Cultural Aspects in Information Security Standard Development
Information security standards reflect “best practices” developed globally by information security experts. Indirectly these standards have an impact on how information security is developed in different organisation, because they are often used as a point of departure for local information security work. It is, for example, mandatory for Swedish governmental agencies to use the ISO-27000 series when adopting an information security management system.
Despite the significant impact international information security standards have, the knowledge about how these standards are developed is still limited. The project has been working with the research question: which structures affect the work to develop information security standards?
The aim of the project Cultural aspects in information security standard development was to investigate the culture, embodied as structures, which characterises the work to develop information security standards. Increased knowledge about this kind of work is important, because it increases the understanding about why standards are shaped in certain ways and the context in which these standards can be considered “best practices”.
The investigation was carried out as an ethnographic study in order to capture the structures behind the development work of information security standards. The researchers participated as members of a so-called technical committee. The membership meant that the researchers attended information security development work during several years, which resulted in detailed insights into how the work is carried out.
SIS, the standardisation organisation that the project has followed, describes the development work as based on consensus between many different stakeholders. The ethnographic study partly shows something different. The study found that standard development work has clear elements of consensus, however the study also showed that the participation is low. This means that in practice the few actors that participate in the decision making about information security standards have great power. The study also found that the development work includes a second structure, which is characterised by strategy, politics, and competition – this present especially in the international work. This structure is not as visible to third parties as the first structure.
An interesting future research question concerns how to increase the participation when standards are developed.