From INFORMATION & MANAGEMENT Annika Andersson, Karin Hedström, Fredrik Karlsson(2022)

1. “Standardizing information security
– a structurational analysis”
From INFORMATION & MANAGEMENT
Annika Andersson, Karin Hedström, Fredrik Karlsson
Presenter ：CHEN,YOU-SHENG (Shane) 2022/04/15

2. J C R
/45
2
For INFORMATION & MANAGEMENT

3. Vocabularies 1/5
/45
3
P. English Chinese
1 breaches 缺口
1 embody 具體化
1 legitimacy 合法性
1 de jure standard 強制性標準
1 input and throughput
legitimacy of standards
輸入及過程之
標準合法性
1 consensus 共識
1 warfare 交戰
1 appeals 籲求
1 sought-after 受歡迎
1 incidents 騷亂
P. English Chinese
1 perennial 長期存在的
1 consequences 後果
1 reputation 名聲
1 fuel pipelines 燃料管線輸送
1 antagonists 反派者
1 compelled 不得不
1 countermeasures 對策
1 legislative bodies 立法機關
1 trustworthiness 確實性
1 collective perception 集體認知

4. Vocabularies 2/5
/45
4
P. English Chinese
1 silver-bullets
銀彈(針對複雜問
題的解決方法)
1 one-size-fits-all-
approach
一體適用(一變應
萬變)
2 political interests 政治利益
2 democratically 民主主義
2 regulatory authority 監督管理機構
2 constitute patterns 構成模式
2 contextual setting 情境設置
2 strive for 爭取
2 deliberative procedures 審議程序
2 public power 公共權力
P. English Chinese
2 tensions 緊張關係
2 simultaneously 一齊
2 collide 衝突
2 consultation procedures 協商程序
2 map out 籌劃
3 exogenous
contingencies
外生意外事件
3 political alliances 政治聯盟
3 prevailing 佔優勢
3 rhetoric 修辭
3 credibility 可靠性

5. Vocabularies 3/5
/45
5
P. English Chinese
3 resistance 反抗
3 lean on 依賴
3 Common Criteria(CC) 通用評估準則
3 Recognition Agreement 互認協議
3 market discourse 市場論述
3 theoretical lens 理論透鏡
4 memory traces 記憶痕跡
4 routinization 程序
4 normative regulations 規範規章
4 contingent claims 未定權益
P. English Chinese
4 conventions 慣例
4 drawn upon 總結
5 asymmetries 不對稱
5 qualitative 定性
5 ontological assumption 本體假設
5 committee 委員會
5 headquarters 總部
5 ethnographic 民族誌學的
5 intrusive 打擾人的
5 correspondence 信件

6. Vocabularies 4/5
/45
6
P. English Chinese
5 cumbersome 難處理
5 chronological order 依時間先後
5 liaisons 聯絡
5 punishment 懲罰
6 taken-for-granted 理所當然
6 dality level 模式層面
6 contradictory 矛盾
6 enact 制定
6 inclusiveness 包容性
6 voluntarism 自願主義
P. English Chinese
7 interbranch 內部分支
7 ISO 國際標準化組織
7 CEN 歐洲標準委員會
7 manifested 清楚
7 formulation 構想
7 referral 推薦
7 well-grounded 有根據
7 witnessed 作證
8 strategic positions 戰略定位
8 secretariat 秘書處

7. Vocabularies 5/5
/45
7
P. English Chinese
8 chairperson 主席
8 counterweight 平衡力
8 sanction 認可
8 streamlined 現代化
8 guiding principle 指導原則
8 ambiguous 含糊不清
8 evident 明白
9 inquiry 調查
9 keep pace 跟上步伐
10 resistance 抵抗
P. English Chinese
10 devalued 貶低
10 shrug of indifference 冷漠的聳肩
10 hampering 妨礙
10 reputability 信譽
10 co-existence 共生
10 Reflexive monitoring 反思性監控
10 neglected 忽視
10 tailored 使適應
10 stems from 源於
10 avenue 途徑

8. 0 1
Introduction
0 2
Standard development and
legitimacy strategies
CONTENTS
/45
8
0 5
Material and methods
0 3
Legitimacy and standard development research
in information security research
0 4
Structuration theory and the process of
legitimating standard development
0 6
Results
0 7
Discussion and conclusion

