innovation approach,” Total Qual. Manage. Bus. Excellence, vol. 18, no. 6, pp. 631–652, 2007.
[24] L. G. Tornatzky, M. Fleischer, and A. Chakrabarti, The Processes of Technological Innovation (Issues in Organization and Management Series). Lexington, MA, USA: Lexington Books, 1990.
[25] M. V. Uzumeri, “ISO 9000 and other metastandards: Principles for management practice?” Acad. Manage. Perspectives, vol. 11, no. 1, pp. 21–36, 1997.
[26] ISO, “Management system standards.” Accessed on: Mar. 1, 2019. [Online]. Available: https://www.iso.org/management-system-standards.html
[27] Conformity Assessment—Vocabulary and General Principles, EN ISO/IEC 17000:2004, 2004.
[28] M. Spence, “Job market signaling,” Quart. J. Econ., vol. 87, no. 3, pp. 355–374, 1973.
[29] W. K. Viscusi, “A note on ‘lemons’ markets with quality certification,” Bell J. Econ., vol. 9, no. 1, pp. 277–279, 1978.
[30] G. A. Akerlof, “The market for ‘lemons’: Quality uncertainty and the market mechanism,” Quart. J. Econ., vol. 84, no. 3, pp. 488–500, 1970.
[31] A. Terlaak and A. A. King, “The effect of certification with the ISO 9000 quality management standard: A signaling approach,” J. Econ. Behav. Org., vol. 60, no. 4, pp. 579–602, 2006.
[32] M. Delmas and I. Montiel, “The diffusion of voluntary international management standards: Responsible Care, ISO 9000, and ISO 14001 in the chemical industry,” Policy Stud. J., vol. 36, no. 1, pp. 65–93, 2008.
[33] S. W. Anderson, J. D. Daly, and M. F. Johnson, “Why firms seek ISO 9000 certification: Regulatory compliance or competitive advantage?” Prod. Oper. Manage., vol. 8, no. 1, pp. 28–43, 1999.
[34] K. D. Gotzamani and G. D. Tsiotras, “An empirical study of the ISO 9000 standards’ contribution towards total quality management,” Int. J. Oper. Prod. Manage., vol. 21, no. 10, pp. 1326–1342, 2001.
[35] M. Terziovski, D. Power, and A. S. Sohal, “The longitudinal effects of the ISO 9000 certification process on business performance,” Eur. J. Oper. Res., vol. 146, no. 3, pp. 580–595, 2003.
[36] M. Potoski and A. Prakash, “Information asymmetries as trade barriers: ISO 9000 increases international commerce,” J. Policy Anal. Manage., vol. 28, no. 2, pp. 221–238, 2009.
[37] B. Manders, H. J. de Vries, and K. Blind, “ISO 9001 and product innovation: A literature review and research framework,” Technovation, vol. 48, pp. 41–55, 2016.
[38] H. A. Quazi, Y.-K. Khoo, C.-M. Tan, and P.-S. Wong, “Motivation for ISO 14000 certification: Development of a predictive model,” Omega, vol. 29, no. 6, pp. 525–542, 2001.
[39] P. DiMaggio and W. W. Powell, “The iron cage revisited: Collective rationality and institutional isomorphism in organizational fields,” Amer. Sociol. Rev., vol. 48, no. 2, pp. 147–160, 1983.
[40] E. Naveh, A. Marcus, and H. Koo Moon, “Implementing ISO 9000: Performance improvement by first or second movers,” Int. J. Prod. Res., vol. 42, no. 9, pp. 1843–1863, May 2004.
[41] A. Terlaak and A. A. King, “Follow the small? Information-revealing adoption bandwagons when observers expect larger firms to benefit more from adoption,” Strategic Manage. J., vol. 28, no. 12, pp. 1167–1185, Dec. 2007.
[42] M. A. Delmas and M. Montes-Sancho, “An institutional perspective on the diffusion of international management system standards: The case of the environmental management standard ISO 14001,” Bus. Ethics Quart., vol. 21, no. 1, pp. 103–132, 2011.
[43] T. H. Arimura, N. Darnall, and H. Katayama, “Is ISO 14001 a gateway to more advanced voluntary action? The case of green supply chain management,” J. Environ. Econ. Manage., vol. 61, no. 2, pp. 170–182, 2011.
[44] P. J. Singh, M. Feng, and A. Smith, “ISO 9000 series of standards: Comparison of manufacturing and service organisations,” Int. J. Qual. Rel. Manage., vol. 23, no. 2, pp. 122–142, 2006.
