1 1

National Culture and the ISO 27001 Development, based on the Information Security Guidelines Bahareh Shojaie · Hannes Federrath · Iman Saberi University of Hamburg, Germany https://svs.informatik.uni-hamburg.de

May 16th, 2016

2 2

Information Security Management Standards

•  International ISO 27001

–  Market assurance (Legal requirements) –  IT governance (Customer demand)

•  Motivation

–  National IS guidelines or ISO 27001

•  Contribution

–  Structured comparison –  National IS culture

3 3

Motivation for national IS guidelines development

•  ISO 27001/ ISO 27002 Development

•  Time establishment

•  National characteristics

–  Economy & trading

–  Specific legislation & requirements

–  History and development

4 4

National IS guidelines vs. ISO 27001

•  Stakeholder description

–  Compatibility level

•  Developed Vs. Developing

–  Focus level

•  Scope description

–  Detail level

5 5

National IS guidelines & ISO 27001 issued certificates

0% 10% 20% 30% 40% 50% 60% 70% 80% 90%China

GermanyRussian Federation

BrazilUnited Kingdom

Saudi Arabia Poland

South Africa Pakistan

AustriaNorway

United Arab EmiratesQatar

New ZealandSri LankaSlovakia

AzerbaijanCroatiaUganda

LatviaRwanda

MalawiUSAIndia

JapanFrance

CanadaAustralia

Hong KongSingapore

Percentage Ave. ISO 27001 annual growth (ISO survey 2014)

Cou

ntrie

s

6 6

National IS guidelines & ISO 27001 issued certificates

0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

Japan

United Kingdom

India

China

USA

Sri Lanka

Uganda

Latvia

Rwanda

Malawi

Percentage Ave. ISO 27001 annual growth (ISO survey 2014)

7 7

National IS guidelines & ISO 27001 withdrawn certificates

0% 10% 20% 30% 40% 50%

ChinaGermany

Russian FederationBrazil

United KingdomPoland

South Africa Pakistan

AustriaUnited Arab Emirates

SlovakiaCroatia

USAIndia

JapanFrance

CanadaAustralia

Hong Kong, ChinaSingapore

Percentage Ave. ISO 27001 withdrawn certificates (ISO survey 2014)

Cou

ntrie

s

8 8

National IS guidelines & ISO 27001 withdrawn certificates

0% 5% 10% 15% 20% 25% 30% 35% 40% 45%

Singapore

Pakistan

China

Brazil

Australia

United Arab Emirates

USA

Percentage Ave. ISO 27001 withdrawn certificates (ISO survey 2014)

9 9

Tightness vs. Looseness

UAI Uncertainty Avoidance

PDI Power Distance

IDV Individualism

Cultu

ral E

ffect

s

The Most Applicable Cultural Dimensions

The Most Leading Literature

Gelfand

National (Country)

National cultural characteristics & ISO 27001

UAI: Degree of comfortableness with uncertainty (Saudi Arabia) PDI: Relation to authority (Sri Lanka) IDV: Self image as »I« or »we« (New Zealand)

Hofstede

10 10

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%China

GermanyRussian Federation

BrazilUnited Kingdom

Saudi ArabiaPoland

South AfricaPakistan

AustriaNorway

United Arab EmiratesNew Zealand

Sri LankaSlovakia

CroatiaLatvia

MalawiUSAIndia

JapanFrance

CanadaAustralia

Hong KongSingapore

Ave. cultural characteristics distribution (Hofstede Centre)

Cou

ntrie

s

UAI PDI IDV Tight

National IS guidelines & cultural characteristics

11 11

National IS guidelines & cultural characteristics

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Japan

United Kingdom

India

China

USA

Germany

Poland

Australia

Slovakia

France

Ave. cultural characteristics distribution (Hofstede Centre)

nUAI nPDI nIDV nTight

12 12

The most effective national characteristics

•  National economic power

•  National IS requirements

•  National cultural barriers

–  National IS guidelines selection & development

–  ISO 27001 adoption & performance

13 13

Enhancing ISO 27001 long-term performance

•  Resource management

•  Main focus of development

•  Supplementary security guidelines

Bahareh Shojaie shojaie@informatik.uni-hamburg.de

14 14

References

•  ISO, 2014. ISO Survey 2014

•  Beckers, A structured comparison of security standards.

•  Hofstede, the Hofstede Centre http://geert-hofstede.com/countries.html