9. 01
Introduction
/45
9

10. Introduction
/45
10
Standards are documents that provide
“Requirements, specifications, guidelines or characteristics
that can be used consistently to ensure that materials,
products, processes, and services are fit for their purpose.
ISO (2015) Standards retrieved from
http://www.iso.org/iso/home/standards.htm
ISO 27001 ICON (CC BY)
”

11. Introduction
/45
11
• Information security incidents are a perennial
problem for organizations
• Information security standards play an important
role, where they advise on how these kinds of
countermeasures are to be designed and
implemented
• Establishing the legitimacy of standards is a core
issue for standardizing organizations, as
legitimacy is seen as positive in the collective
perception of all relevant stakeholders
Information security (CC BY-ND)

12. Introduction
/45
12
• International information security standards are no silver-bullets, and
they are not without criticism
• Our purpose is to complement the previous studies by adding a
legitimacy perspective on information security standard development
(input and throughput legitimacy)
• We use structuration theory as the analytical lens when analyzing 34
months of data from participating in information security standard
development (Ethnographic)
(CC BY-SA)

13. 02
Standard
development and
legitimacy strategies
/45
13

14. Standarddevelopment and legitimacystrategies
2.1. Legitimacy strategies
/45
14
Input legitimacy
• importance of stakeholder participation in the decision-making process (Kica 2012)
• a political criterion focused on citizens’ political participation and governments’
responsiveness (Scharpf 1999)
Throughput legitimacy
• concerned with the quality of the decision-making process and questions (Kica 2012)
• a procedural criterion concerned with the quality of governance processes (Schmidt 2013)
Output legitimacy (x)
• related to the results of the decision-making process (Kica 2012)
• a performance criterion encompassing policy effectiveness and outcomes (Scharpf 1999)
• we are not addressing output legitimacy in this study

15. Standarddevelopment and legitimacystrategies
2.2. Standard making and tensions
/45
15
An efficient process
and experts’
involvement
Type 1
The role of the experts
simultaneously
participating
Type 2
Different legitimacy
strategies
Type 3
3
t
y
p
e
s
o
f
t
e
n
s
i
o
n
s
↑ Expert participation
↑ Consensus-reaching
practice
////////////////////////
↓ Efficiency
↑ Interest groups
////////////////////////
↑ Potential conflict
• Stakeholder participation is a
key factor for input
legitimacy affecting initial
adoption (Botzem 2012)
• Output legitimacy is a key
for long-term use

16. 03 Legitimacy and
standard development
research in information
security research
/45
16

17. Legitimacy andstandarddevelopment research in informationsecurity
research
/45
17
Study Focus
Article content concerning
legitimacy strategies
Backhouse
et al. (2006)
To reveal “the power mechanisms
required for a standard to evolve
from an idea into an obligatory
passage point for organizations
and agencies.”
• industry representatives
• requires the active participation of
industry
To analyze the challenges for
establishing the Common Criteria
for Information Technology
Security Evaluation (CC) as a
global standard.
• importance of trust for establishing
and maintaining a standard
• by involving industry and aligns a
global standard
Table 1、De jure standard making information systems research and legitimacy.
The development of standards is not always the effect of economic and strategic
decisions; it can also be derived from exogenous contingencies and power structures

18. Legitimacy andstandarddevelopment research in informationsecurity
research
/45
18
Study Focus
Article content concerning
legitimacy strategies
Silva et al.
(2016)
To study the power dynamics of
establishing an information security
standard in the UK.
• legitimacy is crucial for establishing
standards
• market legitimacy being the more
prevailing
• involvement of reputable industry
experts
To study how power operates in
national and international contexts
during the development of de jure
information security standards.
• show how key actors’ rhetoric is to
appeal to a “best practice”
• does not reflect transparency that the
standardization organizations use.
Table 1、De jure standard making information systems research and legitimacy.
The potential adopters seem to lean on market legitimacy as the determining factor
when deciding whether to adopt a specific standard

19. 04
Structuration theory
and the process of
legitimating standard
development
/45
19

20. /45
（CC BY-NC-ND）
Structurationtheory and the process of legitimating
standarddevelopment
• We have used the original Giddens’ theory (1984) and its
operationalizations made by Halperin and Backhouse
(2007)
• Structuration theory used for advancing our
understanding of information security awareness and
behavior in organizations (Tsohou et al. 2015)
• Structures can differ in strength, and strong structures
are characterized by things taken for granted
20