[45] G. M. P. Swann, “The economics of standardization: An update,” Innov. Econ. Limited, London, U.K., Rep. U.K. Dept. Bus., Innov. Skills, 2010.
[46] X. Cao and A. Prakash, “Growing exports by signaling product quality: Trade competition and the cross-national diffusion of ISO 9000 quality standards,” J. Policy Anal. Manage., vol. 30, no. 1, pp. 111–135, 2011.
[47] B. Manders, “Implementation and impact of ISO 9001,” Ph.D. dissertation, Erasmus Res. Inst. Manage., Rotterdam, The Netherlands, 2015.
[48] P. Bansal and W. C. Bogner, “Deciding on ISO 14001: Economics, institutions, and context,” Long Range Planning, vol. 35, no. 3, pp. 269–290, 2002.
[49] K. Blind and A. Mangelsdorf, “Zertifizierung in deutschen Unternehmen – zwischen Wettbewerbsvorteil und Kostenfaktor,” in Zertifizierung als Erfolgsfaktor. Berlin, Germany: Springer, 2016, pp. 23–32.
[50] M. L. Katz and C. Shapiro, “Network externalities, competition, and compatibility,” Amer. Econ. Rev., vol. 75, no. 3, pp. 424–440, 1985.
[51] C. J. Corbett and D. A. Kirsch, “International diffusion of ISO 14000 certification,” Prod. Oper. Manage., vol. 10, no. 3, pp. 327–342, 2001.
[52] F. Tuczek, P. Castka, and T. Wakolbinger, “A review of management theories in the context of quality, environmental and social responsibility voluntary standards,” J. Cleaner Prod., vol. 176, pp. 399–416, 2018.
[53] D. Maier, A. M. Vadastreanu, T. Keppler, T. Eidenmuller, and A. Maier, “Innovation as a part of an existing integrated management system,” Procedia Econ. Finance, vol. 26, pp. 1060–1067, 2015.
[54] T. H. Jørgensen, A. Remmen, and M. D. Mellado, “Integrated management systems—Three different levels of integration,” J. Cleaner Prod., vol. 14, no. 8, pp. 713–722, 2006.
[55] R. Gey and A. Fried, “Metastructuring for standards: How organizations respond to the multiplicity of standards,” in Corporate and Global Standardization Initiatives in Contemporary Society. Hershey, PA, USA: IGI Global, 2018, pp. 252–276.
[56] H. J. de Vries and F. El Osrouti, “Impact studies on standards and standardisation - Looking back and moving forward,” in Proc. 24th EURAS Annu. Standardisation Conf., Standards, Bio-Based Econ., 2019, pp. 131–142.
[57] C. B. Stamm, “ISO 26000 gets taken around: Diffusion work as crucial link between standard creation and adoption,” in Corporate Social Responsibility and Corporate Change. Berlin, Germany: Springer, 2019, pp. 135–158.
[58] Information Technology—Security Techniques—Information Security Management Systems—Overview and Vocabulary, ISO/IEC 27000:2018 (en), 2018.
[59] R. Von Solms and J. Van Niekerk, “From information security to cyber security,” Comput. Secur., vol. 38, pp. 97–102, 2013.
[60] ISO, “The ISO survey of management system standard certifications 2017,” 2018. [Online]. Available: https://www.iso.org/the-iso-survey.html. Accessed on: Feb. 2, 2019.
[61] D. Tunçalp, “Diffusion and adoption of information security management standards across countries and industries,” J. Global Inf. Technol. Manage., vol. 17, no. 4, pp. 221–227, 2014.
[62] T. Neubauer, A. Ekelhart, and S. Fenz, Interactive Selection of ISO 27001 Controls Under Multiple Objectives. Boston, MA, USA: Springer, 2008, pp. 477–492.
[63] N. F. Doherty and H. Fulford, “Do information security policies reduce the incidence of security breaches: An exploratory analysis,” Inf. Resour. Manage. J., vol. 18, no. 4, pp. 21–39, 2005.
[64] C. Hsu, T. Wang, and A. Lu, “The impact of ISO 27001 certification on firm performance,” in Proc. 49th Hawaii Int. Conf. Syst. Sci., 2016, pp. 4842–4848.
[65] G. P. Tejay and B. Shoraka, “Reducing cyber harassment through de jure standards: A study on the lack of the information security management standard adoption in the USA,” Int. J. Manage. Decis. Making, vol. 11, no. 5/6, pp. 324–343, 2011.
