{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,18]],"date-time":"2026-01-18T12:50:57Z","timestamp":1768740657528,"version":"3.49.0"},"reference-count":50,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2016,7,22]],"date-time":"2016-07-22T00:00:00Z","timestamp":1469145600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>Society is increasingly dependent on Information Security Management Systems (ISMS), and having these kind of systems has become vital for the development of Small and Medium-Sized Enterprises (SMEs). However, these companies require ISMS that have been adapted to their special features and have been optimized as regards the resources needed to deploy and maintain them, with very low costs and short implementation periods. This paper discusses the different cycles carried out using the \u2018Action Research (AR)\u2019 method, which have allowed the development of a security management methodology for SMEs that is able to automate processes and reduce the implementation time of the ISMS.<\/jats:p>","DOI":"10.3390\/fi8030036","type":"journal-article","created":{"date-parts":[[2016,7,22]],"date-time":"2016-07-22T09:54:45Z","timestamp":1469181285000},"page":"36","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["Applying the Action-Research Method to Develop a Methodology to Reduce the Installation and Maintenance Times of Information Security Management Systems"],"prefix":"10.3390","volume":"8","author":[{"given":"Antonio","family":"Santos-Olmo","sequence":"first","affiliation":[{"name":"Research and Development Department, Sicaman Nuevas Tecnolog\u00edas, Tomelloso 13700, Spain"},{"name":"Research Group GSyA, University of Castilla-la Mancha, Ciudad Real 13700, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0086-1065","authenticated-orcid":false,"given":"Luis","family":"S\u00e1nchez","sequence":"additional","affiliation":[{"name":"Research Group GSyA, University of Castilla-la Mancha, Ciudad Real 13700, Spain"},{"name":"Project Prometeo of Senescyt, University of the Armed Forces (ESPE), SanGolqui 170501, Ecuador"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"David","family":"Rosado","sequence":"additional","affiliation":[{"name":"Research Group GSyA, University of Castilla-la Mancha, Ciudad Real 13700, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Eduardo","family":"Fern\u00e1ndez-Medina","sequence":"additional","affiliation":[{"name":"Research Group GSyA, University of Castilla-la Mancha, Ciudad Real 13700, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mario","family":"Piattini","sequence":"additional","affiliation":[{"name":"Research Group Alarcos, University of Castilla-la Mancha (UCLM), Ciudad Real 13700, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2016,7,22]]},"reference":[{"key":"ref_1","unstructured":"Von Solms, R. (2014). Information Security Management: Processes and Metrics. [Ph.D. Thesis, Degree-Granting University]."},{"key":"ref_2","unstructured":"Santos-Olmo, A., S\u00e1nchez, L.E., Rosado, D.G., Fern\u00e1ndez-Medina, E., and Piattini, M. (2015, January 10\u201312). Aplicaci\u00f3n del m\u00e9todo de Investigaci\u00f3n-Acci\u00f3n para desarrollar una Metodolog\u00eda \u00c1gil de Gesti\u00f3n de Seguridad de la Informaci\u00f3n. Proceedings of the VIII Congreso Iberoamericano de Seguridad Inform\u00e1tica (CIBSI15), Quito, Ecuador. (In Spanish)."},{"key":"ref_3","unstructured":"Candiwan, C. (2014, January 17\u201319). Analysis of ISO27001 Implementation for Enterprises and SMEs in Indonesia. Proceedings of the International Conference on Cyber-Crime Investigation and Cyber Security (ICCICS2014), Kuala Lumpur, Malaysia."},{"key":"ref_4","unstructured":"Whitman, M., and Mattord, H. (2012). Principles of Information Security, Cengage Learning."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"37","DOI":"10.1109\/MC.2004.17","article-title":"Computer Security in the Real World","volume":"37","author":"Lampson","year":"2004","journal-title":"IEEE Comput. Soc."},{"key":"ref_6","unstructured":"Whitman, M., and Mattord, H. (2013). Management of Information Security, Cengage Learning."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1145\/775265.775268","article-title":"Protection","volume":"8","author":"Lampson","year":"1974","journal-title":"ACM Oper. Syst. Rev."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"388","DOI":"10.1145\/361011.361067","article-title":"Protection and the Control of Information Sharing in Multics","volume":"17","author":"Saltzer","year":"1974","journal-title":"Commun. ACM"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"236","DOI":"10.1145\/360051.360056","article-title":"A lattice model of secure information flow","volume":"19","author":"Denning","year":"1976","journal-title":"Commun. ACM"},{"key":"ref_10","unstructured":"Ellison, C. SPKI Certificate Theory. Available online: http:\/\/www.ietf.org\/rfc\/rfc2692.txt."