Understanding information technology security standards diffusion: An institutional perspective

Organizations´ dependency on information technology (IT) resources raises concerns over IT confidentiality, integrity, and availability. IT security standards (ITSS) which play a key role in IT security governance, are meant to address those concerns. It is then important for researchers, managers, and policymakers to understand the reasons for the low levels of ITSS diffusion in organizations. Building on institutional perspective, this study shows that none of the ITSS has yet reached the stage of legitimation that would prompt a widespread diffusion across organizations. Of particular focus is the benchmarking of ISO/IEC 27000 against other more diffused ISO generic standards. Three methodological approaches were used: structured documentation analysis, public secondary data analysis, and informal interviews of experts. This study sensitizes managers and policy-makers to the key role of institutional mechanisms in shaping ITSS diffusion.