[66] Y. Benslimane, Z. Yang, and B. Bahli, “Information security between standards, certifications and technologies: An empirical study,” in Proc. Int. Conf. Inf. Sci. Secur., 2016, pp. 1–5.
[67] A. Longras, T. Pereira, P. Cameiro, and P. Pinto, “On the track of ISO/IEC 27001:2013 implementation difficulties in Portuguese organizations,” in Proc. Int. Conf. Intell. Syst., 2018, pp. 886–890.
[68] S. Uwizeyemungu and P. Poba-Nzaou, “Understanding information technology security standards diffusion: An institutional perspective,” in Proc. Int. Conf. Inf. Syst. Secur. Privacy, 2015, pp. 5–16.
[69] J. A. Schumpeter, Theorie der wirtschaftlichen Entwicklung. Leipzig, Germany: Duncker & Humblot, 1912. English translation published in 1934 as The Theory of Economic Development. Cambridge, MA, USA: Harvard Univ. Press.
[70] T. Oliveira and M. F. Martins, “Literature review of information technology adoption models at firm level,” Electron. J. Inf. Syst. Eval., vol. 14, no. 1, pp. 110–121, 2011.
[71] K. K. Kuan and P. Y. Chau, “A perception-based model for EDI adoption in small businesses using a technology–organization–environment framework,” Inf. Manage., vol. 38, no. 8, pp. 507–521, 2001.
[72] Y.-M. Wang, Y.-S. Wang, and Y.-F. Yang, “Understanding the determinants of RFID adoption in the manufacturing industry,” Technol. Forecasting Social Change, vol. 77, no. 5, pp. 803–815, 2010.
[73] M.-J. Pan and W.-Y. Jang, “Determinants of the adoption of enterprise resource planning within the technology-organization-environment framework: Taiwan’s communications industry,” J. Comput. Inf. Syst., vol. 48, no. 3, pp. 94–102, 2008.
[74] I. Heras-Saizarbitoria and O. Boiral, “ISO 9001 and ISO 14001: Towards a research agenda on management system standards,” Int. J. Manage. Rev., vol. 15, no. 1, pp. 47–65, 2013.
[75] J. Llach, R. D. Castro, A. Bikfalvi, and F. Marimon, “The relationship between environmental management systems and organizational innovations,” Hum. Factors Ergonom. Manuf. Serv. Ind., vol. 22, no. 4, pp. 307–316, 2012.
[76] G. Mangiarotti and C. A. F. Riillo, “Determinants of ISO 9000:2000 certification in services and manufacturing: An empirical analysis for Luxembourg,” in Proc. 4ème Colloque Luxembourgeois sur l’économie de la Connaissance dans une Perspective Européenne, 2010, pp. 7–9.
[77] E. Hoti, “The technological, organizational and environmental framework of IS innovation adaption in small and medium enterprises. Evidence from research over the last 10 years,” Int. J. Bus. Manage., vol. 3, no. 4, pp. 1–14, 2015.
[78] N. Askitas and K. F. Zimmermann, “The internet as a data source for advancement in social sciences,” Int. J. Manpower, vol. 36, no. 1, pp. 2–12, 2015.
[79] R. Kosala and H. Blockeel, “Web mining research: A survey,” ACM SIGKDD Explorations Newslett., vol. 2, no. 1, pp. 1–15, 2000.
[80] A. Gök, A. Waterworth, and P. Shapira, “Use of web mining in studying innovation,” Scientometrics, vol. 102, no. 1, pp. 653–671, 2015.
[81] G. Miner, J. Elder IV, A. Fast, T. Hill, R. Nisbet, and D. Delen, Practical Text Mining and Statistical Analysis for Non-Structured Text Data Applications. Cambridge, MA, USA: Academic, 2012.
[82] J. S. Katz and V. Cothey, “Web indicators for complex innovation systems,” Res. Eval., vol. 15, no. 2, pp. 85–95, 2006.
[83] J. Youtie, D. Hicks, P. Shapira, and T. Horsley, “Pathways from discovery to commercialisation: Using web sources to track small and medium-sized enterprise strategies in emerging nanotechnologies,” Technol. Anal. Strategic Manage., vol. 24, no. 10, pp. 981–995, 2012.
[84] S. K. Arora, J. Youtie, P. Shapira, L. Gao, and T. Ma, “Entry strategies in an emerging technology: A pilot web-based study of graphene firms,” Scientometrics, vol. 95, no. 3, pp. 1189–1207, 2013.