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Vivas, T., Zambrano, A., and Huerta, M. (2008, January 20\u201324). Mechanisms of security based on digital certificates applied in a telemedicine network. Engineering in Medicine and Biology Society, 2008. EMBS 2008, Proceedings of the 30th Annual International Conference of the IEEE, Vancouver, BC, Canada.","DOI":"10.1109\/IEMBS.2008.4649532"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"38","DOI":"10.1109\/2.485845","article-title":"Role-Based Access Control Models","volume":"29","author":"Sandhu","year":"1996","journal-title":"IEEE Comput."},{"key":"ref_13","unstructured":"Eloff, J., and Eloff, M. (2003, January 17\u201319). Information Security Management\u2014A New Paradigm. Proceedings of the 2003 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on Enablement through Technology (SAICSIT '03), Fourways, South Africa."},{"key":"ref_14","first-page":"92","article-title":"Iso\/iec 27000, 27001 and 27002 for information security management","volume":"4","author":"Disterer","year":"2013","journal-title":"J. Inf. Secur."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Barthe, G., Livshits, B., and Scandariato, R. (2012). Engineering Secure Software and Systems, Springer.","DOI":"10.1007\/978-3-642-28166-2"},{"key":"ref_16","unstructured":"M.P. Ltd. (1997). Managing Information System Security, Palgrave Macmillan."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Kemmerer, R.A. (2003, January 10). Cybersecurity. Proceedings of the 25th International Conference on Software Engineering, Portland, OR, USA.","DOI":"10.1109\/ICSE.2003.1201257"},{"key":"ref_18","first-page":"1","article-title":"The development duality of information systems security","volume":"4","author":"Baskerville","year":"1992","journal-title":"J. Manage. Syst."},{"key":"ref_19","unstructured":"McDermott, J., and Fox, C. (1999, January 6\u201310). Using Abuse Case Models for Security Requirements Analysis. Proceedings of the 15th Annual Computer Security Applications Conference, Phoenix, AZ, USA."},{"key":"ref_20","unstructured":"Anderson, C. (2006). The Long Tail: How Endless Choice Is Creating Unlimited Demand, Random House Business Books."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1109\/MC.2002.1012422","article-title":"Computer attack trends challenge Internet security","volume":"35","author":"Householder","year":"2002","journal-title":"IEEE Comput."},{"key":"ref_22","unstructured":"James, H.L. (1996, January 30\u201331). Managing information systems security: A soft approach. Proceedings of the Information Systems Conference of New Zealand, Palmerston North, New Zealand."},{"key":"ref_23","unstructured":"Papazafeiropoulou, A., and Pouloudi, A. (2000, January 3\u20135). The Government\u2019s Role in Improving Electronic Commerce Adoption. Proceedings of the European Conference on Information Systems 2000 Conference, Wienna, Austria."},{"key":"ref_24","unstructured":"Dimopoulos, V., Furnell, S., Jennex, M., and Kritharas, I. (2004, January 26). Approaches to IT Security in Small and Medium Enterprises. Proceedings of the 2nd Australian Information Security Management Conference, Securing the Future, Perth, Australia."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"297","DOI":"10.1108\/09685220510614425","article-title":"Information systems security issues and decisions for small businesses","volume":"13","author":"Gupta","year":"2005","journal-title":"Inf. Manage. Comput. Secur."},{"key":"ref_26","unstructured":"Helokunnas, T., and Iivonen, L. (2003). e-Business Research Forum\u2014eBRF 2003, Tampere University of Technology."},{"key":"ref_27","unstructured":"ISBS (2006). Information Security Breaches Survey 2006, Department of Trade and Industry."},{"key":"ref_28","unstructured":"Furnell, S.M., Gennatou, M., and Dowland, P.S. (2000, January 7). Promoting Security Awareness and Training within Small Organisations. Proceedings of the 1st Australian Information Security Management Workshop, Deakin University, Geelong, Australia."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Johnson, D.W., and Koch, H. (2006, January 4\u20137). Computer Security Risks in the Internet Era: Are Small Business Owners Aware and Proactive?. Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS'06), Maui, HI, USA.","DOI":"10.1109\/HICSS.2006.91"},{"key":"ref_30","unstructured":"O\u2019Halloran, J. ICT business management for SMEs. Available online: http:\/\/www.computerweekly.com\/feature\/ICT-business-management-for-SMEs."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"55","DOI":"10.1016\/j.cose.2005.09.009","article-title":"Aligning the Information Security Policy with the Strategic Information Systems Plan","volume":"25","author":"Doherty","year":"2006","journal-title":"Comput. Secur."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"557","DOI":"10.1109\/32.799955","article-title":"Qualitative Methods in Empirical Studies of Software Engineering","volume":"25","author":"Seaman","year":"1999","journal-title":"IEEE Trans. Softw. Eng."