University of Twente Student Theses


Information security certification in context : a strategy selection maturity model

Hulshof, Mike (2021) Information security certification in context : a strategy selection maturity model.

Abstract: For the last 20 years, increasing globalization and technological development have enabled and stimulated a greater degree of outsourcing of smaller IT sub-components to more specialized vendors. The shift from an industry characterized by in-house development with little use of outsourcing to an industry with less in-house development and widespread use of outsourcing has introduced novel challenges for technology providers worldwide. Technology providers, tasked with the development and delivery of these outsourced sub-components, must earn the trust of their partners by showing that they operate securely. Many organizations earn this trust through assurance from an independent party, often in the form of security certification. However, traditional certification schemes are not tailored to widespread outsourcing and sub-contracting, which introduces challenges for technology providers that must adhere to these schemes.

This master's thesis was carried out in cooperation with Innovalor, a technology provider specialized in the field of identity proofing, and investigates information security certification in the context of technology providers. The objective of this research project is to develop an artifact that supports the selection of an effective information security certification strategy. To this end, the thesis is structured according to the Design Science Research Methodology (DSRM) and consists of three phases: problem investigation, treatment design and treatment validation.

In the problem investigation phase an extensive problem analysis was performed. First, a systematic literature review was conducted on the value of information security certification. Next, qualitative interviews with three stakeholders within Innovalor were conducted, revealing practical challenges associated with information security certification and establishing initial treatment candidates. These findings were compared with the findings from the literature review to reveal similarities and discrepancies between theory and practice. Subsequently, in addition to the interviews, several existing treatment candidates were extracted from practical developments in the field of information security certification.

In the treatment design phase the artifact of this research project was designed. First, based on the findings from the problem investigation phase, the notion of a technology provider certification lifecycle was introduced. This model provides a general representation of the different stages of certification based on four scenarios. Second, additional qualitative interviews were conducted with eighteen stakeholders from several areas related to information security certification. The participants were asked to reflect on the treatment candidates that emerged from the problem investigation phase and were given the opportunity to contribute strategies of their own. All stakeholders were experts in their respective fields, providing a multidisciplinary perspective. From these interviews, five certification strategies and four optimization practices emerged, which led to the construction of a certification strategy selection framework. Finally, the selection framework was expanded to cover optimization of an organization's information security certification processes within a given scenario, which was accomplished by incorporating the concept of dedicated maturity levels into a novel certification maturity model. This certification maturity model forms the artifact of this research project and is designed to be used in a prescriptive manner. The model serves two purposes. First, it aids in the construction of a development roadmap by showing how the maturity of information security certification strategies can be improved to positively affect the value of the business and/or its processes. Second, it supports the decision-making process when considering an appropriate strategy for acquiring new certifications and managing existing ones, based on the context in which a technology provider operates.

In the treatment validation phase the certification maturity model was validated according to the Unified Theory of Acceptance and Use of Technology (UTAUT). Expert interviews were conducted in which the certification maturity model was submitted to a panel of nine experts from varying backgrounds. These experts were asked to predict what effects the proposed solution would have if it were implemented in practice. Based on the findings of the validation, it was concluded that (1) the artifact sufficiently and accurately represents reality, (2) it provides guidance when selecting an appropriate information security certification strategy by facilitating the construction of a certification roadmap, and (3) the artifact is both easy to use and useful to Innovalor and to practitioners in the field. The main strengths of this research are the introduction of the certification strategy selection framework and the certification maturity model.

To conclude, the contributions of this research are fivefold:
1. A high-level overview of the certification process, visualized on the basis of the literature.
2. A visualization of the information security certification landscape from the perspective of Innovalor.
3. The notion of a technology provider certification lifecycle, showing the variability in certification needs as a technology provider progresses through four possible scenarios.
4. A certification strategy selection framework, mapping the strategies onto the same scenarios introduced in the technology provider certification lifecycle.
5. An information security certification maturity model, constructed by combining the previous findings.

Future work can improve on the limitations of this research project. The artifact could be expanded to promote generalizability outside the field of information security certification (e.g. certification in general), across a broader context (e.g. outside Europe) or beyond the scope of technology providers (e.g. outsourcing in general). In particular, we hypothesize that outsourcing of generic sub-processes in general could be considered a candidate scope for future research, but this requires further evaluation. The field of information security certification and IT auditing is continuously evolving, which puts the artifact presented in this research project at risk of becoming outdated if it is not revised to keep up with developments. Finally, future research would do well to closely monitor and evaluate the ongoing developments concerning a modular approach to certification. Of particular interest are the ETSI standards that continue to emerge, which cater to the practical application of component certification.
Item Type: Essay (Master)
Innovalor, Enschede, the Netherlands
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science, 85 business administration, organizational science
Programme: Business Information Technology MSc (60025)