CCE Theses and Dissertations

Campus Access Only

All rights reserved. This publication is intended for use solely by faculty, students, and staff of Nova Southeastern University. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, now known or later developed, including but not limited to photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the author or the publisher.

Date of Award


Document Type

Dissertation - NSU Access Only

Degree Name

Doctor of Philosophy in Information Systems (DISS)


Graduate School of Computer and Information Sciences


Gurvirender P. Tejay

Committee Member

Marlyn Littman

Committee Member

Ling Wang


Within the modern and globally connected business landscape, the information assets of organizations are constantly under attack. As a consequence, protection of these assets is a major challenge. The complexities and vulnerabilities of information systems (ISs) and the increasing risks of failure combined with a growing number of security incidents, prompts these entities to seek guidance from information security management standards. The International Organization of Standardization (ISO) Information Security Management System (ISMS) standard specifies the requirements for establishing, operating, monitoring, and improving an information security management system within the context of an organization's overall business risks. Importantly, this standard is designed to ensure the selection of adequate information security controls for the protection of an organization's information assets and is the only auditable international standard for information security management.

The adoption of, and certification against the ISO ISMS standard is a complex process which impacts many different security aspects of organizations and requires significant investments in information security. Although many benefits are associated with the adoption of an information security management standard, organizations are increasingly employing economic measures to evaluate and justify their information security investments. With the growing emphasis on the importance of understanding the economic aspects of information security, this study investigated the economic value of the ISO ISMS standard adoption and certification.

The principles of the efficient market hypothesis and the event study methodology were employed to establish whether organizations realized economic gains from obtaining certification against the ISO ISMS standard. The results of this research showed that capital markets did not react to the ISO ISMS certification announcements. Furthermore, the capital market reaction to information security breaches was not different between ISO ISMS certified and non-certified firms. It was concluded that the ISO ISMS certification did not create economic value for the certified firms

To access this thesis/dissertation you must have a valid OR email address and create an account for NSUWorks.

  Contact Author

  Link to NovaCat