[85] C. Beaudry, M. Héroux-Vaillancourt, and C. Rietsch, “Validation of a web mining technique to measure innovation in high technology Canadian industries,” in Proc. 1st Int. Conf. Adv. Res. Methods Anal., 2016, pp. 1–25.
[86] M. Nathan and A. Rosso, “Innovative events,” Centro Studi Luca d’Agliano, Torino, Italy, Develop. Stud. Work. Paper 429, 2017.
[87] J. Bersch, S. Gottschalk, B. Müller, and M. Niefert, “The Mannheim Enterprise Panel (MUP) and firm statistics for Germany,” Zentrum für Europäische Wirtschaftsforschung (ZEW), Mannheim, Germany, ZEW Discussion Paper 14-104, 2014.
[88] Eurostat, “Statistical classification of economic activities in the European Community,” NACE Rev. 2, 2008. Accessed on: Feb. 2, 2019. [Online]. Available: https://ec.europa.eu/eurostat/ramon/nomenclatures/index.cfm?TargetUrl=LST_NOM_DTL&StrNom=NACE_REV2&StrLanguageCode=EN&IntPcKey=&StrLayoutCode=HIERARCHIC
[89] G. King and L. Zeng, “Logistic regression in rare events data,” Political Anal., vol. 9, no. 2, pp. 137–163, 2001.
[90] O. Hogan, R. Jayasuriya, and C. Sheehy, “Economic contribution of standards in Ireland: A report for the National Standards Authority of Ireland,” Centre for Econ. Bus. Res. (CEBR), London, U.K., Dec. 2015.
[91] DEKRA, “Informationssicherheit.” [Online]. Available: https://www.dekra-akademie.de/de/iso2700x-schulung/. Accessed on: Mar. 7, 2019.
[92] I. M. Lopes, T. Guarda, and P. Oliveira, “How ISO 27001 can help achieve GDPR compliance,” in Proc. 14th Iberian Conf. Inf. Syst. Technol., 2019, pp. 1–6.
[93] K. L. Keller, “Brand synthesis: The multidimensionality of brand knowledge,” J. Consum. Res., vol. 29, no. 4, pp. 595–600, 2003.
[94] J. Hu, Y. Zhang, and X. Fang, “Research on partner selection mechanism of technological standard alliance: From the perspective of network embeddedness,” in Proc. Portland Int. Conf. Manage. Eng. Technol., 2015, pp. 585–595.
[95] Eurostat, “ICT security in enterprises,” 2015. [Online]. Available: https://ec.europa.eu/eurostat/statistics-explained/index.php/ICT_security_in_enterprises. Accessed on: Nov. 19, 2018.
[96] H. Mintzberg, S. Ghoshal, J. Lampel, and J. B. Quinn, The Strategy Process: Concepts, Contexts, Cases. Harlow, U.K.: Pearson Educ., 2003.
[97] J. M. Utterback and W. J. Abernathy, “A dynamic model of process and product innovation,” Omega, vol. 3, no. 6, pp. 639–656, 1975.
[98] European Commission, “2019 Rolling plan for ICT standardisation,” DG Internal Market, Ind., Entrepreneurship SMEs, Eur. Commission, Brussels, Belgium, 2019.
[99] C. Tankard, “What the GDPR means for businesses,” Netw. Secur., vol. 2016, no. 6, pp. 5–8, 2016.
Mona Mirtsch received the M.Sc. degree in business administration from the San Diego State University, San Diego, CA, USA, in 2004, and the Diploma in business administration from the European University Viadrina Frankfurt (Oder), Frankfurt (Oder), Germany, in 2006. She is currently working toward the Ph.D. degree in innovation economics with the Technische Universität Berlin, Berlin, Germany, in the field of cybersecurity and conformity assessment.
From 2006 to 2010, she was a Trainee and a Brand Manager for a multinational fast-moving consumer goods corporation in Hamburg, Germany. From 2010 to 2017, she was a Sales Manager also responsible for quality management for a family-owned metal forming company in Berlin, Germany. Since 2017, she has been working with the Department for Accreditation and Conformity Assessment at the Bundesanstalt für Materialforschung und -prüfung (Federal Institute for Materials Research and Testing—BAM), Berlin, Germany, dealing with quality infrastructure issues.

Jan Kinne received the master’s degree in geography from the Heidelberg University, Heidelberg, Germany, in 2016. He is currently working toward the Ph.D. degree in applied geoinformatics at the University of Salzburg, Salzburg, Austria, in the field of microgeographic innovation research using web data.