},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"94","DOI":"10.1145\/291469.291479","article-title":"Action research","volume":"42","author":"Avison","year":"1999","journal-title":"Commun. ACM"},{"key":"ref_34","unstructured":"Genero, M., Cruz-Lemus, J.A., and Piattini, M. (2014). M\u00e9todos de Investigaci\u00f3n en Ingenier\u00eda del Software, Editorial RA-MA."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Bugdol, M., and Jedynak, P. (2015). Integration of Standardized Management Systems, In Integrated Management Systems, Springer.","DOI":"10.1007\/978-3-319-10028-9"},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Bugdol, M., and Jedynak, P. (2015). Integrated Management Systems, Springer.","DOI":"10.1007\/978-3-319-10028-9"},{"key":"ref_37","unstructured":"International Organization for Standardization (2013). ISO\/IEC 27001:2013, Information Technology\u2014Security Techniques Information Security Management Systemys\u2014Requirements, International Organization for Standardization."},{"key":"ref_38","unstructured":"International Organization for Standardization (2013). ISO\/IEC 27002:2013, the International Standard Code of Practice for Information Security Management (en desarrollo), International Organization for Standardization."},{"key":"ref_39","unstructured":"COBIT 5 (2012). Cobit Guidelines, Information Security Audit and Control Association, ISACA."},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"243","DOI":"10.1002\/1099-1670(200012)5:4<243::AID-SPIP126>3.0.CO;2-0","article-title":"SPI in very small team: A case with CMM","volume":"5","author":"Batista","year":"2000","journal-title":"Softw. Process Improv. Pract."},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"67","DOI":"10.1002\/spip.137","article-title":"A Process Framework for Small Projects","volume":"6","author":"Hareton","year":"2001","journal-title":"Softw. Process Improv. Pract."},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"23","DOI":"10.1002\/spip.191","article-title":"SPICE for Small Organisations","volume":"9","author":"Tuffley","year":"2004","journal-title":"Softw. Process Improv. Pract."},{"key":"ref_43","doi-asserted-by":"crossref","first-page":"261","DOI":"10.1023\/A:1021638523413","article-title":"Experiences in the Application of Software Process Improvement in SMES","volume":"10","author":"Villalon","year":"2004","journal-title":"Softw. Qual. J."},{"key":"ref_44","first-page":"4","article-title":"Sustaining Best Practices: How Real-World Software Organizations Improve Quality Processes","volume":"7","author":"Mekelburg","year":"2005","journal-title":"Softw. Qual. Prof."},{"key":"ref_45","unstructured":"S\u00e1nchez, L.E., Santos-Olmo, A., Fern\u00e1ndez-Medina, E., and Piattini, M. (2013). Small Medium Enterprises: Concepts, Methodologies, Tools, Applications, IGI Global."},{"key":"ref_46","first-page":"3038","article-title":"Managing Security and its Maturity in Small and Medium-sized Enterprises","volume":"15","author":"Parra","year":"2009","journal-title":"J. Univers. Comput. Sci."},{"key":"ref_47","unstructured":"Santos-Olmo, A., S\u00e1nchez, L.E., Fern\u00e1ndez-Medina, E., and Piattini, M. (2011, January 8\u201311). Desirable Characteristics for an ISMS Oriented to SMEs. Proceedings of 8th International Workshop on Security in Information Systems (ICEIS 2011), Beijing, China."},{"key":"ref_48","unstructured":"Santos-Olmo, A., S\u00e1nchez, L.E., Fern\u00e1ndez-Medina, E., and Piattini, M. (2012, January 28). A Systematic Review of Methodologies and Models for the Analysis and Management of Associative and Hierarchical Risk in SMEs. Proceedings of the 9th International Workshop on Security in Information Systems (WOSIS12), Wroclaw, Poland."},{"key":"ref_49","doi-asserted-by":"crossref","unstructured":"S\u00e1nchez, L.E., Santos-Olmo, A., Fern\u00e1ndez-Medina, E., and Piattini, M. (2010, January 30\u201331). Building ISMS Through Knowledge Reuse. Proceedings of the 7th International Conference on Trust, Privacy & Security in Digital Business (TRUSTBUS'10), Bilbao, Spain.","DOI":"10.1007\/978-3-642-15152-1_17"},{"key":"ref_50","doi-asserted-by":"crossref","unstructured":"S\u00e1nchez, L.E., Santos-Olmo, A., Fern\u00e1ndez-Medina, E., and Piattini, M. (2010). Security Culture in Small and Medium-Size Enterprise, In ENTERprise Information Systems, Springer.","DOI":"10.1007\/978-3-642-16419-4_32"}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/8\/3\/36\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T19:26:50Z","timestamp":1760210810000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/8\/3\/36"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,7,22]]},"references-count":50,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2016,9]]}},"alternative-id":["fi8030036"],"URL":"https:\/\/doi.org\/10.3390\/fi8030036","relation":{},"ISSN":["1999-5903"],"issn-type":[{"value":"1999-5903","type":"electronic"}],"subject":[],"published":{"date-parts":[[2016,7,22]]}}}