Journal of Digital Information Management
Vol. 20, Issue 3, 2022

Why ISO27001 Certified Organizations Still Experience Data Leakage?
Harrison Stewart
Harrison Stewart Group Germany
Abstract: The rapid growth of mobile applications, IoT, and cloud technology has been accompanied by massive data leaks, ranging from personally identifiable information to corporate secrets. Despite numerous standards and frameworks, the human errors that cause information security breaches have still not been brought under control. This study contributes to the ISMS literature on the processing and operation of an ISMS concept based on new, comprehensive information security management measures. It uses exploratory surveys of fifty financial institutions to identify significant differences among them. The study confirmed that the primary root cause of information security incidents is the interaction between humans and technology. The results show that the NFC principle can help enhance and monitor the performance of these interconnections, compared with other recognized standalone ISMS standards.
Keywords: Information security management systems (ISMSs); reformed ISMS; human-error-related information security incidents; technology-error-related information security incidents; factors related to information security incidents
DOI: https://doi.org/10.6025/jdim/2022/20/3/90-103