{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,11]],"date-time":"2026-02-11T13:28:12Z","timestamp":1770816492188,"version":"3.50.1"},"reference-count":50,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2008,10,10]],"date-time":"2008-10-10T00:00:00Z","timestamp":1223596800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2008,10,10]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>The purpose of this paper is to study the implementation of organizational information security measures and assess the effectiveness of such measures.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>A survey was designed and data were collected from information security managers in a selection of Norwegian organizations.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>Technical\u2010administrative security measures such as security policies, procedures and methods are the most commonly implemented organizational information security measures in a sample of Norwegian organizations. Awareness\u2010creating activities are applied by the organizations to a considerably lesser extent, but are at the same time these are assessed as being more effective organizational measures than technical\u2010administrative ones. Consequently, the study shows an inverse relationship between the implementation of organizational information security measures and assessed effectiveness of the organizational information security measures.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>Provides insight into the non\u2010technological side of information security. While most other studies look at the effectiveness of single organizational security measures, the present study considers combinations of organizational security measures.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685220810908796","type":"journal-article","created":{"date-parts":[[2008,10,25]],"date-time":"2008-10-25T07:02:30Z","timestamp":1224918150000},"page":"377-397","source":"Crossref","is-referenced-by-count":89,"title":["Implementation and effectiveness of organizational information security measures"],"prefix":"10.1108","volume":"16","author":[{"given":"Janne","family":"Merete Hagen","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Eirik","family":"Albrechtsen","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jan","family":"Hovden","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2022021420150136000_b1","doi-asserted-by":"crossref","unstructured":"Albrechtsen, E. (2007), \u201cA qualitative study of users' view on information security\u201d, Computers & Security, Vol. 26 No. 4, pp. 276\u201089.","DOI":"10.1016\/j.cose.2006.11.004"},{"key":"key2022021420150136000_b2","unstructured":"Albrechtsen, E. and Gr\u00f8tan, T.O. (2004), \u201cGammeldags tenkning i moderne organisasjoner? Om IKT\u2010sikkerhet i kunnskapsorganisasjoner\u201d (\u201cOld\u2010fashioned thinking in modern organizations? On ICT\u2010security in knowledge organizations)\u201d, in Lydersen, S. (Ed.), Fra flis I fingeren til ragnarokk, Tapir Akademisk, Trondheim, pp. 335\u201055 (in Norwegian)."},{"key":"key2022021420150136000_b3","unstructured":"Albrechtsen, E. and Hovden, J. (2007a), \u201cUser participation in information security\u201d, The Proceedings of ESREL2007."},{"key":"key2022021420150136000_b4","unstructured":"Albrechtsen, E. and Hovden, J. (2007b), \u201cIndustrial safety management and information security management: risk characteristics and management approaches\u201d, The Proceedings of ESREL2007."},{"key":"key2022021420150136000_b5","unstructured":"Albrechtsen, E. and Hovden, J. (unpublished), \u201cInformation security digital divide in organizations: information security managers versus users\u201d, manuscript submitted to Computers & Security."