Abstract
The purpose of this article is to contribute scientifically to the thematic areas of organisational resilience and security risk management by providing a model of a flexible security management system that can be integrated with other management systems and be applied to the operational dimension of organisational resilience. To this end, the literature on security risk and operational resilience has been reviewed, as well as on security governance models based on enterprise security risk management and other international standards that allow integration with business processes. During the study, an incipient production of specific models that determine the maturity of different management systems was observed in the academic sphere, with a gap being detected in terms of security management system maturity models linked to organisational governance and enterprise risk management, which would facilitate their inclusion in the organisation's integrated management system in a practical way. It is concluded that the proposed model provides scientific support to practitioners, and, to a greater extent, to companies and other organisations irrespective of their size, sector of activity or location.
Similar content being viewed by others
Introduction
In the context of public or private organisations, the concept of the term "security" could currently be understood in two ways: as a state or perception, and as a process of risk reduction and protection, or resilience building in the face of possible threat scenarios, (Jore 2019, pp. 157–174).
Security understood as a state or perception can vary significantly according to different 'situational factors' and, notably for individuals, between different places and times of day, also taking into account that such perceptions can be influenced by the adoption of situational crime prevention measures (Hirschfield 2004, pp. 9–20) (George and Mawby 2013, pp. 93–104) or the degree of familiarity with the risk (Borodzicz and Gibson 2007, p. 142). At the organisational level, boards of directors of large companies are paying attention to security risks, as these are also perceived as a cause of disruption in international business (Goosman 2022, pp. 237–244) (Dau et al. 2018, pp. 79–97) (White 2013, pp. 425–442); while depending on the functional area asked, perceptions may vary within the organisation itself (Burns 2016).
Security understood as a process (in addition to routinely managing those operational risks of organisations intentionally induced by humans) actively collaborates in obtaining and analysing intelligence information received by senior management for strategic decision-making (Crump 2015), as well as in comprehensive crisis management (Borodzicz and Gibson 2007, p. 142) when facing serious disruptive events (global pandemics, natural disasters, large-scale cyber-attacks, etc.).
In an earlier study by the authors on security risk management, it was concluded that, over the last thirty years, the discipline of security risk management has established itself on the one hand as a subject area in its own right, and on the other hand as a field closely linked to enterprise risk management (hereafter ERM). Among its conclusions, it was considered pertinent to delve deeper into the current contribution to the organisational resilience of a security management system (hereinafter SMS) based on Enterprise Security Risk Management (hereinafter ESRM). In parallel, it was highlighted that it would also be relevant to identify and analyse the managerial implications of corporate security leadership and its capacity to promote organisational resilience through ESRM.
To avoid the SMS being misaligned from the rest of the organisation's corporate functions and the achievement of its objectives (Bernardo et al. 2018, pp. 453–480), such a system should be embedded in the organisation’s integrated management system (hereinafter IMS), together with other corporate areas involved in risk governance. Especially those areas with shared responsibility for the governance and implementation of processes that constitute, together with risk management, the core of the organisations' operational resilience and the preparation of their response plans: crisis management, business continuity and emergency or incident management (Mehravari 2013, pp. 119–125).
According to Petruzzi y Loyear (Petruzzi and Loyear 2016, pp. 44–56), ESRM involves all parts of businesses, proactively recognising and addressing risk without overlooking that the alignment of business continuity and crisis management within the ESRM philosophy are key requirements in any resilience programme. Along these lines, ASIS International already refers to these resilience processes in its standard ORM.1–2017 "Security and Resilience in Organisations and their Supply Chains"(ANSI/ASIS 2017). It is closely linked to sustainability and the supply chain, where it highlights the need to “continually integrate and optimise their risk and business management processes”. In the fields of business management and supply chain management, sustainability is considered a component of resilience, i.e. increasing the sustainability of the system makes the system more resilient (Balugani et al. 2020, p. 1742). According to Ogrean (Ogrean 2018, pp. 526–536), both of these—resilience and sustainability—have emerged as some of the biggest challenges facing organisations in their strategic pursuit of performance and competitiveness.
In the current Volatile, Uncertain, Complex and Ambiguous (V.U.C.A.) environment, in which companies and organisations operate, it is necessary to improve the efficiency of their internal processes through specific management systems. Many of them have started by implementing one or more management systems, usually beginning with quality, environmental and occupational health and safety, but as the number of management systems to be implemented grew, problems arose from the multiplicity of management systems, which were subsequently mitigated after the implementation of IMS (Zeng et al. 2011, pp. 173–186).
Today, standardised management systems are already in place for both the security function, i.e.: BS16000, ISO 28000, or ISO 27001, and for the areas that are at the core of organisational resilience, among others: BS 65000, ISO 22316, ISO 22361, ISO 22301 or ISO 22320. However, it is necessary to move from the abstraction of these standards to a security management model that facilitates their integration into an IMS and which includes the general tactical and operational guidelines that link the SMS with its implementation through a security programme. In that vein, ASIS International's ESRM Guideline (ASIS International 2019) “describes the ESRM approach and explains how it can enhance a security program while aligning security resources with organisational strategy to manage risk”.
This study will describe the ERMsec © model to provide scientific support to practitioners by contributing a fully integrable and flexible tool that could be operational (Maier et al. 2017, pp. 302–314) in any organisation, regardless of its size, objectives and geographical location. This will be done by reviewing the applicable theoretical framework regarding ESRM, its fit with organisational and operational resilience, and the integration on a SMS. Subsequently, the justification of the proposed model will be presented, delving into its structure and the design of the questionnaire through which the relevant data can be extracted to obtain the level of maturity of that management system. This model is intended to serve as a governance tool for the security function (Proença and Borbinha 2018, pp. 102–114) and to provide a framework against which to compare the maturity of SMS in different organisations or even with the SMS of individual business units within the organisation's own structure.
Theoretical framework
Enterprise security risk management (ESRM)
The ERM-based risk management framework appeared in the 1990s as a result of a need that arose from a competitive and complex environment, seeking to link risk management with business activities (Arena et al. 2010, pp. 659–675). ERM is the main form adopted by companies that are making increasing efforts to organise uncertainty and it peaked in the decade of the 1990s. (Shetty et al. 2018, pp. 224–238). In 2004, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) published the first comprehensive ERM guide (COSO ERM—Integrated Enterprise Risk Management Framework), later updated in 2017, with subsequent academic contributions intended to facilitate the effective implementation of enterprise risk management and the management of complex strategic risks through the ISO 31000 risk management standard (Bharathy and McShane 2014, pp. 38–46).
A company could implement different ERM frameworks, all of which should define the essential components, suggest a common language and provide clear ERM guidance. In addition, each implemented framework should also describe an approach to identify, analyse, respond to and monitor the risks and opportunities faced by the company (Alijoyo and Norimarna 2021, pp. 11–14). According to the classification of risks based on the COSO-ERM standard, which goes beyond those associated with accidental losses, these could be divided into strategic, operational, financial and compliance risks (Deloitte 2013) (Al-Terki 2013) as shown in Fig. 1.
