This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
IEEE TRANSACTIONS ON ENGINEERING MANAGEMENT
Exploring the Adoption of the International Information Security Management System Standard ISO/IEC 27001: A Web Mining-Based Analysis
Mona Mirtsch, Jan Kinne, and Knut Blind
Abstract—In the light of digitalization and recent EU policy initiatives, information is an important asset that organizations of all sizes and from all sectors should secure. However, in order to provide common requirements for the implementation of an information security management system, the internationally well-accepted ISO/IEC 27001 standard has not shown the expected growth rate since its publication more than a decade ago. In this article, we apply web mining to explore the adoption of ISO/IEC 27001 through a series of 2664 out of more than 900 000 German firms from the Mannheim Enterprise Panel dataset that refers to this standard on their websites. As a result, we present a “landscape” of ISO/IEC 27001 in Germany, which shows that firms not only seek certifications themselves but often refer on their websites to partners who are certified instead. Consequently, we estimate a probit model and find that larger and more innovative firms are more likely to be certified to ISO/IEC 27001 and that almost half of all certified firms belong to the information and communications technology (ICT) service sector. Based on our findings, we derive implications for policy makers and management and critically assess the suitability of web mining to explore the adoption of management system standards.
Index Terms—Adoption, information security, management
system standards, standards, web mining.
Manuscript received September 2, 2019; revised December 20, 2019; accepted January 29, 2020. This work was supported in part by the European Commission under Grant Agreement 778420—EURITO and in part by the German Federal Ministry of Education and Research project TOBI under Grant 16IFI001. Review of this manuscript was arranged by Department Editor E. Viardot. (Corresponding author: Mona Mirtsch.)
Mona Mirtsch is with the Bundesanstalt für Materialforschung und -prüfung (Federal Institute for Materials Research and Testing—BAM), 12489 Berlin, Germany, and also with the Technische Universität Berlin, 10587 Berlin, Germany (e-mail: firstname.lastname@example.org).
Jan Kinne is with the ZEW—Leibniz Centre for European Economic Research, 68161 Mannheim, Germany, and with the istari.ai UG (haftungsbeschränkt), 68199 Mannheim, Germany, and also with the Department of Geoinformatics—Z_GIS, University of Salzburg, 5020 Salzburg, Austria
Knut Blind is with the Fraunhofer Institute of Systems and Innovation Research, 76139 Karlsruhe, Germany, and also with the Chair of Innovation Economics, Technische Universität Berlin, 10587 Berlin, Germany (e-mail:
Digital Object Identifier 10.1109/TEM.2020.2977815
In addition to the advantages of digitalization, the growing connectivity also entails risk with regard to information security –. Security breaches have, therefore, become a global concern, with a value at risk arising from direct and indirect attacks of USD 5.2 trillion between 2019 and 2023 . To achieve information security and reduce the risk of security breaches, organizations must take appropriate measures to protect their information assets and ensure business continuity .
The international management system standard ISO/IEC 27001
assists organizations in developing and maintaining an informa-
tion security management system (ISMS) on the organizational
level  and “remains one of the most effective risk management
tools for ﬁghting off the billions of attacks that occur each year”
After implementing this management system, ﬁrms can ad-
ditionally seek certiﬁcation to ISO/IEC 27001 to provide con-
ﬁdence to stakeholders that risks are adequately managed .
Certiﬁcation against (preferably international) standards, such
as ISO/IEC 27001, is increasingly moving into the focus of
policy makers in the light of recent European initiatives. While
the Directive on security of network and information systems
(NIS-Directive EU 2016/1148) targets operators of essential
services in critical infrastructures and digital service providers,
the Regulation on information and communications technology
(ICT) cybersecurity certiﬁcation (EU 2019/881 - Cybersecurity
Act) sets up a European cybersecurity certiﬁcation framework
for ICT products, ICT services, and ICT processes.
However, apart from the number of valid certiﬁcates, which
are published in the context of the annual ISO Survey (2018), sur-
prisingly little is known about the adoption of ISO/IEC 27001.
According to Castka and Corbett , research is often neglected
in the early stages of management system standards, probably
due to the limited data available. While initial studies often
focus on the motives and impacts of adoption, usually based
on ﬁrm-level data and interviews or surveys, later studies on
diffusion often determine diffusion patterns based on macrolevel
data . According to Rogers , adoption is the decision of an
adopting unit (such as ﬁrms) “to make full use of an innovation as
the best course of action available.” Diffusion, on the other hand,
being the aggregation of individual (in our case ﬁrm) decisions,
involves a time aspect and is deﬁned as “the process in which an
innovation is communicated through certain channels over time
among the members of a social system” .
Existing studies on ISO/IEC 27001 analyze the adoption mainly from a theoretical perspective –, based on surveys with the pitfalls of low response rates – or based on case studies . To the best of our knowledge, no studies have empirically investigated the adoption of ISO/IEC 27001 at the national level.
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
To help ﬁll this gap, the aim of our article is twofold. First, to
explore the adoption of ISO/IEC 27001 in Germany, not only by
taking into account ﬁrms certiﬁed to ISO/IEC 27001, but also
adopting this standard in other ways. Second, to identify drivers
for the certiﬁcation to ISO/IEC 27001 in Germany. Therefore,
we introduce a new method to analyze the adoption of manage-
ment system standards using web scraping and web mining. Web
mining describes the application of data mining techniques to
uncover relevant data characteristics and relationships (e.g., data
patterns, trends, and correlations) from previously web scraped
unstructured web data . We do so by using data from the
Mannheim Enterprise Panel (MUP) as the ﬁrm database, and
then categorize web scraped ﬁrms using their website texts
and conduct multivariate analyses based on ﬁrm characteris-
tics and a deep-learning-based product innovator probability
The remainder of this article is structured as follows. Section II
discusses the literature on ISO 9001 and ISO 14001 as well
as existing studies on ISO/IEC 27001. Based on the assump-
tion that management system standards are organizational in-
novations –, we present the Technology-Organization-
Environment (TOE) framework as an applicable innovation
adoption model  for ﬁrms adopting ISO/IEC 27001.
Section III describes the research methodology starting with
web mining as a data collection process. Section IV presents
the results of the manual categorization of ﬁrms that refer to
ISO/IEC 27001 on their websites. Using a probit model, we
estimate determinants of ﬁrm-speciﬁc characteristics (ﬁrm size,
age, innovativeness, and sector afﬁliation) for the certiﬁcation to
ISO/IEC 27001. In Section V, we discuss our ﬁndings and derive
a number of managerial implications and recommendations for
standards development organizations and policy makers. In our
conclusion, we summarize our ﬁndings, outline the limitations
of our article, and discuss the suitability of web mining to
explore the adoption of ISO/IEC 27001 and management system
standards in general, including the need for further research.
II. LITERATURE BACKGROUND
A. Literature Review on the Adoption of Management System
Management system standards, also referred to as meta
standards , “help organizations improve their performance
by specifying repeatable steps that organizations consciously
implement to achieve their goals and objectives […]” .
Thereby, organizations can decide whether to implement a
management system standard or additionally seek certiﬁcation
through the attestation by an independent third party, also some-
times referred to as registration .
Certiﬁcates can help organizations signal attributes , ,
and hence decrease information asymmetries, one aspect of
market failures according to Akerlof . As shown by Terlaak
and King , the certiﬁcation to management system standards,
such as ISO 9001, is particularly beneﬁcial when there is a high
information asymmetry between producers and buyers.
As highlighted by Castka and Corbett , in their review of the adoption and diffusion of management system standards (focusing on ISO 9001 and ISO 14001), many studies emphasize who adopts a standard, why, how and when. The decision to
adopt a management system standard is driven by internal or
external reasons . The beneﬁts of certiﬁcation include reg-
ulatory compliance , meeting customer requirements ,
internal improvements , , access to markets , and
innovation performance . Although the motives for seeking
certiﬁcation to ISO 9001 and ISO 14001 are quite similar, the
adoption of the latter is often determined by the regulatory
DiMaggio and Powell  argued that ﬁrms are driven by
coercive, mimetic, and normative isomorphism, which make
organizations similar over time. The desire to improve per-
formance drives the ﬁrst movers, whereas the second movers
are more driven to improve their image . Therefore, ac-
cording to Naveh et al. , ﬁrst movers beneﬁt more from
implementing a managerial practice, such as ISO 9001, from
their own experience, whereas second movers can beneﬁt by
learning from the experiences of others. In this context, the later
adoption can be explained by the “bandwagon effect,” where
previous adopters either reveal information about the value of
the adoption or increase the value of the adoption and thereby
set off bandwagons .
In the case of ISO 14001, Delmas and Montes-Sancho 
noted that mandatory forces (e.g., derived from regulation) dom-
inate in the early adoption phase, whereas normative pressures
and trade-related aspects are more prevalent in the later phase.
This effect is evidenced by Arimura et al.  in relation
to ISO 14001, who also recommended government assistance
programs to encourage the adoption of ISO 14001 for addressing
The motivation to seek certiﬁcation may also depend on the
sector in which the ﬁrm operates. Singh et al.  found that
manufacturers are more likely to focus on developing export
potential and reducing costs, whereas service providers tend to
meet external expectations, such as from customers or govern-
ment agencies. In addition, internationally active ﬁrms are more
likely to adopt standards and be certiﬁed , especially when
export markets are affected by EU regulations .
However, the adoption of a management system standard
and particularly seeking certiﬁcation is time consuming and
costly, especially regarding the costs for external auditors .
These costs involve the setting up of a management system,
the involvement of consultants, and, in the case of additional
certiﬁcation, the cost of external auditing . These costs
vary by firm size and sector, ranging from $10 000 to $200 000
for ISO 14001 . In terms of time invested, the average
duration of certiﬁcation to ISO 9001 is 12 months . Since
these investments could outweigh the beneﬁts , ﬁrms might
adopt a management system standard but not seek a third-party
Once ﬁrms have already invested in the adoption of a standard,
this can also change their decision-making process when adopt-
ing an additional standard . Therefore, a ﬁrm’s experience
in implementing a management system standard could spur the
implementation of another management system standard ,
, . However, the implementation of a previous manage-
ment system standard could also hinder the adoption of another
management system standard, if it is not fully complementary
to the previously adopted standard . Tuczek et al. , who
also referred to Castka and Corbett , pointed out that this
“coupling effect” is not sufﬁciently investigated in the context
of the adoption of standards.
Firms are increasingly making use of integrated management
systems that cover the aspects of quality (ISO 9001), environ-
ment (ISO 14001), energy (ISO 50001), occupational health and
safety (OHSAS 18001 or ISO 45001), and, also, information
security (ISO/IEC 27001) . The aim of integrating compat-
ible management system standards is to reduce administrative
burden  and costs, e.g., when combined audits and multiple
certiﬁcations can be obtained. Furthermore, organizations can
use the meta structuring of standards similar to the structuring of
technologies as a way to deal with the multiplicity of standards,
as Gey and Fried  showed in the case of a software company.
Previous studies have investigated the adoption of interna-
tional standards, e.g., by counting valid certiﬁcates. However,
little attention has been paid to the various forms of adoption
(i.e., implementation versus certiﬁcation)  and to the actors
and activities to promote the diffusion of organizational stan-
dards, which Stamm  has recently termed as diffusion work.
By introducing four modes of standard diffusion along the di-
mensions direct/indirect and explicit/implicit, namely concrete
diffusion (I), broad diffusion (II), selective diffusion (III), and
ideational diffusion (IV), Stamm  emphasized the role of
consultants to connect activities of standards developing organi-
zations, governments, business associations, and academics. The
analysis of this diffusion work is particularly suitable for earlier
stages, in which the mimetic behavior is not largely evident ,
and from the perspective of the policy stage, since the adoption
of the standard does not necessarily immediately follow the
creation of the standard.
B. Literature Review on ISO/IEC 27001
Spurred by the success of ISO 9001 and ISO 14001,
ISO/IEC 27001 was initially published at the end of 2005
by the International Organization of Standardization (ISO)
together with the International Electrotechnical Commission
(IEC) and technically revised with the second edition of
ISO/IEC 27001:2013. This standard was reviewed and con-
ﬁrmed in 2019, and hence this version remains current.
The underlying ISO/IEC 27000 series is based on the
British Code of Practice BS 7799 (see Disterer  for the
development of this standard), which currently comprises
over 40 international standards, including information security
controls (ISO/IEC 27002), cloud security (ISO/IEC 27017
and ISO/IEC 27018), and investigation of incidents
(ISO/IEC 27043) (ISO, 2019). As the best-known standard
within this family, ISO/IEC 27001  “provide[s] requirements
for establishing, implementing, maintaining, and continually
improving an information security management system” .
Within the ISO/IEC 27000 series, information security is defined as “preservation of confidentiality […], integrity […] and availability […] of information” .
Fig. 1. Evolution of ISO 9001, ISO 14001, and ISO/IEC 27001 over time in terms of valid certificates worldwide. Source: .
Information security, therefore, differs from concepts such
as ICT security (limited to information stored or transmitted
using ICT) and cybersecurity (extending information security
by including noninformation-based assets), although these terms
are often used interchangeably (though indeed overlap—see 
Fig. 1 shows the diffusion of the three common management
system standards with ISO 9001 and ISO 14001 (bars with
the left y-axis) and ISO/IEC 27001 (dashed lines with the
right y-axis) from the year in which they became certiﬁable or
corresponding data from the ISO survey  are available.
Looking at the number of valid certiﬁcates according to the
annual ISO survey, ISO/IEC 27001 has shown high growth rates
in recent years (e.g., +19% in 2017), but still remains on a
comparatively low absolute level (with less than 40 000 valid
certiﬁcates at the end of 2017), especially compared to other
common management system standards, such as ISO 9001 with
more than one million valid certiﬁcates and ISO 14001 with
roughly 360 000 valid certiﬁcates in 2017 . This also applies
to these management system standards in the early years, when
more than 660 000 certificates for ISO 9001 and almost 240 000
certiﬁcates for ISO 14001 were valid a decade after their publica-
tion . Furthermore, digitalization has been expected to spur
the adoption of ISO/IEC 27001. Since ﬁrms increasingly store
their information based on ICT and governments and suppliers
more and more require ﬁrms to ensure information security, it
has been expected that ISO/IEC 27001 would also be adopted
apart from the IT sector . These aspects led to expectations
for a higher adoption rate of ISO/IEC 27001 globally .
Therefore, previous studies on ISO/IEC 27001 often focused
on the reasons for the (low) adoption of ISO/IEC 27001 by ﬁrms,
alongside the impact of this management system standard as
well as the means to increase adoption , . Based on
case studies in the U.K. and in the Netherlands, Van Wessel
and de Vries  found that ﬁrms adopt ISO/IEC 27001 and
ISO/IEC 27002 both for internal reasons (quality enhancement,
cost reductions, and increasing the company’s risk proﬁle) and
for external reasons (meeting legal or customer requirements
and improving image). However, ﬁrms, especially small and
medium-sized enterprises (SMEs) , often do not imple-
ment information security standards due to high costs and the
lack of evidence that the beneﬁts outweigh the costs .
Existing studies show that the adoption of ISO/IEC 27001 or
other ISMS standards neither leads to less frequent or severe
security breaches nor to positive economic impacts through
certiﬁcation against ISO/IEC 27001 , –. Therefore,
the motives for adopting this standard differ signiﬁcantly from
those for adopting other management system standards such as
ISO 9001, the positive economic impact of which has been
demonstrated in several studies . However, Barlette and
Fomin  point out that it is difﬁcult to quantify the beneﬁts
of the adoption since ISO/IEC 27001 can be considered as a
means to avoid potential losses rather than gaining immedi-
ate proﬁts. As a speciﬁc positive economic effect, the imple-
mentation of ISO/IEC 27001 might result in lower insurance
Other possible reasons for the low adoption include the con-
sideration of competing ISMS standards  and the fact that
ﬁrms outsource their “information-related business” to other
countries, e.g., the Far East . However, Fomin et al. 
found no statistical evidence for the latter, as the number of
valid certiﬁcates in India, for example, was no higher than in the
U.K., which is still the case . Fomin et al.  also concluded
(inter alia) that it is worth investigating the need perceived by
ﬁrms to seek certiﬁcation instead of just adopting this standard.
Benslimane et al.  examined the role of certiﬁcation of
IT personnel and ISMS standards, such as ISO/IEC 27001.
Looking at online job postings, they found that organizations
value work experience and personnel certiﬁcations related to IT
security more than knowledge of IT security standards. These
ﬁndings indicate that ﬁrms can implement ISMS requirements
 without fully complying with or being certiﬁed to the
management system standard.
A limited number of studies conducted surveys investigating
motives, obstacles, and impact of ISO/IEC 27001 –.
However, the number of respondents was comparatively low, ranging from 4 to 20 firms per survey, also due to the limited
number of valid certiﬁcates in countries such as Finland, Saudi
Arabia, and Bosnia and Herzegovina, where the surveys were
conducted. A recent study among Portuguese ﬁrms (with 25
participating companies) showed that more than half of these
certiﬁed ﬁrms belong to the IT sector . As regards the
implementation and certiﬁcation process, it took between 6 and
12 months for the ﬁrms to obtain ISO/IEC 27001 certiﬁcation,
which in most cases cost more than €50 000 (including costs for
personnel, technical equipment, and external consultancy ).
In order to increase the adoption of ISO/IEC 27001, most
scholars place focus on the legal environment , . From
an institutional perspective, governmental intervention may be
necessary, as a standard requires a certain adoption rate that
triggers further adoption across other organizations, i.e., the
bandwagon effect, which is not (yet) evident for ISO/IEC 27001
C. Theoretical Framework to Analyze Drivers for
Certiﬁcation to ISO/IEC 27001
The Schumpeterian definition of innovation  already goes beyond the narrow focus on technical innovations. One type of innovation is organizational innovation such as the implementation of management system standards as intraorganizational procedural innovation according to Armbruster et al. . This approach is supported by Hashem and Tann  who stated that the introduction of ISO 9001 is an innovation and applied the TOE framework of Tornatzky et al.  to investigate key determinants of the adoption of the ISO 9000 standard series of Egyptian manufacturers .
Fig. 2. Conceptual model based on  and .
The TOE framework describes how the adoption of innova-
tions is inﬂuenced by three aspects in the context of ﬁrms. It
comprises the following.
1) The Technological context, which includes both internal
and external technologies relevant to the ﬁrm.
2) The Organizational context, which features ﬁrm-speciﬁc
factors, such as scope, size, and the managerial structure.
3) The Environmental context, which comprises surrounding
factors, such as industry, competitors, and governmental
According to Oliveira and Martins , the TOE framework
has already been used to empirically validate factors that in-
ﬂuence the adoption, such as electronic data interchange (EDI)
, radio frequency identiﬁcation (RFID) , and enterprise
resource planning (ERP) systems .
For our article, we therefore examine the inﬂuence of selected
factors on the adoption of ISO/IEC 27001 on ﬁrm level, as shown
in our conceptual model in Fig. 2 based on the TOE model. As
the depth or quality of implementation of management system
standards may vary , , we focus on ﬁrms that have imple-
mented this ISO/IEC 27001 standard and additionally received
a certiﬁcate. We consider this as an indicator of making full use
of ISO/IEC 27001.
We have chosen ﬁrm size, ﬁrm age, and ﬁrm innovativeness as
organizational factors, as these factors were identiﬁed in previ-
ous studies as relevant factors for the analysis of the certiﬁcation
to management system standards , , , , , 
or IS innovation adoption on ﬁrm level in general , .
In the technological context, “current practices” can deter-
mine the adoption of innovations , especially in terms of
their compatibility with the new practice . We, therefore,
consider certification to other management system standards a
“current practice” since certiﬁcation to one management system
standard is often linked to the certiﬁcation to other management
system standards , .
Taking into account that ISO/IEC 27001 is strongly associated
with the IT sector , , we selected the sector as an external
environmental factor for our study.
A. Web Mining for Innovation Indicators
Web mining based on previously web scraped websites has
proven itself to be applicable in many research areas ,
. In economic research, ﬁrm websites are a particularly
interesting area of the World Wide Web. Firms use their websites
to present themselves as well as their products and services.
The information found on these websites can be used to assess
ﬁrms’ products, services, credibility, achievements, key person-
nel decisions, strategies, and relationships with other ﬁrms .
Surveying firms through their websites, rather than conducting interviews, questionnaires, or using other traditional methods, offers clear advantages (coverage, granularity, cost, and timeliness), but it is also associated with its own challenges (data collection, harmonization, and data quality) .
There are only a few existing studies that analyze the usability
of web-based innovation indicators. These studies either use
web content mining or web structure mining . The latter
is the analysis of connections between entities (e.g., ﬁrms)
via the hyperlink structure of websites. Katz and Cothey 
used this approach in a case study on European and Canadian
education institutions. They ﬁnd that their method is suitable for
measuring the degree of recognition of a nation’s or province’s
web presence they receive from other nations and provinces. The
authors emphasize the importance of reproducible and accurate
indicators capable of dealing with the constantly changing prop-
erties of the Internet.
In web content analyses, texts and other website contents are
analyzed. This approach is taken by the following studies: Youtie
et al.  used web mining to explore the transitions from dis-
covery to commercialization of 30 nanotechnology SMEs. Arora
et al.  used a similar approach to analyze entry strategies of
SMEs commercializing emerging graphene technologies. Both
study approaches are capable of identifying different innovation
stages. Applying a keyword technique to explore the R&D
activities of 296 UK-based enterprises, Gök et al.  found
that web-based indicators provide additional insights compared
to patent and literature-based innovation indicators. In addition,
they emphasize that web mining has another advantage as a
research method. The act of surveying a subject using web
scraping and web mining does not cause particular problems,
such as altering the behavior of the study object in response
to being studied. The authors conclude “[ …] that web mining
is a signiﬁcant and useful complement to current methods, as
well as offering novel insights not easily obtained from other
unobtrusive sources” . However, they raise the criticism that
obtaining information from website data is more difﬁcult and
that caution is required when generating web-based indicators.
Information on websites is generally more related to innovation
output than to input. In addition, websites are self-reported, and
ﬁrms do not publish any new information on their websites at
equal frequencies. Beaudry et al.  used a keyword technique
to generate innovation indicators of Canadian aeronautic, space,
and defense as well as nanotechnology-related ﬁrms based on
the text on their websites. They found a signiﬁcant correlation
between their web-based and traditional innovation indicators.
Fig. 3. General analysis framework for generating web-based innovation
indicators. Source: .
Nathan and Rosso  combined the UK administrative mi-
crodata, media, and website content to develop experimental
measures for innovation in SMEs. The authors used proprietary
data gathered by a data ﬁrm that uses website and media content
to model lifecycle events of ﬁrms such as new product and
service launches. They were able to identify three times more
product/service launches than patent applications from SMEs.
Nathan and Rosso  concluded that web-based indicators
are a useful complementary measure to existing metrics as
they reveal additional information. Moreover, they found that
previous patent activities are related to a ﬁrm’s current launch
activities and that tech SMEs are much more likely to launch new
products or services than nontech SMEs. Studies on web-based
innovation indicators have thus conﬁrmed that ﬁrm websites are
an interesting and rich data source for examining the innovation
activity of ﬁrms and science, technology, and innovation systems
B. Data Collection and Sample
Kinne and Axenbeck  proposed a generally applicable
framework for studying ﬁrm websites based on established
ﬁrm databases (see Fig. 3). Starting from the ﬁrms’ website
addresses, a web scraper queries the websites and downloads
their content (e.g., texts). In a subsequent data mining step,
which can be enriched with available ﬁrm metadata (e.g., for data
mining model preselection), the so-called innovation-related
information is extracted and transferred to ﬁrm-level innovation
indicators. In the ﬁnal step, these new innovation indicators are
matched back to the ﬁrm database at the ﬁrm level. This last
step also established a link between the new indicators and the
traditional ones (e.g., patents) that can be used for validation.
In this article, we apply the web mining approach as described
in Fig. 3 to identify and analyze German companies that mention
the ISO/IEC 27001 standard on their websites.
Therefore, we use the Mannheim Enterprise Panel
(Mannheimer Unternehmenspanel—MUP) from 2019 as a basic
dataset. The MUP is based on a ﬁrm data pool of Germany’s
largest credit rating agency (Creditreform e.V.) and, as a panel
ﬁrm database, comprises all economically active ﬁrms located
in Germany and the associated metadata (e.g., sector, ﬁrm size,
and location) .
In the beginning of 2019, the MUP comprised 2 497 412 firms that were definitely economically active at that time and 1 155 867 corresponding website addresses (URLs). With these 1 155 867 URLs, we were able to successfully scrape texts from 912 850 firm websites using the open-source ARGUS
web scraping tool . Referring to the ﬁndings of Kinne and
Axenbeck , we downloaded a maximum of 25 webpages
per website (the median number of webpages per ﬁrm website
in Germany is 15). We also used ARGUS’ options to download
preferably German language webpages and those with shorter
URLs. The latter follows the idea that the most general infor-
mation about a ﬁrm can be found on its top-level webpages
(e.g., “ﬁrm-name.com/about-us”). Based on the results of a
comprehensive study performed by Kinne and Axenbeck ,
it can be expected that the coverage of our sample of scraped
website texts will differ systematically between sectors and ﬁrm
types; only a small fraction of very young and very small ﬁrms
(smaller than ﬁve employees and younger than two years) will be
included. Sparsely populated regions and certain sectors, such
as agriculture, are also less well covered. Medium-sized and
larger ﬁrms are expected to be almost fully covered, especially
in technology-intensive sectors, such as mechanical engineering
The web scraping process described above resulted in approximately 47 GB of raw text data for the 912 850 firms. To identify firms that mention ISO/IEC 27001 on their websites, we used a simple keyword search. Taking into account the possible writing options for the individual management system standard, we have included all combinations of DIN (the German Institute for Standardization), ISO and IEC with 27000 and 27001 and tagged all firm websites with at least one occurrence of at least one of the search string combinations.
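The keyword tagging step described above, as an added example that is not the authors' code or part of ARGUS. It assumes that any ordering of DIN/ISO/IEC counts as a combination, that the terms may be joined by spaces, slashes, hyphens or nothing, and it runs on constructed sample pages; `build_pattern`, `tag_firms` and the `.example` firm names are hypothetical. Each hit is returned with its surrounding text, because a keyword match alone does not show whether a firm is certified or only refers to a certified partner.

```python
import re
from itertools import permutations

# Terms named in the text. How they are joined on a real page is an assumption.
PREFIXES = ("DIN", "ISO", "IEC")
NUMBERS = ("27000", "27001")
SEP = r"[\s/\-]*"   # assumed separators: whitespace, slash, hyphen, or none
MAX_PAGES = 25      # the study downloaded at most 25 webpages per website


def build_pattern():
    """Regex for every ordered combination of the prefixes followed by a number."""
    combos = [p for r in range(1, len(PREFIXES) + 1)
              for p in permutations(PREFIXES, r)]
    prefix = "|".join(SEP.join(c) for c in combos)
    number = "|".join(NUMBERS)
    # (?<![A-Za-z]) rejects hits inside a longer word, e.g. "MISO 27001".
    # (?!\d) rejects longer numbers, e.g. "ISO 270015".
    return re.compile(
        rf"(?<![A-Za-z])(?:{prefix}){SEP}(?:{number})(?!\d)",
        re.IGNORECASE,
    )


def tag_firms(sites, context=40):
    """Return {firm: [(matched_string, snippet), ...]} for firms with >= 1 hit.

    `sites` maps a firm identifier to the list of page texts scraped for it.
    The snippet is the match plus `context` characters on each side, which is
    what a human coder needs to decide why the firm mentions the standard.
    """
    pattern = build_pattern()
    tagged = {}
    for firm, pages in sites.items():
        hits = []
        for text in pages[:MAX_PAGES]:
            for m in pattern.finditer(text):
                start = max(0, m.start() - context)
                end = m.end() + context
                hits.append((m.group(0), text[start:end].strip()))
        if hits:
            tagged[firm] = hits
    return tagged


# Constructed sample input (not data from the study).
SAMPLE_SITES = {
    # Firm states its own certification.
    "firm-a.example": ["Über uns", "Wir sind nach DIN ISO/IEC 27001 zertifiziert."],
    # Firm refers to a certified partner: tagged, but not itself certified.
    "firm-b.example": ["Unser Rechenzentrumspartner ist ISO27001-zertifiziert."],
    # Other management system standards only: must not be tagged.
    "firm-c.example": ["Qualitätsmanagement nach ISO 9001 und ISO 14001."],
    # Longer number that merely starts with 27001: must not be tagged.
    "firm-d.example": ["Ersatzteil ISO 270015 ist wieder lieferbar."],
}

if __name__ == "__main__":
    for firm, hits in tag_firms(SAMPLE_SITES).items():
        for matched, snippet in hits:
            print(f"{firm}: {matched!r} in {snippet!r}")
```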
C. Methodology to Analyze the Adoption of ISO/IEC 27001 in
The ﬁrst step of the analysis focused on the number of ﬁrms
that refer to ISO/IEC 27001 on their websites. In a subsequent
step, we categorized the ﬁrms according to the reason why they
refer to ISO/IEC 27001 on their website, assuming that not all
ﬁrms are certiﬁed, but refer to this management system standard
for other reasons. To ensure a correct manual categorization
of the ﬁrms in this sample, the webpages of these ﬁrms were
analyzed in detail per ﬁrm using predeﬁned codes (e.g., ﬁrm
is certiﬁed, adopts a standard without certiﬁcation, offers con-
sulting or certiﬁcation services, and any other reference) and
two additional codes derived during the coding process (ﬁrms
employing certiﬁed IT specialists and ﬁrms that are not certiﬁed
themselves but refer to certiﬁed business partners). This coding
was conducted by three persons and all certiﬁed ﬁrms were
independently validated by another person to ensure consistent
D. Methodology to Analyze Driving Factors for
ISO/IEC 27001 Certiﬁcation in Germany
TABLE I
DESCRIPTION OF VARIABLES
For our following statistical analysis, we use the variables as
described in Table I. We rely on the firm data in the MUP, which
are available to 50% in terms of firm size, to 94% in terms of
ﬁrm age, and to 99% in terms of afﬁliation to the sector of all
web scraped ﬁrms. Furthermore, a ﬁrm-level product innovator
probability is available for 82% of all web scraped ﬁrms.
This prediction is based on the ﬁrm’s website text and a deep
learning model trained on the websites of ﬁrms surveyed in
the German Community Innovation Survey (CIS) (see  for
more details). In particular, traditional ﬁrm-level indicators from
a questionnaire-based innovation survey (German CIS) were
used to train an artiﬁcial neural network classiﬁcation model
on labeled (product innovator/no product innovator) web texts
of surveyed ﬁrms. Subsequently, this classiﬁcation model was
applied to the web texts of hundreds of thousands of ﬁrms in
Germany to predict whether they are product innovators or not.
The authors compared these predictions to ﬁrm-level patent
statistics, survey extrapolation benchmark data, and regional
innovation indicators. The results showed that this approach
produces reliable predictions and has the potential to be a
valuable and highly cost-efﬁcient addition to the existing set of
innovation indicators, especially due to its coverage and regional
A. Results of the Adoption Analysis of ISO/IEC 27001 in
Out of the 1.15 million web scraped ﬁrms, a total of 47 919
ﬁrms refer to one of the management system standards, which
corresponds to about 4.15% of all scraped ﬁrms. Most ﬁrms
refer to ISO 9001, followed by ISO 14001, ISO 50001, and
ISO/IEC 27001. This also corresponds to the ranking of valid
ISO certiﬁcates published in Germany in 2017 as part of the ISO
survey (see Table II).
As a ﬁrst ﬁnding, only in the case of ISO/IEC 27001, the
number of ﬁrms referring to this standard on their website is
larger than the number of valid certiﬁcates according to the ISO
survey . Since firms can obtain more than one certificate
per management system standard (e.g., for different branches
or organizational units within one firm), our comparison can,
however, only serve as a rough proxy. Furthermore, firms can
refer to the management system standards on their websites for
other reasons than being certified.
TABLE II
COMPARING CERTIFIED FIRMS OF MUP SAMPLE WITH VALID
CERTIFICATES IN GERMANY
Fig. 4. Firm categorization of 2664 firms referring to ISO/IEC 27001 on their
Fig. 4 shows the results of manually categorizing the reasons
why ﬁrms refer to ISO/IEC 27001 on their websites. In general,
it should be noted that ﬁrms can belong to several categories,
e.g., a consulting ﬁrm offering services in connection with
ISO/IEC 27001 can also be certiﬁed to ISO/IEC 27001.
In total, 29.7% of the ﬁrms refer to ISO/IEC 27001 on their
websites because they are ISO/IEC 27001 certiﬁed. A relatively
small proportion (5.4%) stated that they have adopted a standard,
but are not ofﬁcially certiﬁed, although they often claim on
their websites to seek certification in the future. In total, 6.7% of
ﬁrms employ certiﬁed IT personnel without having obtained a
certiﬁcate for the ﬁrm’s ISMS. However, the highest proportion
of 29.8% of ﬁrms was not certiﬁed themselves but referred to a
certiﬁed partner. Many ﬁrms referring to ISO/IEC 27001 offer
consultancy (25.8%) or certiﬁcation services (2.4%) related to
ISO/IEC 27001. Overall, 4.3% of all firms have referred to
ISO/IEC 27001 for other reasons, e.g., to provide news about
this management system standard.
For the companies certiﬁed to ISO/IEC 27001, we have also
investigated the likelihood that ﬁrms will be certiﬁed to other
international management system standards as technological
context factor (see Fig. 2). Therefore, we have manually visited
their websites and have searched for a different management
system certificate. As a finding, a large proportion of firms
certified to ISO/IEC 27001 is also certified to ISO 9001, followed
by ISO 14001 and ISO 50001, as shown in Table III.
Out of the 792 ISO/IEC 27001 certified firms, 30% are certified
to one additional standard, 9% against two further standards,
and 5% against all three other management system standards.
OBSERVED CO-OCCURRENCES OF REFERENCES TO MANAGEMENT SYSTEM
STANDARDS IN ABSOLUTE AND RELATIVE TERMS
TABLE IV
SECTOR AFFILIATION OF ISO/IEC 27001 CERTIFIED FIRMS VERSUS
NONCERTIFIED MUP FIRMS
B. Results on the Analysis of Driving Factors for
ISO/IEC 27001 Certiﬁcation in Germany
1) Descriptive Statistics: In terms of sector afﬁliation, al-
most half (43%) of all ISO/IEC 27001 certiﬁed ﬁrms offer ICT
services, which is signiﬁcantly higher than approximately 4%
of all ﬁrms in the MUP data sample offering ICT services (see
Table IV). ISO/IEC 27001 certiﬁed ﬁrms providing consultancy
and ﬁnancial services are also overrepresented as well as public
utilities compared to noncertiﬁed ﬁrms in the MUP database.
The results also show that ISO/IEC 27001 certiﬁcation is not
very common in “traditional” sectors, such as construction,
retail, or manufacturing.
TABLE V
FIRM CHARACTERISTICS OF ISO/IEC 27001 CERTIFIED FIRMS VERSUS
NONCERTIFIED MUP FIRMS
Notes: Standard deviation in parentheses. N = number of observations. Significance from
the t-test: ∗p<0.10; ∗∗p<0.05; and ∗∗∗p<0.01.
To differentiate between firms providing ICT services and
other firms, we present the following descriptive statistics for
all firms (all sectors), and in a second step, we focus just on
the companies that are attributed to ICT services, as they are
responsible for almost half of all certifications. In both cases,
the results of the descriptive statistics on firm size, firm age, and
innovation probability presented in Table V reveal significant
differences between the firms certified to ISO/IEC 27001 and
Taking into account ﬁrms of all sectors, ﬁrst, the certiﬁed
ﬁrms with 76 employees are more than three times as large as the
average noncertiﬁed ﬁrm in the MUP. Second, and in contrast,
certiﬁed ﬁrms aged 17 years are on average seven years younger
than the average of noncertiﬁed ﬁrms. Third, the innovation
probability of 57% is twice as high as the average innovation
probability of noncertiﬁed ﬁrms.
Surprisingly, when focusing on ﬁrms attributed to ICT ser-
vices, the average age is the same as for all ISO/IEC 27001
certiﬁed companies. Certiﬁed ICT service ﬁrms are still larger
than noncertiﬁed ICT service ﬁrms with 61 employees com-
pared to 15 employees. Aged 17 years, however, they are also
older than noncertiﬁed ﬁrms in the ICT service sector aged 14
years. After all, ﬁrms in the ICT service sector have a product
innovation probability of almost 50%, i.e., almost twice the prob-
ability of all noncertiﬁed ﬁrms. However, certiﬁed ﬁrms in the
ICT sector have an even higher product innovation probability
Summarizing the ﬁndings from the analysis of the descriptive
statistics, we can see a positive relationship between ﬁrm size
and the probability of certiﬁcation. A positive correlation with
ﬁrm age can only be observed within the ICT service sector.
Furthermore, innovativeness increases the likelihood of certiﬁ-
cation, while the high proportion of certiﬁed ﬁrms belonging to
the ICT service sector (see Table V) indicates that this sector is
strongly linked to certiﬁcation against ISO/IEC 27001.
TABLE VI
PROBIT ESTIMATION RESULTS
Notes: The table displays the coefficients of all observations in the MUP and ICT service
sectors and the marginal effects of each in brackets. A correlation matrix of the variables is
provided in Table VIII and the probit estimation results for the sector dummies in Table X
TABLE VII
SECTOR AFFILIATION OF TÜV RHEINLAND ISO/IEC 27001 CERTIFIED FIRMS
2) Probit Model: Finally, we run a probit model. Our probit
models test the probability of the event (=certiﬁcation to
ISO/IEC 27001) as a dependent variable and the independent
variables as shown in Table I.
The results of our two probit models are shown in Table VI. In
the general model, which covers all MUP ﬁrms, signiﬁcant re-
sults are shown for all explanatory variables. First, the likelihood
to be certiﬁed to ISO/IEC 27001 increases signiﬁcantly with
ﬁrm size. Second, older ﬁrms are signiﬁcantly less likely to be
certiﬁed to ISO/IEC 27001. Third, ﬁrms with a higher innovation
probability are more likely to be certiﬁed to ISO/IEC 27001.
Finally, ﬁrms operating in the ICT service sector are more likely
to be ISO/IEC 27001 certiﬁed than ﬁrms operating in any other
sector as shown in Tables VII and X.
Consequently, we run a second probit regression model just
for the ﬁrms active in the ICT service sector. Here, too, the ﬁrm
size is signiﬁcantly positively associated with the likelihood of
being certiﬁed to ISO/IEC 27001. However, the age of ﬁrms
in this sector does not signiﬁcantly explain the likelihood of
certiﬁcation. Finally, ﬁrms in the ICT service sector with a
higher innovation probability are more likely to be certiﬁed to
ISO/IEC 27001. In addition, this relationship is stronger than in
the sample of all ﬁrms based on the marginal effects shown in
Since only a very small proportion of the ﬁrms in the MUP
sample are ISO/IEC 27001 certiﬁed (less than 0.1%), we en-
counter the problem of a small sample bias. In our search for rare
events, we, therefore, apply the method proposed by King and
Zeng  and run a corrected logit estimate for our independent
variables ﬁrm size, ﬁrm age, and innovation probability. The
corrected logit estimates provided in Table IX conﬁrm the results
of our probit models.
To validate our ﬁndings and to avoid a single source bias,
we relied on another independent dataset. Therefore, we have
manually analyzed the ISO/IEC 27001 certiﬁed ﬁrms of the
German certiﬁcation body TÜV Rheinland, which publishes
their valid certification (footnote 1). In this certification database, we have
identiﬁed 358 valid certiﬁcates of 261 German ﬁrms that are
certiﬁed to ISO/IEC 27001.
First, we examined which sector these ﬁrms belong to. Sec-
ond, we analyzed whether these ﬁrms publish their certiﬁcates
on their websites, and if not, whether they publish a logo instead.
Third, we analyzed how many certiﬁed ﬁrms would have been
identiﬁed using our web scraping.
We found a similar sector breakdown (see Table VII) as our
web mining results (see Table IV), which conﬁrms that most
ISO/IEC 27001 certiﬁed ﬁrms offer ICT services, followed
by other services. Firms belonging to the public utility sector
(e.g., energy providers) rank higher in this sample compared to
our web mining sample, but this could also indicate a certain
afﬁliation of this sector to this particular certiﬁcation body.
Out of the 261 ISO/IEC 27001 certiﬁed ﬁrms, 39 ﬁrms
(equaling 15%) did not publish a written reference to an ISO/IEC
certiﬁcation on their websites, one-third of them offering ICT
services. Out of these 39 ﬁrms, 5 ﬁrms displayed a logo instead,
representing less than 2% of the 261 ﬁrms.
Since our web scraper only searched for the top 25 webpages
per ﬁrm, our web scraper would have identiﬁed 44% of these
certiﬁed ﬁrms that are included in the MUP. This ﬁnding shows
that the remaining ISO/IEC 27001 certiﬁed ﬁrms would have
only been identified with a higher scraping effort, i.e., more webpages
per company. Our manual analysis, furthermore, revealed
that especially larger ﬁrms do not display their certiﬁcates on
the top 25 webpages, but at lower level webpages—e.g., on the
webpages of speciﬁc products or news pages.
A. Discussion on the Adoption of ISO/IEC 27001 in Germany
1 [Online]. Available: www.certipedia.com
Fig. 5. ISO/IEC 27001 “landscape” of German firms.
The initial finding of our web mining revealed that double
the number of firms refer to ISO/IEC 27001 on their websites
as valid certificates according to ISO (2018) are available in
Germany. Our manual categorization, however, showed that out
of the 2664 ﬁrms identiﬁed, only 792 ﬁrms are certiﬁed to
ISO/IEC 27001, which now represents roughly 60% of all valid
certiﬁcates. This ﬁnding shows that many ﬁrms refer to this
management system standard in relation to ISO/IEC 27001 for
reasons other than being certiﬁed. Therefore, the manual catego-
rization of all ﬁrm websites in our ISO/IEC 27001 analysis has
helped to create a “landscape” of the adoption of ISO/IEC 27001
(see Fig. 5) including a demand side and a supply side to
gain a better understanding of the ISO/IEC 27001 adoption in
On the demand side, the landscape does not only include cer-
tiﬁed ﬁrms, which is often the case with previous studies about
management system standards using ISO survey data. Firms can
also adopt this management system standard without seeking
certiﬁcation for themselves, which we refer to as implementing
ﬁrms. The results show a comparatively small number of ﬁrms
that have not (yet) received a certiﬁcate but have only adopted the
standard. Referring to a study by Irish managers, which stated
that 12% of ﬁrms use standards, such as ISO/IEC 27001, but
only 2% are certiﬁed , it could have been expected that more
ﬁrms had implemented the standard instead of being additionally
certiﬁed. However, it may not be worthwhile to communicate
on the website, if ﬁrms have implemented a standard without a
The landscape also shows the important role of IT personnel,
as discussed above by Benslimane et al. , as it also imple-
ments security practices in ﬁrms according to the ISO/IEC 27001
standard, which can also serve as a signal to stakeholders. For ex-
ample, IT personnel may have obtained certiﬁcates such as Infor-
mation Security Ofﬁcer or Auditor according to ISO/IEC 27001
(e.g.,  as an example).
A key ﬁnding of our explorative research is the possibility
to refer to partners (such as cloud computing providers or data
centers) that are certiﬁed. This option shows the main difference
between ISO/IEC 27001 and the other management system
standards, as it is possible to outsource information security to
some extent, which is unlikely for quality, environmental, and
energy management. It is, therefore, possible that outsourcing
will not take place in the Far East, for example, as discussed by
Fomin et al. , but to IT service providers within Germany
or Europe. This could also be spurred by the General Data
Protection Regulation (GDPR), which entered into force in May
2018. Although ISO/IEC 27001 certiﬁcation should not be seen
as a tool to signal GDPR compliance, ISO/IEC 27001 can help
to comply with the GDPR . In order to elaborate this effect
of “indirect certiﬁcation” theoretically, one can apply theories
about networking and, in particular, brand leveraging and co-
branding, concepts that traditionally originate from marketing
and, in particular, consumer research . In our case, ﬁrms can
be “embedded” in a network and gain reputation and trust by
claiming an alliance with a partner who is certiﬁed, as shown by
Hu et al. , in the case of technical standard alliances.
The “landscape” (see Fig. 5) also includes the supply side
of ISO/IEC 27001, by involving certiﬁcation bodies and con-
sultants as important actors in the diffusion work  of this
management system standard. The large number of consultants
active in the ﬁeld of ISO/IEC 27001 and providing knowledge
of this standard indicates, ﬁrst, a need for ﬁrms to use consulting
ﬁrms for the implementation of ISO/IEC 27001. Second, it
indicates that ﬁrms may implement this standard with the help
of consultants rather than to be ofﬁcially certiﬁed. This can also
help explain the low adoption of ISO/IEC 27001 in Germany
given the low number of valid certiﬁcates , although on
average almost 30% of all German companies claim to have
a formally deﬁned ICT security policy that takes into account
the conﬁdentiality, integrity, and availability of their data and
ICT systems .
B. Discussion on Driving Factors for ISO/IEC 27001
Certiﬁcation in Germany
Our regression analysis revealed that larger and more inno-
vative ﬁrms, most of them belonging to the ICT service sector,
are more prone to ISO/IEC 27001 certiﬁcation.
The signiﬁcant size effect supports the ﬁndings of previous
studies on other management system standards , both for
all ﬁrms and for ICT service providers. Obviously, certiﬁcation
costs present a problem for smaller companies that may not
be compensated by the beneﬁts of achieving certiﬁcation to
ISO/IEC 27001 . Since the ﬁrm size is often correlated
with ﬁrm age , we expected a positive effect that is only the
case for ICT service ﬁrms (see Table V), though not signiﬁcant
(see Table VI). Therefore, different organizational factors and
IT skills may lead to differences in the perception of ﬁrms in
terms of information security and related investments, apart from
size, age, and innovativeness, which should be subject to future
Our ﬁndings have several implications for managers, pol-
icy makers, and standard development organizations. From a
managerial perspective, it shows that ﬁrms can make use of
ISO/IEC 27001 either in terms of implementation versus cer-
tiﬁcation (1), the use of certiﬁed IT personnel (2), and the
reference to a certiﬁed partner (indirect certiﬁcation) (3) without
having to bear the time and cost for certiﬁcation. Therefore,
depending on their individual objectives, ﬁrms should critically
examine whether it is worthwhile to seek certiﬁcation (e.g., as a
competitive advantage or because stakeholders require an inde-
pendent attestation) or not. In some cases, the implementation of
ISO/IEC 27001 might be a good start to increase the overall level
of information security, including employee awareness, without
bearing the immediate costs for certiﬁcation.
From a policy perspective, our ﬁndings have an impact when
policy makers decide to make use of ISO/IEC 27001 to increase
the overall level of information security in ﬁrms. First, the sig-
niﬁcant ﬁrm size effect may require action. Policy makers could,
for example, spur the diffusion of ISO/IEC 27001 among SMEs
by providing incentives to ﬁrms that seek services, e.g., from
consultants, to implement an ISMS according to ISO/IEC 27001.
Second, the beneﬁts for smaller ﬁrms implementing an ISMS
according to ISO/IEC 27001 may not be sufﬁciently known or
measurable for smaller companies. Therefore, standards devel-
opment organizations could publish practical guidance docu-
ments, in particular, to help SMEs apply the ISO/IEC 27000
series, as proposed by the European Commission in its recent
rolling plan for ICT standardization . Third, it is worth
investigating whether independent third-party certiﬁcation is
required or whether a self-declaration of conformity might be
useful to achieve the respective goal. Finally, looking closely at
the ISO/IEC 27001 certiﬁed ﬁrms, they most often belong to
the ICT service sector. Hence, the question arises as to whether
the concentration of certiﬁcations among ICT service ﬁrms is
sufﬁcient for an overall adequate level of information security
because they provide services to companies throughout the entire
economy, or whether we have a signiﬁcant gap here. This might
be true, in particular, for manufacturing ﬁrms, particularly in
view of the increasing connectivity related to Industry 4.0, which
may require further actions from policy makers.
For the ﬁrst time, we used web mining as a data source and
method to examine German ﬁrms in the MUP database with a
website with reference to ISO/IEC 27001 in this article.
A manual categorization of all ﬁrms with ISO/IEC 27001
reference on their websites enabled the development of an
ISO/IEC 27001 “landscape”, as outlined in Fig. 5, covering
both the demand side (ﬁrms making use of this management
system standard) and the supply side of this management system
standard (ﬁrms providing services related to ISO/IEC 27001).
The implications of our ﬁndings can lead to a better under-
standing of the reasons for the (low) adoption of ISO/IEC 27001.
First, the small number of valid certiﬁcates reported in the ISO
survey is not necessarily due to the low adoption rate of the
standard. Firms can also beneﬁt from either implementing the
management system standard without seeking certiﬁcation or by
using certiﬁed IT personnel. Second, ﬁrms make use of certiﬁed
partners to which they refer on their websites, a phenomenon that
we term “indirect certiﬁcation.” These partners (mostly cloud
suppliers and data centers), therefore, have a multiplier effect
by providing information security to a larger number of ﬁrms.
Our web mining based analysis of ﬁrms that refer to
ISO/IEC 27001 on their websites showed that this method can
be used in combination with a manual ﬁrm-by-ﬁrm evaluation
to gain a better understanding of the drivers for certiﬁcation to
ISO/IEC 27001. We have shown that ﬁrm size, innovativeness,
and afﬁliation to the ICT service sectors are potential drivers
for ISO/IEC 27001 certiﬁcation. In particular, smaller ﬁrms
seek less certiﬁcation than larger ﬁrms, which may call for the
need for supporting SMEs in implementing ISO/IEC 27001 and
From a legal perspective, certiﬁcation against ISO/IEC 27001
is voluntary for ﬁrms per se. However, this could change in the
near future not only in the light of the NIS-Directive but also
of the latest EU Cybersecurity Act. In addition, ﬁrms can adopt
ISO/IEC 27001 to demonstrate compliance with the principles
of technical and organizational measures to protect information
for the purpose of the GDPR . Thereby, the results of this
article can help to derive more substantial recommendations
for the application of this management system standard, e.g.,
if a mandatory certiﬁcation for ﬁrms in speciﬁc sectors or
alternative measures to increase the adoption of ISO/IEC 27001
From a methodological perspective, web mining of ﬁrm web-
sites supplements the traditional methods of standard adoption
research, which are often based on surveys and are qualitative
in nature, or in the case of diffusion research based on national
However, web mining and this article are not without limi-
tations. As far as the applicability of the method is concerned,
our web scraping ﬁrst covered only the top 25 webpages per
website. A previous study showed that the median number of
subweb pages per website of German ﬁrms is 15, but this number
of webpages is also strongly correlated with the size of the ﬁrm
. This suggests that our rather low per-website scraping limit
can induce a bias against larger ﬁrms, which we also found in
our validation, indicating that German ISO/IEC 27001 certiﬁed
ﬁrms may be even larger than our empirical results suggest. For
future web mining studies, we therefore suggest either using a
higher scraping limit for all ﬁrms or adjusting the scraping limit
according to the available ﬁrm size information.
Second, our analysis assumes that all ﬁrms certiﬁed to
ISO/IEC 27001 would announce this on their websites. How-
ever, ﬁrms are not obliged to do so, and some sectors, such as ICT
services or electronics, may be more prone to the presentation
of their certiﬁcates on their websites than other sectors .
Therefore, ﬁrms active in the health or tourism sector may see
a lower value for their goal of publishing their certiﬁcates and
hence there may be a distortion in certain sectors.
Third, our web mining (by keywords only) cannot distinguish
whether ﬁrms are certiﬁed or otherwise refer to this management
system standard. Therefore, only a combination of web mining
and manual analysis allowed a suitable categorization. In order to
make use of this method to a greater extent, further automation
would be needed using a web scraper. This could include the
recognition of images to identify certiﬁcates, or the use of neural
networks to predict whether a ﬁrm is certiﬁed to a particular
management system standard.
Finally, the positive relationship of ﬁrm drivers for
ISO/IEC 27001 certiﬁcation does not necessarily imply causal-
ity. Further research is needed to examine the drivers and barriers
to the adoption of ISO/IEC 27001. As a ﬁrst step, our catego-
rized ﬁrms that are certiﬁed to ISO/IEC 27001 or have adopted
this standard (without certiﬁcation) can be used to analyze the
context in which ﬁrms refer to the use of ISO/IEC 27001 on their
website as a motive for adoption and further sector segmentation.
This analysis could also be extended to ﬁrms that refer to certiﬁed
partner ﬁrms to examine the drivers for this type of “indirect
certiﬁcation”. Additional methodological approaches, such as
interviews and surveys, are needed to theoretically support
these correlations and to identify further drivers and barriers
in connection with ISO/IEC 27001 certiﬁcation. Our identiﬁed
ﬁrms can therefore serve as a sample.
Our approach of deﬁning certiﬁcations based on management
system standards as organizational innovation itself opens up a
new research ﬁeld to investigate the relationship between prod-
uct innovation and certiﬁcations in the context of international
management system standards as organizational innovations
. This raises the question of timing, i.e., whether product in-
novations trigger certiﬁcation to management system standards
as organizational innovations  or vice versa. However, this
question cannot be answered by the available cross-sectional
data but requires time-series data.
See Tables VIII–X.
CORRELATION MATRIX OF THE VARIABLES
Notes: The table shows the pairwise correlation coefficients of all observations in the MUP.
ICT sector service coefficients are in brackets.
TABLE IX
CORRECTED LOGIT ESTIMATES
Notes: The table displays the coefficients of all observations in the MUP and ICT service
sectors applying rare event logistic regression.
∗p<0.10. ∗∗p<0.05. ∗∗∗p<0.01.
TABLE X
PROBIT ESTIMATION RESULTS FOR SECTOR DUMMIES
Notes: The table displays the coefficients and marginal effects based on the ICT service
sector. ∗p<0.10. ∗∗p<0.05. ∗∗∗p<0.01.
M. Mirtsch would like to thank G. Dudek for valuable insights,
S. Mareschow and G. Miklis for assisting in categorizing web
scraped ﬁrms, M. Franke for IT support, and S. Stobbe for the
language editing and proofreading. Finally, the authors grate-
fully acknowledge the valuable suggestions of three anonymous
 ISOfocus, “The cyber secrets,” Jan./Feb. 2019. [Online]. Available: https:
 S.-Y. Peng, “‘Private’ cybersecurity standards? Cyberspace governance,
multistakeholderism, and the (Ir) relevance of the TBT regime,” Cornell
Int. Law J., vol. 51, no. 2, pp. 445–469, 2018.
 S. Shackelford and S. O. Bradner, “Have you updated your toaster?
Transatlantic approaches to governing the internet of everything,” Kelley
School Bus. Res. Paper No. 18-60, pp. 1–31. 2018. [Online]. Available:
https://ssrn.com/abstract=3208018
 Accenture, “The cost of cybercrime,” Ninth Annual Cost of
Cybercrime Study, Independently Conducted by Ponemon Institute
LLC and Jointly Developed by Accenture, 2019. [Online] Available:
 R. Saint-Germain, “Information security management best practice based
on ISO/IEC 17799,” Inf. Manage. J., vol. 39, no. 4, pp. 60–66, 2005.
 G. Disterer, “ISO/IEC 27000, 27001 and 27002 for information security
management,” J. Inf. Secur., vol. 4, no. 2, pp. 92–100, 2013.
 Information Security Management Systems, ISO/IEC 27001:2013 (EN),
 P. Castka and C. J. Corbett, “Management systems standards: Diffusion,
impact and governance of ISO 9000, ISO 14000, and other management
standards,” Foundations Trends Technol. Inf. Oper. Manage., vol. 7, no.
3/4, pp. 161–379, 2013.
 E. M. Rogers, Diffusion of Innovations, 5th ed. New York, USA: Free
 V. Fomin, H. Vries, and Y. Barlette, “ISO/IEC 27001 information systems
security management standard: Exploring the reasons for low adoption,”
in Proc. 3rd Eur. Conf. Manage. Technol., 2008, pp. 1–13.
 Y. Barlette and V. Fomin, “The adoption of information security man-
agement standards: A literature review,” in Proc. Inf. Resour. Manage.:
Concepts, Methodologies, Tools Appl., 2010, pp. 69–90.
 Y. Barlette and V. V. Fomin, “Exploring the suitability of IS security
management standards for SMEs,” in Proc. 41st Annu. Hawaii Int. Conf.
Syst. Sci., 2008, pp. 308–317.
 Z. Abu Bakar, N. A. Yaacob, Z. M. Udin, J. R. Hanaysha, and L. K. Loon,
“The adoption of business continuity management best practices among
Malaysian organizations,” Adv. Sci. Lett., vol. 23, no. 9, pp. 8484–8491,
 A. Skopak and S. Sakanovic, “Adoption of standard for information
security ISO/IEC 27001 in Bosnia and Herzegovina,” in Proc. Int. Conf.
Econ. Social Stud. Sarajevo, 2016, pp. 35–42.
 C. Candiwan, “Analysis of ISO27001 implementation for enterprises and
SMEs in Indonesia,” in Proc. Int. Conf. Cyber-Crime Investigation Cyber
Secur., 2014, pp. 50–58.
 K. I. Alshitri and A. N. Abanumy, “Exploring the reasons behind the low
ISO 27001 adoption in public organizations in Saudi Arabia,” in Proc. Int.
Conf. Inf. Sci. Appl., 2014, pp. 1–4.
 B. AbuSaad, F. A. Saeed, K. Alghathbar, and B. Khan, “Implementation
of ISO 27001 in Saudi Arabia—Obstacles, motivations, outcomes, and
lessons learned,” in Proc. Australian Inf. Secur. Manage. Conf., 2011, pp.
 R. Van Wessel and H. J. de Vries, “Business impact of international
standards for information security management. Lessons from case companies,”
J. Inf. Commun. Technol. Standardization, vol. 1, pp. 25–40, 2013.
 J. Kinne and J. Axenbeck, “Web mining of ﬁrm websites: A framework
for Web scraping and a pilot study for Germany,” Leibniz Assoc., Berlin,
Germany, ZEW Discussion Paper 18-033, 2019.
 J. Kinne and D. Lenz, “Predicting innovative ﬁrms using web mining and
deep learning,” Leibniz Assoc., Berlin, Germany, ZEW Discussion Paper
 K. Blind, “Certifications based on international management system standards
as innovation indicators: An explorative feasibility analysis,” in Proc.
24th EURAS Annu. Standardisation Conf., Standards, Bio-Based Econ.,
2019, pp. 51–69.
 H. Armbruster, A. Bikfalvi, S. Kinkel, and G. Lay, “Organizational inno-
vation: The challenge of measuring non-technical innovation in large-scale
surveys,” Technovation, vol. 28, no. 10, pp. 644–657, 2008.
 G. Hashem and J. Tann, “The adoption of ISO 9000 standards within
the Egyptian context: A diffusion of innovation approach,” Total Qual.
Manage. Bus. Excellence, vol. 18, no. 6, pp. 631–652, 2007.
 L. G. Tornatzky, M. Fleischer, and A. Chakrabarti, The Processes of Technological
Innovation (Issues in Organization and Management Series).
Lexington, MA, USA: Lexington Books, 1990.
 M. V. Uzumeri, “ISO 9000 and other metastandards: principles for man-
agement practice?” Acad. Manage. Perspectives, vol. 11, no. 1, pp. 21–36,
 ISO, “Management system standards.” Accessed on: Mar. 1, 2019. [Online].
Available: https://www.iso.org/management-system-standards.html
 Conformity Assessment—Vocabulary and General Principles, EN
ISO/IEC 17000:2004, 2004.
 M. Spence, “Job market signaling,” Quart. J. Econ., vol. 87, no. 3, pp.
 W. K. Viscusi, “A note on “lemons” markets with quality certiﬁcation,”
Bell J. Econ., vol. 9, no. 1, pp. 277–279, 1978.
 G. A. Akerlof, “The market for “lemons”: Quality uncertainty and the
market mechanism,” Quart. J. Econ., vol. 84, no. 3, pp. 488–500, 1970.
 A. Terlaak and A. A. King, “The effect of certiﬁcation with the ISO 9000
quality management standard: A signaling approach,”J. Econ. Behav. Org.,
vol. 60, no. 4, pp. 579–602, 2006.
MIRTSCH et al.: EXPLORING THE ADOPTION OF THE INTERNATIONAL INFORMATION SECURITY MANAGEMENT SYSTEM 13
 M. Delmas and I. Montiel, “The diffusion of voluntary international
management standards: Responsible Care, ISO 9000, and ISO 14001 in
the chemical industry,” Policy Stud. J., vol. 36, no. 1, pp. 65–93, 2008.
 S. W. Anderson, J. D. Daly, and M. F. Johnson, “Why ﬁrms seek ISO 9000
certiﬁcation: regulatory compliance or competitive advantage?” Prod.
Oper. Manage., vol. 8, no. 1, pp. 28–43, 1999.
 K. D. Gotzamani and G. D. Tsiotras, “An empirical study of the ISO 9000
standards’ contribution towards total quality management,” Int. J. Oper.
Prod. Manage., vol. 21, no. 10, pp. 1326–1342, 2001.
 M. Terziovski, D. Power, and A. S. Sohal, “The longitudinal effects of
the ISO 9000 certiﬁcation process on business performance,” Eur. J. Oper.
Res., vol. 146, no. 3, pp. 580–595, 2003.
 M. Potoski and A. Prakash, “Information asymmetries as trade barriers:
ISO 9000 increases international commerce,” J. Policy Anal. Manage. vol.
28, no. 2, pp. 221–238, 2009.
 B. Manders, H. J. de Vries, and K. Blind, “ISO 9001 and product innova-
tion: A literature review and research framework,” Technovation, vol. 48,
pp. 41–55, 2016.
 H. A. Quazi, Y.-K. Khoo, C.-M. Tan, and P.-S. Wong, “Motivation for ISO
14000 certiﬁcation: development of a predictive model,” Omega, vol. 29,
no. 6, pp. 525–542, 2001.
 P. DiMaggio and W. W. Powell, “The iron cage revisited: Collective
rationality and institutional isomorphism in organizational ﬁelds,” Amer.
Sociol. Rev., vol. 48, no. 2, pp. 147–160, 1983.
 E. Naveh, A. Marcus, and H. Koo Moon, “Implementing ISO 9000:
Performance improvement by ﬁrst or second movers,” Int. J. Prod. Res.,
vol. 42, no. 9, pp. 1843–1863, May 2004.
 A. Terlaak and A. A. King, “Follow the small? Information-revealing
adoption bandwagons when observers expect larger ﬁrms to beneﬁt more
from adoption,” Strategic Manage. J., vol. 28, no. 12, pp. 1167–1185,
 M. A. Delmas and M. Montes-Sancho, “An institutional perspective on
the diffusion of international management system standards: The case of
the environmental management standard ISO 14001,” Bus. Ethics Quart.,
vol. 21, no. 1, pp. 103–132, 2011.
 T. H. Arimura, N. Darnall, and H. Katayama, “Is ISO 14001 a gateway
to more advanced voluntary action? The case of green supply chain
management,” J. Environ. Econ. Manage., vol. 61, no. 2, pp. 170–182,
 P. J. Singh, M. Feng, and A. Smith, “ISO 9000 series of standards:
comparison of manufacturing and service organisations,” Int. J. Qual. Rel.
Manage., vol. 23, no. 2, pp. 122–142, 2006.
 G. M. P. Swann, “The economics of standardization: An update,” Innov.
Econ. Limited, London, U.K., Rep. U.K. Dept. Bus., Innov. Skills, 2010.
 X. Cao and A. Prakash, “Growing exports by signaling product quality:
Trade competition and the cross-national diffusion of ISO 9000 quality
standards,” J. Policy Anal. Manage., vol. 30, no. 1, pp. 111–135, 2011.
 B. Manders, “Implementation and impact of ISO 9001,” Ph.D. dissertation,
Erasmus Res. Inst. Manage. Rotterdam, The Netherlands, 2015.
 P. Bansal and W. C. Bogner, “Deciding on ISO 14001: Economics, insti-
tutions, and context,” Long Range Planning, vol. 35, no. 3, pp. 269–290,
 K. Blind and A. Mangelsdorf, “Zertiﬁzierung in deutschen Unternehmen–
zwischen Wettbewerbsvorteil und Kostenfaktor,” in Zertiﬁzierung als Er-
folgsfaktor. Berlin, Germany: Springer, 2016, pp. 23–32.
 M. L. Katz and C. Shapiro, “Network externalities, competition, and
compatibility,” Amer. Econ. Rev., vol. 75, no. 3, pp. 424–440, 1985.
 C. J. Corbett and D. A. Kirsch, “International diffusion of ISO 14000
certiﬁcation,” Prod. Oper. Manage., vol. 10, no. 3, pp. 327–342, 2001.
 F. Tuczek, P. Castka, and T. Wakolbinger, “A review of management
theories in the context of quality, environmental and social responsibility
voluntary standards,” J. Cleaner Prod., vol. 176, pp. 399–416, 2018.
 D. Maier, A. M. Vadastreanu, T. Keppler, T. Eidenmuller, and A. Maier,
“Innovation as a part of an existing integrated management system,”
Procedia Econ. Finance, vol. 26, pp. 1060–1067, 2015.
 T. H. Jørgensen, A. Remmen, and M. D. Mellado, “Integrated management
systems—Three different levels of integration,” J. Cleaner Prod., vol. 14,
no. 8, pp. 713–722, 2006.
 R. Gey and A. Fried, “Metastructuring for standards: How organizations
respond to the multiplicity of standards,” in Corporate and Global Stan-
dardization Initiatives in Contemporary Society. Hershey, PA, USA: IGI
Global, 2018, pp. 252–276.
 H. J. de Vries and F. El Osrouti, “Impact studies on standards and standard-
isation - Looking back and moving forward,” in Proc. 24th EURAS Annu.
Standardisation Conf., Standards, Bio-Based Econ., 2019, pp. 131–142.
 C. B. Stamm, “ISO 26000 gets taken around: Diffusion work as crucial
link between standard creation and adoption,” in Corporate Social Re-
sponsibility and Corporate Change. Berlin, Germany: Springer, 2019, pp.
 Information Technology—Security Techniques—Information Security
Management Systems—Overview and Vocabulary, ISO/IEC 27000:2018
 R. Von Solms and J. Van Niekerk, “From information security to cyber
security,” Comput. Secur., vol. 38, pp. 97–102, 2013.
 ISO, “The ISO survey of management system standard certiﬁcations
2017,” 2018. [Online]. Available: https://www.iso.org/the-iso- survey.
html, Accessed on: Feb. 2, 2019.
 D. Tunçalp, “Diffusion and adoption of information security management
standards across countries and industries,”J. Global Inf. Technol. Manage.,
vol. 17, no. 4, pp. 221–227, 2014.
 T. Neubauer, A. Ekelhart, and S. Fenz, Interactive Selection of ISO 27001
Controls Under Multiple Objectives. Boston, MA, USA: Springer, 2008,
 N. F. Doherty and H. Fulford, “Do information security policies reduce
the incidence of security breaches: an exploratory analysis,” Inf. Resour.
Manage. J., vol. 18, no. 4, pp. 21–39, 2005.
 C. Hsu, T. Wang and A. Lu, “The impact of ISO 27001 certiﬁcation on
ﬁrm performance,” in Proc. 49th Hawaii Int. Conf. Syst. Sci., 2016, pp.
 G. P. Tejay and B. Shoraka, “Reducing cyber harassment through de jure
standards: A study on the lack of the information security management
standard adoption in the USA,” Int. J. Manage. Decis. Making, vol. 11,
no. 5/6, pp. 324–343, 2011.
 Y. Benslimane, Z. Yang, and B. Bahli, “Information security between
standards, certiﬁcations and technologies: An empirical study,” in Proc.
Int. Conf. Inf. Sci. Secur., 2016, pp. 1–5.
 A. Longras, T. Pereira, P. Cameiro, and P. Pinto, “On the track of
ISO/IEC 27001: 2013 implementation difﬁculties in portuguese organi-
zations,” in Proc. Int. Conf. Intell. Syst., 2018, pp. 886–890.
 S. Uwizeyemungu and P. Poba-Nzaou, “Understanding information tech-
nology security standards diffusion: An institutional perspective,” in Proc.
Int. Conf. Inf. Syst. Secur. Privacy, 2015, pp. 5–16.
 J. A. Schumpeter, Theorie der wirtschaftlichen entwicklung. Leipzig:
Duncker & Humblot. English Translation Published in 1934 As the Theory
of Economic Development. Cambridge, MA, USA: Harvard Univ. Press,
 T. Oliveira and M. F. Martins, “Literature reviewof information technology
adoption models at ﬁrm level,” Electron. J. Inf. Syst. Eval., vol. 14, no. 1,
pp. 110–121, 2011.
 K. K. Kuan and P. Y. Chau, “A perception-based model for EDI adoption
in small businesses using a technology–organization–environment frame-
work,” Inf. Manage., vol. 38, no. 8, pp. 507–521, 2001.
 Y.-M. Wang, Y.-S. Wang, and Y.-F. Yang, “Understanding the determinants
of RFID adoption in the manufacturing industry,” Technol. Forecasting
Social Change, vol. 77, no. 5, pp. 803–815, 2010.
 M.-J. Pan and W.-Y. Jang, “Determinants of the adoption of enterprise
resource planning within the technology-organization-environment frame-
work: Taiwan’s communications industry,” J. Comput. Inf. Syst., vol. 48,
no. 3, pp. 94–102, 2008.
 I. Heras-Saizarbitoria and O. Boiral, “ISO 9001 and ISO 14001: towards a
research agenda on management system standards,” Int. J. Manage. Rev.,
vol. 15, no. 1, pp. 47–65, 2013.
 J. Llach, R. D. Castro, A. Bikfalvi, and F. Marimon, “The relationship
between environmental management systems and organizational inno-
vations,” Hum. Factors Ergonom. Manuf. Serv. Ind., vol. 22, no. 4, pp.
 G. Mangiarotti and C. A. F. Riillo, “Determinants of ISO9000:2000
certiﬁcation in services and manufacturing: An empirical analy-
sis for luxembourg,” in Proc. 4ème Colloque Luxembourgeois sur
l’économie de la Connaissance Dans une Perspective Européenne, 2010,
 E. Hoti, “The technological, organizational and environmental framework
of IS innovation adaption in small and medium enterprises. Evidence from
research over the last 10 years,” Int. J. Bus. Man age., vol.3, no. 4, pp. 1–14,
 N. Askitas and K. F. Zimmermann, “The internet as a data source for
advancement in social sciences,” Int. J. Manpower, vol. 36, no. 1, pp.
 R. Kosala and H. Blockeel, “Web mining research: A survey,” ACM
SIGKDD Explorations Newslett., vol. 2, no. 1, pp. 1–15, 2000.
14 IEEE TRANSACTIONS ON ENGINEERING MANAGEMENT
 A. Gök, A. Waterworth, and P. Shapira, “Use of web mining in studying
innovation,” Scientometrics, vol. 102, no. 1, pp. 653–671, 2015.
 G. Miner, J. Elder IV, A. Fast, T. Hill, R. Nisbet, and D. Delen, Prac-
tical Text Mining and Statistical Analysis for Non-Structured Text Data
Applications. Cambridge, MA, USA: Academic, 2012.
 J. S. Katz and V.Cothey, “Web indicators for complex innovationsystems,”
Res. Eval., vol. 15, no. 2, pp. 85–95, 2006.
 J. Youtie, D. Hicks, P. Shapira, and T. Horsley, “Pathways from discovery
to commercialisation: using web sources to track small and medium-sized
enterprise strategies in emerging nanotechnologies,” Technol. Anal. Strate-
gic Manage., vol. 24, no. 10, pp. 981–995, 2012.
 S. K. Arora, J. Youtie, P. Shapira, L. Gao, and T. Ma, “Entry strategies
in an emerging technology: a pilot web-based study of graphene ﬁrms,”
Scientometrics, vol. 95, no. 3, pp. 1189–1207, 2013.
 C. Beaudry, M. Héroux-Vaillancourt, and C. Rietsch, “Validation of a
web mining technique to measure innovation in high technology Canadian
industries,” in Proc. 1st Int. Conf. Adv. Res. Methods Anal., 2016, pp. 1–25.
 M. Nathan and A. Rosso, “Innovative events,” Centro Studi Luca
d’Agliano, Torino, Italy, Develop. Stud. Work. Paper 429, 2017.
 J. Bersch, S. Gottschalk, B. Müller, and M. Niefert, “The Mannheim
Enterprise Panel (MUP) and ﬁrm statistics for Germany,” Zentrum für
Europäische Wirtschaftsforschung (ZEW), Mannheim, Germany, ZEW
Discussion Paper 14-104, 2014.
 Eurostat, “Statistical classiﬁcation of economic activities in the
european community,” NACE Rev. 2, 2008. Accessed on: Feb.
2, 2019. [Online]. Available: https://ec.europa.eu/eurostat/ramon/
nomenclatures/index.cfm?TargetUrl = LST_NOM_DTL&StrNom =
NACE_REV2&StrLanguageCode = EN&IntPcKey = &StrLayoutCode =
 G. King and L. Zeng, “Logistic regression in rare events data,” Political
Anal., vol. 9, no. 2, pp. 137–163, 2001.
 O. Hogan, R. Jayasuriya, and C. Sheehy, “Economic Contribution of
Standards in Ireland: A report for the National Standards Authority of
Ireland,” Centre for Econ. Bus. Res. (CEBR), London, U.K., Dec. 2015.
 DEKRA, “Informationssicherheit.” [Online]. Available: https://www.
dekra-akademie.de/de/iso2700x-schulung/, Accessed on: March 7, 2019.
 I. M. Lopes, T. Guarda, and P. Oliveira, “How ISO 27001 can help achieve
GDPR compliance,” in Proc. 14th Iberian Conf. Inf. Syst. Technol., 2019,
 K. L. Keller, “Brand synthesis: The multidimensionality of brand knowl-
edge,” J. Consum. Res., vol. 29, no. 4, pp. 595–600, 2003.
 J. Hu, Y. Zhang, and X. Fang, “Research on partner selection mechanism
of technological standard alliance: From the perspective of network em-
beddedness,” in Proc. Portland Int. Conf. Manage. Eng. Technol., 2015,
 Eurostat. “ICT security in enterprises,” 2015. [Online].
ICT_security_in_enterprises. Accessed on: Nov. 19, 2018.
 H. Mintzberg, S. Ghoshal, J. Lampel, and J. B. Quinn, The Strategy
Process: Concepts, Contexts, Cases. Harlow, UK: Pearson Educ., 2003.
 J. M. Utterback and W. J. Abernathy, “A dynamic model of process and
product innovation,” Omega, vol. 3, no. 6, pp. 639–656, 1975.
 European Commission, “2019 Rolling plan for ICT standardisation,” DG
Internal Market, Ind., Entrepreneurship SMEs, Eur. Commission, Brus-
sels, Belgium, 2019.
 C. Tankard, “What the GDPR means for businesses,” Netw. Secur.,vol.
2016, no. 6, pp. 5–8, 2016.
Mona Mirtsch received the M.Sc. degree in business administration from the
San Diego State University, San Diego, CA, USA, in 2004, and the Diploma in
business administration from the European University Viadrina Frankfurt (Oder),
Frankfurt (Oder), Germany, in 2006. She is currently working toward the Ph.D.
degree in innovation economics with the Technische Universität Berlin, Berlin,
Germany, in the field of cybersecurity and conformity assessment.
From 2006 to 2010, she was a Trainee and a Brand Manager for a multinational
fast-moving consumer goods corporation in Hamburg, Germany. From 2010 to 2017,
she was a Sales Manager also responsible for quality management for a
family-owned metal forming company in Berlin, Germany. Since 2017, she has been
working with the Department for Accreditation and Conformity Assessment at the
Bundesanstalt für Materialforschung und -prüfung (Federal Institute for Materials Research
and Testing—BAM), Berlin, Germany, dealing with questions of quality infras-

Jan Kinne received the master’s degree in geography from the Heidelberg
University, Heidelberg, Germany, in 2016. He is currently working toward the
Ph.D. degree in applied geoinformatics at the University of Salzburg, Salzburg,
Austria, in the field of microgeographic innovation research using web data.
He was a Visiting Fellow with the Institute for Quantitative Social Sciences,
Harvard University in 2019. Since 2016, he has been working as a Researcher with
the Economics of Innovation Department, ZEW Centre for European Economic Research.
Based on his Ph.D. research, he co-founded istari.ai (istari artificial intelligence),
a startup company for AI-driven web analysis of company websites. His main
areas of study were geoinformatics and spatial analysis (GIScience).

Knut Blind received the Bachelor’s degree of Arts from Brock University,
St. Catharines, ON, Canada, in 1990 and the Diploma in economics and the
Doctoral degree in economics from Freiburg University, Freiburg, Germany in 1995.
He studied economics, political science, and psychology at
Albert-Ludwigs-Universität Freiburg, Freiburg, Germany.
In April 2006, he was appointed as a Professor of Innovation Economics with the
Faculty of Economics and Management, Technische Universität Berlin. Between 2008
and 2016, he also held the endowed Chair of Standardisation at the Rotterdam
School of Management, Erasmus University.
Since 1996, he has been with the Fraunhofer Society (currently the Fraunhofer
Institute of Systems and Innovation Research).