He was a Visiting Fellow with the Institute for Quantitative Social Sciences, Harvard University, in 2019. Since 2016, he has been working as a Researcher with the Economics of Innovation Department, ZEW Centre for European Economic Research. Based on his Ph.D. research, he co-founded istari.ai (istari artificial intelligence), a startup company for AI-driven web analysis of company websites. His main areas of study were geoinformatics and spatial analysis (GIScience).

Knut Blind received the Bachelor of Arts degree from Brock University, St. Catharines, ON, Canada, in 1990 and the Diploma in economics and the Doctoral degree in economics from Freiburg University, Freiburg, Germany, in 1995. He studied economics, political science, and psychology at Albert-Ludwigs-Universität Freiburg, Freiburg, Germany.
In April 2006, he was appointed as a Professor of Innovation Economics with the Faculty of Economics and Management, Technische Universität Berlin. Between 2008 and 2016, he also held the endowed Chair of Standardisation at the Rotterdam School of Management, Erasmus University. Since 1996, he has been with the Fraunhofer Society (currently the Fraunhofer Institute of Systems and Innovation Research).
... The acceleration of digital-first approaches in the wake of the COVID-19 health crisis has further increased the need for a better understanding by corporate decisionmakers (Hopkins, 2021;Boehm et al., 2020). This is also reflected in the increasing interest in both academia and practice in the ISO/IEC 27001 information security management standard (Culot et al., 2021(Culot et al., , 2019Mirtsch et al., 2021a). As other standards for management systems -e.g., ISO 9001, ISO 14001, OHSAS 18001/ISO 45001 -ISO/ IEC 27001 is a process-oriented management tool (Heras-Saizarbitoria and Boiral, 2013;Culot et al., 2021). ...
... Initially, the studies were mostly of a technical nature, i.e., methods for control implementation and harmonization with other standards (e.g., Simić-Draws et al., 2013;Pardo et al., 2012). Only recently the debate has been intensifying on non-technical outlets (e.g., Mirtsch et al., 2021a;Deane et al., 2019). This mirrors a new attitude towards IS. ...
... The literature has also debated iv) contextual factors mostly related to industry and geographical idiosyncrasies as well as to the technological profile and previous ISO experience of the certified companies. The studies of Mirtsch et al. (2021a), Gillies (2011), and Cots and Casadesús (2015), indicated that there are more certifications in technological industries and in countries where the government has pursued regulatory or promotion activities (as such companies value the benefits of ISO/IEC 27001 higher than firms outside these contexts - Mirtsch et al., 2021b). Finally, some studies have questioned the standard effectiveness in guaranteeing IS against more complex and innovative technological environments (e.g., those determined by cloud computing and the Internet of Things), suggesting the integration of other technology-specific standards (Leszczyna, 2019;Ku et al., 2009). ...
Article
Although protecting information is the key challenge in a business environment characterized by increasing digitalization and connectivity, the impact of firms' investments in information security on their financial performance is unclear. In this paper, we focus on ISO/IEC 27001 (i.e., the most renowned norm in the field and the fourth most widespread ISO standard) and analyze the relationship between the attainment of the certification and firms' financial performance. We developed a set of theory-grounded hypotheses and tested them through a long-term event study complemented by an ordinary least squares regression on a dataset of 143 US-listed companies. The results indicate that the ISO/IEC 27001 certification is associated with improvements in profitability, labor productivity, and (partially) sales performance. The impact appears affected by the level of internationalization of the certified firm. The study contributes to the scientific debate on information security and certifications by developing the first large-scale empirical investigation based on secondary data on the financial implications of ISO/IEC 27001. Moreover, we further deepen the current knowledge on the effects of international management standards on firms' performance thus enabling comparisons with other major management system standards.
... When users pay attention to privacy, there are two measurement dimensions of information risk: severity and susceptibility. Combined with the sensitive information protection and management standard [8], the influencing factor analysis model shown in Figure 1 is constructed. Use the model shown in Figure 1 to identify the risk categories of college sports fitness sensitive information in the cloud storage environment. ...
... When the number of experiments reaches more than 60, the recognition accuracy of Test group a reaches the highest value, which shows that under the support of the number of experiments, the method achieves the best stability and application performance. 8 Journal of Sensors ...