Schematic representation of enterprise risk management (ERM) based on the report “Exploring Strategic Risk” (Deloitte 2013)
Until recently, financial risks (such as credit and market risks) and reputational risks were of most concern to the leaders of business organisations. However, operational risks are gaining importance, particularly due to the development of information technology and digitalisation, which has resulted in high exposure to risks, also in information and communication technology (ICT) SMEs, particularly if controls are not put in place (Doo 2019, pp. 651–684) (Nkurunziza 2021). The importance of operational risks has increased to the point where they are no longer considered minor risks and have become a major factor in the possibility of fatal consequences for companies (Karam and Planchet 2012), especially with the globalisation of risks such as the recent Coronavirus disease (COVID-19) or the energy and logistics crisis resulting from conflicts such as the one in Ukraine or the lack of supplies from China.
The conceptualisation of operational risk management first appeared in the 1990s (Kalia and Müller 2015), where operational risk could be defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events (BCBS 2021), where each of the operational risks should be managed by its specialised function, with its own risk strategies, tools, and processes (Kallenberg 2009, pp. 90–110). According to the operational risk classification of the Basel Committee on Banking Supervision (BCBS 2019) in seven categories, we can distinguish those risks directly related to the security function (cybernetics, fraud, damage to physical assets, etc.) or to the continuity of operations, which may lead to the activation of emergency, business continuity and/or crisis response plans.
However, it is advisable to differentiate, within each organisation, between the owners of security risks and those who are jointly involved in their governance, within their respective spheres of responsibility. In the case of security risks, ASIS International has moved towards a similar philosophy to ERM to manage them through ESRM, where ESRM is a component of ERM (Feeney and Houchens 2019)—although this does not imply that an ERM programme must pre-exist or, if one exists, regardless of the level of maturity it has reached. It clearly states that final decisions are the responsibility of the asset owner, even if it shares some responsibility with the security function. ESRM defines at least four specific roles of responsibility: asset owner, security professionals, stakeholders and top management.
Beyond the possible understanding of the term "security" described in the introduction, either as perception or as a process, a more in-depth review of the academic literature has been carried out. Security is defined by the ESRM Guideline (ASIS International 2019) as the condition of being protected against hazards, threats, risks or losses. We could also define "security" as the perceived or actual ability to prepare for, adapt to, resist and recover from operational risks caused by deliberate, intentional and malicious acts by people, such as terrorism, sabotage, organised crime or piracy (Jore 2019, pp. 157–174).
Within the different security knowledge categories (Brooks 2010, pp. 225–239) the definitions of "security management" and "security risk management" are particularly useful for this study. Security management is defined as: “theories, principles, concepts, technique, process and practice of managing or controlling organisational resources to deliver the function of security”. “This category may include policy and procedures, administration, operations, training, awareness, finance, contracting, resource allocation, security decay and so on”. On the other hand, security risk management is also defined as “theories, principles, concepts and practices” it considers not only risk but also risk management. Based on these definitions, we can say that the former is more oriented towards security processes and management, and the latter towards providing a solid methodological source on which to base strategic, tactical or operational decisions and ensure that security expenditures achieve their maximum effectiveness (Anderson and Choobineh 2008, pp. 22–29). In terms of security risk management, Jore (Jore 2019, pp. 157–174) sees it as assessing and reducing the likelihood and consequences of potential attacks by implementing various risk reduction measures, such as establishing critical infrastructure protection and strengthening organisational resilience.
In an analysis of company case studies on ERM implementation of corporate governance and risk management (Aleem et al. 2013, pp. 236–248) they described how fundamental risk management principles based on corporate governance and ERM philosophy can be used by business managers in an organisation to manage security risks. They proposed that the key to managing security risk in a governance model is to understand that security risk is simply a subset of all risks that must be managed holistically across the enterprise. Although security risk may require highly specialised risk mitigation and response actions, the risk management process with fundamental risk principles is the same for security, financial, operational or other risks. In fact, the control of all risks as a whole—whether or not an ERM programme is implemented—should be under the top management’s ultimate responsibility and oversight, as one of its strategic organisational governance functions. Along these lines, the ASIS International ESRM Guideline defines ESRM as a “strategic approach to security management that ties an organisation's security practice to its overall strategy using globally established and accepted risk management principles.”(ASIS International 2019), and ESRM governance should also be aligned with overall organisational governance (Feeney 2019), establishing it as the strategic model for managing security risks in the enterprise.
Organisational resilience
The term “resilience” has become so popular in recent times that it has emerged as one of the “buzzwords” (Saunders and Becker 2015, pp. 73–81) and is being applied, at different scales, to describe the capacity to cope with often sudden and dramatic changes; at individual, community, societal and organisational levels (Gibson and Tarrant 2010, pp. 8–14). For the development of this study, we will consider only its organisational dimension, the academic interest of which has grown steadily in recent years; although, despite this, the conceptualisation of the construct is still in its infancy (Duchek 2019, pp. 1–32) (Hillmann and Guenther 2021, pp. 7–44). Gibson and Tarrant (Gibson and Tarrant 2010, pp. 8–14) detected, in the early conceptualisation of organisational resilience, an attempt to reuse the approach to business continuity management (BCM) by relabelling it as “resilience”, perhaps aiming at a functional application of early developments in the BCM field.
Organisations recognise resilience as a top or highly relevant priority in strategic decision-making (FERMA 2021), and those with a higher level of internal resilience are better able to mobilise resources, allocate staff and prioritise key functions, without fear of making difficult decisions based on intelligence and evidence-based analysis (McManus 2008) (Stephenson 2010) (Gracey 2020, pp. 313–327). Some studies have explored the interrelationship of resilience with other thematic areas such as sustainability (Settembre-Blundo et al. 2021, pp. 107–132) (Ogrean 2018, pp. 526–536), communications (McManus 2008), competitive excellence (Stephenson 2010), or supply chains (Falasca et al. 2008, pp. 596–605). The literature review has taken into account both the definitions of organisational resilience made by international normalisation institutions or standards (Table 1) and by other institutions or academic works, revealing a coincidence in terms of the basic components of organisational resilience: strategic, operational and financial; although some of these publications have introduced other components, such as compliance (FERMA 2021; IRM 2022) in line with the risk categorisation of the COSO- ERM standard (COSO 2017) which aims to cover different risk categories: strategic, operational, financial and compliance risks (Arena et al. 2014, pp. 178–197).