21. Structuration theory and the process oflegitimating
standarddevelopment
/45
21
↑Input ↓Throughput
Strong: ↓ Input ↑Th
Weak: ↓Throughput
↓Input
↑ Input
↑ Allocative
↑Throughput
↑Authoritative

22. 05
Material and methods
/45
22

23. Materialand methods
/45
23
-Interpretive ethnography research method
• This research is qualitative and interpretive
• The ethnographic method calls for the researcher
to be closely engaged with the daily life of
another community
1. To identify the instances where these standards
are negotiated
2. To understand why actors make the claims about
the negotiations that they do

24. Materialand methods
5.1. Contextual setting
/45
24
• A non-government association of national
standards organizations
• Founded in 1922 and has been working
internationally since the 1960s
• By 2020, SIS had 1067 companies, agencies,
and organizations as members
Via a designated website for all countries
to take part of
Standards are voted on at international
meetings
During our time of investigation, the
committee had 65 members representing
49 public and private organizations
The more frequently visited annual national
meeting is hosted over two workdays
Decisions on standards are made during
these days
Most focus is on strategies for upcoming
international meetings and issues

25. Materialand methods
/45
25
5.2. Data collection
Engaged in the development of standards over 34 months from February
2013 to November 2015
The members of the committee were informed about the purpose of
the research project and agreed to participate
The ethnographic material was collected by participant
observations, unstructured interviews, informal conversations
Texts were copied and pasted into a word document based on the
chronological order

26. Materialand methods
5.3. Analysis
1.How many persons
participated in the work
to develop information
security standards?
2.How many different
stakeholders
participated?
1.How open and transparent is the decision-making process?
2.Do we know who participated in the decision-making?
3.Do we know on which grounds a decision was taken?
4.Is the decision communicated to us?
5.Do all actors have a realistic chance of being heard?
6.How are agreements made?
7.On what grounds are decisions made?
• Aimed at tracing structuring processes by letting the modalities in Fig. 1
/45
26
Input Throughput

27. 06
Results
/45
27

28. Results
-The consensus and warfare structure
/45
28
The consensus structure The warfare structure
Emphasizes the participation of many
different stakeholders and sees
development as a process to reach
consensus
Uses military metaphors where
standard development is described as
going to war

29. Results
6.1.1 The consensus structure / Input legitimacy
/45
29
• The interpretative scheme of inclusiveness is present in most of the official
communication carried out by SIS and ISO
• The SIS aims for high input legitimacy
“When establishing an SIS/TC [technical committee of SIS], SIS has to make sure that as
many relevant stakeholders as possible are invited to participate and that these stakeholders
represent diverse organizations of the society.
Private companies, interbranch organizations, authorities, consumerand environment
organizations, union organizations, and public administration, when relevant, should all be
represented. Producers and consumers must be represented as well as that law-setting
authorities also take an active part in the work.”
(Rules for working in a technical committee in SIS/TC, 2011)

30. Results
6.1.1 The consensus structure / Input legitimacy
/45
30
• The norm is rather weak, as membership is voluntary
• They normally received responses from the same 2 to 3 members
“I want to encourage the whole committee to contribute, these are highly relevant standards,
and they become more relevant if more people contribute. If this workgroup is to remain, then
more people must participate.
Now it is only [name of person] that is commenting. There is no point in having meetings if
no one participates.”
(Private security consultant, 2015)

31. Results
6.1.1 The consensus structure / Input legitimacy
/45
31
• Norm is weakly sanctioned since nothing happens if you, as a member, do not participate
• The powers could draw upon here are the facilities to be able to stimulate members to
participate and time (and money) for members to participate
“I am also interested, but I’m in meetings all day tomorrow. Can we make a new
appointment?” [Information security manager at the municipality]
[...]
“I am also interested, but I am away at the ISO-meeting in Korea this week. Can we please
try to find another time? [Information security researcher].” (E-mail conversation between
members 2013)
“To put it simply – there are far too few persons that have the time to engage in the
development of international standards – leading to the standards ending up already finalized
on the table for voting.”
(In- formation security manager at a large manufacturing company, 2014)

