Information security standards have an important role in the development of organizational information security. They are seen to represent best practices in the field and act as a starting point for creating procedures that are implemented in organizations. As with every artifact, information security standards are the result of design processes; actors participate in a negotiation process when designing artifacts, and these actors are not equal in the power they exercise in those processes.
This paper presents a review of information security literature, investigating the nature and extent of information security standard-making research, to find in which ways, if any, the design processes of information security standards (that is, the making of those standards) have been researched.
Of 924 papers published between 1985 and 2013 mentioning information security and standards, only eight were found to deal specifically with standard-making, and only one of those methodically studied the processes of negotiation underlying information security standards; the other papers dealt only with formal or technical aspects of standard-making. Thus, there is little research on information security standard-making, and what research is done is to a large part descriptive rather than analytical.
This lack of research into the negotiation and power processes of information security standard-making represents a large gap in the field, with consequences for both researchers and practitioners: while information security standards are important and widely touted in the field, their making is as yet unstudied, the underlying processes of that making as yet not understood, and thus the claim that standards correctly reflect best practices as yet unfounded. Practitioners cannot be sure that standards represent the best practices of their field, and consequently cannot place their trust in them.
Future work in the field should investigate much more closely the negotiation processes that underlie information security standards, for example through case studies following standards as they develop in standardization organizations such as ISO and its national constituents. This research must take into account both the technical and social factors that influence standards and their making.
Räisänen, Kalle, "Standard-Making in Information Security: A Literature Review" (2013). WISP 2012 Proceedings. 31.