Information & Management 46 (2009) 267–270

Contents lists available at ScienceDirect

Information & Management

journal homepage: www.elsevier.com/locate/im

Information security management standards: Problems and solutions

Mikko Siponen a,*, Robert Willison b
a
University of Oulu, IS Security Research Center and Department of Information Processing Science, Linnanmaa, P.O. Box 3000, FIN-90014, Finland
b
Copenhagen Business School, Howitzvej 60, DK-2000 Frederiksberg, Denmark

A R T I C L E I N F O A B S T R A C T

Article history: International information security management guidelines play a key role in managing and certifying
Received 28 July 2003 organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to
Received in revised form 10 April 2007 determine and compare how these guidelines are validated, and how widely they can be applied. First,
Accepted 7 December 2008
we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal
Available online 20 May 2009
in scope; consequently they do not pay enough attention to the differences between organizations and
the fact that their security requirements are different. Second, we noted that these guidelines were
Keywords:
validated by appeal to common practice and authority and that this was not a sound basis for important
Information systems security
international information security guidelines. To address these shortcomings, we believe that
Information security management
standards information security management guidelines should be seen as a library of material on information
Information security management security management for practitioners.
Information security management ß 2009 Elsevier B.V. All rights reserved.
guidelines
Information security certification

1. Introduction
Information security management (ISM) guidelines, which
attempt to provide the best ISM practices, are used by organiza-
tions. By adopting an authoritative guideline, organizations can
demonstrate their commitment to secure business practices;
organizations may then apply for certification, accreditation, or a
security-maturity classification attesting to their compliance to a
set of rules and practices.
Complying with security management guidelines is essential.
However, current guidelines have two problems. First, the well
known ones are generic in scope, while organizations need
methods tailored to their environment and operations. Second,
they have not been validated but are fostered by an appeal to
common practice, which is an unsound basis for a true standard.
2. Research framework
2.1. Information security management guidelines
Different international ISM guidelines have been proposed,
including the TCSEC/Orange Book, GMITS, CobiT, IT Baseline
Protection Manual, Generally Accepted Information Security
Principles (GAISP), the System Security Engineering CMM (SSE-
* Corresponding author. Fax: +358 553 1890.
E-mail address: msiponen@tols16.oulu.fi (M. Siponen).
CMM) [22], and BS7799 and its derivatives (BS7799, BS ISO/
IEC17799: 2000).
These, not surprisingly, have common features. First, they were
offered either to help secure organizations’ IS or for certification
purposes, to prove that organizations’ IS complied with the
guideline; in theory, all standards can be used for both purposes.
Second, they were externally developed by committees. Third, they
provided an authoritative voice on infosec management.
Of the ‘‘standards’’, we selected BS7799, BS ISO/IEC17799: 2000,
GASSP/GAISP and the SSE-CMM for analysis on the basis of three
factors. First, they are all relatively new. Second, they are widely
advocated by scholars and practitioners; these four standards or
guidelines have received positive recognition. Third, their advo-
cates are geographically dispersed. BS7799 has advocates in
Australia, New Zealand, South-Africa and the UK [1] and the SSE-
CMM is well-known in Canada and the U.S.
The Common Criteria [9] and ITSEC [16] focused on technical
security features [18]. The Common Criteria has been used
primarily for evaluating security properties of IT products. Here,
we are focusing on ISM aspects and guidelines, which emphasize
organizational, social and behavioural aspects of ISM in organiza-
tions. Such issues include development of organizational strategies
that ensure that employees are educated to comply with the
security policies [11]. In addition, BS, GASSP and the SSE-CMM
were selected over GMITS, the OECD guideline, ISF and the IT
Baseline Protection Manual [17]. Furthermore the GASSP’s
‘‘pervasive principles’’ were based on the OECD principles [10].
Hence, GAISP can be viewed as an later version.