Article
Full-text available
In order to improve the security of college sports fitness sensitive information, this paper proposes a hybrid encryption algorithm for college sports fitness sensitive information in cloud storage environment. Build an analysis model of influencing factors of cloud storage environment to identify the risk value of sensitive information; Using Bloom filter data structure to eliminate redundant data of sensitive information; The transmission channel model of sensitive information and the security coding model of sensitive information are constructed. Combined with the fuzzy differential information fusion method, the complete key of sensitive information under the symmetric encryption protocol is obtained to realize the key optimization design. Through AES encryption and decryption algorithm, the anti encryption control and structural reorganization of college sports fitness sensitive information, and the iterative convergence control of hybrid encryption, so as to realize the hybrid encryption of college sports fitness sensitive information. The encryption time of the design algorithm under different attribute numbers is always kept below 0.2S, the maximum encryption time under different number of software packages is only 0.5 s, and the encryption accuracy can reach 1, which proves that the design algorithm has certain application value.
... Mirtsch et al [31] proposed the techniques for the ISO/IEC standards were not given the expected growth rate of page ranking factors. The standards like ISO/IEC 27000 for improving the growth of web content mining on large networks have not given the web page growth rate concerning the presence of data on web pages. ...
... This paper suggested a methodology for mining huge volume of data from data centers using LSTM in deep learning. Also suggested techniques for fake or duplicate data memory space will be wasted and the cost for configuring the data centers will also be avoided [31]. The Sequential LSTM will be the solution for the continuous monitoring of data status over the large network and will monitor the data position in parallel. ...
... These benefits will also turn out to be key in this study. In addition to simple keyword-based approaches, e.g. to measure the diffusion of standards [33], approaches with more sophisticated NLP and Machine Learning (ML) methods in particular, have been successfully used, to generate web-based firm-level innovation indicators [34,35], for instance. ...
Article
Full-text available
Usually, official and survey-based statistics guide policymakers in their choice of response instruments to economic crises. However, in an early phase, after a sudden and unforeseen shock has caused unexpected and fast-changing dynamics, data from traditional statistics are only available with non-negligible time delays. This leaves policymakers uncertain about how to most effectively manage their economic countermeasures to support businesses, especially when they need to respond quickly, as in the COVID-19 pandemic. Given this information deficit, we propose a framework that guided policymakers throughout all stages of this unforeseen economic shock by providing timely and reliable sources of firm-level data as a basis to make informed policy decisions. We do so by combining early stage ‘ad hoc’ web analyses, ‘follow-up’ business surveys, and ‘retrospective’ analyses of firm outcomes. A particular focus of our framework is on assessing the early effects of the pandemic, using highly dynamic and large-scale data from corporate websites. Most notably, we show that textual references to the coronavirus pandemic published on a large sample of company websites and state-of-the-art text analysis methods allowed to capture the heterogeneity of the pandemic’s effects at a very early stage and entailed a leading indication on later movements in firm credit ratings. While the proposed framework is specific to the COVID-19 pandemic, the integration of results obtained from real-time online sources in the design of subsequent surveys and their value in forecasting firm-level outcomes typically targeted by policy measures, is a first step towards a more timely and holistic approach for policy guidance in times of economic shocks.
... Correct supervision and audit of CH allow confirming that end users pay attention to computer systems' security details. ISO 27000 [25] is one of the most implement cybersecurity frameworks worldwide, and it is very suitable to implement in SG. Other best practice and IT governance frameworks are the Control Objectives for Information and related Technology (COBIT) [26], the Information Technology Infrastructure Library (ITIL) [27], the Mexican Norm for Cybersecurity and IT Governance (MAAGTICSI in Spanish acronym) [28], among others. ...
Article
Full-text available
Although smart grids offer multiple advantages over traditional grids, there are still challenges to overcome to ensure the quality of service and grid security. In particular, cybersecurity plays an essential role in ensuring grid operation reliability and resilience to external threats. The traditional approach to address cybersecurity issues generally does not consider the human factor as the main component. Recently, the concept of cyber hygiene has emerged, where social and human aspects are fundamental to reduce vulnerabilities and the risk of attacks and breaches. In a similar manner to personal hygiene, which greatly influences people’s health, considering the human factor (i.e., human behaviour, awareness, and training) as a critical cybersecurity component, can significantly improve human operator cybersecurity practices that in turn can result in improved cybersecurity performance. In this paper, the authors propose and test a methodology for implementing cyber hygiene practices in the context of Smart Grid systems, focused on smart metering systems. The results suggest that implementing cyber hygiene practices can improve smart meter cybersecurity and be suitable for implementing other sensitive Smart Grid components.