The literature has also been reviewed to explore the direct relationship between risk management and resilience management. Although resilience management does not depend on risk considerations and assessments to be effective, it could benefit from such considerations and assessments if carried out correctly (Aven 2017, pp. 536–543), thus forging a causal relationship between risk management and resilience in that without the former, the functionality of the latter is compromised. According to ISO 31000, risk can be defined as the effect of uncertainty on objectives, which focuses on the effect of incomplete knowledge of events or circumstances on an organisation's decision-making (ISO 2019b). Uncertainty and its connection to the achievement of objectives is the concept that links risk management, corporate governance and resilience. Therefore, an organisation that manages uncertainty effectively will also have strong governance and be resilient (Dahms 2010, pp. 23–28). Risk management provides an understanding of how uncertainty can affect the organisation's objectives and how these specialised capabilities can address that uncertainty. The foundation of organisational resilience is a fundamental understanding of dealing with risk, particularly non-routine or disruption-related risk (Gibson and Tarrant 2010, pp. 8–14). Another particularity that can impact organisational resilience is preparedness for both predictable and unpredictable high-impact risks, with the former benefiting from prepared and tested response plans for specific scenarios. Whereas in the case of unpredictable risks, resilience will largely depend on the expertise of the organisation's specialists and managers (Groenendaal and Helsloot 2020, pp. 102–109).
Based on the risk classification of the COSO-ERM standard and the determinant link between risks and resilience as shown in previous sections, the division of corporate resilience into four dimensions is proposed, as shown in Fig. 2: strategic (i.e.: the entry of a competitor into the market), operational (i.e.: interruption of operations or asset impairment), financial (i.e.: market, credit or liquidity) and compliance (i.e.: introduction of new regulations or legislation). This risk/resilience taxonomy does not necessarily apply to all organisations but, following the literature review, at least the operational dimension is present in most cases (Leo 2020, pp. 1–15). For the purpose of this study, we will be focusing on its operational dimension, as security risks, among others, can cause disruptions in business continuity. Finally, we could say that a resilient organisation is one that understands its environment, identifies the inherent threats and risks or opportunities that affect it and, when these manifest themselves, activates its response plans and applies its acquired capacity to adapt to the "new normal".
Source Own elaboration
Organisational resilience based on enterprise risks.
Operational resilience
Operational resilience is seen as a priority issue, both from a regulatory perspective (NIAC 2010) (European Commission 2020) and as a matter of necessity for the organisations themselves, with the financial services sector starting to flesh it out in the form of standards or recommendations (see definitions in Table 2) along with other sectors such as the supply chain (Gould et al. 2010, pp. 287–302) and other services considered critical or essential to society (Alderson et al. 2015, pp. 562–586) (Labaka et al. 2016, pp. 21–33).
The Basel Committee on Banking Supervision recently published its revised "principles for the sound management of operational risk" (BCBS 2021). On a similar date, the Bank of England (Bank of England 2021) also published a policy statement on operational resilience whereby utilities should be able to prevent disruptions from occurring as far as possible, adapt systems and processes to continue to provide services and functions in the event of an incident, return to normal operation quickly when a disruption ends, and learn and evolve from incidents. Both institutions stress that operational resilience extends beyond business continuity and disaster recovery. It should be planned and implemented to cover threats already detected in the risk management process, regardless of whether they are man-made threats, natural hazards or system or supplier failures. However, all operational successes, careful designs and implemented controls are a kind of "illusion", because disruptions will occur at some point in the future, driving us to the need to organise the best possible design and implementation. At the same time, we must be prepared for the most severe disruption and accept our limited strength of knowledge about any future developments (Milkau 2021, pp. 408–425). On the other hand, Gartner (Gartner 2021) opens the range of stakeholders to include employees, citizen customers, as well as their partners, as we cannot lose sight of the fact that many of these services are also critical or essential to society (Trucco and Petrenj 2017, pp. 225–286). Finally, we can say that there are key attributes common to the definitions of operational resilience regarding the ability of any type of firm, not only in the financial sector, to prevent the occurrence of a crisis event, protect against an adverse event, respond to and recover from a crisis event, as well as maintain business services in the event of a disruption (Leo 2020, pp. 1–15).
Although each organisation, as in ERM implementation, will subsequently approach resilience in its own unique way (Burnard and Bhamra 2019, pp. 17–25) and given that management systems tend to be integrated within organisations, it makes sense that there is also an integrated functions model (Gibson and Tarrant 2010, pp. 8–14), the management of which provides the basis for linking different organisational capabilities, such as emergency, business continuity, crisis management and security. One such model has been developed and put into practice in the multinational organisation where one of the authors works, through the implementation of an operational resilience process that is based on the structure of normalised standards which fits perfectly with both the activation of response plans for disruptive events and the subsequent learning that is incorporated as the "new normal" in the improvement process within the management system (Fig. 3).
Source own elaboration
Operational Resilience Process.
According to Gracey (2020, pp. 313–327) disruptive events have an impact at the operational, tactical, and strategic levels. By following this structure, plans could be harmonised for each level according to various factors, such as the nature of the disruptive event, which part of the organisation has been affected, and its impact (Fig. 4); so allowing the possible concurrence of more than one activation at the same time to be more manageable, preventing the teams that make up the response committees or groups from becoming saturated due to the need to make decisions that are outside their area of competence, thus compromising the process’ success. It should be taken into account that certain organisations with a global geographic footprint or with a highly complex distribution of their business units and subunits may require a subdivision at the strategic level. In that case, the strategic level (crisis management) could be divided into different layers, according to the level of responsibility within the organisation; as observed in the model in Fig. 4, which proposes three teams (gold, silver and bronze), where the fourth (copper) being responsible for the activation of the tactical or operational levels. To enable a faster deployment of the organisation's response to threats to its strategic objectives, it is suggested that the upper-level committee is also alerted by the current committee, in case it needs to be escalated in terms of responsibility.
Source own elaboration
Operational Resilience Response Plans.
Management system
A management system is a structured method of ensuring that procedures are aligned with policies and objectives to manage organisational processes that are associated with the achievement of organisational objectives (Leflar and Siegel 2013). Organisations need nationally or internationally recognised standards to facilitate the design and implementation of a management system in a particular area, initially developing them from quality, environmental and safety standards. These standards provide a clear structure and rationale for such management. The main standards applied are ISO 9001 for quality management, ISO 14001 for environmental management and ISO 45001 for occupational health and safety management.
Most management systems based on the ISO standard have the following structure or are migrating to this model:
-
o
Purpose and scope.
-
p
Standards for consultation.
-
q
Terms and definitions.
-
r
Organisational context.
-
s
Leadership.
-
t
Planning.
-
u
Support.
-
v
Operation.
-
w
Performance evaluation.
-
x
Improvement.
The content of each of the first three clauses is discipline-specific and each standard may even have its own associated bibliography. From a governance and compliance point of view, the remaining seven sections are perfectly quantifiable for any organisation that intends to implement it, and a desirable target maturity level could therefore be determined.