0378-7206/$ – see front matter ß 2009 Elsevier B.V. All rights reserved.
doi:10.1016/j.im.2008.12.007
268 M. Siponen, R. Willison / Information & Management 46 (2009) 267–270
2.1.1. Generally accepted systems security principles (GASSP)
The development of GASSP started in 1992, with support from
the U.S. government, the International Information Security
Foundation, and other world-wide organizations. GASSP version
2.0 was published in 1999, and with the release of version 3.0 the
name was changed to Generally Accepted Information Security
Principles. The aim in the development of GAISP was to document
common practice. The preface stated: ‘‘We believe it is time for the
Information Security profession to create our own set of accepted
principles and practices.’’ [11].
GAISP proposed three levels of information security principles:
pervasive (few, rarely changing) such as those of ethics and
awareness; broad functional (more detailed); and most detailed.
Pervasive principles lay down the basis for the others. In total,
there are nine pervasive principles. GAISP version 3.0 included the
‘‘Detailed Principles Cookbook’’ for guiding GAISP developers in
detailing the principles from authorities such as OECD and ISF.
2.1.2. BS7799 and derivatives
BS7799 was developed in 1995 by the UK Department of Trade
and Industry, with international companies joining in the effort. An
international version (BS ISO/IEC17799:2000 [7]) was later
published. The 1995 version [5] is well-known and respected.
Later versions were published in 1999 [6] and 2000 [7] but for
clarity, we refer to these as BS Version 1, BS Version 2 and BS
Version 3, respectively. A standard known as BS 7799-2: 2002 [8]
will be referred to as BS Version 4. BS Version 1 included ten key
controls that are essential for all organizations, however the term
key controls was changed in versions 2 and 3 to ‘‘information
security starting point’’ with eight ‘‘critical success factors.’’
BS Version 4 described a process for use of the guideline, known
as the ‘‘Plan–Do–Check–Act’’ process:
 Plan ! establish a security policy and relevant procedures and
controls; then prepare a statement of the scope of its application,
justifying why the controls were selected and why others were
not;
 Do ! implement the security policy and relevant procedures;
 Check ! assess and measure the process performance, and
report the results to management;
 Act ! take appropriate corrective actions.
These methods were intended for use both in securing IS and in
their certification.
2.1.3. The system security engineering capability maturity model
(SSE-CMM)
The development of the SSE-CMM started in 1993 as an NSA-
sponsored endeavor to extend the capability maturity model [14].
The purpose of the effort was to use the model to address security
issues in systems development. To aid in development of the SSE-
CMM, the International Systems Security Engineering Association
(ISSEA) was founded.
Versions 2.0 and 3.0 of the SSE-CMM both included base
practices that were grouped into 22 key process areas (11 security-
related and 11 general project-oriented), and six maturity levels.
Version 3.0 included 129 base practices, such as: ‘‘Identify system
security vulnerabilities.’’ The 11 security-related process areas
were: (1) administer security controls; (2) assess impact; (3) assess
security risk; (4) assess threat; (5) assess vulnerability; (6) build
assurance argument; (7) coordinate security; (8) monitor security
posture; (9) provide security input; (10) specify security needs;
and (11) verify and validate security.
The SSE-CMM was intended to be used in certificating the
maturity level of an organization’s IS security and thus its security
processes. Version 3.0 of the SSE-CMM also included a 10-point set
of rules of thumb, which could be seen as a process guiding the use
of the guideline. The maturity levels are similar to those of SEI’s
CMM/CMMI: (0) not performed; (1) performed initially, based on
individual effort; (2) planned and tracked, when there is a security
process in place; (3) well-defined, where the security process is
standardized, tailorable and integrated into the organization-wide
process; (4) quantitatively controlled, where the security process is
quantitatively measured; and (5) continuously improving, where
metrics are used to collect feedback that is then used to improve
the process.
2.2. Criteria for assessing infosec management guidelines
The guidelines were analyzed from the perspectives shown in
Table 1.
2.3. Scope of application
It is important to know how broadly ISM guidelines can be
applied, and also to assess the extent to which a guideline is suited
to the needs of small to large organizations. The scope of a
guideline may be generic (applying throughout organizations, with
rare exceptions where the it does not), universal (applicable, to all
organizations, from small to multinational, without exception) or
company-specific (where every company may have a unique set of
requirements). Thus a company-specific international ISM guide-
line would start by listing and modeling the organization’s unique
security goals and requirements. We argue that guidelines should
be company-specific, to a certain degree. General and generic
security practices may overlook specific requirements, which may
result in expenditure in the wrong places, resulting in waste and
potentially insecure systems [4].
2.4. Type of evidence
Two types of evidence, validation and argumentation, are
important in research and development efforts.
Given the importance of information security guidelines, it is
necessary to examine how, and on what evidence they are
validated. Claims may be based on arguments that have empirical
support. However, one criterion is accepted: that the research
processes and types of evidence should be made public and visible.
In argumentation theory, several fallacies are discussed, including
appeals to popularity (Ad Populum), to common practice and
authority (Ad Verecundiam). We argue that ISM guidelines should
not be based on fallacious arguments.
3. Analysis of BS7799, GAISP/GASSP, and the SSE-CMM
3.1. Scope of application
BS Version 1 (and derivatives), the SSE-CMM, and GASSP/GAISP
appear to be generic or universal in scope. The following citations
illustrate how these principles were embodied.
BS Version 1 states that ‘‘some controls are not applicable to every
IT environment and should be used selectively. However, most of the
controls documented are widely accepted’’ . . . and . . . ‘‘recommended
good practices for all organizations.’’ [5]. Thus, the controls are
applicable to all organizations, while leaving room for exceptional
Table 1
Criteria for evaluating ISM guidelines and guidelines.
Viewpoints Examples
Scope of application Generic, universal, company-specific
Type of evidence Is the research process visible? Is the evidence sound?
 M. Siponen, R. Willison / Information & Management 46 (2009) 267–270
situations. It also prescribed key controls that were universal. They
‘‘are either essential requirements . . . or are considered to be
fundamental building blocks for information security.’’ and the
controls ‘‘apply to all organizations and environments’’. Later
versions use ‘‘information security starting point’’ principles,