},{"key":"key2022021420150136000_b7","doi-asserted-by":"crossref","unstructured":"Berghel, H. (2005), \u201cThe two sides of ROI: return on investment vs risk of incarceration\u201d, Communications of the ACM, Vol. 48 No. 4, pp. 15\u201020.","DOI":"10.1145\/1053291.1053305"},{"key":"key2022021420150136000_b6","doi-asserted-by":"crossref","unstructured":"Blakely, B., McDermott, E. and Geer, D. (2001), \u201cInformation security is information risk management\u201d, Proceedings of the 2001 Workshop on New Security Paradigms, ACM Press, New York, NY, pp. 97\u2010104.","DOI":"10.1145\/508171.508187"},{"key":"key2022021420150136000_b8","unstructured":"Bolman, L.G. and Deal, T.E. (2003), Reframing Organizations: Artistry, Choice, and Leadership, Jossey\u2010Bass, San Francisco, CA."},{"key":"key2022021420150136000_b9","unstructured":"BSI, Bundesamt f\u00fcr Sicherheit in der Informationstechnik (2004), IT Security Guidelines, IT Baseline Protection in brief."},{"key":"key2022021420150136000_b10","unstructured":"Cashell, B., Jackson, W., Jickling, M. and Webl, B. (2004), \u201cThe economic impact of cyber attacks\u201d, Congressional Research Service Report for Congress, available at: www.cisco.com\/warp\/public\/779\/govtaffairs\/images\/CRS_Cyber_Attacks.pdf."},{"key":"key2022021420150136000_b11","doi-asserted-by":"crossref","unstructured":"Dhillon, G. and Backhose, J. (2001), \u201cCurrent directions in IS security research: towards socio\u2010organizational perspectives\u201d, Information Systems Journal, Vol. 11 No. 2, pp. 127\u201053.","DOI":"10.1046\/j.1365-2575.2001.00099.x"},{"key":"key2022021420150136000_b12","doi-asserted-by":"crossref","unstructured":"Doherty, N.F. and Fulford, H. (2006), \u201cAligning the information security policy with the strategic information systems plan\u201d, Computers & Security, Vol. 25 No. 1, pp. 55\u201063.","DOI":"10.1016\/j.cose.2005.09.009"},{"key":"key2022021420150136000_b13","doi-asserted-by":"crossref","unstructured":"Ehn, P. (1992), \u201cScandinavian design: on participation and skill\u201d, in Adler, P.S. and Winograd, T.A. (Eds), Usability \u2013 Turning Technologies into Tools, Oxford University Press, New York, NY.","DOI":"10.1093\/oso\/9780195075106.003.0008"},{"key":"key2022021420150136000_b14","doi-asserted-by":"crossref","unstructured":"Gordon, L.A. and Loeb, M.P. (2002), \u201cThe economics of information security investment\u201d, ACM Transactions on Information and System Security (TISSEC), Vol. 5 No. 4, pp. 438\u201057.","DOI":"10.1145\/581271.581274"},{"key":"key2022021420150136000_b15","unstructured":"Hagen, J.M. (2007), \u201cEvaluating applied information security measures: an analysis of the data from the Norwegian Computer Crime Survey 2006\u201d, FFI\/REPORT\u20102007\/02558, pp. 35\u201048."},{"key":"key2022021420150136000_b16","doi-asserted-by":"crossref","unstructured":"Hale, A.R. (2000), \u201cCulture's confusion\u201d, Safety Science, Vol. 34 Nos 1\/3, pp. 1\u20104.","DOI":"10.1016\/S0925-7535(00)00003-5"},{"key":"key2022021420150136000_b17","unstructured":"Hale, A.R. and Baram, M.S. (Eds) (1998), Safety Management: The Challenge of Change, Pergamon, Oxford."},{"key":"key2022021420150136000_b19","unstructured":"Hollnagel, E., Woods, D.D. and Leveson, N. (2006), Resilience Engineering: Concepts and Precepts, Ashgate, Aldershot."},{"key":"key2022021420150136000_b21","doi-asserted-by":"crossref","unstructured":"H\u00f6ne, K. and Eloff, J.H.P. (2002), \u201cInformation security policy \u2013 what do international security standards say?\u201d, Computers & Security, Vol. 21 No. 5, pp. 402\u20109.","DOI":"10.1016\/S0167-4048(02)00504-7"},{"key":"key2022021420150136000_b18","unstructured":"Hubbard, W. (2002), Methods and Techniques of Implementing a Security Awareness Program, SANS Institute, white paper."},{"key":"key2022021420150136000_b22","unstructured":"Ilstad, S., Paasche, T. and Hovden, J. (1977), Survey\u2010metoden (Survey Methods), Tapir, Trondheim (in Norwegian)."},{"key":"key2022021420150136000_b23","unstructured":"ISO\/IEC 27001:2005 (2005), Information technology \u2013 security techniques \u2013 information security management systems."