32. Results
6.1.2 The consensus structure / Throughput legitimacy
/45
32
• The interpretative scheme that transparent and consensus-based standard
development with many stakeholders yields better standards
“Standard making within ISO, CEN and therefore also SIS is based on four important
principles: openness, voluntarism, stakeholder- governance and consensus practice.”
(Rules for working in a technical committee in SIS/TC, 2011)
“The chair should ensure that all points of view have received adequate attention, that
consensus is reached, and that all resolutions are worded in a clear and precise manner and
are made available – by the secretary – for confirmation.”
(ISO, Joining in, 2012)

33. Results
6.1.2 The consensus structure / Throughput legitimacy
/45
33
• The norm is that all members should provide opinions on standard proposals
• It contributes to increased throughput legitimacy, although it does not
clearly state how this will be done
“By providing your opinions on the attached referral, you contribute to making the
upcoming standard more accepted and thereby more useful. Your opinions will be balanced
with the opinions of other referral-recipients that will mutually constitute the Swedish answer
to ISO.”
(SIS e-mail, September 19, 2013)
it [the standard development] is too internal and needs to be opened up. You [referring to SIS]
need to show that the standards are objective, neutral, and well-grounded.”
(Information security manager in a small municipality, November 13, 2014)

34. Results
6.1.2 The consensus structure / Throughput legitimacy
/45
34
• The norm is that we should listen to the opinions of all countries
• The standard-developing organization needs the ability to manage members’
opinions and stimulate members to provide opinions (power)
• The norm is very weakly sanctioned (nothing happens if a member does not
provide comments)
“Kindly write down your opinions in Chinese and then have someone translate them to
English. Because your opinions are important.”
The chair (2015) asks the Chinese

35. Results
6.2.1 The warfare structure / Input legitimacy
/45
35
• We need to move fast and that the few participating members’ special skills
are needed (interpretative schemes)
• The level of sanction for this norm is weak – there are no requirements for
certain experiences or educations
• A member’s power to draw on here is the authoritative resource to be skilled
in politics
“It is also practical political schooling that is needed – that is one thing that we must
acknowledge. Standard development is not only about creating documents; it is about real
politics in the real world.”
(Private security consultant, 2014)

36. Results
6.2.1 The warfare structure / Input legitimacy
/45
36
• The interpretative scheme is that liaisons and decisions about de jure
information security standards are made outside the formal meetings
• The power aspects here, the facilities to draw upon, are
• (1) having the ability to be social (authoritative resource)
• (2) having time (and money) to be social (allocative resource)
“To be successful in an international context you need [...] contacts – have coffee with
them, eat with them, attend the dinner-party ... much is decided in the bar.”
(Private security consultant, 2015)

37. Results
6.2.2 The warfare structure / Throughput legitimacy
/45
37
• Pressure from the industry and multinational companies (interpretative scheme)
• The level of sanction of this norm is weak since nothing happens if members do not comment
“We are subject to distasteful pressure from some industries and sometimes multinational
companies when it comes to pushing requirements that are favorable for their products. They
can find out something – a requirement or a cogent law that can favor their products.
And they can afford to fund commissioned research that supports their claims and ignores
reports that do not benefit their interests.
There is a democracy deficit, and where the only counterweight is commenting, auditing, and
working very hard in the committees. But it is very hard to stand up against those people.”
“Yes, no one would argue against IBM.”
(As two members from two smaller manufacturing companies discussed during a meeting in 2014)

38. Results
6.2.2 The warfare structure / Throughput legitimacy
/45
38
• The facilities made visible here are:
• Having the ability to work together with other countries
• Coordinate trans-national work
• Be skilled in the English language (all authoritative resources)
“This Japanese guy presented his proposal for a cloud standard at plenum last Tuesday, but
he was completely killed. Australia and England had looked at the proposal beforehand and
said that it was not needed.
I mainly feel sorry for this Japanese professor who speaks really poor English and who has lots
of Japanese people in the room that nod and agree. For no good at all”
(Private security consultant, 2015)

39. Results
6.2.2 The warfare structure / Throughput legitimacy
/45
39
• The standards that are completely revised take a long time
• The norms are that standards should be quickly developed and
that full revisions should be avoided
• Again, the level of sanction(norm) is very strong
Country S: “Change it completely? That will take four years! It is better with corrections,
minor corrections ...”
Country B: “I talked to colleagues in the UK, and they estimate that this will take up to 5–7
years – if revised in full.”
Chair: “We are lacking time; we need to move on. If we have time, we can discuss this after
lunch.”
Country G: “This is the 3rd Working Draft. We do not want a fourth or fifth!”
Chair: “We have to be quick with time. Don’t spend time on perfect wordings – the point
is that we should agree with the general idea.”
(2015)