which ‘‘apply to most organizations and in most environments’’
[7]. Hence, they are generic.
GASSP distinguishes between what is ‘‘generally accepted’’ and
‘‘universally accepted’’ and notes that all principles may have
exceptions. Thus, GASSP is of generic scope but GAISP does not state
this view explicitly; rather, it offers ‘‘. . .comprehensive, objective
guidance for IS professionals, organizations, governments, and users.’’
[12]. It seems that such objectivism leans towards a universal view.
Even though the SSE-CMM ‘‘applies to all types and sizes of
security engineering organizations . . .’’, it states that organizations’
security requirements differ: ‘‘The SSE-CMM includes practices that
focus on gaining an understanding of the customer’s security needs.’’
The SSE-CMM takes this into account in two ways. First, the
designer can select the relevant process areas and base practices.
Second, the SSE-CMM describes what practices need to be
performed, though it does not state how they are to be performed.
The 12 common features, associated with the five maturity levels,
are universal.
3.2. Validation based on appeal to common practice and authority
The international ISM guidelines being considered were based
on ‘‘generally accepted principles’’, or ‘‘best practice’’. Neither the
evidence for the reasoning behind them nor the underlying
research processes were given or made public and visible. Thus, the
results are not verifiable or repeatable. Thus practitioners have no
way of evaluating the reliability (or objectivity) of the claimed best
practices.
GASSP and GAISP note how: ‘‘the principles have been developed
on the basis of experience, reason, custom . . .’’ and ‘‘practices are
generally accepted because they represent prevalent practice’’.
BS Version 1 states: ‘‘These generally accepted controls are often
referred to as baseline security controls, because they collectively
define an industry baseline of good security practice’’. This appeal to
common practice is evident when BS Version 1 argued that ‘‘most of
the controls documented are widely accepted by large, experienced
organizations as recommended good practices for all situations’’. BS
Version 2 and Version 3 continue with the ‘‘information security
starting point’’ principles justified since they are ‘‘considered to be
common best practice for information security’’ [6].
The SSE-CMM version 2.0 offered a similar justification; the
standard ‘‘is a compilation of the best-known security engineering
practices’’.
The appeal to common practice is a faulty argument. In
addition, it is questionable whether any research methods have
been used to obtain results supporting such a claim: the SSE-CMM
versions 2.0 and 3.0 and GASSP reports imply that there have been
none. Hopkinson [15] states that the SSE-CMM version 2.0 was
based on experts’ judgment and their personal experience. This
also seems to be the case for version 3.0: ‘‘The SSE-CMM model was
developed by a consensus process’’. GASSP and GAISP present a
similar line of reasoning: principles were ‘‘generally accepted by
agreement (often tacit agreement) rather than formal derivation from
a set of postulates or basic concepts’’. GAISP maintained that ‘‘these
principles will be reviewed and vetted by skilled information security
experts and authorities who will ensure’’ that they are valid. This was
an appeal to authority.
Hefner and Monroe [13] reported that the SSE-CMM also used
key and community reviewers. They also referred to pilot projects,
which they suggested made the SSE-CMM fundamentally sound.
However, no further evidence was provided about them.
269
4. The weaknesses of prior ISM guidelines and
a possible solution
We will term the current position taken on ISM guidelines as
the traditional view. According to our analysis, the guidelines were
developed externally by security experts, and their scope was
generic or universal.
4.1. The traditional view
Guidelines developed according to the traditional view were
based on generic or universal principles, which the guidelines’
developers sought to validate by appealing to common practice
and authority. Both approaches are problematic. Generic and
universal guidelines do not pay enough attention to organizational
difference. Such guidelines do not address the organization’s own,
and unique, information security needs, but prescribe universal or
general procedures. In addition, and perhaps more worryingly,
information security may not be applied in areas where it is
required.
BS Versions 2 and 3 have moved in the right direction by stating
that the guidelines can be used as a starting point for developing
organization-specific guidelines. ISM guidelines [7] were validated
by appeals to common practice and authority. Because some
organizations are using certain practices, does not prove that they
are best practices. Consequently, we have no evidence of the
reliability of the guidelines. The current international ISM guide-
lines do not meet this criterion.
4.1.1. Overcoming the weaknesses of the current ISM guidelines
Rigorous empirical studies are needed in which all possible
variables are considered. The authors of guidelines should (1)
try to validate their usefulness and implications empirically,
and (2) consider how various environmental and organizational
factors may affect the use of the guideline. Both qualitative
(e.g., action research, interpretive field studies, interpretive
case research) and quantitative (e.g., survey) studies are
required.
First, there is a need to study what security techniques and
methods are currently in use and their real effects and possible
weaknesses. Second, studies are needed, to examine not only the
individual techniques, but managers and users perceptions of their
value, etc. In addition, the problems and implications of using
guidelines in organizations should be considered. In particular,
more care needs to be paid to the generalizability of the findings.
When developing new guidelines, the extent that existing results
can be generalized should be assessed.
4.2. Guidelines as a library of research results for practitioners
Guidelines must be crafted for the benefit of practitioners. Their
scope of application should be considered on its individual
principles and any findings should have undergone a peer-review
process. While we cannot outline a full guideline here, we can
illustrate our proposal with a simple example (Table 2).
In this simple example there are two areas: user compliance
with respect to security policies and guidelines, and risk analysis.
Each consists of objectives, principles and cautions. The objectives
lay down the general aim of the principles. In this example, the
areas are risk analysis and user compliance with respect to security
policies and guidelines. The principles act as a guide to how the
different means for ensuring security should be used. The caution
could warn about some pitfalls in the use of a principle. The key
references for objectives, principles and caution are listed, so that
practitioners can refer to them for further information. The
Evidence column shows the evidence on which the objectives,
270 M. Siponen, R. Willison / Information & Management 46 (2009) 267–270