Security management systems
Among the international standards and guidelines related to security are those described in Table 3. Although no two security functions are the same, many organisations often appoint a senior security executive to implement a strategic security framework with a wide range of responsibilities (ASIS 2022a), particularly in multinationals or where they are required for regulatory compliance such as in the case of critical infrastructure, essential services or a state's defence-related industry. Of these, ISO 28000 has been revised in 2022 and now allows for better alignment with ISO 31000 in terms of recommendations on principles; and also with ISO 22301 in terms of security strategies, procedures, processes, treatments and security plans. Figure 5 shows that ISO 28000 also applies the Plan-Do-Check-Act (PDCA) model to plan, establish, implement, operate, monitor, review, maintain and continually improve the effectiveness of an organisation's security management system. This ensures a degree of consistency with other management system standards, such as ISO 9001, ISO 14001, ISO/IEC 27001, and ISO 45001, which ensures consistent and integrated implementation and operation with related management systems.
PDCA model applied to the security management system, extracted from ISO 28000:2022
Integrated management systems
According to the Spanish Association for Quality, the integration of management systems is defined as the set of related or interacting elements that make it possible to implement and achieve the policy and objectives of an organisation, in terms of various aspects such as quality, environment, health and safety, or other management disciplines (AEC 2019). For reasons of efficiency in implementation, reduced bureaucracy, ease of auditability, and a better unitary vision, organisations tend to develop integrated management systems in such a way that links their components, instead of keeping each management system separate in silos (Calvo and Zapata 2010, pp. 1555–1564), regardless of which function within the company is ultimately responsible for governing them within its area of responsibility. Other authors highlight that this integration uses common resources to support the improvement of stakeholder satisfaction (Bernardo et al. 2017, pp. 121–133). Both ISO and BSI organisations, among others, have also contributed to the integration of these management systems, especially due to the similarities and compatibility of these standards, such as ISO 9001, ISO 14001, ISO 45001 or PAS 99.
There could be different motivations for implementing an IMS, such as customer or public regulator requirements, or following the competitors' lead. If we focus on the benefits, it is obvious that simplifying the number of audits and the process of self-certification or certification bodies, it reduces the associated costs and bureaucracy. (Zeng et al. 2010, pp. 171–179). It also seems logical that the greater the number of systems and processes to be integrated, the greater the difficulty of implementation. (Bernardo et al. 2012, pp. 23–33). There is abundant literature addressing the benefits and drawbacks of IMS implementation, including delving into the different levels of integration and strategies adopted (Domingues et al. 2016, pp. 164–174), but it must be up to each organisation to determine the boundaries and applicability of the IMS to establish its scope.
In accordance with the purpose of this study, a proposed methodology will be presented through which we will be able to discern the state of our security management system, with sufficient flexibility to indicate its level of maturity regardless of the matters attributed by each organisation to the security function, including the transversal governance of the organisation's operational resilience.
Methodology
The academic community is already aware of the urgency regarding resilience and has some development in this area. However, there is still limited research on metrics, the delivery mechanism and the relationship with other organisational variables (Xiao and Cao 2017, p. 4021), such as its interaction with security as a function responsible for the governance of operational resilience within the organisation. There are a number of integrated organisational resilience models that have been successfully implemented in a variety of different organisations, but for such models to make a significant contribution to organisational resilience, they must be based on a robust risk management programme that provides the foundation that links different organisational capabilities, such as emergency, business continuity, security, and crisis management (Gibson and Tarrant 2010, pp. 8–14).
A Maturity Model (MM) is a technique that has proven valuable for measuring different aspects of a process or an organisation and represents a path towards an increasingly organised and systematic way of doing business in organisations (Proença and Borbinha 2016, pp. 1042–1049). The authors of this research have also reviewed the literature on governance models for security risk based on ESRM, noting an incipient production in academia of specific models that determine the maturity of a security management system linked to organisational governance and ERM through an ESRM programme, to have a clear correspondence not only with internationally recognised management systems, but also with the specificity of the operations inherent to the security function within their organisation.
In the review of the international standards related to security, it has been noted that the specifications of some of the standards are not specific, remaining at a very general level and serving only to indicate compliance or non-compliance under the auditor's criteria, but without providing a breakdown of the minimum points that determine the level of maturity in the operational area. For this reason, a flexible model is needed in terms of the attributes that can be selected from a wide range, historically entrusted to the business security function and corporate security departments of organisations, such as security of assets, people, and information; but also crisis management and intelligence. All common steps in the structure of an ISO standard are met in this model, with the "Operation" section being the one that will vary from one organisation to another without influencing the final maturity assessment, allowing flexibility in the operational approach chosen by the organisation. For example, there will be organisations where security has operational responsibility for crisis management, in others, it will have prerogatives in terms of business continuity or emergency management, whilst it is also common for it to have intelligence attributions (ASIS Foundation 2022) in support of the business strategy. This model makes it possible, regardless of the powers assigned to security, to establish a level of maturity and strategies to advance from an initial starting point to the desired level for senior management in accordance with its strategic objectives.
Organisations where the corporate security function is also in charge of the cross-cutting governance of operational resilience, even if the responsibility for its implementation lies with the business itself, can utilise the flexibility of this model by matching resilience management systems (i.e.: ISOs 22316, 22361, 22301 and 22320) and security-specific ones (i.e.: ISO 28000). As can be seen in Fig. 3, the whole process of operational resilience could be divided into three phases. The first phase begins with the implementation of the management system, which may be embedded within the security management system, and continues until the moment when an event previously identified as triggering one or more of the response plans occurs, either by a real disruptive scenario or the performance of an exercise created for testing and training the teams. The third phase is the "new normal" phase, where the acquired capabilities will be part of the continuous improvement process included in the first phase.
Results
Taking into account all of the above, a model called ERMsec © has been developed, which is made up of a questionnaire divided into two sections. The first section consists of six initial control questions that help to frame the organisation within its geographical and activity sector (Fig. 6), and a second section with thirty-four variables distributed in seven parts that coincide with the seven clauses of Fig. 5. The result of the second section determines the maturity level according to the Capability Maturity Model Integration scale initially developed by Carnegie Mellon University (CMMI Institute 2020), in establishing 5 levels of process maturity: Non-Existent/Not Wanted (0); Ad Hoc (1); Repeatable (2); Defined (3); Managed (4); Optimised (5).
© questionnaire. Source own elaboration
First section of the ERMsec
A variable is a magnitude whose values are the object of study, and its definition makes measurable what is intended to be evaluated (Medianero Burga 2014, p. 61). In general, a variable (Fig. 7) has five basic elements:
-
I.
Name. It should be short and easy to remember. It must be unambiguous, avoiding confusion with other variables.
-
II.
Operational definition. A variable is an attribute or characteristic that can be measured, but that without an adequate operational definition could not be measured.
-
III.
