{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,3]],"date-time":"2026-06-03T22:50:53Z","timestamp":1780527053214,"version":"3.54.1"},"reference-count":55,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2019,7,8]],"date-time":"2019-07-08T00:00:00Z","timestamp":1562544000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2019,7,8]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This study aims to identify the implications of security behaviour determinants for security management to propose respective guidelines which can be integrated with current security management practices, including those following the widely adopted information security standards ISO 27001, 27002, 27003 and 27005.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>Based on an exhaustive analysis of related literature, the authors identify critical factors influencing employee security behaviour and ISP compliance. The authors use these factors to perform a gap analysis of widely adopted information security standards ISO 27001, 27002, 27003 and 27005 and identify issues not covered or only partially addressed. Drawing on the implications of security behaviour determinants and the identified gaps, the authors provide guidelines which can enhance security management practices.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The authors uncover the factors shaping security behaviour barely or partly considered in the ISO information security standards ISO 27001, 27002, 27003 and 27005, including top management participation, accommodating individual characteristics, embracing the cultural context, encouraging employees to comply out of habit and considering the cost of compliance. Furthermore, the authors provide guidelines to security managers on enhancing their security management practices when implementing the above ISO Standards.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>This study offers guidelines on how to create and design security management practices whilst implementing ISO standards (ISO 27001, ISO 27002, ISO 27003, ISO 27005) so as to enhance ISP compliance.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This study analyses the role and implications of security behaviour determinants, discusses discrepancies and conflicting findings in related literature, provides a gap analysis of commonly used information security standards (ISO 27001, 27002, 27003 and 27005) and proposes guidelines on enhancing security management practices towards improving ISP compliance.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-09-2018-0108","type":"journal-article","created":{"date-parts":[[2019,6,3]],"date-time":"2019-06-03T06:17:38Z","timestamp":1559542658000},"page":"326-342","source":"Crossref","is-referenced-by-count":29,"title":["From theory to practice: guidelines for enhancing information security management"],"prefix":"10.1108","volume":"27","author":[{"given":"Ioanna","family":"Topa","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Maria","family":"Karyda","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"140","reference":[{"issue":"3","key":"key2020052710223789900_ref001","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"key":"key2020052710223789900_ref002","volume-title":"Cobit 4.1","author":"COBIT","year":"2007"},{"key":"key2020052710223789900_ref003","unstructured":"Collett, S. (2015), \u201cCSOonline\u201d, available at: www.csoonline.com\/article\/2881940\/security-awareness\/five-sneaky-ways-companies-are-changing-employees-security-behavior.html (accessed 10 January 2018)"},{"key":"key2020052710223789900_ref004","first-page":"283","article-title":"Investigation of employee security behaviour: a grounded theory approach","volume-title":"ICT Systems Security and Privacy Protection","year":"2015"},{"issue":"C","key":"key2020052710223789900_ref005","first-page":"90","article-title":"Future directions for behavioral information security research","volume":"32","year":"2013","journal-title":"Computers and Security"},{"issue":"5","key":"key2020052710223789900_ref006","doi-asserted-by":"crossref","first-page":"474","DOI":"10.1108\/IMCS-08-2013-0057","article-title":"Security culture and the employment relationship as drivers of employees\u2019 security compliance","volume":"22","year":"2014","journal-title":"Information Management and