Table 2
An example of a guideline as a library of research results for practitioners.

Areas Content (objectives, principles and cautions) Key references Evidence

1. Employees’ compliance with respect to
security policies and guidelines
Objective 1: To make users comply with security policy objectives. [21,23,24] Quantitative survey
Principle 1: Wide dissemination of security policies, use of software Deterrence theory
preventives and disciplinary actions for non-compliance, and enough
full-time security staff (or their increased visibility) increase
information security.

Caution for principle 1: The mere existence of security practice [20] Conceptual
(e.g., policies, education programs) does not guarantee their
quality in practise.

2. Risk analysis Objective 1: Risk analysis with the aim of calculating and managing risk. [2] Conceptual
Objective 2: Risk analysis as a tool for communication between
developers and managers.

Principles: (1) Analysis of security relevant resources and assets; (2) [19] Conceptual
analysis of threats whose occurrence could cause loss; (3) analysis of
vulnerabilities in security controls which may increase the frequency
of threat occurrences or their impact; (4) analysis of the overall risk;
(5) analysis and selection of appropriate controls that may reduce the risks.

Caution: Risk analysis to meet objective 1 is subjective. [3] Conceptual

principles and cautions are based. Practitioners may extract only
those points they need.
5. Conclusions
It is widely accepted that ISM guidelines play an important role
in managing and certifying information security in organizations.
We analyzed BS7799 and its derivatives, GASPP/GAISP, and the
SSE-CMM to show how these guidelines were validated and their
scope of application. They are generic or universal in scope and
thus they do not pay enough attention to the differences between
organizations and their security requirements. The guidelines
were validated by appeal to common practice and authority and
this process is likely to be fallible.
[16] Information Technology Security Evaluation Criteria (ITSEC), Harmonised Criteria
of France, Germany, the Netherlands and the United Kingdom, 1990.
[17] IT Baseline Protection Manual, BSI, Germany, 1996.
[18] P. Overbeek, Common criteria for IT security Evaluation – Update Report, in:
Proceedings of the IFIP TC11 Eleventh International Conference on Information
Security, Cape Town, South Africa, 1995.
[19] T. Saltmarsh, P. Browne, Data processing – risk assessment, in: M. Wofsey (Ed.),
Advances in Computer Security Management, (vol. 2), John Wiley and Sons Ltd,
1983, pp. 93–116.
[20] M. Siponen, Information security standards focus on the existence of process not
its content? Communications of the ACM 49 (8), 2006, pp. 97–100.
[21] M. Siponen, S. Pahnila, A. Mahmood, Employees’ adherence to information
security policies: an empirical study, in: Proceedings of the IFIP SEC2007, Sand-
ton, Gauteng, South Africa, 2007.
[22] SSE-CMM, The Appraisal Method, v2.0 and v3.0, 1998, http://www.sse-cmm.org.
[23] D. Straub, Effective IS security: an empirical study, Information Systems Research
1 (3), 1990, pp. 255–276.
[24] D. Straub, W. Nance, Discovering and disciplining computer abuse in organiza-
tions: a field study, MIS Quarterly 14 (1), 1990, pp. 45–60.