Criteria for reference measurement. To measure the variables, it is necessary to indicate the measurement scale that will be used for information processing. In this tool, each variable has included requirements that will serve as a reference to obtain a value associated with the CMMI maturity level. For example, if any one of the requirements is met, the value of the variable will be "1" at the CMMI maturity level; and if all the requirements are met, the value will be "5".
-
IV.
Procedure to collect the data. To obtain data from primary sources, a survey has been prepared consisting of questions and their responses, which for their systematic processing have been grouped into two sections with different measurement scales.
© questionnaire. Source own elaboration
Example of a variable in the second section of the ERMsec
The first section is made up of six initial control questions, which are not complex as it is easy to obtain a numerical value, choose an option from a list or fill in a free text field. These questions will allow us to compare organizations according to their position in the stock market, sector of activity, resources allocated to the security function and the position of the Senior Security Executive and its department in the organization's hierarchy. (Fig. 6).
The second section consists of a total of thirty-four variables, with their respective criteria for reference measurement. In order to develop a high-level assessment that would provide consistent and substantiated results, an effort was made to identify the key cross-cutting compliance indicators of the international standards on which each of the variables, which contains the detailed assessments of the management system, is based. The international norms and standards that have been correlated to develop each of the issues in the second section have been, among others: COSO ERM – 2017; UNE-EN-ISO 22301:2019; ISO 22316:2017; UNE-ISO 28000:2007; UNE-ISO 31000:2018; UNE 166006:2018; UNE-EN ISO/IEC 27001; ESRM Maturity Assessment (ASIS 2022b); ANSI/ASIS ORM.1-2017; ANSI/ASIS/RIMS RA1-2015; ANSI/ASIS PAP.1: 2012; ANSI/ASIS PSC.1: 2012; BS 65000:2014. The correlation between them has been based on Annex SL (ISO 2021).
-
V.
Indicators of data collected. These two sections of the questionnaire will make it possible to compare the results obtained in order to determine whether the company's position in the market or sector, as well as the size of the resources, influence the maturity of the integrated security management system.
In the second section, there are the questions that will allow for specific data to be obtained about the management system itself, and the assessments that will result in both the partial result of each of the questions and the total result of the questionnaire. The result of each of the seven parts in Fig. 8 will be the average of the questions that compose it and will be represented graphically. Those graphs have also been incorporated in the results template to improve its comprehension and therefore facilitate the determination of action plans to reach the desired target (an example segment is available in this link). In addition, it allows for the comparison of business units within the organisation itself, specific operations or comparisons with other organisations in its sector or area of influence. It would be recommended for a better strategic governance to set a reference target to compare with the resulting value, as shown in Fig. 9.
Source own elaboration
Example of ERMsec@ questionnaire results.
Source own elaboration
Example of ERMsec@ graph based on questionnaire results.
In part 5 of the second section, which coincides with the "Do" of the Deming cycle, a proposal is made for security-related operations, which can be adapted to each organisation. In each of the security activities, it is desirable that the issues to be assessed come from a standardised source, such as the information systems security activity which has been referenced to ISO 27000. It should be noted that it does not take into account who owns the risk (the function or the business unit) or who is responsible for its management, as the aim here is to visualise the security management system situation either in the organisation as a whole or in a specific business unit.
Conclusions
Within organisations, security—understood as a process —bases its implementation on the management of the risks in its scope through ESRM, constituting a thematic area closely linked to ERM, but not necessarily requiring ERM to be already implemented in the organisation (Feeney 2019). In order to further explore how the security function contributes to organisational resilience, it has been demonstrated through a theoretical framework and literature review that it is possible and desirable to create security management and operational resilience models that are compatible with existing IMS in organisations. In the review of academic literature in prestigious databases, no such models have been found, which is why the proposed model is considered to be academically innovative and also a contribution to the strategic management of organizations and enterprises; as this model is equipped with a structure and a questionnaire through which the current maturity level is obtained, and even with the option of adjusting the target level within the strategic planning decided by each organisation, in line with its business objectives. This model is a governance tool for the security function while being flexible, as it allows the comparison of different businesses or sub-units within the organisation's own structure and even with other organisations, regardless of their size, sector of activity or geographical location.
In general, those organisations with multiple management systems perceive more benefits than those that executed only one standard or are managed separately in silos. While there is no single quick fix, single process, management system or software application that creates resilience (Gibson and Tarrant 2010, pp. 8–14) this does not preclude organisations from being able to establish the sweet spot they want to achieve in line with their strategic objectives. The ERMsec© model is based on the ideas proposed for the operational resilience process, providing an academic basis and scientific support to practitioners, mainly in its business application due to its flexibility to adapt to different types of organisations. The next step after proposing this model would be to test it through a process of quantitative research through surveys of large business organisations, for which preliminary tests have already been carried out and now require a formal study.
In the future, it would be interesting to delve deeper into a maturity framework that encompasses not only the operational resilience component, where the security function in companies contributes value, but the whole of organisational resilience in a transversal framework of a strategic nature, where some authors (Gracey 2020, pp. 313–327) (Denyer 2017, pp. 8–25) (Balugani et al. 2020, p. 1742) have already made some concrete proposals, and others propose its close connection with another strategic challenge such as sustainability (Ogrean 2018, pp. 526–536). Also related to operational resilience is the possibility of future studies on the operation of intelligence to support operational resilience in decision-making by crisis committees, business continuity and incident response teams. Other possible lines of research that emerge from this study:
-
Transfer this methodology to small and medium-sized companies, with a simpler survey that facilitates online responses from a larger number of companies, and that allows for comparison of key points with the first study carried out in large companies.
-
Based on the ASIS SSE-2022 Senior Security Executive Standard (ASIS 2022a) the managerial implications of security leadership and its ability to influence the promotion of operational resilience through ESRM could be further explored academically.
-
Resilience capability will depend to a large extent on the expertise of the organisation's specialists and managers (Groenendaal and Helsloot 2020, pp. 102–109), which is why it is necessary to propose new models of intervention for managers who sit on committees and exercise leadership in crisis management (Lalonde 2011, pp. 443–464).
-
Deepen in operational areas, potentially within the security area of responsibility such as intelligence, information security or operational resilience (incident management, business continuity and crisis management) transversally throughout the organisation.
References
AEC. 2019. Integración De Sistemas De Gestión. https://www.aec.es/web/guest/centro-conocimiento/integracion-de-sistemas-de-gestion. Accessed 9 Jun 2021
Alderson, David L., Gerald G. Brown, and W.M. Carlyle. 2015. Operational Models of Infrastructure Resilience. Risk Analysis 35 (4): 562–586. https://doi.org/10.1111/risa.12333.
Aleem, Azeem, Alison Wakefield, and Mark Button. 2013. Addressing the Weakest Link: Implementing Converged Security. Security Journal 26 (3): 236–248. https://doi.org/10.1057/sj.2013.14.
Alijoyo, A. and Stefiany Norimarna. 2021. The Role of Enterprise Risk Management (ERM) using ISO 31000 for the Competitiveness of a Company that Adopts the Value Chain (VC) Model and Life Cycle Cost (LCC) Approach.