40. Results
6.3 Interaction between the two structures
/45
40
The warfare structure that standards should be developed
quickly and efficiently undermined the consensus structure
A consensus-reaching practice since the norms stipulating
this practice were weakly sanctioned
To establish throughput legitimacy through a consensus
process and input legitimacy through many participating
stakeholders was not achieved or even considered
important in practice

41. 07
Discussion and
conclusion
/45
41

42. /45
42
Discussionand conclusion
7.1. Implications for research
We found that the SIS management somewhat sanctioned the warfare
structure
Members claimed that in most cases there were better results from the
warfare structure than from the consensus structure defined by SIS
The structure of warfare was strong, it contained no formal norms.
These informal norms, however, all had a strong sanction level
The consensus structure contained many more formal norms, but these
norms had a very weak level of sanction

43. /45
43
Discussionand conclusion
7.2. Implications for practice
• Our call for broader participation in de jure information security standardization
supports the consensus structure, thus supporting the legitimacy of these standards
on capturing best practices in general and for a diverse set of organizations
• Concerns the information security risks of a powerful warfare structure
o meeting marked needs is a good thing
o keeping the pace to meet these needs may result in certain topics not being as
well elaborated in the standards
• Our study is to raise the awareness among managers in general
o managers need to be aware that the differing structure may start to take over
the structure defined by the organization

44. /45
44
Discussionand conclusion
7.3. Limitations and avenues for future research
Explain how the decision process can be made more
transparent
How many actors need to be involved given a certain
kind of decision in order to increase legitimacy
To extend structuration theory’s notion on norms
concerning their level of sanction
• Limits the potential for generalizing our findings
• The tension between input and throughput legitimacy is to a large extent unexplored

45. /45
45
Discussionand conclusion
7.4. Conclusion
Uncover how structures in standard development affect the input and
throughput legitimacy of de jure information security standards
Consensus and warfare – that affected input and throughput legitimacy
very differently
Participating members weaken input legitimacy and quick decision-making
weakens throughput legitimacy
There is a need to identify norms as well as analyze these norms’ sanction level

46. THANKS

47. Resource
• Annika Andersson, Karin Hedström, Fredrik Karlsson,
“Standardizing information security – a structurational analysis”,
Information & Management,Volume 59, Issue 3,2022,103623,ISSN 0378-7206,
https://doi.org/10.1016/j.im.2022.103623.
(https://www.sciencedirect.com/science/article/pii/S0378720622000350)
• PPT template- Vector Designed By Windy from https://pptdaily.com/templates/formal-blue-
minimalist-curve-line-business-report-ppt-template-blue_134570
• P15,20,23,26,28,40,44 Microsoft Stock images (royalty-free images)

48. Extended learning
• Wiki_ 業界標準
https://zh.m.wikipedia.org/wiki/%E6%A5%AD%E7%95%8C%E6%A8%99%E6%BA%96
• Wiki_合法性
https://zh.m.wikipedia.org/wiki/%E5%90%88%E6%B3%95%E6%80%A7
• 吉登斯結構化理論（Geddens'Structuration Theory ）
https://wiki.mbalib.com/zh-tw/吉登斯结构化理论
• 主体性、实践意识、结构化: 吉登斯“结构化”理论再审视
http://www.shehui.pku.edu.cn/upload/editor/file/20191007/20191007141253_8532.pdf
• BS7799企業資訊安全管理認證
https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=79
• Resistance and Power in a Security Certification Scheme: The Case Of c:cure
https://www.researchgate.net/publication/308599032_Resistance_and_Power_in_a_Security_Certification_Scheme_The_Case_Of_cc
ure
• 國際CC 認證體系和 CCRA 簡介
https://www.atsec.cn/company/company-resources/downloads/pdf/CC_and_CCRA_Introduction.pdf
• 何謂本體論?
https://sites.google.com/site/philosophersnote/article/heweibentilun
• 民族誌研究
https://kenzenchen.files.wordpress.com/2009/04/cb20031.pdf
• 記憶痕跡
https://terms.naer.edu.tw/detail/1308777/
• 反思性監控(Reflexive monitoring)
https://www.ptt.cc/bbs/Sociology/M.1396095945.A.616.html