Fig. 1. The ISO/IEC 27001 group of requirements
3 Research Method
In order to answer our research questions in a structured way, we propose a research method following an action research approach [14]. Action research can be defined as "an iterative process involving researchers and practitioners acting together on a particular cycle of activities, including problem diagnosis, action intervention and reflective learning" [15]. The research method, presented in Figure 2, consists of three steps.
Step 1 - Initial experiment: An initial experiment is performed in a Luxembourger SME. In order to identify the issues related to the implementation of an ISMS in such an entity, a large amount of feedback is gathered from this experiment. This feedback is then summarised to put emphasis on the major issues encountered, and our research objectives are defined so as to address those issues. This step answers our first research question.
Step 2 - Building the guide: The guide is written in order to achieve the objectives identified during the first step of the research method. To ensure the relevance and the viability of the document, it is validated through expert reviews. To do so, Luxembourger experts in information security are mandated to evaluate the guide theoretically. This process, closely tied with the field experiments (Step 3), provides feedback that is used to improve the guide.
Step 3 - Experimenting with the guide: As theoretical validation alone cannot provide assurance of the effectiveness and adaptability of the guide, experiments are required within the research method. They take place in several SMEs with different security backgrounds and from different activity sectors. These experiments are conducted not only by our team, but also by external individuals, in order to assess the usability of the guide by people not involved in its development process. Each experiment yields feedback and initiates upgrades to the guide.