... This accumulation will provide scalability and flexibility of the PRMS in distributed environments where different healthcare organizations will collaborate for delivering perfect services by ensuring the privacy and security of the patients' sensitive data. Additionally, we plan to construct Security Incident Management (SIM) [94,95] for information security management as this is one of the critical information security controls for organizations recommended by ISO/IEC 27001 [96,97]. SIM will support the PRMS by notifying them of information security incidents or vulnerabilities. ...
Article
Full-text available
Privacy has become an increasingly significant apprehension in today’s rapidly changing economy primarily for personal and sensitive user data. The levels of personal data violation are increasing day by day however privacy-preserving frameworks are available. This paper conducted an in-depth analysis of contemporary frameworks to identify the key mechanisms to produce a sophisticated data privacy framework to reduce the rate of data breach particularly for the Patient Record Management System (PRMS). There are several studies available that stated healthcare data privacy, still, complete data protection solution with the application of privacy by design towards patients’ health data by ensuring privacy in each layer of the PRMS are quite limited, which is the focus of this study. PRMS manages personal and sensitive data while delivering healthcare services to the patients and as such, have also the potential to carry significant risks to the privacy of their data. A novel conceptual framework with three distinct and sequential phases is suggested in this research, each of which is defined in a distinct section. The first phase is defined as the planning to identify the key limitations of contemporary frameworks so these can be minimized to ensure privacy in each layer of data processing. The second phase incorporates the key components of data privacy to satisfy the efficiency and effectiveness of the proposed framework. Finally, the third phase is the implementation of the selected requirements of the assessment phase to prevent privacy incursion events in PRMS. The complete framework is anticipated to deliver a sophisticated resistance in contradiction to the continuous data breaches in the patients’ information domain.
... In Equation (12), the coefficient a ≥ 1. Combining the blockchain fuzzy constraint control method of accounting information [14], a regression analysis and constraint evolution model of accounting information association is constructed, which is expressed as ...
Article
At present, accounting information presents various and complex characteristics, which leads to the decline in the comprehensive scheduling level of accounting information security management system. For this problem, a blockchain-based accounting information security management information model is designed. This paper constructs the blockchain accounting information security association blockchain Big Data analysis model and processes the sample data, uses the semantic rough feature matching method to decompose the characteristics of blockchain accounting information, realizes the feature information fusion and autocorrelation feature matching and finally reorganizes and manages the blockchain accounting information security. The simulation results show that this method has better comprehensive scheduling ability, information fusion scheduling ability is greater than 92%, convergence is greater than 91.8%, feature recognition rate is greater than 90.1%, and management accuracy is greater than 95.6%. The design method can effectively improve the security and stability of accounting information storage and management.
... These benefits will also turn out to be key in this study. In addition to simple keyword-based approaches, e.g. to measure the diffusion of standards (Mirtsch et al. 2021), approaches with more sophisticated NLP methods in particular have been used successfully, for instance to generate web-based firm-level innovation indicators (Kinne & Lenz 2021). In this paper, we use corporate website data to capture and assess the dynamics of an exogenous shock on the corporate sector. ...
Preprint
Usually, official and survey-based statistics guide policy makers in their choice of response instruments to economic crises. However, in an early phase, after a sudden and unforeseen shock has caused incalculable and fast-changing dynamics, data from traditional statistics are only available with non-negligible time delays. This leaves policy makers uncertain about how to most effectively manage their economic countermeasures to support businesses, especially when they need to respond quickly, as in the COVID-19 pandemic. Given this information deficit, we propose a framework that guides policy makers throughout all stages of an unforeseen economic shock by providing timely and reliable data as a basis for informed decisions. We do so by combining early stage 'ad hoc' web analyses, 'follow-up' business surveys, and 'retrospective' analyses of firm outcomes. A particular focus of our framework is on assessing the early effects of the pandemic, using highly dynamic and large-scale data from corporate websites. Most notably, we show that textual references to the coronavirus pandemic published on a large sample of company websites, combined with state-of-the-art text analysis methods, make it possible to capture the heterogeneity of the crisis' effects at a very early stage and provide a leading indication of later movements in firm credit ratings.