Al-Terki, Abdulaziz. 2013. The Role of Operational Risk in ERM Framework. https://www.grc-summit.com/middleeast/2013/downloads/day2/3-Role-of-OpRisk-in-Enterprise-Risk.pdf. Accessed 7 Mar 7 2022
Anderson, Evan E., and Joobin Choobineh. 2008. Enterprise Information Security Strategies. Computers & Security 27 (1): 22–29. https://doi.org/10.1016/j.cose.2008.03.002.
ANSI/ASIS. 2012. PSC.1: 2012—Management System for Quality of Private Security Company Operations–Requirements with Guidance. https://webstore.ansi.org/preview-pages/ASIS/preview_ANSI+ASIS+PSC.1-2012+(R2017).pdf. Accessed 4 Oct 2021
ANSI/ASIS. 2012. Security Management Standard Physical Asset Protection. https://webstore.ansi.org/preview-pages/ASIS/preview_ANSI+ASIS+PAP.1-2012.pdf. Accessed 12 Nov 12 2021
ANSI/ASIS. 2017. ANSI/ASIS ORM.1–2017 Security and Resilience in Organizations and their Supply Chains. https://www.asisonline.org/publications--resources/standards--guidelines/orm/. Accessed 11 Apr 2022
ANSI/ASIS/RIMS. 2015. ANSI/ASIS/RIMS RA.1–2015—Risk Assessment. https://webstore.ansi.org/preview-pages/ASIS/preview_ANSI+ASIS+RIMS+RA.1-2015.pdf. Accessed 9 Oct 2021
Arena, Marika, Michela Arnaboldi, and Giovanni Azzone. 2010. The Organizational Dynamics of Enterprise Risk Management. Accounting Organizations and Society 35 (7): 659–675.
Arena, M., G. Azzone, E. Cagno, A. Silvestri, and P. Trucco. 2014. A Model for Operationalizing ERM in Project-Based Operations through Dynamic Capabilities. International Journal of Energy Sector Management 8 (2): 178–197.
ASIS. 2022a. ASIS SSE-2022a Senior Security Executive Standard. https://store.asisonline.org/senior-security-executive-standard.html?utm_source=email&utm_medium=email-ssestandard&utm_campaign=standards-guidelines&utm_content=2022-may. Accessed 4 Jun 2022
ASIS. 2022b. ESRM Maturity Assessment. https://www.asisonline.org/publications--resources/esrm/esrm-survey/. Accessed 11 Apr 2022b
ASIS Foundation. 2022. The State of Security Management: A Baseline Phenomenological and Empirical Study. https://store.asisonline.org/the-state-of-security-management.html?utm_source=newsletter&utm_medium=eurodynamics&utm_campaign=foundation&utm_content=2022. Accessed 11 May 2022
ASIS International. 2019. Enterprise Security Risk Management (ESRM) Guideline. https://www.asisonline.org/publications--resources/news/press-releases/asis-releases-new-enterprise-security-risk-management-esrm-guideline/. Accessed 19 Dec 2020
Aven, Terje. 2017. How some Types of Risk Assessments can Support Resilience Analysis and Management. Reliability Engineering & System Safety 167: 536–543. https://doi.org/10.1016/j.ress.2017.07.005.
Balugani, Elia, Maria Angela Butturi, Delroy Chevers, David Parker, and Bianca Rimini. 2020. Empirical Evaluation of the Impact of Resilience and Sustainability on Firms’ Performance. Sustainability (basel, Switzerland) 12 (5): 1742. https://doi.org/10.3390/su12051742.
Bank of England. 2021. Operational Resilience of the Financial Sector. https://www.bankofengland.co.uk/financial-stability/operational-resilience-of-the-financial-sector. Accessed 12 Apr 2022
BCBS. 2021. Basel Committee on Banking Supervision—Revisions to the Principles for the Sound Management of Operational Risk. https://www.bis.org/bcbs/publ/d515.pdf. Accessed 30 Jan 2022
BCBS. 2019. OPE Calculation of RWA for Operational Risk—OPE30 Advanced Measurement Approaches. https://www.bis.org/basel_framework/chapter/OPE/30.htm?tldate=20220224&inforce=20191215&published=20200327&export=pdf. Accessed 12 Jul 2022
Bernardo, Merce, Marti Casadesus, Stanislav Karapetrovic, and Iñaki. Heras. 2012. Do Integration Difficulties Influence Management System Integration Levels? Journal of Cleaner Production 21 (1): 23–33. https://doi.org/10.1016/j.jclepro.2011.09.008.
Bernardo, Merce, Maria Gianni, Katerina Gotzamani, and Alexandra Simon. 2017. Is there a Common Pattern to Integrate Multiple Management Systems? A Comparative Analysis between Organizations in Greece and Spain. Journal of Cleaner Production 151: 121–133. https://doi.org/10.1016/j.jclepro.2017.03.036.
Bernardo, Merce, Katerina Gotzamani, Fotis Vouzas, and Marti Casadesus. 2018. A Qualitative Study on Integrated Management Systems in a Non-Leading Country in Certifications. Total Quality Management & Business Excellence 29 (3–4): 453–480. https://doi.org/10.1080/14783363.2016.1212652.
Bharathy, Gnana K., and Michael K. McShane. 2014. Applying a Systems Model to Enterprise Risk Management. Engineering Management Journal 26 (4): 38–46.
Borodzicz, Edward P., and Steven D. Gibson. 2007. Corporate Security Education: Towards Meeting the Challenge. Security Journal 20 (2): 142. https://doi.org/10.1057/palgrave.sj.8350032.
Brooks, David J. 2010. What is Security: Definition through Knowledge Categorization. Security Journal 23 (3): 225–239. https://doi.org/10.1057/sj.2008.18.
BSI. 2014. BS 65000:2014 Guidance on Organizational Resilience. https://www.bsigroup.com/en-GB/our-services/Organizational-Resilience/#:~:text=Organizational%20resilience%20is%20defined%20by,order%20to%20survive%20and%20prosper%22. Accessed 15 Mar 2022
BSI. 2015. BS 11600 Security Management—Strategic and Operational Guidelines. https://shop.bsigroup.com/products/security-management-strategic-and-operational-guidelines/standard. Accessed 2 Nov 2021
Burnard, Kevin John, and Ran Bhamra. 2019. Challenges for Organisational Resilience. Continuity & Resilience Review 1 (1): 17–25. https://doi.org/10.1108/CRR-01-2019-0008.
Burns, Maria G. 2016. Logistics and Transportation Security: A Strategic, Tactical, and Operational Guide to Resilience. Boca Raton: CRC Press.
Calvo, Miguel Ángel Carmona and Miguel Ángel Rivas Zapata. 2010. Desarrollo De Un Modelo De Sistema Integrado De Gestión Mediante Un Enfoque Basado En Procesos. 4th International Conference on Industrial Engineering and Industrial Management: 1555–1564.