},{"key":"key2022021420150136000_b24","doi-asserted-by":"crossref","unstructured":"Johnson, E. (2006), \u201cAwareness training, security awareness: switch to a better programme\u201d, Network Security, Vol. 2006 No. 2, pp. 15\u201018.","DOI":"10.1016\/S1353-4858(06)70337-3"},{"key":"key2022021420150136000_b26","doi-asserted-by":"crossref","unstructured":"Karyda, M., Kiountouzis, E. and Kokolakis, S. (2005), \u201cInformation systems security policies: a contextual perspective\u201d, Computers & Security, Vol. 24 No. 3, pp. 246\u201060.","DOI":"10.1016\/j.cose.2004.08.011"},{"key":"key2022021420150136000_b27","unstructured":"Keeney, M., Kowalski, E., Capelli, D., Moore, A., Shimeall, T. and Rogers, S. (2005), Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Carnegie Mellon, Software Engineering Institute, Pittsburgh, PA."},{"key":"key2022021420150136000_b25","doi-asserted-by":"crossref","unstructured":"Kemp, M. (2005), \u201cBeyond trust: security policies and defence in depth\u201d, Network Security, Vol. 2005 No. 8, pp. 14\u201016.","DOI":"10.1016\/S1353-4858(05)70271-3"},{"key":"key2022021420150136000_b28","doi-asserted-by":"crossref","unstructured":"Kotulic, A.G. and Clark, J. (2004), \u201cWhy there aren't more information security research studies\u201d, Information & Management, Vol. 41 No. 5, pp. 597\u2010607.","DOI":"10.1016\/j.im.2003.08.001"},{"key":"key2022021420150136000_b29","unstructured":"Levin, M. and Klev, R. (2002), Forandring som praksis. L\u00e6ring og utvikling i organisasjoner (Change as practice. Learning and development in organizations), Fagbokforlaget, Bergen (in Norwegian)."},{"key":"key2022021420150136000_b20","doi-asserted-by":"crossref","unstructured":"Lie, T., Hovden, J., Karlsen, J.E. and Alteren, B. (2008), \u201cThe safety representative under pressure. A study of occupational health and safety management in the Norwegian oil and gas industry\u201d, Safety Science, Vol. 46 No. 3.","DOI":"10.1016\/j.ssci.2007.06.018"},{"key":"key2022021420150136000_b30","doi-asserted-by":"crossref","unstructured":"Lobree, B. (2002), \u201cImpact of legislation on information security management\u201d, Security Management Practices, November\/December, pp. 41\u20108.","DOI":"10.1201\/1086\/43323.11.5.20021101\/39851.7"},{"key":"key2022021420150136000_b31","doi-asserted-by":"crossref","unstructured":"Mitropoulos, S., Patsos, D. and Douligeris, C. (2006), \u201cOn incident handling and response: a state\u2010of\u2010the\u2010art approach\u201d, Computers & Security, Vol. 25 No. 5, pp. 351\u201070.","DOI":"10.1016\/j.cose.2005.09.006"},{"key":"key2022021420150136000_b32","unstructured":"Morgan, G. (1998), Images of Organizations, Sage, London."},{"key":"key2022021420150136000_b33","unstructured":"Netsec (2004), \u201cUsing metrics to improve security, security brief, using metrics to improve security\u201d, available at: www1.netsec.net\/content\/securitybrief\/archive\/2004\u201009_Metrics.pdf."},{"key":"key2022021420150136000_b34","unstructured":"OECD (2002), Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, OECD, Paris."},{"key":"key2022021420150136000_b35","unstructured":"Randazzo, M.R., Keeney, M., Kowalski, E., Capelli, D. and Moore, A. (2004), Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, Carnegie Mellon, Software Engineering Institute, Pittsburgh, PA."},{"key":"key2022021420150136000_b36","doi-asserted-by":"crossref","unstructured":"Rasmussen, J. (1997), \u201cRisk management in a dynamic society\u201d, Safety Science, Vol. 27 Nos 2\/3, pp. 183\u2010213.","DOI":"10.1016\/S0925-7535(97)00052-0"},{"key":"key2022021420150136000_b37","unstructured":"Reznec, L. (2003), \u201cWhich models should be applied to measure computer security and information assurance\u201d, The Proceedings of the IEEE International Conference on Fuzzy."},{"key":"key2022021420150136000_b38","unstructured":"Ringdal, K. (2001), Enhet og mangfold: samfunnsvitenskaplig forskning og kvantitativ metode (Unity and Diversity: Social Science and Quantitative Methods), Fagbokforlaget, Bergen (in Norwegian)."