Computer Security"},{"issue":"1","key":"key2020052710223789900_ref007","doi-asserted-by":"crossref","first-page":"79","DOI":"10.1287\/isre.1070.0160","article-title":"User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach","volume":"20","year":"2009","journal-title":"Information Systems Research"},{"issue":"3","key":"key2020052710223789900_ref008","doi-asserted-by":"crossref","first-page":"293","DOI":"10.1111\/j.1365-2575.2006.00219.x","article-title":"Value\u2010focused assessment of information system security in organisations","volume":"16","year":"2006","journal-title":"Information Systems Journal"},{"issue":"4","key":"key2020052710223789900_ref009","doi-asserted-by":"crossref","first-page":"391","DOI":"10.1111\/j.1365-2575.2007.00289.x","article-title":"User behaviour towards protective information technologies: the role of national cultural differences","volume":"19","year":"2009","journal-title":"Information Systems Journal"},{"issue":"7","key":"key2020052710223789900_ref010","doi-asserted-by":"crossref","first-page":"386","DOI":"10.17705\/1jais.00133","article-title":"The centrality of awareness in the formation of user behavioral intention toward protective information technologies","volume":"8","year":"2007","journal-title":"Journal of the Association for Information Systems"},{"key":"key2020052710223789900_ref011","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1016\/j.cose.2014.03.004","article-title":"Information security knowledge sharing in organisations: investigating the effect of behavioral information security governance and national culture","volume":"43","year":"2014","journal-title":"Computers and Security"},{"issue":"1","key":"key2020052710223789900_ref012","doi-asserted-by":"crossref","first-page":"61","DOI":"10.1111\/j.1365-2575.2012.00420.x","article-title":"Security services as coping mechanisms: an investigation into user intention to adopt an email authentication service","volume":"24","year":"2014","journal-title":"Information Systems Journal"},{"issue":"2","key":"key2020052710223789900_ref013","doi-asserted-by":"crossref","first-page":"106","DOI":"10.1057\/ejis.2009.6","article-title":"Protection motivation and deterrence: a framework for security policy compliance in organisations","volume":"18","year":"2009","journal-title":"European Journal of Information Systems"},{"issue":"2","key":"key2020052710223789900_ref014","doi-asserted-by":"crossref","first-page":"154","DOI":"10.1016\/j.dss.2009.02.005","article-title":"Encouraging information security behaviors in organisations: role of penalties, pressures and perceived effectiveness","volume":"47","year":"2009","journal-title":"Decision Support Systems"},{"issue":"4","key":"key2020052710223789900_ref015","doi-asserted-by":"crossref","first-page":"615","DOI":"10.1111\/j.1540-5915.2012.00361.x","article-title":"Managing employee compliance with information security policies: the critical role of top management and organisational culture","volume":"43","year":"2012","journal-title":"Decision Sciences"},{"issue":"1","key":"key2020052710223789900_ref016","doi-asserted-by":"crossref","first-page":"83","DOI":"10.1016\/j.cose.2011.10.007","article-title":"Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory","volume":"31","year":"2012","journal-title":"Computers and Security"},{"issue":"1","key":"key2020052710223789900_ref017","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1016\/j.im.2013.10.001","article-title":"Information systems security policy compliance: an empirical study of the effects of socialisation, influence, and cognition","volume":"51","year":"2014","journal-title":"Information and Management"},{"key":"key2020052710223789900_ref018","author":"ISO 27001","year":"2013"},{"key":"key2020052710223789900_ref019","author":"ISO 27002","year":"2013"},{"key":"key2020052710223789900_ref020","author":"ISO 27003","year":"2010"},{"key":"key2020052710223789900_ref021","author":"ISO 27005","year":"2011"},{"key":"key2020052710223789900_ref022","unstructured":"ISO Survey (2017), \u201cISO survey 2017\u201d, available at: www.iso27001security.com\/html\/27001.html"},{"key":"key2020052710223789900_ref024","author":"IT Governance Institute","year":"2008"},{"key":"key2020052710223789900_ref025","article-title":"Fostering information security culture in organisations: a research