Chapter 6 Conclusion
6.3 Concluding Comments
Because of the importance of information security and its severe impact on organizations, improving information security controls and management is crucial for all organizations. In information security management, ISO 27001 is the most important standard, and it plays an important role when organizations consider strengthening their security management. However, although many publications discuss ISO 27001, little academic research focuses on ISO 27001 issues, and almost none has studied the intention to adopt ISO 27001.
ISO 27001 is a prominent standard for information security management, yet it has received little academic attention. This gap in the literature should be addressed; hence our research focused on the adoption intention of ISO 27001 in Taiwan, which ranks 4th in the world by number of adopting organizations.¹¹ A small country with a high ISO 27001 adoption rate is an appropriate setting for studying what drives organizations to adopt ISO 27001.
Before examining adoption intentions, we need to know what ISO 27001 contains and what its characteristics are; understanding its nature is necessary for studying it. We therefore regard ISO 27001 (or ISMS) as an administrative innovation, since its nature conforms to the traits of administrative innovations (Hsu, et al., 2010). From the innovation literature, we introduced two important theories, innovation diffusion theory (Rogers, 2003) and institutional theory (DiMaggio & Powell, 1983), both widely used in studying adoption intentions, to the study of ISO 27001. Combining the merits of the two theories, we identified nine factors that might influence the intention to adopt and tested those factors. From innovation diffusion theory, we found that complexity has a significant influence on intentions. From the perspective of institutional theory, institutional environments are important influencing factors for organizations. This is especially true of coercive pressures: organizations have no choice but to comply with laws, regulations, and their essential customers' requirements.
11 See http://www.iso27001certificates.com/ for detailed numbers; we accessed the ranking on June 18, 2010.
The adoption intentions can be explained through the lens of the integrated model, and the findings fill the gap in studies on ISO 27001 adoption. This study provides several academic and practical implications. It also extends the empirical literature of institutional and innovation diffusion studies to the area of information security. Like any social science research, this study has several limitations; notwithstanding these defects and limitations, it is one of the few that examines the importance of innovation characteristics and institutional environments simultaneously in the diffusion of innovation.
We hope the defects and limitations of our study can be overcome in future research, leading to a better understanding of adoption intentions and behaviors. We believe that a deeper understanding of intentions will lead to a better understanding of organizational behavior.
References
Adams, D., Nelson, R., & Todd, P. (1992). Perceived usefulness, ease of use, and usage of information technology: a replication. MIS Quarterly, 16(2), 227-247.
Anderson, J., & Gerbing, D. (1988). Structural equation modeling in practice: A review and recommended two-step approach. Psychological bulletin, 103(3), 411-423.
Attewell, P. (1992). Technology diffusion and organizational learning: The case of business computing. Organization science, 3(1), 1-19.
Basel, II. (2004). Basel II: International Convergence of Capital Measurement and Capital Standards: A Revised Framework: Basel Committee Publications.
Bentler, P. (2006). EQS 6 structural equations modeling program manual. California: Multivariate Software.
Bentler, P., & Bonett, D. (1980). Significance tests and goodness of fit in the analysis of covariance structures. Psychological bulletin, 88(3), 588-606.
Bidgoli, H. (2006). Handbook of Information Security Volume 1-3. New Jersey: John Wiley & Sons.
Bjorck, F. (2004). Institutional theory: a new perspective for research into IS/IT security in organisations. Paper presented at the 37th Annual Hawaii International Conference on Information Systems 2004 (HICSS'04).
Blakley, B., McDermott, E., & Geer, D. (2001). Information security is information risk management. Paper presented at the workshop on New security paradigms.
Blunch, N. (2008). Introduction to structural equation modelling using SPSS and AMOS. California: Sage.
Bodin, L., Gordon, L., & Loeb, M. (2008). Information security and risk management. Communications of the ACM, 51(4), 64-68.
Bollen, K. (1989). Structural equations with latent variables. New Jersey: John Wiley & Sons.
Brenner, J. (2007). ISO 27001: Risk management and compliance. Risk Management Magazine, 54, 24-29.
Byrne, B. (2006). Structural equation modeling with EQS: Basic concepts, applications, and programming. New Jersey: Lawrence Erlbaum Associates.
Cavusoglu, H., Mishra, B., & Raghunathan, S. (2005). The value of intrusion detection systems in information technology security architecture. Information Systems Research, 16(1), 28-46.
Cerullo, V., & Cerullo, M. (2004). Business continuity planning: A comprehensive approach. Information Systems Management, 21(3), 70-78.
Chatterjee, D., Grewal, R., & Sambamurthy, V. (2002). Shaping Up For E-Commerce: Institutional Enables of The Organisational Assimilation Web Technologies. MIS Quarterly, 26(2), 65-89.
Chen, A., Watson, R., Boudreau, M., & Karahanna, E. (2009). Organizational Adoption of Green IS & IT: An Institutional Perspective. Paper presented at the 30th International Conference on Information Systems (ICIS 2009), Phoenix.
Chen, T., Chung, Y., & Huang, G. (2003). Efficient proxy multisignature schemes based on the elliptic curve cryptosystem. Computers & Security, 22(6), 527-534.
Chin, W., & Gopal, A. (1995). Adoption intention in GSS: relative importance of beliefs. ACM SIGMIS Database, 26(2&3), 42-64.
Churchill, G. A. (1979). A paradigm for developing better measures of marketing constructs. Journal of Marketing Research, 16(1), 64-73.
Cooper, R., & Zmud, R. (1990). Information technology implementation research: a technological diffusion approach. Management Science, 36(2), 123-139.
Cronbach, L. (1951). Coefficient alpha and the internal structure of tests. Psychometrika, 16(3), 297-334.
Culnan, M. J., & Williams, C. C. (2009). How Ethics Can Enhance Organizational Privacy: Lessons from the ChoicePoint and TJX Data Breaches. MIS Quarterly, 33(4), 673-687.
D'Arcy, J., & Hovav, A. (2008). An Integrative Framework for the Study of Information Security Management Research. In J. N. D. Gupta & S. K. Sharma (Eds.), Handbook of Research on Information Security and Assurance (pp. 55-67). Pennsylvania: IGI Global.
D'Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Information Systems Research, 20(1), 79-98.
Damanpour, F. (1991). Organisational Innovation: A Meta-Analysis of Effects of Determinants and Moderators. Academy of Management Journal, 34(3), 555-590.
Damanpour, F. (1992). Organizational size and innovation. Organization studies, 13(3), 375.
Delmas, M. (2002). The diffusion of environmental management standards in Europe and in the United States: an institutional perspective. Policy Sciences, 35, 91-119.
Dhillon, G., & Backhouse, J. (2001). Current Directions in IS Security Research: Towards Socio-Organisational Perspectives. Information Systems Journal, 11(2), 127-153.
Dickerson, M., & Gentry, J. (1983). Characteristics of adopters and non-adopters of home computers. Journal of Consumer Research, 10(2), 225-235.
DiMaggio, P. J., & Powell, W. W. (1983). The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in Organisational Fields. American Sociological Review, 48(2), 147-160.
Dinev, T., Goo, J., Hu, Q., & Nam, K. (2008). User behaviour towards protective information technologies: the role of national cultural differences. Information Systems Journal, 19(4), 391-412.
Downs Jr, G., & Mohr, L. (1976). Conceptual issues in the study of innovation. Administrative Science Quarterly, 21(4), 700-714.
DTI/PWC. (2008). Safeguarding the new currency of business - Findings from the 2008 Global State of Information Security Study.
E&Y. (2008). Moving beyond compliance - Ernst & Young's 2008 Global Information Security Survey.
Eloff, J., & Eloff, M. (2003). Information security management: a new paradigm. Paper presented at the annual research conference of the South African institute of computer scientists and information technologists on Enablement through technology.
Ezingeard, J., & Birchall, D. (2005). Information security standards: Adoption drivers (invited paper). Paper presented at the Security management, integrity, and internal control in information systems.
Fenz, S., Goluch, G., Ekelhart, A., Riedl, B., & Weippl, E. (2007). Information Security Fortification by Ontological Mapping of the ISO/IEC 27001 Standard. Paper presented at the 13th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC'07), Victoria.
Fischer, P. (2007). Security Evaluation and Testing Past, Present and Future. In Sacher Paulus, Norbert Pohlmann & H. Reimer (Eds.), ISSE 2004 - Securing Electronic Business Processes: Highlights Of The Information Security Solutions Europe 2004 Conference (pp. 322-328): Vieweg.
Fombrun, C., & Shanley, M. (1990). What's in a name? Reputation building and corporate strategy. Academy of Management Journal, 33(2), 233-258.
Fornell, C., & Larcker, D. (1981). Evaluating structural equation models with unobservable variables and measurement error. Journal of Marketing Research, 18(1), 39-50.
Frost, P., & Egri, C. (1991). The political process of innovation. Research in organizational behavior, 13, 229-245.
Gibb, F., & Buchanan, S. (2006). A framework for business continuity management. International Journal of Information Management, 26(2), 128-141.
Gopal, R., & Sanders, G. (1997). Preventive and deterrent controls for software piracy. Journal of Management Information Systems, 13(4), 29-47.
Gordon, L., & Loeb, M. (2002). The economics of information security investment. ACM Transactions on Information and System Security (TISSEC), 5(4), 438-457.
Guler, I., Guillen, M., & Macpherson, J. (2002). Global Competition Institutions, and the Diffusion of Organisational Practices: The International Spread of ISO 9000 Quality Certificates. Administrative Science Quarterly, 47(2), 207-223.
Gupta, B. B., Joshi, R. C., & Misra, M. (2009). An efficient analytical solution to thwart DDoS attacks in public domain. Paper presented at the International Conference on Advances in Computing, Communication and Control.
Gupta, J., & Sharma, S. (2008). Handbook of Research on Information Security and Assurance. Pennsylvania: Information Science Reference.
Gupta, M., & Sharman, R. (2009). Social and Human Elements of Information Security: Emerging Trends and Countermeasures. Pennsylvania: Information Science Reference.
Hair, J., Anderson, R., Tatham, R., & Black, W. (1995). Multivariate data analysis: with readings. New Jersey: Prentice-Hall.
Hair, J., Black, W., Babin, B., Anderson, R., & Tatham, R. (2006). Multivariate Data Analysis. New Jersey: Prentice Hall.
Harn, L., & Ren, J. (2006). Efficient identity-based RSA multisignatures. Computers & Security, 27(1-2), 12-15.
Haunschild, P., & Miner, A. (1997). Modes of Interorganizational Imitation: The Effects of Outcome Salience and Uncertainty. Administrative Science Quarterly, 42(3), 472-500.
Hawley, A. H. (1986). Human ecology: A theoretical essay. Chicago: University of Chicago Press.
Hoyle, R., & Panter, A. (1995). Writing about structural equation models. In R. H. Hoyle (Ed.), Structural equation modeling: Concepts, issues, and applications (pp. 158-176). California: Sage.
Hsu, C., Lee, J.-N., & Straub, D. W. (2010). Institutional Influences on Information Security Innovations. Working paper.
Hsu, C., Lu, H., & Hsu, H. (2007). Adoption of the mobile Internet: An empirical study of multimedia message service (MMS). Omega, 35(6), 715-726.
Hu, L., & Bentler, P. (1999). Cutoff criteria for fit indexes in covariance structure analysis: Conventional criteria versus new alternatives. Structural Equation Modeling: A Multidisciplinary Journal, 6(1), 1-55.
Iacovou, C. L., Benbasat, I., & Dexter, A. S. (1995). Electronic data interchange and small organizations: adoption and impact of technology. MIS Quarterly, 19(4), 465-485.
ISO, B. S. (2005a). ISO/IEC 27001: 2005, Information Technology - Security Techniques - Information Security Management Systems - Requirements.
ISO, B. S. (2005b). ISO/IEC 27002: 2005, Information Technology. Security Techniques. Code of Practice for Information Security Management.
ISO, B. S. (2008). ISO/IEC 27005: 2008, Information Technology - Security Techniques - Information Security Risk Management.
Jöreskog, K., & Sörbom, D. (1993). LISREL 8: Structural equation modeling with the SIMPLIS command language. Illinois: Scientific Software.
Jain, A. K., Ross, A., & Pankanti, S. (2006). Biometrics: a tool for information security. IEEE transactions on information forensics and security, 1(2), 125-143.
James, L., Mulaik, S., & Brett, J. (1982). Causal analysis: Assumptions, models, and data. New Jersey: Sage.
Jeyaraj, A., Balser, D., Chowa, C., & Griggs, G. (2009). Organizational and institutional determinants of B2C adoption under shifting environments. Journal of Information Technology, 24(3), 219-230.
Khalifa, M., & Davison, M. (2006). SME adoption of IT: the case of electronic trading systems. IEEE Transactions on Engineering Management, 53(2), 275-284.
Kimberly, J., & Evanisko, M. (1981). Organisational Innovation: The Influence of Individual, Organisational, and Contextual Factors on Hospital Adoption of Technological and Administrative Innovations. Academy of Management Journal, 24(4), 689-713.
Kline, R. (2005). Principles and practice of structural equation modeling. New York: The Guilford Press.
Knapp, K. (2009). Cyber-Security and Global Information Assurance: Threat Analysis and Response Solutions. Pennsylvania: Information Science Reference.
Knight, K. E. (1967). A descriptive model of the intra-firm innovation process. Journal of Business, 40, 478-496.
Kotulic, A., & Clark, J. (2004). Why there aren't more information security research studies. Information & Management, 41(5), 597-607.
Lai, V., Liu, C., Lai, F., & Wang, J. (2008). Examining ERP Committee Beliefs: A Comparison of Alternative Models. Paper presented at the International Conference on Information Systems (ICIS) 2008.
Li, M. (2006). Change trend of averaged Hurst parameter of traffic under DDOS flood attacks. Computers & Security, 25(3), 213-220.
Liang, H., Saraf, N., Hu, Q., & Xue, Y. (2007). Assimilation of Enterprise Systems: The Effect of Institutional Pressures and the Mediating Role of Top Management. MIS Quarterly, 31(1), 59-87.
Lyytinen, K. (1991). Penetration of information technology in organizations: A comparative study using stage models and transaction costs. Scandinavian journal of information systems, 3(1), 87-109.
Mambo, M., Usuda, K., & Okamoto, E. (1996). Proxy signatures for delegating signing operation. Paper presented at the 3rd ACM conference on Computer and communications security, New Delhi.
March, J. (1981). Decisions in organizations and theories of choice. In A. H. Van de Ven & W. F. Joyce (Eds.), Perspectives on organization design and behavior (pp. 205-244). New York: John Wiley & Sons Inc.
Mardia, K. (1970). Measures of multivariate skewness and kurtosis with applications. Biometrika, 57(3), 519-530.
Mardia, K. (1974). Applications of some measures of multivariate skewness and kurtosis in testing normality and robustness studies. Sankhyā: The Indian Journal of Statistics, Series B, 36(2), 115-128.
Maruyama, G. (1997). Basics of structural equation modeling. New Jersey: Sage Publications.
McDonald, R., & Marsh, H. (1990). Choosing a multivariate model: Noncentrality and goodness of fit. Psychological bulletin, 107(2), 247-255.
Mellado, D., Fernández-Medina, E., & Piattini, M. (2007). A common criteria based security requirements engineering process for the development of secure information systems. Computer Standards & Interfaces, 29(2), 244-253.
Meyer, A., & Goes, J. (1988). Organizational assimilation of innovations: a multilevel contextual analysis. Academy of Management Journal, 31(4), 897-923.
Meyer, J. W., & Rowan, B. (1977). Institutionalized organizations: Formal structure as myth and ceremony. American journal of sociology, 83(2), 340-363.
Nunnally, J., & Bernstein, I. (1978). Psychometric theory. New York: McGraw-Hill.
Nunnally, J., Bernstein, I., & Berge, J. (1994). Psychometric theory. New York: McGraw-Hill.
O'Callaghan, R., Kaufmann, P., & Konsynski, B. (1992). Adoption correlates and share effects of electronic data interchange systems in marketing channels. Journal of Marketing, 56(2), 45-56.
Plouffe, C., Hulland, J., & Vandenbosch, M. (2001). Richness versus parsimony in modeling technology adoption decisions--understanding merchant adoption of a smart card-based payment system. Information Systems Research, 12(2), 208-222.
Prescott, M. B., & Conger, S. A. (1995). Information technology innovations: a classification by IT locus of impact and research approach. ACM SIGMIS Database, 26(2-3), 20-41.
Ramamurthy, K., Sen, A., & Sinha, A. (2008). An empirical investigation of the key determinants of data warehouse adoption. Decision Support Systems, 44(4), 817-841.
Richardson, R. (2008). CSI/FBI Computer Crime and Security Survey 2008.
Rogers, E. M. (1995). Diffusion of innovations. New York: Free Press.
Rogers, E. M. (2003). Diffusion of innovations. New York: Free Press.
Rowe, L. A., & Boise, W. B. (1974). Organizational innovation: Current research and evolving concepts. Public Administration Review, 34(3), 284-293.
Schultz, E. E. (2004). Sarbanes-Oxley - a huge boon to information security in the US. Computers & Security, 23(5), 353-354.
Schumacker, R., & Lomax, R. (2004). A beginner's guide to structural equation modeling. New Jersey: Lawrence Erlbaum Associates.
Scott, W. R. (2001). Institutions and organizations. California: Sage.
Siponen, M., & Willison, R. (2007). A critical assessment of IS security research between 1990-2004. Paper presented at the 15th European Conference on Information Systems, St. Gallen, Switzerland.
Siponen, M. T., & Oinas-Kukkonen, H. (2007). A review of information security issues and respective research contributions. ACM SIGMIS Database, 38(1), 60-80.
Smith, E., & Eloff, J. (2002). A Prototype for Assessing Information Technology Risks in Health Care. Computers & Security, 21(3), 266-284.
Son, J., & Benbasat, I. (2007). Organizational Buyers' Adoption and Use of B2B Electronic Marketplaces: Efficiency-and Legitimacy-Oriented Perspectives. Journal of Management Information Systems, 24(1), 55-99.
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems: NIST special publication.
Straub, D. W. (1990). Effective IS Security. Information Systems Research, 1(3), 255-276.
Sumner, M. (2009). Information Security Threats: A Comparative Analysis of Impact, Probability, and Preparedness. Information Systems Management, 26(1), 2-12.
Sun, L., Srivastava, R., & Mock, T. (2006). An information systems security risk assessment model under the Dempster-Shafer theory of belief functions. Journal of Management Information Systems, 22(4), 109-142.
Tan, M., & Teo, T. (2000). Factors influencing the adoption of Internet banking. Journal of the AIS, 1(1es).
Tanaka, J. (1993). Multifaceted conceptions of fit in structural equation models. In K. A. Bollen & J. S. Long (Eds.), Testing structural equation models (pp. 10-39). California: Sage.
Taylor, S., & Todd, P. (1995). Understanding information technology usage: A test of competing models. Information Systems Research, 6(2), 144-176.
Teo, H., Tan, B., & Wei, K. (1995). Innovation diffusion theory as a predictor of adoption intention for financial EDI. Paper presented at the International Conference on Information Systems (ICIS).
Teo, H. H., Wei, K. K., & Benbasat, I. (2003). Predicting Intention to Adopt Interorganisational Linkage: An Institutional Perspective. MIS Quarterly, 27(1), 19-49.
Teo, T., Lim, G., & Fedric, S. (2007). The adoption and diffusion of human resources information systems in Singapore. Asia Pacific Journal of Human Resources, 45(1), 44.
Tierney, J. (2008). Common Criteria A brief history and overview. In K. E. Mayes & K. Markantonakis (Eds.), Smart Cards, Tokens, Security and Applications (pp. 173-194). Berlin: Springer.
Tipton, H., & Krause, M. (2007). Information Security Management Handbook. Florida: CRC Press.
Tornatzky, L., & Klein, K. (1982). Innovation characteristics and innovation adoption-implementation: A meta-analysis of findings. IEEE Transactions on Engineering Management, 29(1), 28-45.
Tsipenyuk, K., Chess, B., & McGraw, G. (2005). Seven pernicious kingdoms: A taxonomy of software security errors. IEEE Security & Privacy, 3(6), 81-84.
Vacca, J. (2009). Computer and information security handbook. Massachusetts: Morgan Kaufmann.
von Solms, B. (2000). Information security- the third wave? Computers & Security, 19(7), 615-620.
von Solms, B., & von Solms, R. (2004). The 10 deadly sins of information security management. Computers & Security, 23(5), 371-376.
von Solms, R. (1999). Information security management: why standards are important. Information Management & Computer Security, 7(1), 50-57.
Wang, H., & Wang, C. (2003). Taxonomy of security considerations and software quality. Communications of the ACM, 46(6), 75-78.
Weingart, S. H. (Ed.). (2000). Physical security devices for computer subsystems: A survey of attacks and defenses.
West, S., Finch, J., & Curran, P. (1995). Structural equation models with nonnormal variables: Problems and remedies. In R. Hoyle (Ed.), Structural Equation Modeling: Concepts, Issues, and Applications (pp. 56–75). California: Sage.
Westphal, J., Gulati, R., & Shortell, S. (1997). Customisation or Conformity? An Institutional and Network Perspective on the Content and Consequences of TQM Adoption. Administrative Science Quarterly, 42, 366-394.
Whitman, M. E., & Mattord, H. J. (2008). Principles of information security. Massachusetts: Course Technology.
Xu, J., & Lee, W. (2003). Sustaining availability of web services under distributed denial of service attacks. IEEE Transactions on Computers, 52(2), 195-208.
Zhu, K., Dong, S., Xu, S., & Kraemer, K. (2006). Innovation diffusion in global contexts: determinants of post-adoption digital transformation of European companies. European Journal of Information Systems, 15(6), 601-616.
Zmud, R. (1984). An examination of 'push-pull' theory applied to process innovation in knowledge work. Management Science, 30(6), 727-738.
Zucker, L. (1977). The role of institutionalization in cultural persistence. American Sociological Review, 42(5), 726-743.
Appendix A. Researches on IS Security
Table A-1: Researches on IS Security Technologies
Topic                                        C&S   ISS IM&CS   I&M  MISQ   ISR   JIS  JMIS   ISJ  EJIS  JAIS  CAIS
Cryptography and Secure Communications       234   202   122     3     0     0     0     0     0     0     0     2
System, Software, and Data Security           80   229     6     2     0     3     0     1     2     0     0     1
Security Attacks and Malwares                 93   156    26     0     0     1     2     0     0     1     0     2
Physical Security                             13    57     0     0     0     0     1     1     0     0     0     1
Standards and Certifications                   7     6     2     0     0     0     0     0     0     0     0     1
Total                                        427   650   156     5     0     4     3     2     2     1     0     7
Table A-2: Researches on IS Security Management
Topic                                        C&S   ISS IM&CS   I&M  MISQ   ISR   JIS  JMIS   ISJ  EJIS  JAIS  CAIS
Risk Management                               34    36    29     3     3     2     1     2     0     2     1     4
Awareness, Behavior, or Education Issues      31    49    27     0     1     1     0     0     1     1     1     0
Legal or Ethical Issues                       37   123    40     8     6     2     2     3     0     3     3     5
Security Management Standards and Plan        78   129    43     3     2     1     0     0     2     1     1     2
Business Continuity Planning/Management        5    20    17     0     0     0     1     0     0     0     1     4
Security Investment and Strategy               5    20    12     0     0     3     0     4     0     0     0     1
Audit and Assurance                            9    13     0     0     0     1     3     0     0     0     0     3
Total                                        199   390   168    14    12    10     7     9     3     7     7    19
Table A-3: Survey Period and Survey Volumes and Issues
Appendix B. Questionnaire Instruments
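Relative Advantages
Improvement of management (adapted from (Lai, et al., 2008))
Adopting ISO 27001 certification can improve the company's control over information flows.
Adopting ISO 27001 certification can enhance company management and reduce the impact of information security incidents.
Adopting ISO 27001 certification can make company members' authority and responsibilities for information security clearer.
Compatibility
Compatible with current process (adapted from (Teo, et al., 2007; Zhu, et al., 2006))
The requirements of ISO 27001 certification are compatible with the company's current operating processes.
The company's existing operating processes already include information security considerations.
Integrating the company's processes with the requirements of ISO 27001 certification is easy.
Complexity
Complexity of the certification (adapted from (Ramamurthy, et al., 2008; Teo, et al., 2007))
The content of ISO 27001 certification is easy for our company's IT staff to understand.
During the adoption of ISO 27001, the company needs to conduct a great deal of training and awareness promotion on the requirements of ISO 27001.
Overall, adopting ISO 27001 certification is a very complex process.
Coercive forces
Legal requirements (adapted from (Liang, et al., 2007) & (Chen, et al., 2009))
Laws, regulations or the competent authorities require us to adopt ISO 27001 certification.
Current or foreseeable future regulations prompt us to adopt ISO 27001 certification.
Adopting ISO 27001 certification enables our company to meet regulatory requirements for information security.
Customer requirements (adapted from (Khalifa & Davison, 2006))
Our customers think we should adopt ISO 27001 certification.
To continue doing business with our existing customers, we must hold ISO 27001 certification.
Our important major customers encourage us to adopt ISO 27001 certification.
Mimetic forces
Frequency-based imitation (adapted from (Son & Benbasat, 2007))
Many companies in the same industry as ours have already adopted ISO 27001 certification.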