Central Bank of Ireland. 2021. Cross Industry Guidance on Operational Resilience. https://www.centralbank.ie/docs/default-source/publications/consultation-papers/cp140/cross-industry-guidance-on-operational-resilience.pdf. Accessed 8 Jan 2022
CMMI Institute. 2020. Capability Maturity Model Integration. https://cmmiinstitute.com/cmmi. Accessed 21 Mar 2022
Commonwealth of Australia. 2016. Organisational Resilience—Good Business Guide. https://www.organisationalresilience.gov.au/Documents/Organisational-Resilience-Good-Business-Guide.PDF. Accessed 29 Apr 2022
COSO. 2017. ERM—Integrating with Strategy. https://www.coso.org. Accessed 23 Feb 2022
Crump, J. 2015. Corporate Security Intelligence and Strategic Decision Making Taylor and Francis. https://doi.org/10.1201/b18399.
Dahms, Ted. 2010. Resilience and Risk Management—Dahms Argues that Compliance Against a Universal Set of Rules Reduces Resilience. Australian Journal of Emergency Management 25 (2): 23–28.
Dau, Luis Alfonso, Elizabeth M. Moore, and Max Abrahms. 2018. "Global Security Risks, Emerging Markets and Firm Responses: Assessing the Impact of Terrorism." In Contemporary Issues in International Business: Institutions, Strategy and Performance, edited by Davide Castellani, Rajneesh Narula, Quyen T. K. Nguyen, Irina Surdu and James T. Walker, 79–97. Cham: Springer International Publishing.
Deloitte. 2013. Exploring Strategic Risk: A Global Survey. https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Governance-Risk-Compliance/dttl-grc-exploring-strategic-risk.pdf. Accessed 12 Feb 2022
Denyer, David. 2017. Organizational Resilience: A Summary of Academic Evidence, Business Insights and New Thinking. BSI and Cranfield School of Management: 8–25.
Domingues, Pedro, Paulo Sampaio, and Pedro M. Arezes. 2016. Integrated Management Systems Assessment: A Maturity Model Proposal. Journal of Cleaner Production 124: 164–174. https://doi.org/10.1016/j.jclepro.2016.02.103.
Doo, Song Il. 2019. A Study on Legal Risk Under Enterprise Risk Management & Management System Centered on the Board of Directors. Journal of Hongik Law Review 20 (1): 651–684.
Duchek, Stephanie. 2019. Organizational Resilience: A Capability-Based Conceptualization. Business Research: 1–32.
European Commission. 2020. Directive of the European Parliament and of the Council on the Resilience of Critical Entities. https://ec.europa.eu/home-affairs/counter-terrorism-and-radicalisation/protection/critical-infrastructure-resiliance_en. Accessed 14 Feb 2022
Falasca, Mauro, Christopher W. Zobel, and Deborah Cook. 2008. A Decision Support Framework to Assess Supply Chain Resilience. Proceedings of the 5th International ISCRAM Conference: 596–605.
Federal Reserve Board. 2020. Agencies Release Paper on Operational Resilience. https://www.federalreserve.gov/newsevents/pressreleases/bcreg20201030a.htm. Accessed 10 Jan 2022
Feeney, David R. 2019. A Brief Guide to ESRM Implementation. https://www.asisonline.org/security-management-magazine/articles/2019/11/a-brief-guide-to-esrm-implementation/. Accessed 23 Feb 2022
Feeney, D. and Houchens, T. 2019. ASIS Guideline on ESRM: First Look. https://cdn.fs.pathlms.com/tPdFQJCwRVGYLJSUKzwA. Accessed 19 Jan 2022
FERMA. 2021. The Role of Risk Management in Corporate Resilience. https://www.ferma.eu/publication/the-role-of-risk-management-in-corporate-resilience/. Accessed 25 Apr 2022
Gartner. 2021. Definition of Operational Resilience—IT Glossary. https://www.gartner.com/en/information-technology/glossary/operational-resilience. Accessed 15 Mar 2022
George, Richard, and Rob I. Mawby. 2013. Security at the 2012 London Olympics: Spectators’ Perceptions of London as a Safe City. Security Journal 28 (1): 93–104. https://doi.org/10.1057/sj.2013.37.
Gibson, C.A., and M. Tarrant. 2010. A “Conceptual Models” Approach to Organisational Resilience. Australian Journal of Emergency Management 25 (2): 8–14.
Goosman, Ashley. 2022. Evolving Corporate Crisis Response Coordination for Maximum Resilience. Journal of Business Continuity & Emergency Planning 15 (3): 237–244.
Gould, Julie E., Cathy Macharis, and Hans-Dietrich. Haasis. 2010. Emergence of Security in Supply Chain Management Literature. Journal of Transportation Security 3 (4): 287–302. https://doi.org/10.1007/s12198-010-0054-z.
Gracey, Aaron. 2020. Building an Organisational Resilience Maturity Framework. Journal of Business Continuity & Emergency Planning 13 (4): 313–327.
Groenendaal, Jelle, and Ira Helsloot. 2020. Organisational Resilience: Shifting from Planning-Driven Business Continuity Management to Anticipated Improvisation. Journal of Business Continuity & Emergency Planning 14 (2): 102–109.
Hillmann, Julia, and Edeltraud Guenther. 2021. Organizational Resilience: A Valuable Construct for Management Research? International Journal of Management Reviews : IJMR 23 (1): 7–44. https://doi.org/10.1111/ijmr.12239.
Hirschfield, Alex. 2004. Inter-Relationships between Perceptions of Safety, Anti-Social Behaviour and Security Measures in Disadvantaged Areas. Security Journal 17 (1): 9–20.
IRM. 2022. A Risk Management Standard. https://www.theirm.org/media/4709/arms_2002_irm.pdf. Accessed 30 Apr 2022
ISO. 2013. ISO/IEC 27001:2013 Information Technology—Security Techniques—Information Security Management Systems—Requirements. https://www.iso.org/standard/54534.html. Accessed 21 Feb 2022
ISO. 2017. ISO 22316:2017. Security and Resilience—Organizational Resilience—Principles and Attributes. https://www.iso.org/standard/50053.html. Accessed 8 Feb 2022
ISO. 2019a. ISO 22301:2019a Security and Resilience—Business Continuity Management Systems—Requirements. https://www.iso.org/standard/75106.html. Accessed 22 Feb 2022
ISO. 2019b. ISO 31000:2019b Risk Management–Principles and Guidelines. https://www.iso.org/standard/65694.html. Accessed 22 Mar 2022
ISO. 2021. Annex SL (Normative) Harmonized Approach for Management System Standards. ISO/IEC Directives, Part 1. https://www.iso.org/sites/directives/current/consolidated/index.xhtml. Accessed 30 Apr 2022
ISO. 2022. ISO 28000:2022. Security and Resilience—Security Management Systems—Requirements. https://www.iso.org/obp/ui/#iso:std:iso:28000:ed-2:v1:en. Accessed 4 May 2022
Jore, S.H. 2019. The Conceptual and Scientific Demarcation of Security in Contrast to Safety. European Journal for Security Research 4 (1): 157–174. https://doi.org/10.1007/s41125-017-0021-9.