agenda","volume-title":"MCIS 2017 Proceedings","year":"2017"},{"issue":"3","key":"key2020052710223789900_ref026","doi-asserted-by":"crossref","first-page":"246","DOI":"10.1016\/j.cose.2004.08.011","article-title":"Information systems security policies: a contextual perspective","volume":"24","year":"2005","journal-title":"Computers and Security"},{"issue":"1","key":"key2020052710223789900_ref027","doi-asserted-by":"crossref","first-page":"29","DOI":"10.1145\/2738210.2738216","article-title":"Shadow security as a tool for the learning organisation","volume":"45","year":"2015","journal-title":"ACM SIGCAS Computers and Society"},{"key":"key2020052710223789900_ref028","article-title":"Security subcultures in an organisation-exploring value conflicts","year":"2011"},{"issue":"3","key":"key2020052710223789900_ref029","doi-asserted-by":"crossref","first-page":"177","DOI":"10.1108\/IMCS-09-2012-0051","article-title":"Evaluating and enriching information and communication technologies compliance frameworks with regard to privacy","volume":"21","year":"2013","journal-title":"Information Management and Computer Security"},{"issue":"12","key":"key2020052710223789900_ref030","doi-asserted-by":"crossref","first-page":"1049","DOI":"10.1108\/MRR-04-2013-0085","article-title":"Information security awareness and behavior: a theory-based literature review","volume":"37","year":"2014","journal-title":"Management Research Review"},{"issue":"5","key":"key2020052710223789900_ref056","doi-asserted-by":"crossref","first-page":"433","DOI":"10.1111\/isj.12043","article-title":"Proposing the control-reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies","volume":"25","year":"2015","journal-title":"Information Systems Journal"},{"issue":"2","key":"key2020052710223789900_ref031","doi-asserted-by":"crossref","first-page":"126","DOI":"10.1057\/ejis.2009.10","article-title":"What levels of moral reasoning and values explain adherence to information security rules and quest; an empirical study","volume":"18","year":"2009","journal-title":"European Journal of Information Systems"},{"issue":"3","key":"key2020052710223789900_ref032","first-page":"5","article-title":"Challenges generated by the implementation of the IT standards CobiT 4.1, ITIL v3 and ISO\/IEC 27002 in enterprises","volume":"43","year":"2009","journal-title":"Economic Computation and Economic Cybernetics Studies and Research"},{"key":"key2020052710223789900_ref033","volume-title":"Usability Engineering","year":"1994"},{"key":"key2020052710223789900_ref034","first-page":"102","article-title":"Information security behavior: towards multi-stage models","volume-title":"Pacis","year":"2013"},{"key":"key2020052710223789900_ref035","first-page":"156b","article-title":"Employees\u2019 behavior towards IS security policy compliance","volume-title":"40th HI International Conference on System Sciences HICSS 2007","year":"2007"},{"issue":"3","key":"key2020052710223789900_ref036","doi-asserted-by":"crossref","first-page":"13","DOI":"10.1109\/MIC.2008.50","article-title":"A brief introduction to usable security","volume":"12","year":"2008","journal-title":"IEEE Internet Computing"},{"key":"key2020052710223789900_ref037","doi-asserted-by":"crossref","first-page":"70","DOI":"10.1016\/j.cose.2015.10.006","article-title":"Information security policy compliance model in organisations","volume":"56","year":"2016","journal-title":"Computers and Security"},{"key":"key2020052710223789900_ref038","doi-asserted-by":"crossref","first-page":"177","DOI":"10.1016\/j.cose.2015.01.002","article-title":"Personality, attitudes, and intentions: predicting initial adoption of information security behavior","volume":"49","year":"2015","journal-title":"Computers and Security"},{"issue":"2","key":"key2020052710223789900_ref039","doi-asserted-by":"crossref","first-page":"217","DOI":"10.1016\/j.im.2013.08.006","article-title":"Employees\u2019 adherence to information security policies: an exploratory field study","volume":"51","year":"2014","journal-title":"Information and Management"},{"key":"key2020052710223789900_ref040","first-page":"1","article-title":"Factors influencing protection motivation and IS security policy compliance","volume-title":"Innovations in Information Technology","year":"2006"},{"issue":"5","key":"key2020052710223789900_ref041","doi-asserted-by":"crossref","first-page":"267","DOI":"10.1016\/j.im.2008.12.007","article-title":"Information