
Structuring IS framework for controlled corporate through statistical survey analytics



The Pharma Engineering Manufacturers are an evolving sector in terms of its high-profile operations, richness of data and ever-increasing research in their field. With such bounty, its workflow in terms of information and data management is ever-changing and demanding, in order to keep up with market best practices and to avoid uncertainties in information management. In furtherance of such a stance, this paper studies a Controlled Corporate. The Parent company has its own Information Security Management System (ISMS), but the highlight sought here is how well the Parent’s ISMS is being translated into its newly established Subsidiary operations. In present parlance, most of the company’s information is transmitted through digital channels, thereby making the Information Technology (IT) department in the organization more active than before. Considering these, the study is first directed at learning how similar peers behave in terms of their IS (Information Security) management, via analytical surveys. These findings are then presented with a strong theoretical base (global best practices like the ISO/NIST frameworks) to consider the attributes needed for imputing a proper IS Framework for the Controlled Corporate operations.

Introduction & literature learning

A German-based Pharma Engineering company that has its presence in three different continents specializes in machine making and customized services to its customers; it is strengthening its control in Data and Information Security. This study directly examines the lines of control: how the Parent Company or the Head Office plays a role in the Subsidiary IT controls and how effective it has been in doing so. Moreover, the paper tries to justify and compare, through an empirical study, how the IT controls of companies with similar operations in the engineering sector have a role to play in designing and effectuating a control mechanism for the company subsidiary taken into consideration. Company X (the name is not disclosed for security purposes), which specializes in producing and marketing machines, is studied for this purpose. This company has integrated peripheral equipment for measurement, control, regulation, analysis and documentation of results. The machinery produced is basically used for the production of consumer products. The industries which act as the customer base for the machinery produced are pharmaceuticals, chemical applications, food and beverage products, and technical applications including batteries and electronic parts. The wide-flung operations of the company are spread across the continents of Europe, Asia, and America. Here the company intends to establish an emphatic control mechanism in terms of Information Technology and its Security across its establishments. For the above-said purpose, the study is directed to first understand what IT Security means to a machine manufacturer and what its special engineered consideration requirements are.
For the Parent company, it is imperative that the targets of business services are met in and through IT to maximize profits; in the case of the Subsidiary, the requirement is uninterrupted services and support when the functions of IT are not decentralized from the Head Office.

Research objectives

In a newly established subsidiary operation, it is crucial to identify information security risks and their control measures. What are the ways and means through which these could be implemented, with technology assessments within the organization, for effectiveness?

  a) Initially understanding the existing internal business case model and its approaches.

  b) And then, by viewing the integration of a best-fit standard model, enhancing the security governance of the organization?

  c) Will this case model study give an empirical view of Information Security design, functionality, operations, and management of the company chosen (machine manufacturer subsidiary) in comparison with similar peers, and help it in its march towards attaining ISO 9001 certification for the subsidiary?

On basis of the objectives, the observable outcomes in the form of results for the subsidiary should be:

  1. Information security responsibilities to be well defined and directed.

  2. Information security to be well integrated into company projects and operations and ensure information security risks identification and treatment.

  3. Security governance and management are well directed and purposed for business effectiveness and continuity of operations.

The next question is the employment of an empirical model: how are the technicalities of the information security implementation, and the fundamental theories, models, and practices of security management in an enterprise, laid out? It starts with an understanding of the security properties, specifically Confidentiality, Integrity and Availability, otherwise known as the CIA, and the broader or extended security properties or services, which also include Authenticity and Access Control (Anderson 2008). Confidentiality is a set of rules that limits access to information. It is (roughly) equivalent to privacy. Integrity is all about making sure that data is consistent, accurate and trustworthy, and that no modification or alteration by an unauthorized entity has taken place while the data has been in transit. Availability is to keep the system correctly functioning at all times for legitimate users. Authenticity is not a fundamental service in the CIA model, but it is of the utmost importance when it comes to open systems. It is of paramount importance that we highlight it here, as any secure communication needs it. Access control is the traditional ‘centre of gravity’ for computer security. Its function is to control which principals have access to which system resources (Tipton and Nozaki 2007). Having put up the fundamentals of information security, we now have to see how the operation is to be administered from the Parent company towards its Subsidiary.

Operating complex group structures only serves to magnify the additional governance and compliance burden and comes at a time when resource has never been more constrained, meaning that governance functions are having to deliver more for less; exercising effective subsidiary security governance and robust secure entity management can help to achieve this (PwC India article 2013).

Structure of study

To delve into the security influence more thoroughly, the paper evaluates in multiple dimensions, including subjective and descriptive pointers. By using the right population for the study, we validate and test the theoretical model by identifying gaps for an effective Information Security implementation in the Subsidiary. This study is largely based on the members of an Engineering sector association based in India. This association works mainly as a bridgehead between the German and Indian Engineering Industry. So, the universe population of members similar to the case of the studied Company X is currently 300 in number (VDMA India article 2019). Of this, a representative sample of 64 members is taken up for study. The integrated study model is valuable for understanding information security compliance in a more holistic manner, along with the risk attributed to it (Herath and Raghav Rao 2009). Hence we begin the paper with a review of the current position of Company X in terms of information security, both at the Parent and at the Subsidiary level. This is collated with the relevant literature in order to lay the theoretical foundation for developing an integrated theoretical model for testing the information security aspects. Following this, the results of the survey are produced with mixed-methodology (both qualitative and quantitative) analysis to see how well the peers in the engineering sector perform in their Information Security.

Literature learning

The base work and the understanding gained through literature for the research are done through compartmentalization of topics relevant and ascribable to the respective domains. It starts with the latest advancements in the relevance of IT and its security practices and the virtual environment, along with the controls prescribed to be placed in and around the computing techniques. This is also read with the global market-relevant frameworks widely used and practiced in the corporate set-up.

  • Understanding the Business: First and foremost, it starts with understanding the business context and the company objectives. The fundamental elements on which the company operates are maintenance of quality standards for the satisfaction of the customers, and data security and protection. The value which the company attributes to data protection is evident from its representation in the management policy, which reads as below.

“Data protection plays an important role in corporate structure at Company X. Preservation of personal rights, compliance with statutory requirements for data protection, and data security are fundamental elements of our company. The corporate goal is to collect data, minimize misuse of data, maintain data protection, and provide policy transparency to end-users. The principle of data avoidance, data minimization and protection are important corporate targets. All technical and organizational requirements are in accordance with the existing Data Protection Laws.” (Stephen 2018)

Given the above objectives on data protection, the related works in the field of security administration in corporates, for both physical and logical operations, are studied to come up with findings and gaps in relation to the case-studied organization.

  • Studies on IS Behaviour: In the first work, the authors set out the outcomes of compliance and noncompliance with the security measures in the corporate set-up, and the beliefs that influence them, in order to draw a rational theory out of it. They emphasize Rational Choice theory, whereby the individuals in the organization base their attitude and behavior towards technology and safety on decisions that cut across IS and investment. Through this, the individuals in the organization try to strike a balance between security investment and cost. To conclude, attitude plays a major role in determining the intentions towards ISA (Information Security Awareness). The authors tried to establish this through data collection and analysis of a structured model test, to prove that the attitudes of individuals govern intentions and behavior and thereby influence the systems for change. From this it can be understood and accepted, to an extent, that though systems may get updated or adopted to the latest trends, eventually it is the individual’s attitude, and their impact through cultural syndromes, that also governs behavior in a corporate set-up (Bulgurcu et al. 2010).

In the next exploratory study, the authors aim at an empirical description of what information privacy is. They started the work by exploring the various disciplines which touch on this concept, like economics, law, psychology, etc., and then tried to define privacy through context-based definitions, drawing parallels with privacy, secrecy, confidentiality, transparency, etc. They have tried to ascribe different types of information to various levels of usage and relate them to the term privacy, so that information privacy in a macro-model setup will influence and direct decision-makers at various strata of operations. Through this paper, the attributes and the types of privacy applications and implications are drawn in parallel for the research work (Jeff Smith et al. 2011).

  • IS context in Parent & Subsidiary: The next pertinent point is how the information assets are classified and how the exchange of information is done between the parent and the subsidiary. Not only this, the role of third parties in relation to each of the parent and the subsidiary is to be contemplated when outsourcing of services is done by the organization (like cloud management). For this, the authors say that “The organizations should proactively manage this electronic or ‘eBusiness’ risk associated with these relationships by driving through the State and Federal regulations, industry standards and customer pressures. Investors, regulators, and customers must have assurance that the businesses understand and manage the risk associated with housing and exchanging critical information assets” (Christiansen et al. 2014). This being utterly true, the size of the business and the nature of the information transacted should also be studied before attaching risks to the operations of the subsidiary businesses and their information exchange.

Yet another important and crucial aspect of IT Security is Governance. The involvement of the Executives and the Board, right from the identification of information assets and risks to change planning, IT alignment, IT operations and monitoring, are typical principles for the effectiveness of the system. According to the author studied, business strategy is in alignment with IT when the goals, activities, and processes of a business organization are in harmony with the information and the systems which support it. He proposes three alignment principles for model operations in governance: a governance model is to be laid down, an alignment evaluation is to be done, and for misaligned parts of operations, activities for evolution are to be identified (Aversano et al. 2012). With the models being prescribed, one of the challenges relative to today’s context is consistency in operations and consideration of legal entities. These being governance-related issues, far more consideration is required in a proactive manner by both the parent and the subsidiary (PwC India article 2013).

  • Best Practices Frameworks and Governing Principles: This section deals with the widely practiced frameworks on ISMS across companies in the manufacturing sector. A detailed overview of the applicable frameworks, and how the industry incorporates them for usability, is projected here. The ISMS as per ISO/IEC 27001:2013 helps to detect security control gaps and at best prevents security incidents or at least minimizes their impact (ISO/ IEC 27001 2013). The implementation of an ISMS in accordance with the international standard is a very complex subject which includes many activities and resources and can span a long period of time. ISO 27001 is to be read with ISO 27003:2017 (ISMS implementation) (ISO/ IEC 27003 2017) and ISO 27005:2018 (Information Security Risk Management), which support the concept of ISMS in ISO 27001. ISO/IEC 27005 is based on the generic ISO/IEC 31000 Risk management: Principles and guidelines. The ISO/IEC 27005 standard also closely correlates with the US NIST SP 800-39 Managing Information Security Risk, which was developed for the USA. ISO/IEC 27005:2011 does not cover organizational risk, whereas NIST SP 800-39 does (ISO/ IEC 27005 2018a).

These standards are deliberately broad in scope, covering more than just privacy, integrity, confidentiality and IT/technical cyber security issues, and are applicable to and used by organizations of all shapes and sizes. Companies are encouraged to assess their information risks so that they can then treat them (typically using information security controls) according to their needs, using the guidance and suggestions as part of internal controls wherever relevant (Gayko and Fan 2018). Because of the dynamic nature of information risk and security, the ISMS concept incorporates continuous feedback and improvement activities to respond to any given organisation’s changes in threats, vulnerabilities or impacts of incidents. On these lines, if one has to see how to move from ISO standardization to customization of best practices, the emphasis should be on making an assessment with clear roadmap principles for the development of organizational momentum. This has to be done via the risk assessment principles called in through ISO 27005 and ISO 31000. Through this, proper alignment of risk and security compliance principles can be achieved for illuminating change, in turn bringing the organizational operational strategy in line with the overall strategy.

Continuing so, ISO 31000: Risk Management Approach (ISO/ IEC 31000 2018b) says that risk information should be captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities. It ensures that the information security management system and security policies continue to evolve and adapt to changing risk exposures through the risk management framework.

COBIT 2019 (Control Objectives for Information and Related Technologies) is primarily for the implementation of IT Governance (COBIT ISBN 978-1-60420-763-7 2019). This model has a two-stage implementation in the realm of industrial practice: one at the governance level and the other at the management level. The first is to Evaluate, Direct and Monitor business risks, and the second is to Plan the activity, Build a plan, Run and also Monitor the same. COBIT provides much less guidance on precisely “how” things must be done in comparison to the ISO standards, which are much more detailed (Mataracioglu and Ozkan 2011). Also, COBIT is more targeted at companies that have already implemented an ISMS, whereas this case study is directed at implementing an ISMS for the controlled corporate, which is still in the nascent stage of operations in terms of ISMS. For that reason, the COBIT 2019 model is not called in for consideration in this piece of work.

The NIST Cyber Security Framework basically suggests a set of activities to be done to achieve a group of outcomes (NIST 2018). These outcomes are basically the requirements defined by the organization’s stakeholders and customers. Some of the commonly known outcomes on the ground of IS are more reliable services, more transparency, responsiveness of IT to business, confidence of top management and higher return on investment (NIST 2018). To see how well the organization aligns itself with the procedures and implementation, the framework has come up with something called implementation tiers. By this, NIST states ranking stages by which a company’s position on cybersecurity risk management and operational risk management is to be regarded. Figure 1 shows that the higher the tier level of the organization, the higher the sophistication and maturity of the organization in cybersecurity.

Fig. 1: NIST Framework Implementation Tiers

From the tiers projected, the next step is to see how the security concerns within the organization are to be modeled and viewed, and to check where the case-studied company stands in terms of its work.

Considering the above, the stages of work and the standards which support these processes would be ISO 27001/27003/27005/31000 and NIST 2018. Having narrowed down to these standards, which are widely prevalent in the manufacturing sector, let us now consider their usability and what justifies their use in the current work. To start with, the one reason for not using COBIT in this model study for IS is that it is not always detailed enough to answer the control objectives of this study as to “what must be done” (Mataracioglu and Ozkan 2011). That being said, the ISO 27001 principles, as defined by the implementation process of ISO 27003, with a specialized focus through the risk management of ISO 27005 and 31000, direct the study to the controls of industry-specific requirements like manufacturing. Further, the NIST framework systematically identifies cyber-physical vulnerabilities and analyzes their potential impact in intelligent manufacturing systems (DeSmit et al. 2017). If this sector needs more reasons for ascribing the above models, the one and main reason is quality assurance for the end-user. Producing products with ISO certifications or customer-specified standards helps to ensure that the end-user will remain satisfied over a long period of time. ISO helps to keep costs down for the end-user. Manufacturing errors increase costs across the board, which ultimately get passed on to the consumer. Low-quality products that break and need to be repaired or replaced decrease the overall value while increasing maintenance costs. When the quality and security standards are met, process-level efficiency improves, which ultimately takes care of customer satisfaction improvements. The size and geography of the companies using these standards are not a barrier, because the standards are global in approach and apply to all industries and corporate sectors which strive for continuous improvement and seek a long-term standing in the market.

Context of Engineering and Information Security (IS)

This section specifically deals with two major purviews. The first is what IS means to the engineering sector entities in the current realm, and the second is where Company X stands in terms of its present controls and position when it comes to data handling and protection measures.

Engineering Sector view on IS

Here the main focus is the relevance of information or cybersecurity, particularly in terms of the machine manufacturing industry for pharmaceuticals. There has been an increase in cyber attack incidents felt across sectors. IT and cybersecurity are not just about a single component; they facilitate an entire cyberspace in which packaging, filling or media supply systems are interconnected and share data with each other. In recent times, pharmaceutical manufacturers’ data are stored in distributed data centers, i.e. cloud data centers, rather than on a single computer. If the internet or intranet is connected in some way with the manufacturing process, then IT and cybersecurity threats will also affect the manufacturing processes (Mettler 2019). But it does not stop there: hackers also target companies for their rich profiles of data. Today companies are moving from analog processes to digital processes. In such a case, most of the information processed for manufacturing is machine-read, integrating machine learning and the use of artificial intelligence with big data analytics (Zarreh et al. 2018). All this, with increased data warehousing, gives hackers a thriving ground to launch a security attack. Before we get to know how the manufacturing sector tends to protect itself from exposure, let us consider the major risks which this sector foresees in this digital age.

According to a study conducted, the top impending challenges faced in the manufacturing/engineering sector are detailed as: cybersecurity breaches, Intellectual Property (IP) theft or industrial espionage, disruptive innovations, skill gaps or talent gaps, booming competition and regulatory issues (Kassner 2018). In seeing how these types of risks relate to the processes of the company, we then have to consider the latest techniques which companies follow within their systems today.

To start with, within the industry of pharma engineering, one of the attractive concepts today is Virtual Reality (VR), which companies seek to apply to enhance communication and disseminate information. Working in the 3D model, the users navigate through the model and interact with the components of the machines, which can also be made available online for testing purposes (Dinis et al. 2018). Here again, there is another interesting concept on similar lines called Augmented Reality (AR). In the case of AR, the users not only see the visual information and interact with it, but can also participate in it by using the necessary text and audio information about workplaces, parts and work conditions (Novak-Marcincin et al. 2013). The next great resource in the business world through technology is Big Data. With this, business decisions are made by corporates. It is through the development of smart, better and data-driven real-time information, translated into decisions through Big Data. It is a thriving ground through which the organization networks to gather, process, filter and distribute analyzed data. It acts as a liaison resource to make both informed and uninformed business decisions today (Fadiya 2017).

Next is the concept of Cloud Computing. This is one of the grey areas in terms of IS management. The remote monitoring and maintenance of IT system services used by manufacturing companies can represent a security loophole. This is mainly seen with the increasing implementation of service-oriented concepts in the manufacturing sector and is widely witnessed among SMEs (Small and Medium Enterprises) (Mettler 2019). Remote processes in the manufacturing industry use cloud solutions via the cloud infrastructure of IT service providers that operate computing centers. This enables the cloud systems to access factory resources and systems in a standardized way (Stock et al. 2014).

Another interesting and important concept when it comes to the manufacturing sector is Energy Efficiency (EE) through IoT (Internet of Things). This business-critical concept connects various physical objects using electronic sensors and the internet. Monitoring is achieved by metering the energy consumption and getting real-time data. This brings in best practices within the system, by which energy managers can take actions to eliminate possible energy wastage in the manufacturing operations (Tan et al. 2017).

All of the above are various forms of Artificial Intelligence (AI) applied in manufacturing, which are a significant contributor to the productivity boost needed to bring the projected growth to the company. The various kinds of AI techniques drive innovation, transformation and productivity through optimization, throughput, discovery, decisions, and creations, with undeniable exposure to breaches (Manyika 2017).

Position of the Case Studied Company

It has been observed that the management and control of the IT operations of the subsidiaries are from the centralized parent organization, through virtual systems positioned in Germany. The company being in the Pharma Engineering industry as a machinery manufacturer, it operates in domains like Mechanics, Software, Machine Design, Electricals, customized Operational Interfaces, and Machinery Documentation. This industry is one of the highly regulated industries; a major governing standard for it in terms of Data Security is the Medicines and Healthcare Products Regulatory Agency (MHRA) GMP (Good Manufacturing Practices) Data Integrity Definitions and Guidance for Industry, March 2015, and its revised draft, GXP Data Integrity Definitions and Guidance for Industry, July 2016.

The data management policy states that “The data governance should be integral to the Industry quality system.” The approach to managing data should be commensurate with the risks to safety and product quality in the event of a data integrity lapse. In order to manage data effectively, companies will need to develop and implement policies, procedures, training curricula and validation guidelines surrounding data management and security (Ranganathan and Coronado 2019).

In line with some of these requirements, the crucial domains of IT Security are handled by the parent company (server management, backup management and access management, to name a few) on behalf of the subsidiary. Currently, the subsidiary is not in possession of any written-down documents for intellectual and physical security management. Some of the current IS practices undertaken by the studied company in its subsidiary set-up are as below.

Security responsibilities through Segregation of Duty (SOD) are assigned among the participants of the system. Asset prioritization and management for operations are under the control of the Head Executives. In terms of information controls, the Company exercises Non-Disclosure practices amongst its insiders and third parties. IS awareness and training are in the development stage, with general compliance. Database access, including storage medium management, is restricted to authorized personnel only. Access policies for hardware are yet to be defined, and disaster management is on the timetable for future functional implementation. Virtual changes in business domain operations should be grouped and defined (Sim et al. 2009). But the question in this company’s case is who will be the owner and possessor of such changes (whether the parent or the subsidiary), and where they will be documented and maintained.

Some of the company’s present technologically challenging projects are in the facets of AR, Digitization and AI. It plans to control some of its machines’ functionalities hands-free and voice-controlled within a defined security operation area. The Parent has ambitious outlays on the one hand, while on the other its Subsidiary is on the way to implementing its ISMS. The forthcoming sections describe how this process should be channeled within the group for effectiveness.

Research methodology and techniques

In this work, both qualitative and quantitative analysis, or a mixed integrated approach, is adopted to have an embedded holistic approach in a single case study model. In integrated designs, the targeted domains are grouped for synthesis not by methods but rather by findings, viewed for answering the research questions (Sandelowski et al. 2006). The qualitative component sheds additional light on the quantitative component, thereby providing further understanding of all the criteria or objectives used to judge this article. The field of mixed methods would benefit from additional research on the perceived value of mixed methods, where the perceived value here stands for the abstracting of best ideas or practices through analysis. With mixed study as the strategy of inquiry, through a field experiment via survey, the case study adopts practices like:

  • Posing research questions

  • Doing the sample study

  • Instrumentation of the data collection methods

  • Having the units for analysis

  • Strategical analytics

The critical evaluation of this research is for qualitative methods to address “process” questions and for quantitative methods to address “outcome” questions (Yin 2006). The data collected has been mainly primary data, obtained via survey and interviews.

  • Sample Size & Data Collection: The sample of 64 members is determined on a statistical random basis from the given population of 300 Association members, representing about 21% of the total population.

  • Data Validity & Reliability: A major part of the research project is focussed on information gathered from primary sources, hence uncertainty about data validity would not be present for the work done. Further, the data are sought directly from the persons who are engaged as owners of such operations, hence credibility is well intact.

  • Relevance & Applicability: In social science research, the mixed integrated design is not an uncommon phenomenon for application. Based on the research questions sought, not all research results can be interpreted quantitatively. Hence, converging both objective and explanatory methods, a sequential design has to be arrived at. Moreover, as this paper embeds both manners of design based on the broad objectives set initially, relevance and application in terms of each methodology is now ascribed through mapping of the research objectives.

  • Qualitative Approach: Broadly this can be segregated into two kinds, the Inductive and the Deductive approach. In the Inductive method, it is narrowing down from the broad base to an indication point of inference, whereas in the Deductive approach the work starts from a particularly significant point and then tries to cover its avenues and borders of influence (Jerman-Blažič et al. 2008). The qualitative methodologies used in this research are described below.

This particular methodology is applied for one objective under this study, where the mode of application is basically deducing a business process for effective management controls. Elaborating on the same lines, the narrative approach reads concepts and models together with data to illustrate how more than one individual and their stories come together to form a cohesive theory (Griffiths 2013). An extended version of this is the segmented narrative model, where, based on the surveys conducted, the whole persona is segregated into relative segments according to the sub-domain objectives of the research question, to form a condition and fulfil the requirements arising out of it. The next is Grounded Theory. The crux of this method is that evidence collected from various sources is collated in an open, interactive way under the identified themes (Hafez 2015). Basically, grounded theory works on the principle of behavior of the collated responses, where such a narrative exemplifies the common ground of actions which are repetitive, to frame a theory of practice out of it. The themes or events recorded during the data collection are then put together to form a theory out of the data.

  • Quantitative Approach: The model adopted for analysis is Multiple Regression (MR), because in social science regression is the preferred, versatile and popular choice. It is basically a model realization of Analysis of Variance (ANOVA). It allows researchers to know the strength and the nature of the relations between the variables selected for the study, particularly between more than one independent variable and a dependent variable (Illowsky and Dean 2018). It works on the concept of coding the variables undertaken for the study. Being a numeric-based study, the coding here refers to the variables, which are in turn derived from the responses of the population to the research questions. With these coded variables in hand, it works to find the relation/effect of one variable on the other. Usually, in simple regression, there is only one predictor variable and one dependent variable, but in MR the advantage is that more than one predictor variable can be used to explain the outcome of the dependent variable. The simple regression formula is calculated as:

$$ Y = a + bX_{1} $$

But when this formula is extended with more predictor variables in the MR model, one gets the following regression equation:

$$ Y = a + b_{1}X_{1} + b_{2}X_{2} + \dots + b_{n}X_{n} $$

where Y is the predicted value or the dependent variable, X_1 is the value of the first predictor variable, and X_2, …, X_n are the values of the n predictor variables. MR analysis can reveal how sets of variables are related to each other but cannot prove the causal relations among variables (Urdan 2011). This is one of the arguments of the authors studied, but in practice the three main advantages of MR analysis, proved time and again, for ascribing this model to the study are:

  1. causal analysis,

  2. forecasting an effect, and

  3. trend forecasting.

Accordingly, this paper adopts this model for making objective judgments from the correlative behavior of the variables for the research questions. Other than correlation analysis, which focuses on the strength of the relationship between two or more variables, regression analysis also identifies the strength of the effect that the independent variables have on a dependent variable.

The analysis starts with framing a Null Hypothesis, which assumes that there are no relations between the variables involved. An important accompanying assumption is the absence of multicollinearity, that is, the independent variables are not related among themselves. The hypothesis is then tested to establish whether an Alternative Hypothesis (as applicable) holds and the Null Hypothesis should be rejected. In this article the data/variables are sought through open-ended questions, hence the uniqueness of the coded variables and their aptness in relating changes to the dependent variable can be well brought out in this model, to find how the causal relationships occur between them.

  • Additional Insights: Having gone through the validation techniques, it is now time to show how these data collection and research approaches relate to the work intended. As read so far, the work is focused on the study of IS controls in an organization in line with market best practices, to form a constructive opinion and recommend the same for a controlled corporate. For this, the variables in the study are the best-practised internal controls in the organization, which represent the role of, or need for, standardized practices in an organization (Dobre et al. 2012). The conceptual model of MR here steps in to identify the classes of transactions or events that generate the internal controls for significant operations and disclosures. It helps to understand the client’s control environment, in which the leaders engaged provide values for the controls placed, based on their professional judgment of the day-to-day IS operations. This is done prior to applying the MR formula through analytics. On applying the MR analysis, the independent variable would be the IS internal control. There are many ways to evaluate internal control, such as a questionnaire survey or an internal control evaluation system based on internal control objectives (Wang and Guan 2017); through this MR methodology, however, the model coefficients obtained give a percentage showing the impact upon the company of the IS controls working. This complements the qualitative analytics and explanations, where no numerical values are ascribable to the controls placed by the organization.

Inference & comparison of results for control framework

This section first projects the major problems faced in general by this sector, especially in terms of cybersecurity or IS. Following this, the research shows the results of the survey conducted under the various domains.

Manufacturing is at risk of cyberattack because of:

  • Lack of investment in cybersecurity, particularly when compared with the finance sector, where security is prioritized.

  • Increased security investment by primary targets such as banks and tech companies, meaning manufacturing and other sectors are now considered easier targets.

  • Manufacturing companies becoming collateral damage when unintentionally caught up in ransomware attacks such as WannaCry and NotPetya.

  • Increasing use of IoT devices that often have poor security (such as default passwords) and can provide a foot in the door for cybercriminals.

  • Manufacturing companies warehousing data that is of interest to cybercriminals.

  • Lack of cybersecurity awareness and adequate staff training.

  • Vulnerabilities throughout the supply chain wherever suppliers/insiders have remote access to systems (Staff Writer-Thomas Industry Update 2019).

With these problems in hand, the standards studied in Section 3 are now collated to form a formulated guidance, depicted in Fig. 2. With this formulated guidance laid out, it is then aligned to the outcomes of the research objectives. The eight principles shown in Fig. 2 as best practices are aligned to the empirical study objectives as listed below.

  • Current context and management role-playing are tested under Objective 1 - IS responsibilities: whether defined and directed

  • Principles like assessment of processes, risk management and implementation of IS are taken under Objective 2 - IS integration through Risk Identification and Treatment

  • Indicators of training, monitoring and business continuity are tested under Objective 3 - IS Management for business effectiveness

Fig. 2

Formulated Guidance

With the alignment in place, the initial inferences or hypotheses are now drawn for the work. Following majorly the MR approach, the research requires a hypothesis as the start point, otherwise called the Null Hypothesis. Here it is assumed that:

$$ H_{0}: \beta_{1}=\beta_{2}=\dots=\beta_{n}=0 $$

meaning the above model/objectives are not a good fit when the Null Hypothesis assumes, or is represented with, all values being 0 (Hogg et al. 2005). To refute this hypothesis, at least one variable should be different from zero, forming the Alternate Hypothesis:

$$ H_{A}: \beta_{i}\neq 0 \quad \text{for at least one } i $$

Following this, the equation arrived at would be:

$$ Y_{i} = \beta_{0} + \beta_{1}X_{1} + \beta_{2}X_{2} + \dots + \beta_{n}X_{n} + U $$

Here the β values are meant as the Beta risk, and these constants together with the predicting variables combine case-wise to arrive at the predicted variable (Y) (Hogg et al. 2005). Having seen the possible mathematical representation of the results, the Null Hypotheses are now stated at the start, followed by the results and their interpretation, to check whether the Null Hypothesis gives way to an Alternate Hypothesis or not.

  • Null or Initial Hypothesis:

  1. IS responsibilities being well-directed and defined have no relationship with the business case model.

  2. IS risk management and integration into the company operations are not related to the compliances of market best practices.

  3. IS governance and management for business effectiveness have no relationship with the current IS design and functionality of the organization.

It is time to check the results of the analysis done objective-wise. The observable outcomes are also verified for the work. The work, which started with the collection of data from similar peers in the Pharma Engineering sector, showed the following results in terms of the size and the type of the sample represented, brought out in Figs. 3 and 4.

Fig. 3

Type of the Population

Fig. 4

Size of the Population

Having understood the general attributes of the population, the objective-wise results are given below.

  • Objective 1: IS responsibilities, whether defined and directed. It starts with the research question of how crucial the IS risks and their control measures are for the subsidiary set-up. To answer this question it is required to verify the outcome by first checking whether the IS responsibilities are well defined and directed. For this representation the MR model was selected, using the SPSS (Statistical Package for the Social Sciences) tool to run the regression and arrive at results. For the actual interpretation, Figs. 6 and 7 give the Model Summary, the ANOVA and the Coefficients tables. Before interpreting the numbers, the assumptions identified for this objective are:

  1. SOD (Segregation of Duty) in IT is controlled by factors like the number of IT staff, IT asset value, presence of a Steering Committee and number of employees exercising the security controls of the organization (Objective 1.1, Fig. 6).

  2. Authorization & Authentication (AA) in IT are controlled by the same factors: the number of IT staff, IT asset value, presence of a Steering Committee and number of employees exercising the security controls of the organization (Objective 1.2, Fig. 7).

These two attributes together verify the outcome of Objective 1. For the interpretation of Fig. 6, one can ask whether the predictors contribute significantly to the occurrence of the dependent variable SOD; the answer is affirmative. The adjusted R square (R²) value, taken from the Model Summary table, is the starting point for interpreting the MR model. In Fig. 6 the value is 65%, meaning the predictors contribute 65% towards determining the SOD controls in the organization.

In the case of Fig. 7, the predictors contribute 73% to determining the AA controls in the organization. The next verification check for the MR is the P-value (α) significance (Sig.) shown in the ANOVA table, which should be less than 0.05. In Figs. 6 and 7 the P-values shown are < 0.05, meaning the regression run contributes significantly to the assumptions made. The decision rule is:

P-value ≤ α: The data do not follow the specified distribution, so reject the Null Hypothesis.

P-value > α: One cannot conclude that the data do not follow the specified distribution, so the test fails to reject the Null Hypothesis (Huber 2011).

Lastly, the Coefficients table in Figs. 6 and 7 gives the values of β (Beta), Standard Error, T-value, P-value significance, Tolerance level (the inverse of the VIF, Variance Inflation Factor) and the VIF itself. The notable columns of this table are the P-value and the VIF.

The P-value (α) is the statistical significance, often reported as Sig. or simply p (short for “probability value”) in research papers. The VIF quantifies the extent of correlation between one predictor and the other predictors in the model. It is used for diagnosing collinearity or multicollinearity (Cohen et al. 2014). The VIF for a variable is computed as:

$$ VIF_{j}=\frac{1}{1-R_{j}^{2}} $$

where R_j² is the R² obtained by regressing predictor j on all the other predictors. A VIF computed for each predictor in a predictive model is read as follows.

  • A value of 1 means that the predictor is not correlated with other variables. The higher the value, the greater is the correlation of the variable with other variables.

  • Values of more than 4 or 5 are sometimes regarded as moderate to high, with values of 10 or more regarded as very high (Cohen et al. 2014). These numbers are general rules of thumb.

Turning to the actual results, the Sig. P-values for the predicting variables are found to be < 0.05 for all 4 variables in Figs. 6 and 7; they stand at 0.05, 0.03, 0.04, 0.00 and 0.05, 0.01, 0.03, 0.00 respectively. One does not see much variation in these numbers, because all 4 predicting variables remain the same while only the predicted variable varies. Hence the correlating difference between these unchanged predicting and changing predicted variables remains minimal.

Coming to the VIF factors, one can see a greater correlation of each variable with the others, as the values recorded in the Coefficients tables lie mostly between 4 and 6. The values in Figs. 6 and 7 are 5.07, 4.02, 6.17 and 5.18. The reason the collinearity statistics are the same in both figures is that the constants, or predictors, are kept the same.
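To make the Model Summary and Coefficients readings concrete, the following is an added example (it is not the paper's SPSS run, and the survey rows in it are constructed): it fits the Objective 1.1 form of the MR model by ordinary least squares and computes the adjusted R² and each predictor's VIF from the formula above. The function names and all sample values are assumptions.

```python
"""Added example, not the paper's own SPSS analysis: fit the MR model
Y = a + b1*X1 + ... + bn*Xn by ordinary least squares and report the adjusted
R^2 (Model Summary table) and each predictor's VIF = 1/(1 - R_j^2)
(Coefficients table) that the text reads off the SPSS output."""
from typing import Dict, List, Sequence

Matrix = List[List[float]]

# Constructed survey rows (hypothetical values), one per company. Predictors
# follow Objective 1.1: IT staff count, IT asset value (thousand EUR), IT
# Steering Committee present (1/0), employees exercising security controls.
# Last column: SOD maturity score on a 0-10 scale (the dependent variable Y).
SAMPLE: Matrix = [
    [2, 80, 0, 3, 3.5], [3, 150, 0, 5, 4.2], [5, 210, 1, 8, 6.1],
    [4, 190, 0, 6, 4.8], [8, 400, 1, 12, 7.9], [6, 260, 1, 9, 6.6],
    [1, 50, 0, 2, 2.7], [7, 330, 1, 10, 7.2], [9, 480, 1, 15, 8.8],
    [3, 120, 0, 4, 3.9],
]


def _solve(a: Matrix, b: List[float]) -> List[float]:
    """Solve a.x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("singular normal equations: perfect collinearity")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        tail = sum(m[i][j] * x[j] for j in range(i + 1, n))
        x[i] = (m[i][n] - tail) / m[i][i]
    return x


def fit_ols(x_rows: Matrix, y: Sequence[float]) -> List[float]:
    """Return [a, b1, ..., bn] by solving the normal equations (X'X)b = X'y,
    where X carries a leading column of ones so that a is the intercept."""
    design = [[1.0] + [float(v) for v in row] for row in x_rows]
    k = len(design[0])
    xtx = [[sum(r[i] * r[j] for r in design) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(design, y)) for i in range(k)]
    return _solve(xtx, xty)


def r_squared(x_rows: Matrix, y: Sequence[float]) -> float:
    """R^2 = 1 - SSE/SST: the share of the variance in Y the model explains."""
    coefs = fit_ols(x_rows, y)
    fitted = [coefs[0] + sum(b * x for b, x in zip(coefs[1:], row)) for row in x_rows]
    mean_y = sum(y) / len(y)
    sse = sum((yi - fi) ** 2 for yi, fi in zip(y, fitted))
    sst = sum((yi - mean_y) ** 2 for yi in y)
    return 1.0 - sse / sst


def adjusted_r_squared(x_rows: Matrix, y: Sequence[float]) -> float:
    """Adjusted R^2 penalises every extra predictor (n rows, p predictors)."""
    n, p = len(y), len(x_rows[0])
    return 1.0 - (1.0 - r_squared(x_rows, y)) * (n - 1) / (n - p - 1)


def vif(x_rows: Matrix) -> List[float]:
    """VIF_j = 1/(1 - R_j^2), R_j^2 from regressing predictor j on the others.
    1 means uncorrelated; 4-5 is moderate to high; 10 or more is very high."""
    cols = [list(c) for c in zip(*x_rows)]
    out = []
    for j, target in enumerate(cols):
        others = [c for i, c in enumerate(cols) if i != j]
        if not others:  # a lone predictor cannot be collinear with anything
            out.append(1.0)
            continue
        r2 = r_squared([list(r) for r in zip(*others)], target)
        out.append(float("inf") if 1.0 - r2 < 1e-12 else 1.0 / (1.0 - r2))
    return out


def summarize(rows: Matrix) -> Dict[str, object]:
    """Model Summary and Coefficients figures for rows whose last column is Y."""
    x_rows, y = [r[:-1] for r in rows], [r[-1] for r in rows]
    return {"coefficients": fit_ols(x_rows, y),
            "adjusted_r2": adjusted_r_squared(x_rows, y), "vif": vif(x_rows)}


if __name__ == "__main__":
    names = ["IT staff", "IT asset value", "steering committee", "employees with controls"]
    res = summarize(SAMPLE)
    print("intercept a =", round(res["coefficients"][0], 4))
    for name, b, v in zip(names, res["coefficients"][1:], res["vif"]):
        print(f"{name:24s} b = {b:8.4f}   VIF = {v:6.2f}")
    print("adjusted R^2 =", round(res["adjusted_r2"], 3))
```

A VIF near 1 for every predictor means the no-multicollinearity assumption of the Null Hypothesis section holds; values in the 4 to 6 range, as reported in Figs. 6 and 7, flag predictors that largely duplicate each other.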

This numeric representation is extended by way of a graphical depiction, the histogram. Fig. 5 below shows the level of distribution of the variables for Objective 1. From the distribution depicted one can say that the model is a good fit, because the heights of the bars closely follow the shape of the line; data that fit the distribution well have bars that closely follow the line (Cohen et al. 2014). This holds in this figure for most of the variables.

Fig. 5

Symmetric Histogram

Now getting into the contextual interpretation of the MR results, it can be said from:

Figure 6 - The dependent variable SOD is significantly impacted, to the extent of 65%, by the independent variables: number of IT staff, IT asset value, employees having security controls and presence of an IT Steering Committee. In other words, at first sight, an organization’s SOD is well determined by the presence of these independent variables.

Fig. 6

Regression Results of Objective 1.1

Figure 7 - The dependent variable here is AA, again determined by the same set of independent variables as in Fig. 6. Here the level to which these independent variables have a say on AA (the dependent variable) is 73%. Moreover, all these variables are statistically shown to form a good-fit model through the significance described previously.

Fig. 7

Regression Results of Objective 1.2

Following this, it is now to be checked whether the outcome question posed at the start of the section for this particular objective is answered. The outcome projected was to check whether the IS responsibilities are well defined and directed in an organization set-up. Here IS responsibilities are taken to be proper when the IS controls in terms of IT SOD and Authentication and Authorisation (AA) are present for the operational activities of the system. From the MR model run, one can infer that the population represented by the 64 companies is likely to agree that SOD and AA are primarily determined by the independent factors discussed earlier.

Extending this, the independent factors are correlated to the dependent variables to say:

  • IT staff numbers (predicting variable) in the organisation play a positive role in determining what kind of SOD and AA (predicted variables) controls should be there in the set-up.

  • IT asset values are also a determining factor, meaning the more the company invests in technology and IT infrastructure, the more concentration there should be on its controls.

  • Employees with controls means the number of employees having both physical and logical IT security controls in the organisation. This number is crucial in determining the scope of the IS framework in the organisation, in the sense of whom the framework should address or cater to.

  • Presence of a Steering Committee in the organisation propels the need to have proper IT controls, and the chances of having proper SOD and AA are likely with this committee’s action.

Study Inference:

For the context of the case-studied organization, Company X, this model requires first establishing a proper SOD and then ensuring AA for all IT-related operations within the controlled environment. This has to be incorporated with management support and proper role-playing. In other words, this model has brought out the importance and the significance of having SOD and AA controls within the organization, thereby ensuring security properties like Confidentiality and Integrity in the systems (Fig. 8).

Fig. 8

Normal Q-Q Plot for Objective 2

Defining proper SOD and AA is the right requirement for the Subsidiary under consideration of Company X, based on its existing number of employees, IT asset value and monitoring controls.

Deduction from Hypothesis:

A correct conclusion should start from the initial hypothesis. It was initially hypothesized: IS responsibilities being well-directed and defined have no relationship with the business case model.

In the current context, this Null Hypothesis no longer holds, because the variables forming part of the assumptions are not zero. Moreover, the business case model, that is, understanding the company context in terms of its business, employee structure, asset value and monitoring controls, plays a major role in having well-directed IS responsibilities inside the organisation.

In summary, the scope in which to look for SOD and AA parameters is to be defined by the assets involved and by the set of processes that operate on them. Hence it can be said that putting a good theory into practice through the business case model means having well-defined and directed responsibilities, via role-playing or engineering inside the organization, ensured by proper SOD and AA.

  • Objective 2: IS integration through Risk Identification and Treatment. The viewpoint and the end outcome projected for this sub-objective is to know whether Risk Identification and Treatment is done when the IS policies are integrated into the company system. For this purpose, the MR approach is adopted again. It starts with the Null Hypothesis: IS Risk Management and integration into the company operations are not related to the compliances of market best practices. In order to refute this assumption:

Risk Identification is taken to be the predicted variable, while Security training, Security awareness, IT asset value, IT operations reporting and Security policy compliance and audits (components forming part of the best-practice frameworks) are taken to be the predicting variables.

With the meaning of the figures in the Model Summary, ANOVA and Coefficients tables already understood, for Objective 2 we go directly to the interpretation of results.

In the Model Summary table of Fig. 9 one can infer the adjusted R² to be 66%, and the P-value significance in the ANOVA table is < 0.05 (0.04). These state that the model run through MR, or linear regression, is of good significance. Also, the Durbin-Watson (DW) statistic, a measure of the autocorrelation of residuals in regression analysis, indicates positive autocorrelation when its value lies between 0 and 2 (Jaccard and Turrisi 2003). In the given case, the DW statistic is positive with a value of 1.87 (from the Model Summary of Fig. 9).

Fig. 9

Regression Results of Objective 2

Further, in the Coefficients table, when the β risk is read together with the Sig. value, one can see that all the predicting variables (except the Security training variable) are of great significance in determining the risk identification process in the organization, since these predicting variables have Sig. < 0.05. Greater correlation among the variables also exists, with high VIF values for all 5 predicting/independent variables.

The interpretation is extended with a regression plot (also called a Q-Q, Quantile-Quantile, plot), shown in Fig. 8, which plots quantiles of the data against quantiles of a distribution. The figure portrayed is meant to be a normal, positive distribution. The upward concavity, appearing roughly along the straight line of the graph, indicates positive skewness (Jaccard and Turrisi 2003), thus reiterating it to be a good-fit model.

Study Inference:

Now, for the lessons learnt in the context of Company X, the study shows that Risk Identification and Treatment are primary and are integrated into the system when the best practices (the predicting variables) of the market framework models are followed in the organization. When Risk Identification and Treatment become primary, business effectiveness is ensured.

Deduction from Hypothesis:

The initial hypothesis, that IS risk management and integration into the company operations are not related to the compliances of market best practices, is proved false by the model results. This paves the way for the Alternate Hypothesis, which states that regular compliance with a best-practice Security Framework ensures proper Risk Management in the organization.

  • Objective 3: IS Management for business effectiveness. The last sub-objective of the study takes the qualitative methodology route, the segmented narrative model, to form a grounded theory (Bryant and Charmaz 2007). The survey results here come from closed-ended questions, hence the qualitative methodology is followed (Urquhart 2012).

In this section, business effectiveness for continuity is studied in three aspects:

  1. Organization DRP (Disaster Recovery Plan) and its testing

  2. Real-time adherence of security termination rights for employees

  3. GDPR (General Data Protection Regulation) 2016 compliance in the organization.

The initial hypothesis of this study was that IS governance and management have no relationship with the IS design and functionality of the organisation. The above three were identified as the primary functions to ensure effectiveness and continuity. Accordingly, the survey results are now interpreted to find the peers’ behavior in the industry and what learning can be derived from them.

On analysing the results in Fig. 10, in the case of the DRP the reader can witness that 57 (89%) respondents rated their organization’s DRP between 6 and 10 on the scale, a positive note on its existence, and only 7 (11%) respondents are not affirmative of a DRP in their organisation. In terms of testing the plan, the organizations that test it at least once a year are recorded to be 48 (75%), and the remaining 16 (25%) do not test the plan on a yearly basis. The inference is that the majority of the industry are practitioners of DRP, otherwise known as Incident Management (a pre-requirement as per ISO 27001).

Fig. 10

Results of Objective 3

On the termination of security rights in real time for discharged employees, 76% (49) of respondents reported that their organization practises it, and the remaining 24% (15) do not.

Following this, GDPR compliance in terms of data processing agreements between the controlled corporates [as per Article 28(3) of GDPR 2016] is found to be practised by similar peers of Company X in the case of 86% (55) of companies.

Deduction from Hypothesis:

For the given model the Null Hypothesis can be conveniently rejected, because the survey results show occurrences to the contrary, stating that the primary functions (like DRP and GDPR compliance) in the organization design are a requirement for business effectiveness (as per ISO).

Study Inference:

The concluding theory from the segmented narrative description is that getting hands-on experience of the IS best practices, through compliance within the Company systems, achieves longevity of operations, called Business Continuity.

Gaps to be addressed

The gaps in the system in relation to the case study company are:

  • As initially witnessed in Section 2.2, the company does have SOD assigned but AA is not established in relation to the IT operations. Work in terms of identity and access management, along with an encryption policy, is a need for the subsidiary in comparison to its peers.

  • In terms of Risk Management, the parent is said to follow FMEA (Failure Mode and Effects Analysis) for identification and treatment of the organization’s IT risks (Stephen 2018). In terms of its IT, the major risks identified at the parent level are data loss, data theft and system crash. Expanding the scope and detailing of IT risks in terms of change management, environmental or safety effects, sabotage, lack of learning/training and legal exposure are some of the other major risks open for improvement within the controlled entity as a whole.

  • In terms of Security Management and Governance, the IT safety protocols and Emergency Preparedness and Response Procedures currently held by the parent are more than five years old. Upgrading them and developing documents relevant to the group operations is imperative. Moreover, the country context of the subsidiaries should also be considered in their development, so as to ensure compliance with the law of the land.

Recommendations for forward approach

In order to derive value through sustainability, organizations must be able to recognize, manage and respond to both the opportunities and the risks. To ensure that an organization is achieving its objectives, staying within its risk tolerance threshold and satisfying stakeholders, it should constantly monitor and evaluate the sustainability activities it undertakes. On reviewing the research results and the gaps, the questions the organization should be asking as part of its activities are:

  • Are activities and responsibilities well aligned to the corporate strategy to achieve objectives?

  • Are IS processes and integration adding value in terms of risk awareness thereby making them agile to respond to changes?

With that note, the very purpose of this paper was first to:

  • Assess the cruciality of the IS process and its risk and then

  • Recommend a Control Framework for the company and finally

  • Help the Subsidiary march towards ISO 9001 certification.

Having understood the need for IS Governance and Risk Management implementation in the organization through the analytical results, it is now time to set out the recommended model for adoption by the controlled entity. Previously, the formulated guiding principles, an integration of the best practices of ISO and NIST, were brought out in Fig. 2 for adoption. Continuing so, a 10-stage pointer model is now given as a recommendation for a forward approach.

  1. Appraisal of IS/IT issues as a lead to the IS framework business case.

  2. A roadmap to surface the ultimate objectives of IT and business to be laid out.

  3. Ensure all operational technology, products, and services are integrated into the IS framework with management support and role-playing.

  4. Risk assessment: IT risks need to be identified throughout the organization.

  5. Aligning the implementation process with the risks assessed.

  6. Provision of business internal controls with risk, governance and compliance frameworks as means of mitigation.

  7. Devise incident planning and testing as part of the IS process.

  8. Implement the IS process with a proper training cycle for employees in consultation with HR.

  9. Monitoring and review cycle to be defined to continuously defend the security networks.

  10. Continuous improvement and communication for IS evolution.

  • Industrial Application: With the recommendations, it is now time to see who will benefit from this work. The work is basically done on mid-sized Pharma sector companies which deal with machinery manufacture. Studying the standard practices and this industry’s best practices, the 10-stage pointer model has implications for similar types of organizations, like mid-sized manufacturers. The above prescribed 10-stage pointer model is a culmination of ISO and NIST attributes and widely used best practices. Such a recommendation, which works on the basis of ISO 27001, directly emphasizes that ISO certification serves as a public statement of an organization’s ability to manage information security (Mataracioglu and Ozkan 2011). The focus areas are strategic alignment, value delivery, risk management, resource management and performance measurement. Corporate governance includes the responsibility for solid internal control, and internal controls rely on information security. This 10-pointer model ensures that the IS management system and policy measures continue to evolve and adapt to changing risk exposures. Further, an organization which adopts such a model will spend less money on recovering from security and data recovery incidents, which may also translate into lower insurance premiums. Through this model, some of the misperceptions in industrial parlance are sought to be driven away, like:

  1. The IT department has to handle the scope of the ISMS.

  2. The ISMS is an information technology process.

  3. ISMS establishment can thoroughly be done only by IT organizations.

These misconceptions are strongly refuted by the statistical survey work of this article, which states that the scope of an ISMS applies to the whole of the organization and that its responsibility does not lie with the IT department alone. In fact, the head of the organization is the owner of its ISMS. Manufacturing, service and procurement can be done in any organization; however, the organization that has to establish the ISMS is the organization itself, which perceives it.

Conclusion and future work

Effective IS requires active involvement of the Board and employees so as to enable a quality management system which improves overall performance and facilitates opportunities to enhance customer satisfaction. For this, risk-based thinking helps the company determine the factors which contribute to deviation from the planned results of quality management (ISO 9001 2015). Some of the major checks of ISO 9001:2015 are to consistently meet requirements and to address the future needs and expectations of increasingly dynamic business complexity. To establish quality principles like customer focus, process approach, evidence-based decision making and improvement, a holistic view covering even the IS process is the need of the hour within the company set-up. Moreover, for a Controlled Corporate, the strain of entrusting an ISMS across the group is an ordeal. Hence the recommendations provided as a way out might not only evolve the business but also ensure proven security techniques and strategies for the group. However, no way is unerring unless tested and experienced. This work could be further studied in terms of the behavioral approach of the individuals of the organization to change management and their difficulties in adopting it, to set out greater performance.


  1. COBIT (2019) Framework: Introduction and methodology. ISACA. ISBN 978-1-60420-763-7

  2. Anderson R (2008) Security engineering. Wiley, New York

  3. Aversano L, Grasso C, Tortorella M (2012) A literature review of business/it alignment strategies. Procedia Technol 5:462–474

  4. Bryant A, Charmaz K (2007) The Sage handbook of grounded theory. Sage

  5. Bulgurcu B, Cavusoglu H, Benbasat I (2010) Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q 34(3):523–548

  6. Christiansen J, D’angona R, Bell C (2014) Method and system for assessing, managing, and monitoring information technology risk. US Patent 8,744,894, June 3

  7. Cohen P, West SG, Aiken LS (2014) Applied multiple regression/correlation analysis for the behavioral sciences. Psychology Press

  8. DeSmit Z, Elhabashy AE, Wells LJ, Camelio JA (2017) An approach to cyber-physical vulnerability assessment for intelligent manufacturing systems. J Manuf Syst 43:339–351

  9. Dinis FM, Martins JP, Carvalho BR, Guimarães AS (2018) Disseminating civil engineering through virtual reality: an immersive interface. Int J Online Eng 14(5):225–232. ISSN 1861-2121

  10. Dobre F, Vilsanoiu D, Turlea E (2012) A multiple regression model for selecting audit team members. Procedia Econ Financ 3:204–210

  11. Fadiya SO (2017) Analysing a large amount of data as a decision support systems tool in Nigeria organisation. Int J Cogn Res Sci 5(1):121–130. ISSN 2334-8496

  12. Gayko KWJ, Fan K (2018) Security standards white paper for Sino-German industry 4.0 intelligent manufacturing. Federal Ministry of Economic Affairs and Energy

  13. Griffiths D (2013) Risk based internal auditing. Retrieved July 4, 2006

  14. Hafez S (2015) The integration of six sigma and balanced scorecard in internal auditing. Integration 6(18):43–54

  15. Herath T, Raghav Rao H (2009) Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur J Inf Syst 18(2):106–125

  16. Hogg RV, McKean J, Craig AT (2005) Introduction to mathematical statistics. Pearson Education, Prentice Hall

  17. Huber PJ (2011) Robust statistics. Springer, Berlin

  18. Illowsky B, Dean S (2018) Introductory business statistics

  19. ISO/IEC 27001 (2013) Information Security Management System. ISO

  20. ISO 9001 (2015) Quality Management Systems-Requirements. ISO

  21. ISO/IEC 27003 (2017) Information Security Management Systems implementation. ISO

  22. ISO/IEC 27005 (2018a) Information Security Risk Management. ISO

  23. ISO/IEC 31000 (2018b) Risk management – Guidelines. International Standard, First Edition. ISO

  24. Jaccard J, Turrisi R (2003) Interaction effects in multiple regression, vol 72. Sage, Newcastle upon Tyne

  25. Smith HJ, Dinev T, Xu H (2011) Information privacy research: an interdisciplinary review. MIS Q 35(4):989–1016

  26. Jerman-Blažič B et al (2008) An economic modelling approach to information security risk management. Int J Inf Manag 28(5):413–422

  27. Kassner M (2018) Why manufacturing companies need to up their cybersecurity game

  28. Manyika J (2017) A future that works: Ai automation employment and productivity. McKinsey Global Institute Research, Technical Report

  29. Mataracioglu T, Ozkan S (2011) Governing information security in conjunction with COBIT and ISO 27001. arXiv:1108.2150

  30. Mettler H (2019) Cybersecurity is an important issue for the pharmaceutical industry

  31. NIST (2018) Framework documents, cybersecurity framework version 1.1

  32. Novak-Marcincin J, Barna J, Janak M, Novakova-Marcincinova L (2013) Augmented reality aided manufacturing. Procedia Comput Sci 25:23–31

  33. PwC India article (2013) Subsidiary governance: an unappreciated risk

  34. Ranganathan V, Coronado A (2019) 7 key elements to data security and quality control for pharma labs

  35. Sandelowski M, Voils CI, Barroso J (2006) Defining and designing mixed research synthesis studies. Res Sch Natl Ref J Spons Mid-South Educ Res Assoc Univ Alabama 13(1):29

  36. Sim TY, Li F, Vogel-Heuser B (2009) Benefits of an interdisciplinary modular concept in automation of machine and plant manufacturing. IFAC Proc Vol 42(4):894–899

  37. Stephen M. (2018) Management handbook. Company X

  38. Stock D, Stöhr M, Rauschecker U, Bauernhansl T (2014) Cloud-based platform to facilitate access to manufacturing IT. 25(C):320–328

  39. Tan YS, Ng YT, Low JSC (2017) Internet-of-things enabled real-time monitoring of energy efficiency on manufacturing shop floors. Procedia CIRP 61:376–381. ISSN 2212-8271

  40. Tipton HF, Nozaki MK (2007) Information security management handbook. CRC Press, Boca Raton

  41. Thomas Industry Update, Staff Writer (2019) Cybercriminals shifting focus away from financial sector to target manufacturers

  42. Urdan TC (2011) Statistics in plain English. Routledge, Abingdon

  43. Urquhart C (2012) Grounded theory for qualitative research: A practical guide. Sage, Newcastle upon Tyne

  44. VDMA India article (2019) VDMA member list

  45. Wang X, Guan S-p (2017) Research on the relationship between internal control and financial performance–social responsibility as the intermediary variable. In: 3rd Annual International Conference on Management Science and Engineering (MSE 2017). Atlantis Press

  46. Yin RK (2006) Mixed methods research: Are the methods genuinely integrated or merely parallel. Res Sch 13 (1):41–47

  47. Zarreh A, Saygin C, Wan HD, Lee Y, Bracho A et al (2018) Cybersecurity analysis of smart manufacturing system using game theory approach and quantal response equilibrium. Procedia Manuf 17:1001–1008



The support of Arden University-Berlin and the Case Studied Company is much appreciated for their fervent aid throughout the period of this research, in helping to collect data useful for the analysis and the conclusion of the work. Special acknowledgment to Dr. Ricarda Seiche for the guidance.

Author information

Correspondence to Rachel John Robinson.

Ethics declarations

Conflict of interests

The author declares that there is no conflict of interest.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

About this article

Cite this article

Robinson, R.J. Structuring IS framework for controlled corporate through statistical survey analytics. J. of Data, Inf. and Manag. (2020).


  • Controlled corporate
  • ISMS
  • IS framework