},{"key":"key2022021420150136000_b39","unstructured":"Schneier, B. (2000), Secrets & Lies. Digital Security in a Networked World, Wiley, Indianapolis, IN."},{"key":"key2022021420150136000_b40","doi-asserted-by":"crossref","unstructured":"Siponen, M. (2000), \u201cA conceptual foundation for organizational information security awareness\u201d, Information Management and Computer security, Vol. 8 No. 1, pp. 31\u201041.","DOI":"10.1108\/09685220010371394"},{"key":"key2022021420150136000_b41","doi-asserted-by":"crossref","unstructured":"Siponen, M.T. and Oinas\u2010Kukkonen, H. (2007), \u201cA review of information security issues and respective research contributions\u201d, The Database for Advances in Information Systems, Vol. 38 No. 1, pp. 60\u201081.","DOI":"10.1145\/1216218.1216224"},{"key":"key2022021420150136000_b42","doi-asserted-by":"crossref","unstructured":"Sundt, C. (2006), \u201cInformation security and the law\u201d, Information Security Technical Report, Vol. 11 No. 1, pp. 2\u20109.","DOI":"10.1016\/j.istr.2005.11.003"},{"key":"key2022021420150136000_b43","doi-asserted-by":"crossref","unstructured":"Thomson, K\u2010L. and von Solms, R. (2006), \u201cTowards an information security competence maturity model\u201d, Computer Fraud & Security, Vol. 2006 No. 5, pp. 11\u201015.","DOI":"10.1016\/S1361-3723(06)70356-6"},{"key":"key2022021420150136000_b44","doi-asserted-by":"crossref","unstructured":"Von Solms, B. (2000), \u201cInformation security \u2013 the third wave?\u201d, Computers & Security, Vol. 19 No. 7, pp. 615\u201020.","DOI":"10.1016\/S0167-4048(00)07021-8"},{"key":"key2022021420150136000_b45","doi-asserted-by":"crossref","unstructured":"Von Solms, B. (2001), \u201cInformation security \u2013 a multidimensional discipline\u201d, Computers & Security, Vol. 20 No. 6, pp. 501\u20108.","DOI":"10.1016\/S0167-4048(01)00608-3"},{"key":"key2022021420150136000_b46","doi-asserted-by":"crossref","unstructured":"Von Solms, B. (2006), \u201cInformation security \u2013 the fourth wave\u201d, Computers & Security, Vol. 25 No. 3, pp. 165\u20108.","DOI":"10.1016\/j.cose.2006.03.004"},{"key":"key2022021420150136000_b47","unstructured":"Voss, B.D. (2001), The Ultimate Defense of Depth: Security Awareness in Your Company, SANS Institute, white paper."},{"key":"key2022021420150136000_b48","doi-asserted-by":"crossref","unstructured":"Ward, P. and Smith, C.L. (2002), \u201cThe development of access control policies for information technology systems\u201d, Computer & Security, Vol. 21 No. 4, pp. 365\u201071.","DOI":"10.1016\/S0167-4048(02)00414-5"},{"key":"key2022021420150136000_b49","doi-asserted-by":"crossref","unstructured":"Wiant, T.L. (2005), \u201cInformation security policy's impact on reporting security incidents\u201d, Computers & Security, Vol. 24 No. 6, pp. 448\u201059.","DOI":"10.1016\/j.cose.2005.03.008"},{"key":"key2022021420150136000_b50","unstructured":"Wiencke, H.S., Aven, T. and Hagen, J. (2006), \u201cA framework for selection of methodology for risk and vulnerability assessments of infrastructures depending on ICT\u201d, The Proceedings of ESREL2006."}],"container-title":["Information Management &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685220810908796","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220810908796\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220810908796\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:07Z","timestamp":1753402147000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/16\/4\/377-397\/181867"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2008,10,10]]},"references-count":50,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2008,10,10]]}},"alternative-id":["10.1108\/09685220810908796"],"URL":"https:\/\/doi.org\/10.1108\/09685220810908796","relation":{},"ISSN":["0968-5227"],"issn-type":[{"value":"0968-5227","type":"print"}],"subject":[],"published":{"date-parts":[[2008,10,10]]}}}