ISO/IEC 27001: An empirical multi-method research

PODRECCA, MATTEO
2023-06-20
  • doctoral thesis

Abstract
The adoption of digital technologies, the emergence of platform-based business models, and the switch to smart working practices are increasing the number of potential entry points into firms' networks and therefore their potential vulnerabilities. However, despite the relevance of the issue, the managerial debate on the topic is still scant and several research gaps exist. Under this premise, this doctoral thesis touches on the following aspects. First, by discussing the issue with senior executives and information security experts, it highlights the most relevant information security challenges in the context of Industry 4.0. In doing so, it also shows where current approaches fall short and which emerging practices are gaining relevance. Second, by conducting a systematic literature review, the thesis provides a comprehensive synthesis of the academic body of knowledge on ISO/IEC 27001 (i.e., the most renowned international management standard for information security and the fourth most widespread ISO certification) and formulates a theory-based research agenda to inspire future studies at the intersection of information systems and managerial disciplines. Third, by resorting to Grey models, it investigates the current and future diffusion patterns of ISO/IEC 27001 in the six most important countries in terms of issued certificates. Fourth, by performing an event study complemented by an ordinary least squares regression on a dataset of 143 US-listed companies, the dissertation sheds light on the performance implications of ISO/IEC 27001 adoption as well as the role of some contextual factors in affecting the outcomes of the adoption. Overall, this doctoral thesis provides several contributions to both theory and practice. From a theoretical point of view, it highlights the need for managerial disciplines to start addressing information security-related aspects. Moreover, it demonstrates that investments in information security also pay off from a financial perspective. From a practical point of view, it shows the increasingly central role that ISO/IEC 27001 is likely to have in the years to come and provides managers with evidence on the possible performance effects associated with its adoption.
Archive
https://hdl.handle.net/11390/1252404
https://ricerca.unityfvg.it/handle/11390/1252404
Rights
open access
Subjects
  • Information security

  • Cybersecurity

  • ISO/IEC 27001

  • ISO 27001

  • Information systems

  • Sector ING-IND/35 - ...