References
[1] J. Backhouse, C. Hsu, L. Silva, Circuits of power in creating de jure standards:
shaping an international information systems security standard, MIS Quarterly 30
(Special issue), 2006, pp. 413–438.
[2] R. Baskerville, Risk analysis: an interpretative feasibility tool in justifying infor-
mation systems security, European Journal of Information Systems 1 (2), 1991, pp.
121–130.
[3] R. Baskerville, Risk analysis as a source of professional knowledge, Computers and
Security 10 (8), 1991, pp. 749–764.
[4] R. Baskerville, Information systems security design methods: implications for
information systems development, Computing Surveys 25 (4), 1993, pp. 375–414.
[5] 7799BS, Code of Practice for Information Security Management, Department of
Trade and Industry, DISC PD003, British Standard Institute, London, UK (1995).
[6] BS7799-1, Code of Practice for Information Security Management, Department of
Trade and Industry, 1999.
[7] BS ISO/IEC 17799:2000 (BS 7799-1:2000), Information Technology – Code of
Practice for Information Security Management, British Standards Institute, 2000.
[8] BS 7799-2:2002 Information security management systems – Specification with
guidance for use, BSI, UK, 2002.
[9] Common Criteria, Common criteria for information technology security evalua-
tion, 2006, http://www.commoncriteriaportal.org/public/consumer/index.php?-
menu=2.
[10] GASSP, Generally Accepted System Security Principles (GASSP), Version 2.0,
Information Systems Security, June, vol. 8, no. 3, 1999.
[11] GAISP V3.0, 2003, http://www.issa.org/gaisp/_pdfs/v30.pdf.
[12] GAISP, Detailed Principles Cookbook, 2003, http://www.issa.org/gaisp/_pdfs/
v30.pdf.
[13] R. Hefner, W. Monroe, System Security Engineering Capability Maturity Model,
Conference on Software Process Improvement, UC Irvine, CA, USA, 1997.
[14] J. Herbsleb, D. Zubrow, D. Goldenson, W. Hayes, M. Paulk, Software quality and the
capability model, Communications of the ACM 40 (6), 1997, pp. 30–40.
[15] J. Hopkinson, Security standards overview, in: Proceedings of the Second Annual
International Systems Security Engineering Conference, 2001.
Mikko Siponen is a Professor and Director of the IS
Security Research Centre in the Department of Infor-
mation Processing Science at the University of Oulu,
Finland. He holds a Ph.D. in Philosophy from theUni-
versity of Joensuu, Finland, and Ph.D. in IS from the
University of Oulu, Finland. His research interests
include IS security, IS development, computer ethics,
and philosophical aspects of IS. He has published 30
papers in journals, such as MIS Quarterly Journal of the
Association for Information Systems, European Journal of
Information Systems, Information & Organization, Infor-
mation Systems Journal, ACM Database, Communications
of the ACM and IEEE IT Professional. He has received over 5.4 million USD of research
funding from companies and numerous funding bodies. He has acted as SE for ICIS
and is currently SE for an MIS Quarterly special issue entitled ‘Information Systems
Security in a Digital Economy’. He sits on the editorial boards of the European Journal
of Information Systems, Journal of Organizational and End User Computing and the
Journal of Information Systems Security.
Robert Willison is an Assistant Professor in the
Department of Informatics, Copenhagen Business
School. He received his Ph.D. in IS from the London
School of Economics and Political Science. His research
focuses on IS security, with a specific interest in
employee computer crime. He has published in journals
including Information and Organisation, European Jour-
nal of Information Systems and Communications of the
ACM. He acts as an AE for the European Journal of
Information Systems and is currently guest editing a
special issue of the journal entitled ‘Behavioral and
Policy Issues in IS Security’.