Information security failures identified and measured – ISO/IEC 27001:2013 controls ranked based on GDPR penalty case analysis

annif.suggestions: data security | data protection | risk management | safety and security | data systems | enterprises | protection of privacy | cyber security | legislation | data communications networks
annif.suggestions.links: http://www.yso.fi/onto/yso/p5479 | http://www.yso.fi/onto/yso/p3636 | http://www.yso.fi/onto/yso/p3134 | http://www.yso.fi/onto/yso/p7349 | http://www.yso.fi/onto/yso/p3927 | http://www.yso.fi/onto/yso/p3128 | http://www.yso.fi/onto/yso/p3637 | http://www.yso.fi/onto/yso/p26189 | http://www.yso.fi/onto/yso/p13854 | http://www.yso.fi/onto/yso/p1957
dc.contributor.author: Suorsa, Mikko
dc.contributor.author: Helo, Petri
dc.contributor.department: fi=Ei tutkimusalustaa|en=No platform
dc.contributor.faculty: fi=Tekniikan ja innovaatiojohtamisen yksikkö|en=School of Technology and Innovations
dc.contributor.orcid: https://orcid.org/0000-0002-0501-2727
dc.contributor.organization: fi=Vaasan yliopisto|en=University of Vaasa
dc.date.accessioned: 2023-10-31T14:04:22Z
dc.date.accessioned: 2025-06-25T13:04:40Z
dc.date.available: 2023-10-31T14:04:22Z
dc.date.issued: 2023-10-18
dc.description.abstract: This paper identifies the failures and impacts of information security, as well as the most effective controls to mitigate information security risks in organizations. Root cause analysis was conducted on all year 2020 GDPR penalty cases (n = 81) based on misconduct as defined in GDPR Article 32, "Security of processing." ISO/IEC 27001 controls were used as failure identifiers in the analysis. As a result, this study presents both the most frequent and the most expensive information security failures, and correspondingly ranks the controls observed in the analysis and presents their correlation. From a theoretical perspective, our study contributes by bridging the gap between regulation and information security, introduces a statistical method for analyzing GDPR penalty cases, and provides previously unreported findings about information security failures and their respective solutions. From a practical perspective, the results of our study are useful for organizations that aspire to manage information security more effectively in order to prevent the most typical and most expensive information security failures. Organizations, as well as auditors implementing and assuring ISO/IEC 27001, may use our results as a guideline whereby controls are applied and verified first in sequential order based on their impact and interdependence.
dc.description.notification: © 2023 The Author(s). Published with license by Taylor & Francis Group, LLC. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. The terms on which this article has been published allow the posting of the Accepted Manuscript in a repository by the author(s) or with their consent.
dc.description.reviewstatus: fi=vertaisarvioitu|en=peerReviewed
dc.format.bitstream: true
dc.format.content: fi=kokoteksti|en=fulltext
dc.format.extent: 22
dc.identifier.olddbid: 19228
dc.identifier.oldhandle: 10024/16371
dc.identifier.uri: https://osuva.uwasa.fi/handle/11111/1456
dc.identifier.urn: URN:NBN:fi-fe20231031142116
dc.language.iso: eng
dc.publisher: Taylor & Francis
dc.relation.doi: 10.1080/19393555.2023.2270984
dc.relation.ispartofjournal: Information Security Journal: A Global Perspective
dc.relation.issn: 1939-3547
dc.relation.issn: 1939-3555
dc.relation.url: https://doi.org/10.1080/19393555.2023.2270984
dc.rights: CC BY 4.0
dc.source.identifier: Scopus:85174298223
dc.source.identifier: https://osuva.uwasa.fi/handle/10024/16371
dc.subject: Information security
dc.subject: ISO 27001
dc.subject: GDPR
dc.subject: General Data Protection Regulation
dc.subject.discipline: fi=Tuotantotalous|en=Industrial Management
dc.title: Information security failures identified and measured – ISO/IEC 27001:2013 controls ranked based on GDPR penalty case analysis
dc.type.okm: fi=A1 Alkuperäisartikkeli tieteellisessä aikakauslehdessä|en=A1 Peer-reviewed original journal article|sv=A1 Originalartikel i en vetenskaplig tidskrift
dc.type.publication: article
dc.type.version: publishedVersion

Files

Name: Osuva_Suorsa_Helo_2023.pdf
Size: 948.34 KB
Format: Adobe Portable Document Format
Description: Article

Collections