Book
The ‘Web Intelligence for Drones’ initiative builds on previous research into web scraping of business information in the context of official statistics. The study was triggered by the absence of consolidated data on drones, the operation of drones or market size in the EU, despite the EU having one of the most advanced regulations on unmanned aircrafts in the world. In particular, research focusses on the development of a methodology and of the tools needed to retrieve information from the World Wide Web (www) concerning businesses based in EU countries that have their main activity in the civil drones sector. This scientific summary presents the chain-like methodology and the tools developed to identify drone companies through the www and to extract company-relevant information from their websites. The method was developed with a perspective of generalisation in mind (across countries and across economic sectors) wherever possible. It has already been fully applied to three European countries (Spain, Italy and Ireland).
Article
This report presents a framework for the systematic monitoring of the global hydrogen economy, suggesting data sources and indicators to systematically survey the most important trends and developments. Monitoring based on this framework could provide an important knowledge base for the continuous review of policy measures related to the German and European hydrogen policy.
Chapter
Transnational CSR standards are neither imposed nor do they automatically find their way to potential adopters. Instead, they get “taken around” by diffusion actors at the organizational field level. The article conceptualizes diffusion as part of institutionalization processes and mobilizes the concept of diffusion work to study people’s activities aimed at the dissemination of transnational CSR standards. Based on a case study on the early diffusion of ISO 26000 - Social Responsibility Guidance Standard in Germany and Canada, it shows the interplay of various types of actors committed to diffuse, and for some, to hinder the diffusion of the standard. By categorizing diffusion work on two axes (direct-indirect and explicit-implicit), this paper sheds light on the diffusion dynamics surrounding a newly released standard. The findings reveal that the standard setter must rely on external actors to diffuse its standard, that the national context matters and that some characteristics of ISO 26000 influence diffusion forms and trajectories.
Article
The objective of this study is to provide an overview of the level of BCM implementation among Malaysian organizations. Furthermore, this study will also present the initiatives undertaken by the respective government agencies to enhance the effectiveness of BCM and promote the adoption of best practices based on the international standards. For the purpose of this study, the data was gathered through several methods of data collection involving 147 organizations, with an effective response rate of 55 percent. The population of this study covers public and private sector organizations that have obtained ISO 27001 and ISO 22301 certification, as these organizations are deemed to possess a considerably higher sense of commitment towards embracing BCM best practices. The outcomes of this study revealed that the majority of the participating organizations already have a proper BCM program in place, but there is still a need for further improvement in certain areas. The results of this study offer notable insights to policy makers, practitioners and researchers, which may help to elevate the take-up of BCM best practices among Malaysian organizations.
Chapter
This chapter focusses on the appearance and implementation of process standards in software development organizations. The authors are interested in the way organizations handle the plurality of process standards. Organizations respond by metastructuring (Orlikowski et al. 1995) to the increasing demand for standardizing their development processes. Standard Metastructuring summarizes all organizational mechanisms for facilitating the ongoing adaption of global standards to the organizational context. Based on an in-depth single case study of a software developing organization in the automotive technology sector, we found four areas of metastructuring, four roles for standard mediation, and four types of metastructuring activities as the ways in which the organization copes with global standard requirements. With the case study, we encourage further research that examines standards in use and how organizations respond to the challenges of standardization.
Article
Management theories are an important backbone of scholarly work. Various areas of management such as purchasing, logistics and strategy have critically evaluated theories to move these fields of management forward. However, no such work exists in the area of voluntary standards. Voluntary standards, such as standards for quality, environmental management and social responsibility, have been covered extensively in research studies, and substantial knowledge exists in terms of their diffusion, adoption, impact and governance. The studies adopt different theoretical perspectives. A number of literature reviews on voluntary standards exist; however, none of the papers so far has critically scrutinized the theoretical underpinnings of these studies. This paper, therefore, fills an important gap in the literature by providing a critical review of theories that contribute to understanding the issues pertinent to voluntary standards. Inductive and deductive search methods are applied considering the ten most prominent voluntary standards (ISO 9001, ISO 14001, OHSAS 18001, ISO 26000, EMAS, AA1000, SA8000, FSC, MSC, and FairTrade). Nine theories (clustered as Corporate Nature Theories, External (Stakeholder) Perspective Theories and Process and Attitude Perspective Theories) that have been previously employed are scrutinized. The paper analyses the evolution of the theoretical underpinnings of 62 papers published in highly ranked journals between 2001 and 2016. The analysis demonstrates a dominant use of Corporate Nature Theories and External (Stakeholder) Perspective Theories and shows the evolution of the field. The paper concludes by linking the theories to key research areas in voluntary standards and aids researchers by identifying theories that are promising in terms of their applicability to explore future research paths in this field of study.