security management standards: problems and solutions","volume":"46","year":"2009","journal-title":"Information and Management"},{"issue":"1","key":"key2020052710223789900_ref042","doi-asserted-by":"crossref","first-page":"42","DOI":"10.1108\/IMCS-08-2012-0045","article-title":"Variables influencing information security policy compliance: a systematic review of quantitative studies","volume":"22","year":"2014","journal-title":"Information Management and Computer Security"},{"issue":"7","key":"key2020052710223789900_ref043","doi-asserted-by":"crossref","first-page":"296","DOI":"10.1016\/j.im.2011.07.002","article-title":"Out of fear or desire? Toward a better understanding of employees\u2019 motivation to follow IS security policies","volume":"48","year":"2011","journal-title":"Information and Management"},{"key":"key2020052710223789900_ref044","first-page":"Sp 800-3","volume-title":"Risk Management Guide for Information Technology Systems","year":"2002"},{"issue":"5","key":"key2020052710223789900_ref045","first-page":"23","article-title":"Information security management system standards: a comparative study of the big five","volume":"11","year":"2011","journal-title":"International Journal of Electrical Computer Sciences (IJECSIJENS"},{"issue":"6","key":"key2020052710223789900_ref046","doi-asserted-by":"crossref","first-page":"472","DOI":"10.1016\/j.cose.2005.05.002","article-title":"The insider threat to information systems and the effectiveness of ISO17799","volume":"24","year":"2005","journal-title":"Computers and Security"},{"key":"key2020052710223789900_ref047","first-page":"169","article-title":"Identifying factors that influence employees\u2019 security behavior for enhancing ISP compliance","volume-title":"Trust, Privacy and Security in Digital Business","year":"2015"},{"key":"key2020052710223789900_ref048","article-title":"Analyzing security behaviour determinants for enhancing ISP compliance and security management","volume-title":"European, Mediterranean and Middle Eastern Conference on Information Systems (EMCIS)","year":"2016"},{"key":"key2020052710223789900_ref049","article-title":"Usability of security and privacy tools: the users\u2019 perspective","volume-title":"IFIP SEC 2018","year":"2018"},{"issue":"3","key":"key2020052710223789900_ref050","first-page":"190","article-title":"Motivating IS security compliance: insights from habit and protection motivation theory","volume":"49","year":"2012","journal-title":"Information and Management"},{"key":"key2020052710223789900_ref051","article-title":"On the low diffusion of privacy enhancing technologies in social networking: results of an empirical investigation","year":"2015"},{"key":"key2020052710223789900_ref052","first-page":"25","article-title":"Continuance of protective security behavior: a longitudinal study","volume-title":"Decision Support Systems","year":"2016"},{"key":"key2020052710223789900_ref053","article-title":"Why johnny can\u2019t encrypt: a usability evaluation of PGP 5.0","volume-title":"USENIX Security Symposium","year":"1999"},{"issue":"1","key":"key2020052710223789900_ref054","doi-asserted-by":"crossref","first-page":"1","DOI":"10.25300\/MISQ\/2013\/37.1.01","article-title":"Beyond deterrence: an expanded view of employee computer abuse","volume":"37","year":"2013","journal-title":"MIS Quarterly"},{"issue":"4","key":"key2020052710223789900_ref055","doi-asserted-by":"crossref","first-page":"330","DOI":"10.1108\/09685220910993980","article-title":"Impact of perceived technical protection on security behaviors","volume":"17","year":"2009","journal-title":"Information Management and Computer Security"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-09-2018-0108\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-09-2018-0108\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:11Z","timestamp":1753406591000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/27\/3\/326-342\/105963"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,7,8]]},"references-count":55,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2019,7,8]]}},"alternative-id":["10.1108\/ICS-09-2018-0108"],"URL":"https:\/\/doi.org\/10.1108\/ics-09-2018-0108","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2019,7,8]]}}}