Kalia, Vinay, and Roland Müller. 2015. Risk Management at Board Level—A Practical Guide for Board Members, 2nd ed. Austria: Haupt Bern.
Kallenberg, Kristian. 2009. Operational Risk Management in Swedish Industry: Emergence of a New Risk Paradigm? Risk Management (leicestershire, England) 11 (2): 90–110. https://doi.org/10.1057/rm.2009.6.
Karam, E. and F. Planchet. 2012. Operational Risks in Financial Sectors. Advances in Decision Sciences
Labaka, Leire, Josune Hernantes, and Jose M. Sarriegi. 2016. A Holistic Framework for Building Critical Infrastructure Resilience. Technological Forecasting & Social Change 103: 21–33. https://doi.org/10.1016/j.techfore.2015.11.005.
Lalonde, Carole. 2011. Managing Crises through Organisational Development: A Conceptual Framework. Disasters 35 (2): 443–464. https://doi.org/10.1111/j.1467-7717.2010.01223.x.
Leflar, James J., and Marc H. Siegel. 2013. Organizational Resilience : Managing the Risks of Disruptive Events : A Practitioner’s Guide, edited by Marc H. Siegel Boca Raton: CRC Press.
Leo, Martin. 2020. Operational Resilience Disclosures by Banks: Analysis of Annual Reports. Risks (basel) 8 (4): 1–15. https://doi.org/10.3390/risks8040128.
Maier, Dorin, Astrid Fortmüller, Irmer Sven-Joachim, and Andreea Maier. 2017. Development and Operationalization of a Model of Innovation Management System as Part of an Integrated Quality-Environment-Safety System. Amfiteatru Economic 19 (44): 302–314.
McManus, Sonia Therese. 2008. Organisational Resilience in New Zealand.
Mehravari, Nader. 2013. Resilience Management through use of CERT-RMM & Associated Success Stories. In 2013 Ieee International Conference on Technologies for Homeland Security (Hst): 119–125.
Milkau, Udo. 2021. Operational Resilience as a New Concept and Extension of Operational Risk Management. Journal of Risk Management in Financial Institutions 14 (4): 408–425.
NIAC. 2010. A Framework for Establishing Critical Infrastructure Resilience Goals. https://www.dhs.gov/xlibrary/assets/niac/niac-a-framework-for-establishing-critical-infrastructure-resilience-goals-2010-10-19.pdf. Accessed 21 Nov 2021
Nkurunziza, Annie Seilla. 2021. A Framework for Cybersecurity Risk Management: A Case of ICT SMEs in Nairobi, Kenya. Doctoral Dissertation, United States International University-Africa.
Ogrean, Claudia. 2018. Integrating Resilience and Sustainability into the Core Organizational Strategy—Is it Possible Or Imperative? Economic and Social Development: Book of Proceedings: 526–536.
Petruzzi, J., and R. Loyear. 2016. Improving Organisational Resilience through Enterprise Security Risk Management. Journal of Business Continuity & Emergency Planning 10 (1): 44–56.
Proença, Diogo, and José Borbinha. 2016. Maturity Models for Information Systems—A State of the Art. Procedia Computer Science 100: 1042–1049. https://doi.org/10.1016/j.procs.2016.09.279.
Proença, Diogo and José Borbinha. 2018. "Information Security Management Systems—A Maturity Model Based on ISO/IEC 27001."Springer International Publishing, Systems.
Saunders, W.S.A., and J.S. Becker. 2015. A Discussion of Resilience and Sustainability: Land use Planning Recovery from the Canterbury Earthquake Sequence, New Zealand. International Journal of Disaster Risk Reduction 14: 73–81. https://doi.org/10.1016/j.ijdrr.2015.01.013.
Settembre-Blundo, Davide, Rocío González-Sánchez, Sonia Medina-Salgado, and García-Muiña E. Fernando. 2021. Flexibility and Resilience in Corporate Decision Making: A New Sustainability-Based Risk Management System in Uncertain Times. Global Journal of Flexible Systems Management 22: 107–132. https://doi.org/10.1007/s40171-021-00277-7.
Shetty, S., M. McShane, L. Zhang, J. P. Kesan, C. A. Kamhoua, K. Kwiat, and L. L. Njilla. 2018. Reducing Informational Disadvantages to Improve Cyber Risk Management†. Geneva Papers on Risk and Insurance: Issues and Practice 43 (2): 224–238.
Standards Australia. HB 167–2006—Security Risk Management. https://www.standards.org.au/standards-catalogue/sa-snz/publicsafety/ob-007/hb--167-2006. Accessed 25 Jan 2022
Stephenson, Amy Victoria. 2010. Benchmarking the Resilience of Organisations. Department of Civil & Natural Resources Engineering: University of Canterbury.
Trucco, Paolo, and Boris Petrenj. 2017. Resilience of Critical Infrastructures: Benefits and Challenges from Emerging Practices and Programmes at Local Level, 225–286. Dordrecht: Springer. https://doi.org/10.1007/978-94-024-1123-2_8.
White, Adam. 2013. The Impact of the Private Security Industry Act 2001. Security Journal 28 (4): 425–442. https://doi.org/10.1057/sj.2012.53.
Xiao, Lei, and Huan Cao. 2017. Organizational Resilience: The Theoretical Model and Research Implication. ITM Web of Conferences 12: 4021. https://doi.org/10.1051/itmconf/20171204021.
Zeng, Sal X., Vivian W. Y. Tam, and N.. Le.. Khoa. 2010. Towards Effectiveness of Integrated Management Systems for Enterprises. Inzinerine Ekonomika-Engineering Economics 21 (2): 171–179.
Zeng, S.X., X.M. Xie, C.M. Tam, and L.Y. Shen. 2011. An Empirical Examination of Benefits from Implementing Integrated Management Systems (IMS). Total Quality Management & Business Excellence 22 (2): 173–186. https://doi.org/10.1080/14783363.2010.530797.
Funding
This paper has been supported by Project PID2021-124641NB-I00 of the Ministry of Science and Innovation (Spain).
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
On behalf of all authors, the corresponding author states that there is no conflict of interest.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Marquez-Tejon, J., Jimenez-Partearroyo, M. & Benito-Osorio, D. Integrated security management model: a proposal applied to organisational resilience. Secur J (2023). https://doi.org/10.1057/s41284-023-00381-6
Accepted:
Published:
DOI: https://doi.org/10.1057/s41284-023-00381-6