Article

The Influence of Information Security Management System Implementation on the Financial Performance of Indian Companies: Examining the Moderating Effect of National Culture

Department of Public Administration, Inha University, Incheon 22212, Republic of Korea
* Author to whom correspondence should be addressed.
Sustainability 2024, 16(20), 9058; https://doi.org/10.3390/su16209058
Submission received: 31 July 2024 / Revised: 1 October 2024 / Accepted: 16 October 2024 / Published: 19 October 2024
(This article belongs to the Special Issue Advances in Economic Development and Business Management)

Abstract

The extensive focus on information technology (IT) within organizations, along with the substantial significance of information security issues, has made information security a top priority for executives. The International Organization for Standardization 27001 (ISO-27001) policy outlines the requirements for an effective Information Security Management System (ISMS). Implementing an ISMS not only enhances the overall profitability of a firm, but it also has a significant impact in various scenarios. In this study, we examined how ISMS implementation can assist corporations financially, with a specific focus on the moderating effect of Indian national culture. We analyzed financial performance following ISMS and ISO-27001 implementation using sample data from 420 Indian small and medium-sized enterprises (SMEs). By analyzing 256 survey questionnaires from 420 SMEs, we found that national culture amplifies the strong interaction between ISMS implementation and SME performance in India. We found that ISMS implementation increased the profitability of recognized Indian firms, supporting study hypotheses. The findings provide valuable insights for SMEs seeking to enhance financial performance through ISMS implementation, emphasizing the moderating role of national culture in shaping these outcomes.

1. Introduction

Information security management systems (ISMSs) have become a crucial topic in information security and management [1,2,3]. Modern industries, economic sectors, and service providers are integrating workforce diversity, tangible resources, and operational processes with governance strategic priorities to gain a competitive edge [4,5]. They are also diversifying resources to create and implement information systems that support these goals. By exchanging information, organizations improve efficiency. Under a unified ISMS architecture, human, technical, and procedural resources are connected to achieve organization-wide harmony [6]. Effective information security management requires this synergy for preserving information integrity, confidentiality, and availability. This coordination is crucial for organizations to improve security and position themselves for digital growth and profitability [7,8]. However, there are drawbacks, such as the potential for new criminal behavior arising from the unintended revelation of information [1,2,3,5]. In the early stages of digitalization, organizations often established realistic information security policies to lessen the impact of possible negative outcomes. However, due to the characteristics of current cyber threats, their focus is rapidly shifting to security management. They are developing information security mechanisms that include five operational processes: strategy and institutional structure, risk management, planning and implementation, and follow-up monitoring, to provide an institution with appropriate in-depth data security systems [9].
Mounting network security infractions, such as hacking, invasion, and impersonation, have earned widespread attention and highlighted the necessity of information security as an institutional issue [10]. As per a previously conducted study [11], the costs associated with cybersecurity incidents have become increasingly prevalent, resulting in significant financial damage such as operational losses, adverse stock market sentiments, emotional impact, and business interruption [12]. The International Organization for Standardization (ISO) 27001 [13] is a guideline implemented by organizations globally to facilitate the application of information security measures, particularly in India [14]. This ISO guideline was updated in 2022 (https://www.iso.org/standard/88435.html (accessed on 30 July 2024)). ISO-27001 provides a standard for the implementation of information security programs and has become the most recognized IT certification globally [15]. Given the concerns about information security breaches, ISO-27001 certification serves as a valuable demonstration of society’s commitment to information management and a proactive approach to information systems security [16]. ISO-27001 accreditation shows society and organizations’ commitment to information management and proactive information systems security. It informs customers, collaborators, and policymakers that the organization follows the most advanced data security standards. An organization’s reputation and trust in its ability to secure sensitive information strengthen with this sort of accreditation, ensuring sustainability and security [17]. It further exemplifies how effective cybersecurity management complies with world standards, making it more reliable and trustworthy [15,18].
Several scholars have found that ISMSs improve organizational effectiveness in areas such as operating efficiency, economic performance, productivity output efficiency, IT capabilities, and infrastructural facilities [19]. However, few research studies have explored the indirect influence of ISMS implementation on organizational performance [10]. Several researchers see ISMS implementation as an organizational responsibility rather than a competitive benefit [20]. We hold the view that cultural differences largely explain how ISMS implementation and organizational effectiveness vary from one setting to another [21]. Some countries with a high number of ISO-27001 certifications have robust economies (like Japan or China; https://www.iso.org/the-iso-survey.html (accessed on 30 July 2024)) and are thus excited about ISM standards because of their global activities [22,23]. Even though it has the fastest-growing economy in the world, the United States surprisingly ranked lower in the top 10 countries in terms of ISO-27001 yearly economic growth. It is possible that cultural variables are to blame for the relatively low rate of implementation [24,25].
Despite the growing adoption of information security management systems (ISMSs) like ISO-27001, the intersection between ISMS implementation, financial performance, and national culture remains underexplored in the existing literature. While many studies have examined the direct benefits of ISMSs in terms of compliance and risk reduction, few have investigated how cultural factors influence the financial outcomes of these systems, particularly in emerging markets like India. This study addresses this gap by examining how national culture moderates the relationship between ISMS implementation and firms’ financial performance, providing a more holistic understanding of the factors that drive success in diverse organizational contexts. This research investigates whether ISO-27001 accreditation indirectly boosts business profitability by using national culture as a moderating variable [26]. Culture may greatly impact organizational management and results, including innovation, decision-making, employee engagement, agreements, HRM practices, and governance. Hofstede [11] established six cultural characteristics, one of which we used (long vs. short-term orientation) to characterize how organizations and people in society focus on the present, past, or future. We believe cultural or contextual variables affect ISMS implementation and SME economic development [20]. Therefore, we will examine how national culture influences the link between the implementation of ISMSs and financial performance in small and medium-sized enterprises (SMEs) in India.

2. Literature Review and Research Hypotheses

2.1. Hofstede’s National Culture

Hofstede [26] defines culture as “the collective mental programming that distinguishes people of one country, region, or group from those of another country, region, or group”. According to Hofstede’s latest findings, six cultural dimensions characterize every country. Power distance and individualism vs. collectivism measure the legitimacy a culture grants to uneven power distribution and its degree of group integration, respectively. The individualism vs. collectivism dimension is measured by assessing the degree to which individuals in SMEs prioritize personal goals versus group goals. Indicators include cooperation, team orientation, and the balance between individual versus collective decision-making [26,27]. Masculinity vs. femininity measures gender roles and ideals, while uncertainty avoidance measures ambiguity tolerance. This includes indicators such as the focus on achievement, risk-taking, and management styles within SMEs. Uncertainty avoidance represents how comfortable members of SMEs are with ambiguity and uncertainty. Indicators include risk aversion, preference for formal rules, and an emphasis on security and stability [26,28]. Long-term vs. short-term orientation shows a society’s organizational horizon, while indulgence vs. restraint assesses the essential desires of individuals. The degree to which a society allows the relatively free gratification of basic human desires versus controlling such gratification through strict social norms represents the indulgence vs. restraint dimension, which may influence ISMS implementation [26,28]. These variables help explain cultural variations in social behavior across different societies [27,29].
In cultures with high power distance, there is a significant gap between upper and lower managers in terms of authority and decision-making. In strong individualist cultures, employees are self-reliant, confident in their abilities, and prefer achieving their goals independently. A strong masculine culture is characterized by assertive decision-making by men, rigorous management practices, and a strong drive for achievement. Cultures with high uncertainty avoidance tend to have a conservative approach to challenges, preferring stability and minimizing risk. Long-term-oriented organizations and management focus on policies and strategies that promote sustainability and longevity [10].
The third cultural factor is indulgence, which reflects a nation’s tendency towards the gratification of basic and natural human desires. In high-indulgence countries, corporate leaders are often very sociable and prioritize social interactions and enjoyment. Figure 1 illustrates the six cultural dimensions that define a nation’s culture.

2.2. National Culture vs. Corporate Culture

National culture refers to the collective programming of the mind that distinguishes the members of one nation from those of another [26]. It is a set of shared values, beliefs, norms, and practices that are deeply rooted in the history, traditions, and social institutions of a country. National culture influences how people perceive authority, handle uncertainty, engage in relationships, and make decisions [28,30]. Hofstede’s six cultural dimensions—power distance, individualism vs. collectivism, masculinity vs. femininity, uncertainty avoidance, long-term vs. short-term orientation, and indulgence vs. restraint—are key indicators of national culture and provide a framework for understanding the variations in cultural values across different countries [28,30].
Corporate culture, on the other hand, refers to the set of shared values, beliefs, and practices that are specific to an organization [31]. It represents the internal environment of an organization and is shaped by the organization’s history, leadership, industry, and internal processes [32]. Corporate culture defines how employees within an organization interact with one another, how they approach their work, and how they respond to challenges and opportunities [33]. Unlike national culture, which is relatively stable and slow to change, corporate culture can be more dynamic and subject to change based on strategic decisions, leadership changes, mergers, or shifts in the external environment [34]. In the context of this study, we focus primarily on national culture as the moderating variable that influences how ISMS are implemented and how they impact the financial performance of SMEs in India.

2.3. Information Security Management Systems (ISMSs and ISO-27001)

ISMSs have become increasingly vital across various sectors, including information technology, education, arts, architecture, and social services. In today’s digital age, an organization’s production capacity and competitive advantage rely heavily on securing its information assets, which are now key economic drivers. While digitalization offers numerous financial and operational benefits, it also exposes organizations to a growing number of sophisticated cyberattacks [35]. These security vulnerabilities, if not properly managed, can have significant consequences for a company’s operational continuity and financial stability.
Implementing an effective ISMS, such as ISO-27001, is essential to mitigate these risks. However, inadequate or incomplete ISMS implementations can leave companies vulnerable to security breaches, potentially resulting in severe financial losses [36]. ISO-27001 provides a comprehensive framework for managing information security risks by outlining policies, procedures, and controls designed to protect information assets. By creating a structured, long-term approach to securing commercial information systems, ISO-27001 not only helps organizations safeguard against cyber threats, but also enhances their overall financial performance by reducing risks and fostering trust with stakeholders [37].
To validate the measures and assess the estimation technique, we utilized SPSS 23 for conducting regression analysis. Subsequently, we performed a moderation analysis using linear multiple regression to evaluate the hierarchical pathways within the conceptual framework. To ensure that the data were suitable for regression, we meticulously followed a two-step procedure for data diagnosis [5,23,38,39].
The conceptual framework for this study illustrates the relationships between ISMS implementation, national culture, and firm financial performance (Figure 2). In the context of this study, the ISMS (such as ISO-27001) serves as a core independent variable influencing financial performance. National culture, as described by Hofstede’s cultural dimensions, is proposed as a moderating variable, shaping the strength and direction of the relationship between ISMS and financial performance. The effective implementation of an ISMS is expected to positively influence a firm’s financial performance by reducing security risks, improving operational efficiency, and fostering trust with stakeholders. National culture is hypothesized to moderate the relationship between ISMS implementation and financial performance. Cultural factors, such as power distance, individualism vs. collectivism, and uncertainty avoidance, may affect how firms approach ISMS adoption and the financial benefits they derive from it. The dependent variable, representing the financial outcomes of adopting ISMS, is influenced directly by the effectiveness of ISMS implementation and indirectly by cultural factors.

2.3.1. ISO-27001 and Information Security Management Systems (ISMSs)

ISO-27001 is a global standard for information security management that specifies principles for developing, executing, maintaining, and upgrading ISMSs [9,10,15]. Adopting an ISMS requires risk assessments to identify and evaluate security concerns, followed by mitigation steps. It also involves creating information asset management and protection rules [40]. Continuous improvement ensures that security measures are monitored and upgraded to handle new threats and vulnerabilities [41].

2.3.2. Financial Impact of ISMS Implementation

An information security management system (ISMS) may boost profitability by lowering security breaches, incident response costs, and security process inefficiencies [42]. Ensuring regulatory compliance helps firms avoid data protection fines and penalties, while strengthening consumer trust encourages confidence and loyalty, possibly increasing sales and income [43]. By showing privacy and security commitment in Indian culture, ISMS implementation could enhance competitiveness in the market and credibility with investors. In cultures with high power distance and centralized decision-making, top executives may prioritize ISMS implementation to control and sustain corporate data [44]. Collectivist cultures emphasize shared security and data protection. ISMSs can provide Indian companies with a competitive advantage by showing their commitment to data security and recruiting shareholders who acknowledge risk management. SMEs may struggle to adopt ISMSs due to financial constraints and a lack of information security knowledge and training [45].
Implementing information security management principles enhances corporate productivity and economic performance [46]. ISMS implementation fosters trust, improves corporate image, increases brand awareness, and contributes to financial success. ISMS standards mandate that organizations demonstrate an alignment between their security programs and business governance, as well as the integration of IT security infrastructure into commercial operations [47]. These standards encompass organizational structures for information security professionals, commitments to security, competence requirements, risk acceptance methodologies, and contingency plans. Such practices aid businesses in mitigating computer malware risks. Customers become more engaged, security incidents become less costly, and companies achieve greater operational coordination [48].
On the contrary, adopting an ISMS ISO-27001 framework enables businesses to reduce unnecessary costs. The expenses linked to cybersecurity vulnerabilities are frequently transferred to customers. Therefore, ensuring network security can offer a competitive advantage for a service or product. Moreover, the ISMS ISO-27001 framework includes essential protocols for meeting the standards of efficient information sharing and maintaining accessible documentation of information [49].
With these approaches, organizations can modernize their information systems affordably and pave the way for growth and profitability [23,38]. Farooq et al. [50] discovered that businesses could achieve financial benefits following ISO-9001 [51] certification, highlighting the impact of quality management on company profitability. Similarly, several studies, as referenced in [52], have demonstrated that implementing ISO-14001 [53] certification can enhance a company’s financial standing and attractiveness in the market. Therefore, businesses that obtain ISO-27001 accreditation can anticipate improved profitability and expanded productivity. Consequently, we propose our first hypothesis (H1): higher ISMS accreditation in SMEs will have positive effects on financial performance.

2.4. Moderating Role of National Culture

Extensive studies on national culture indicate that it correlates with the implementation of ISMSs, which subsequently influences the economic performance of businesses [50]. Research conducted by Shojaie et al. [23] revealed that companies in countries with a high power distance culture place greater value on ISMS certification. Other studies have demonstrated that businesses with ISMS certifications tend to achieve better financial outcomes [10,50]. The second aspect of national culture is individualism, which suggests that businesses in more individualistic nations prioritize independence and self-reliance. However, enterprises in highly individualistic cultures may incur significant costs due to the diverse information required for ISMS accreditation, thereby increasing expenses. In contrast, firms in collectivist cultures are more inclined to pursue ISO-27001 certification [18].
In cultures where masculinity is highly valued, there is often a tendency towards rigidity and assertiveness. Managers from these cultures may resort to aggressive tactics in their pursuit of maximizing profit. Given the significant potential for business profitability through enhanced ISO-27001 implementation, experts recommend ISMS certification [5]. Small and medium-sized enterprises (SMEs) that implemented ISMSs in their operations have shown a positive correlation with company profitability [21]. The fourth cultural dimension, uncertainty avoidance, highlights management’s risk-averse behavior and their reluctance to pursue ISMS accreditation for their enterprises. One potential barrier to adopting ISO-27001 is financial constraints. It is crucial to be aware that implementing such a system requires a significant investment, which may not be financially feasible for all types of businesses [52].
A second study of the top ten countries (ISO, 2014) identified economic strength, highlighting Germany as a notable example. Despite being one of the world’s strongest economies, Russia does not have a high ISO-27001 certification rate [18,23]. This suggests that in cultures with strong uncertainty avoidance, management may prioritize reliable strategies over ISMS certification. However, the role of economic strength in ISMS implementation cannot be overlooked. Implementing ISO-27001 reflects a robust strategy that enhances the company’s financial performance [16,52].
Long-term thinking shows companies’ foresight. Long-term enterprises focus on long-term returns and have sustainable strategies [26]. According to this idea, Chang [5] found that long-term-oriented cultures had more forward-thinking managers. They suggested a strong link between long-term orientation and ISMS implementation, which boosted firm financial performance. Hamdi [25] proposes indulgence as the last level. Business leaders in indulgence cultures made intentional choices, whereas self-restraint cultures severely limited inhabitants. Indulgence-focused management emphasizes ISMS monitoring and ISO-27001 certification. Following Hofstede’s ideas on national cultural dimensions, we construct our additional hypotheses.
H2. National culture dimensions will have positive effects on SMEs’ financial performance.
H3. National culture dimensions will moderate the relationship between ISMS accreditation and SMEs’ financial performance.

3. Research Design, Materials, and Methods

This section discusses our sample data and analysis concerning information security, national culture, and SME financial success. We examined SMEs both with and without information security systems to understand how the installation of such systems impacts company profitability and how national culture moderates this relationship.

3.1. Data Sample

This study utilized a structured survey questionnaire method to gather data from participants. In addition to collecting demographic information from respondents, the questionnaire included research materials related to the variables examined in this study. The research aimed to explore the impact of information security measures on different aspects of a company [54].
The questionnaire was distributed via email to 1220 Indian SMEs that have implemented and utilized information security solutions. Managers of the IT divisions in each firm were contacted through phone, email, or in-person meetings to solicit their participation and insights for the study. Out of the 1220 SMEs, 420 firms initially responded, resulting in a response rate of 34.4%. In total, 271 surveys were completed. Fifteen surveys were identified as incorrect and were excluded from the analysis. Thus, the final dataset comprised 256 questionnaires from Indian firms. The 256 questionnaires represent 256 unique firms, each providing a single response per firm, thus avoiding any confusion between the number of firms and the number of responses. To ensure that the sample was representative of the population of SMEs in India, firms were selected across a range of industries and firm sizes, with efforts made to include both small and medium-sized enterprises, as defined by the Government of India’s SME classification.
The survey consisted of three sections, each containing fifteen multiple-choice questions. In total, there were forty-five questions, and each section used a Likert scale ranging from 1 (very low) to 5 (very high) to measure responses. According to Figure 3, when comparing responding and non-responding businesses across various criteria, such as firm age and size, no significant differences were found [55].
However, the sample composition shows that most companies surveyed are smaller (1–100 employees) and younger (0–15 years). This reflects the typical landscape of SMEs in developing countries like India, where many companies are still in the early stages of growth (Figure 3). This distribution highlights the challenges faced by younger and smaller companies in implementing complex management systems like ISO-27001. Since smaller companies may have limited resources and experience, the adoption of ISMS might differ significantly compared to larger, more established firms. The younger and smaller companies, being more flexible and adaptable, might more readily integrate cultural values and security standards, such as those proposed by Hofstede’s cultural dimensions and ISO-27001. However, larger and older companies, though fewer in number, may face more structural resistance to change due to their size and established practices. Since the sample skews toward smaller and younger companies, the study’s findings regarding the financial benefits of ISMS may be more applicable to SMEs at the early stages of growth. These companies are likely to experience more immediate financial gains from ISMS, especially in terms of mitigating risks and improving operational efficiency.

3.2. Research Model and Variables

3.2.1. ISMS ISO-27001

Our first sample consisted of a database of Indian SMEs that had achieved ISMS certification. Previous studies have examined how ISMS certification impacts the financial and non-financial performance of firms in developed countries, prompting us to focus on this developing nation (Hsu et al. 2016 [10]). It is important to note that the ISO-27001 certification holder could represent a private company, organization, or manufacturer in industries such as manufacturing, banking, services, or telecommunications. Additionally, we compiled a list of publicly listed firms without prior ISMS certification experience [6,36]. Using CompuStat, we then created a list of potential control firms. Subsequently, we matched these organizations within the same sector based on their pre-certification performance and company size.

3.2.2. National Culture

Eight questions adapted from Hofstede’s [26] national culture assessment were used. Good feelings about and cooperation with others, competition, extrinsic motivational behavior, individual character, emotional attachment with people, extrinsic behavior with people and their problems, helping others in need, and an unhelpful attitude towards others were the items used on a five-point Likert scale to measure this variable. For national culture, the Cronbach’s alpha was 0.955.

3.2.3. SME Economic Performance

Our working premise was that return on assets (ROA) would serve as an indicator of the efficiency with which SMEs operate. We hypothesized that businesses implementing information security systems would achieve higher total sales and profit margins compared to their competitors (Hypothesis 1). Therefore, ROA was our primary metric, calculated by dividing operational profit by total assets. ROA has been widely utilized in previous research to evaluate corporate performance [56].

3.2.4. Control Variable

Control variables, also known as controlled variables, are properties that researchers hold constant for all observations in an experiment. While these variables are not the primary focus of the research, keeping their values consistent helps the study establish the true relationships between the independent and dependent variables. By controlling these variables, we can more accurately isolate the impact of ISMS accreditation on financial performance. This study used SME age and size as control variables.

3.3. Methodology

We analyzed the return on investment (ROI) and return on equity (ROE) of businesses after implementing an information security management system to test our hypothesis. Our analysis suggests a significant difference in income between certified and non-certified businesses. To test our hypotheses and interpret the data, we used SPSS 23.0 [20]. The suggested theoretical structure for this study is shown in Figure 3 above.

4. Findings

4.1. Data Normality

Before evaluating the data, we ensured that there were no missing values or uncommitted respondents by confirming data normality. Next, we assessed the data sample for skewness and found that it fell within the acceptable range for proving distribution normalcy, typically between +3 and −3. We also examined the variance inflation factor (VIF) and determined that it remained below the threshold value of 3, indicating no significant issues with multicollinearity in the sample. Finally, the dataset was confirmed to meet all assumptions related to multivariate analysis, making it suitable for further research.

4.2. Reliability and Validity Analysis

Both Cronbach’s alpha and Composite Reliability (CR) values were above the 0.7 threshold, confirming that the scales used for ISMS ISO-27001 implementation and national culture exhibit strong internal consistency and reliability [57]. For ISMS ISO-27001, Cronbach’s alpha is reported at 0.909, with a CR of 0.928. Similarly, the national culture construct demonstrates an even higher Cronbach’s alpha of 0.955 and a CR of 0.964, indicating the strength of these scales in capturing the underlying constructs (Table 1). The factor loadings for the ISMS ISO-27001 implementation items all exceed the 0.7 standard, except for “Roles within the ISMS clearly defined and communicated” (loading = 0.664). While slightly lower, this item still meets the general rule of thumb of exceeding 0.6, which is often considered acceptable in social science research [58]. The high loadings for other items, such as “Adequate resourcing” (0.904) and “Risk treatment process” (0.885), indicate that these components are particularly robust indicators of ISMS implementation (Table 1). The national culture scale also demonstrates strong factor loadings, with most items scoring above 0.9, such as “I feel good when I cooperate with others” (0.934) and “I’m not the sort of person who often comes to the aid of others” (0.924). These high loadings suggest that these items capture important elements of how national culture is expressed in organizational settings. However, one item, “When another person does better than I do, I get tense and aroused” (0.707), is slightly lower but still well within acceptable limits. Convergent validity is supported by the fact that the average variance extracted (AVE) values exceed the critical 0.5 threshold for both ISMS and national culture, ensuring that the variance captured by each construct is larger than the variance due to measurement error [35,59].
Additionally, the fact that the AVE values are lower than the CR values supports the strong reliability of the constructs. Discriminant validity was verified, as the inter-construct correlations were lower than the square roots of the respective AVE values. This indicates that ISMS ISO-27001 implementation and national culture are measuring distinct constructs, supporting the robustness of the measurement model. The ISMS ISO-27001 construct captures a detailed framework of internal security measures, making it a comprehensive tool for assessing information security practices. High factor loadings for items like “risk treatment process” and “repeatable risk assessment” highlight the importance of risk management in ISMS. For national culture, the inclusion of high-scoring items like “I feel good when I cooperate with others” provides insights into collectivist tendencies, which are especially relevant in the Indian cultural context. This could suggest that cooperative behavior and support for others play a significant role in how national culture affects ISMS implementation and, in turn, SME performance.
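The checks described in this section (item loadings against the 0.7 and 0.6 cut-offs, CR, AVE, AVE below CR, and the square-root-of-AVE comparison for discriminant validity) can be reproduced from standardized loadings with the standard formulas. The Python code below is an added example, not the authors' code: it uses the six loadings and the correlation between ISMS and national culture (r = 0.249) quoted on this page, while the remaining loadings and all function names are constructed assumptions, so its CR and AVE values will not match Table 1.

```python
from math import sqrt

# Thresholds quoted in the section above.
LOADING_STRONG = 0.7   # preferred minimum item loading
LOADING_FLOOR = 0.6    # rule-of-thumb minimum the section accepts
CR_MIN = 0.7
AVE_MIN = 0.5

# Loadings marked "page" are quoted in the article text; the rest are constructed.
ISMS = {
    "Roles within the ISMS clearly defined and communicated": 0.664,  # page
    "Adequate resourcing": 0.904,                                      # page
    "Risk treatment process": 0.885,                                   # page
    "constructed ISMS item A": 0.800,                                  # constructed
    "constructed ISMS item B": 0.850,                                  # constructed
}
NC = {
    "I feel good when I cooperate with others": 0.934,                 # page
    "I'm not the sort of person who often comes to the aid of others": 0.924,  # page
    "When another person does better than I do, I get tense and aroused": 0.707,  # page
    "constructed NC item A": 0.920,                                    # constructed
    "constructed NC item B": 0.910,                                    # constructed
}
CORRELATIONS = {("ISMS", "NC"): 0.249}  # inter-construct r quoted in Section 4.3


def composite_reliability(loadings):
    """CR = (sum l)^2 / ((sum l)^2 + sum(1 - l^2)), standardized loadings."""
    total = sum(loadings)
    error = sum(1.0 - l * l for l in loadings)  # item error variances
    return total * total / (total * total + error)


def average_variance_extracted(loadings):
    """AVE = mean of the squared standardized loadings."""
    return sum(l * l for l in loadings) / len(loadings)


def assess_construct(items):
    """Run the reliability and convergent-validity checks for one construct."""
    loadings = list(items.values())
    cr = composite_reliability(loadings)
    ave = average_variance_extracted(loadings)
    return {
        "cr": cr,
        "ave": ave,
        # Between 0.6 and 0.7: tolerated by the rule of thumb, worth reporting.
        "marginal_items": sorted(
            k for k, l in items.items() if LOADING_FLOOR <= l < LOADING_STRONG
        ),
        # Below 0.6: candidates for removal from the scale.
        "failed_items": sorted(k for k, l in items.items() if l < LOADING_FLOOR),
        "reliable": cr > CR_MIN,
        "convergent": AVE_MIN < ave < cr,
    }


def fornell_larcker(aves, correlations):
    """Return construct pairs whose |r| is not below both sqrt(AVE) values."""
    violations = []
    for (a, b), r in correlations.items():
        if abs(r) >= min(sqrt(aves[a]), sqrt(aves[b])):
            violations.append((a, b))
    return violations


def evaluate(constructs, correlations):
    """Assess every construct, then test discriminant validity across them."""
    reports = {name: assess_construct(items) for name, items in constructs.items()}
    aves = {name: rep["ave"] for name, rep in reports.items()}
    return reports, fornell_larcker(aves, correlations)


if __name__ == "__main__":
    reports, violations = evaluate({"ISMS": ISMS, "NC": NC}, CORRELATIONS)
    for name, rep in reports.items():
        print(f"{name}: CR={rep['cr']:.3f} AVE={rep['ave']:.3f} "
              f"sqrt(AVE)={sqrt(rep['ave']):.3f} marginal={rep['marginal_items']}")
    print("discriminant validity violations:", violations)
```

The formulas assume standardized loadings and uncorrelated item errors; Cronbach's alpha needs the raw item responses and is therefore not computed here.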

4.3. Correlations among ISMS ISO-27001, National Culture, and SME Performance

Table 2 summarizes the mean scores, standard deviation (SD), and correlations for ISMS ISO-27001 implementation, national culture, and SME financial performance. The matrix indicates a substantial relationship between the exogenous variables (ISMS implementation and national culture) and the endogenous variable (SME financial performance) [14]. These results suggest and support the researchers’ objectives of exploring the interconnection between ISMS implementation, national culture, and firm performance. The findings highlight the importance of considering both ISMS implementation and national cultural factors when evaluating SME financial performance.
The correlation coefficients reveal expected patterns, such as a significant positive relationship between ISMS implementation and SME financial performance (r = 0.479, p < 0.01) and between national culture and SME financial performance (r = 0.249, p < 0.01). These findings underscore the necessity of thoroughly investigating hypotheses such as the association between ISMS implementation and SME financial performance, as well as the influence of national culture on this relationship.
A significant positive correlation of age with size (r = 0.294, p < 0.01) shows that older firms tend to grow larger over time. However, there is no significant relationship between age and ISMS (r = 0.000), indicating that both younger and older SMEs implement ISMS ISO-27001 at similar rates. This suggests that company maturity does not necessarily influence the decision to implement ISMS, which could be an important consideration for future studies examining ISMS adoption dynamics. Interestingly, age also has a positive, though weaker, correlation with financial performance (r = 0.188, p < 0.01). This aligns with the idea that older firms, due to their experience and established customer base, tend to perform better financially. National culture (NC) shows a strong positive correlation with financial performance (r = 0.712, p < 0.01) and a moderate positive correlation with ISMS implementation (r = 0.249, p < 0.01). These findings emphasize the role of cultural factors in driving both the adoption of management standards and financial success. Specifically, organizations that align with cultural dimensions favoring long-term orientation or uncertainty avoidance may be better suited for implementing rigorous management systems like ISMS, which could enhance financial outcomes. The strong correlation between ISMS and financial performance (r = 0.479, p < 0.01) suggests that ISMS implementation may serve as a mediating factor in how national culture affects firm outcomes. Firms that effectively implement ISMS, especially in cultural contexts that favor structure and security, appear to reap significant financial benefits. Firm size has a significant negative correlation with financial performance (r = −0.182, p < 0.01). This unexpected result may indicate that larger firms face different challenges or inefficiencies that could negatively impact performance compared to smaller firms. This could include bureaucratic complexity or slower decision-making processes. 
Similarly, size has a negative relationship with ISMS implementation (r = −0.382, p < 0.01), suggesting that larger firms may be slower to adopt ISMS or face greater challenges during implementation. This could be due to the complexity and resource demands of ISO-27001 in larger organizations. Further qualitative research could help unpack the reasons behind this negative correlation.
These results align with the broader objective of exploring how both internal and external organizational factors interact to influence firm performance. The positive relationships between ISMS and financial performance, as well as national culture and financial performance, underscore the value of integrating international standards like ISO-27001 into organizational practices, especially in culturally diverse contexts. The negative correlations observed with size, however, suggest that firms should be mindful of the unique challenges faced by larger organizations in implementing and benefiting from ISMS.

4.4. Hypothesis Testing

The results of the regression analysis on the effects of ISMS implementation on the financial performance of SMEs, the influence of national culture on the financial performance of SMEs, and the moderating role of national culture in the relationship between ISMS implementation and financial performance are summarized in Table 3. Model 1’s regression analysis included control variables such as business size and age [60]. The investigation examines aspects of SME financial performance using three models. Model 1 includes company size and age to control for the scale, maturity, and stability of operations. Model 2 examines the primary impacts of ISMS implementation and national culture on SME financial performance. Model 3 investigates how national culture moderates the relationship between ISMS implementation and financial success. According to the study’s main conclusions, there is a favorable and statistically significant correlation between ISMS implementation and improved financial results for SMEs; that is, ISMS implementation has a positive effect on SMEs’ financial performance. The importance of cultural aspects in achieving financial success is further shown by the fact that national culture has a substantial impact on the financial performance of SMEs. National cultural characteristics limit the influence of ISMS implementation on financial performance, as shown by the strong interaction between ISMS implementation and national culture.
As shown in Model 2 of Table 3, the implementation of ISMS has a substantial, positive, and highly significant impact on a company’s economic performance, as shown by the path coefficient (B = 3.678; p < 0.000). This confirms the first hypothesis (H1), which states that a greater level of ISMS certification has a beneficial effect on the financial performance of SMEs. The second hypothesis (H2) is also supported by the data in Model 3 of Table 3, which reveals a strong relationship between national culture and corporate profitability (B = 2.818; p < 0.000). This highlights how cultural variables at the national level significantly impact the financial success of small and medium-sized enterprises.

4.4.1. Summary of Findings

H1. Supported. ISMS implementation positively affects SME financial performance (B = 3.678; p < 0.000).
H2. Supported. National culture significantly influences SME financial performance (B = 2.818; p < 0.000). These findings highlight the importance of both ISMS implementation and national cultural context in driving the financial success of SMEs.
Model 4 of Table 3 displays the findings of the moderating analysis. The results reinforce our hypothesized H1 and H2 by demonstrating a direct positive association between ISMS implementation and SME profitability, as well as between national culture and SME financial performance, with coefficients of (B = 15.230, p < 0.01) and (B = 16.255, p < 0.01), respectively. These results show a robust and direct correlation between ISMS implementation in SMEs in India and GDP growth, suggesting a link between national culture and the economic situation of companies [24].

4.4.2. Summary of Hypothesis Testing and Moderation Analysis

H1. Supported. ISMS implementation positively affects SME profitability. Path Coefficient: (B = 15.230, p < 0.01).
H2a. Supported. National culture significantly influences SME financial performance. Path Coefficient: (B = 16.255, p < 0.01).
H2b. Supported. The moderating analysis in Model 4 shows that national culture further enhances the positive effect of ISMS implementation on SME financial performance.
The strong correlation between ISMS implementation and GDP growth in SMEs in India highlights the significant role of national culture in shaping economic outcomes. These findings underscore the importance of both implementing effective information security management systems and considering national cultural factors to achieve better financial performance in SMEs. Our third estimation was that national culture would compromise the link between ISMS implementation and SMEs’ bottom lines. The data support Hypothesis H2b, suggesting that national culture indirectly moderates the link between ISMS implementation and SMEs’ financial results (B = 3.120, p < 0.01). The findings demonstrate that national culture moderates the relationship between ISMS implementation and SME profitability positively and significantly [61]. It also seems to have a strong and progressive link with firm financial growth.

4.4.3. Summary of Findings

H1. Supported. ISMS implementation positively affects SME profitability. Path Coefficient: (B = 15.230, p < 0.01).
H2a. Supported. National culture significantly influences SME financial performance. Path Coefficient: (B = 16.255, p < 0.01).
H2b. Supported. National culture moderates the relationship between ISMS implementation and SME financial performance, enhancing the positive impact. Path coefficient for moderation: (B = 3.120, p < 0.01).

4.4.4. Influence of Other Factors

This study focuses on exploring the relationship between national culture, ISMS implementation, and the financial performance of SMEs. It is important to recognize that these relationships are likely influenced by various other factors that were not the primary focus of this research. Specifically, aspects such as social organization, internal processes, and technology may also play significant roles in shaping the outcomes observed in this study. While this study provides valuable insights into the role of national culture in ISMS implementation, it is crucial to acknowledge the broader context in which these interactions occur.

4.4.5. Implications

SME competitiveness increases dramatically with ISMS implementation, emphasizing the need for strong systems for handling information security. Strategic planning and policy formulation must also incorporate national culture, which affects financial performance. The data additionally demonstrates that national culture moderates ISMS implementation, amplifying its positive benefits in certain cultural situations, suggesting that various socioeconomic surroundings may need distinct approaches. These findings provide valuable insights for both researchers and practitioners, indicating that successful ISMS implementation and consideration of national cultural factors are crucial for enhancing the financial performance of SMEs.
Because comprehending the essence of the variables is critical, we have presented the substance of the elements and their indicators in Table 4. The models are structured as follows: External influences are controlled in Model 1. To assess their direct consequences, Model 2 examines ISMS uptake and country culture. Model 3 investigates national culture’s moderating effect. After examining how national culture moderates ISMS implementation and SME financial success, Model 4 sheds light on these factors’ interacting effects.

4.4.6. Explanation of Variables and Indicators

To provide an accurate assessment of the correlations between the major variables, control factors like company size and age were kept constant. SMEs’ implementation of ISMS and cultural norms, as measured by Hofstede’s dimensions (power distance, individualism vs. collectivism, masculinity vs. femininity, uncertainty avoidance, long-term vs. short-term orientation, and indulgence vs. restraint), make up the independent variables. The direction and intensity of the association between ISMS implementation and SME financial success are affected by national culture, which also acts as a moderating variable.

4.4.7. Findings

To make certain that confounding variables like company age and size do not affect the findings, Model 1 establishes a baseline by controlling them. Next, Model 2 demonstrates how national culture impacts the beneficial correlation between ISMS implementation and SME success in business. Proceeding from this, Model 3 delves into the topic of national culture and its influence on the link between ISMS implementation and its moderating consequences. Model 4 concludes that SMEs may reap even greater positive aspects from ISMS implementation when national culture moderates and even accentuates the effect of ISMS implementation on financial performance.

4.4.8. Key Results

ISMS implementation has a positive effect on SME profitability, with a coefficient of B = 15.230 (p < 0.01). National culture significantly influences SME financial performance, as indicated by a coefficient of B = 16.255 (p < 0.01). Additionally, national culture moderates the relationship between ISMS implementation and SME financial performance, with a moderating effect coefficient of B = 3.120 (p < 0.01). These results provide comprehensive insights into how ISMS implementation and national cultural factors interact to influence the financial performance of SMEs, highlighting the importance of considering both elements in strategic planning and implementation. All three hypotheses investigated in the four models received supportive evidence. Table 4 also includes a summary of the findings addressing ISMS implementation in SMEs and its impact on financial performance, as well as the moderating role of national culture.

5. Discussion

This study used a multiple regression model to examine the assumptions about the information security system, the dimensions of national culture, and the information security management system (ISMS). The results have implications for cultural information security management and social science research in India. This research found that in small and medium-sized businesses, the implementation of ISMS, specifically ISO-27001, has a positive and significant impact on their financial performance. This supports previous research that has identified the financial benefits of robust information security practices, particularly in reducing risk, improving operational efficiency, and fostering stakeholder trust [36,37]. The profitability of a company is favorably correlated with national cultural elements. The link between information security measures and performance outcomes is moderated and solidified, in part, by cultural norms at the national level. Various researchers have discovered that promoting information security means taking social behavior into account and enhancing customers’ determination to continue working with the firm, given its prestige, which leads to the enterprise’s economic progress, according to Pawar and Palivela [62]. This suggests that Indian SMEs might boost earnings by deploying an information security system. Most participants in the banking, information management, and communications industries believe cybersecurity is essential to business success. In financial services, informatics, and telecoms, information security procedures are advanced. Our findings showed their assessment of ISMSs in a company. Further analysis reveals several critical aspects influencing the relationship between ISMS implementation and financial performance in SMEs.
Our findings show that national cultural dimensions, such as collectivism and uncertainty avoidance, significantly influence the success of ISMS adoption and its financial benefits. These results align with Hofstede’s theory, which posits that cultural values affect organizational practices and outcomes (Hofstede, Hofstede, & Minkov, 2010 [28]). Specifically, cultures that emphasize collective decision-making and high uncertainty avoidance may create environments more conducive to ISMS adoption, as they prioritize risk management and security protocols.

5.1. Impact of Cultural Dimensions

National culture, characterized by Hofstede’s dimensions including power distance, individualism vs. collectivism, and uncertainty avoidance, plays a significant role in shaping the effectiveness of ISMS. For instance, high power distance cultures may require more hierarchical approval processes for ISMS implementation, while collectivist cultures might facilitate better team collaboration in securing information systems [18,22,23].

5.2. Sector-Specific Insights

Different industries show varying levels of ISMS maturity. The financial and telecommunications sectors exhibit advanced information security measures, reflecting their higher sensitivity to data breaches and regulatory requirements. This sector-specific insight underscores the need for tailored ISMS strategies that align with industry-specific risks and compliance standards [63].

5.3. Challenges and Barriers

Despite ISMS’s acknowledged benefits, several challenges hinder its widespread implementation in SMEs [64]. These include limited financial resources, lack of expertise, and resistance to change [65]. Addressing these barriers requires targeted interventions such as financial incentives, training programs, and awareness campaigns to foster a security-centric culture within SMEs.

5.4. Global Standards and Best Practices

Adopting international standards like ISO-27001 can significantly enhance the ISMS framework within SMEs [16,66]. Compliance with such standards not only improves security posture, but also enhances the firm’s reputation, thereby attracting more customers and partners. This alignment with global best practices is crucial for SMEs aiming to compete in an increasingly interconnected global market.

5.5. Technological Integration

The integration of advanced technologies such as artificial intelligence and machine learning into ISMS can provide more robust security mechanisms. These technologies enable proactive threat detection and response, minimizing potential risks and enhancing overall system resilience.

5.6. Case Studies and Comparative Analysis

Examining case studies from various countries and industries provides valuable insights into the practical applications and outcomes of ISMS. Comparative analysis helps identify successful strategies and common pitfalls, guiding SMEs in implementing more effective information security measures.

6. Study Implications

The stated purpose is to incorporate an ISMS or adhere to an existing ISMS built on ISO-27001. The study’s findings highlight the need to promote a reasonable system for managing information security by enhancing the mental maturity of security vulnerability management. As part of this suggestion, international standards at different levels of the organization might be included. Our results show that firms that effectively implement ISMS, including strong risk management protocols and compliance with security standards, achieve superior financial performance compared to firms without such systems. This aligns with the studies in [35], which highlight the financial advantages of proactive security management, such as cost savings from reduced breach incidents and improved reputational capital. Additionally, the findings indicate that ISMS implementation can serve as a long-term investment for enhancing financial stability, especially for firms operating in increasingly digitalized and global markets.
Executive level: This level is mostly about policy priorities and ISMS implementation. It is crucial to encourage the data security executive to influence supplier resource provisioning and needs and advocate liability-covered data pieces. To prepare for strategy execution in an information security management convergence, the company must regularly take advantage of an ISM. It should allow security system executives to report to directors instead of the COO. They can gather security information and execute strategic solutions.
Manager level: Information security managers should regularly complete tasks and reorganize security budgets. They are essential in coaching, advice, communication, direction, and advisories. They may make decisions on all or part of the company’s information systems. They should also develop or supervise information security techniques, implement them, minimize data protection risk, understand volatility, become familiar with the enterprise’s divisions, and evaluate information security system expenditures.
By exploring the intersection of ISMSs, financial performance, and national culture, this study fills a significant gap in the literature. Previous studies have largely focused on ISMS implementation from a technical or compliance perspective, overlooking the broader cultural context that can shape organizational outcomes. Our research demonstrates that national culture should be considered a critical factor when assessing the financial impact of ISMS, especially in diverse and culturally nuanced markets like India. This contribution extends the work of researchers such as Taras et al. [30], who emphasized the importance of cultural factors in organizational behavior but did not explore their specific interaction with information security management.

7. Limitations of the Study

This study has some limitations that should be considered when interpreting the findings. First, the sample size was limited to 256 responses from Indian SMEs, which may not represent the broader population of SMEs in India or firms in other regions. This limitation affects the generalizability of the results beyond the studied sample. Additionally, the study focused solely on the Indian cultural context using Hofstede’s cultural dimensions, which, while recognized, may not fully capture the complexities of Indian culture or be uniformly applicable across all sectors within the country.
The study’s reliance on self-reported survey data introduces potential biases, such as self-reporting bias, where respondents might have provided socially desirable responses or inaccuracies regarding their firm’s financial performance and information security practices. Moreover, the research’s cross-sectional design means that it captures data at a single point in time, thus limiting the ability to establish causality or observe changes over time, such as evolving cybersecurity threats or shifts in cultural attitudes.
Focusing exclusively on SMEs presents another limitation, as these firms differ significantly from larger corporations in terms of resources, challenges, and strategies, potentially limiting the findings’ applicability to larger or different types of firms. The study measured financial performance using Return on Assets (ROA), which, although informative, may not encompass the full range of economic performance indicators. A more comprehensive assessment incorporating a broader set of financial metrics could provide deeper insights.
Furthermore, the study employed quantitative methods without integrating qualitative data, which could have offered richer insights into the motivations, challenges, and contextual factors influencing ISMS implementation and its impact. While control variables such as firm age and size were included, other potential confounding factors, such as industry-specific regulations, market conditions, and technological readiness, were not accounted for, which may influence the observed relationships. As noted by Yin [67], survey methods primarily capture the “what” of a phenomenon, offering a snapshot of the current situation. However, they often fall short in exploring the deeper processes behind the observed relationships—the “how” and “why” that are crucial for understanding complex interactions such as those between culture, ISMS adoption, and economic outcomes. In particular, the survey data used in this study may not fully capture the underlying mechanisms through which national culture influences the effectiveness of ISMS or how this, in turn, impacts financial performance. For instance, cultural values may shape not only the decision to implement ISMS but also how these systems are utilized and integrated into daily operations. These subtleties are difficult to uncover through quantitative surveys alone.
Another potential limitation of this study is the risk of bias introduced by socially desirable responses, particularly when participants are asked about sensitive topics such as financial performance. Respondents may feel pressured to provide answers that reflect more favorably on their organizations rather than giving an accurate account of their financial situation or the effectiveness of ISMS implementation.

8. Conclusions

An information security management system (ISMS) is a comprehensive strategy for protecting a company’s data based on risk assessment. This system includes people, policies, and IT systems. In India, this poses a significant challenge due to the substantial liabilities involved, even for leaders who opt for therapeutic measures, and the lack of understanding about the evolution of organizational information capital security management.
Performance reviews are essential for every position within an organization. Essentially, it is crucial to identify the factors that allow us to measure the success of the information security department and understand how it affects the firm’s overall profitability. Risk-based information security management systems (ISMSs) play a crucial role in safeguarding a company’s data. This system integrates people, policies, and IT infrastructure to mitigate risks effectively.
Despite efforts by leaders to implement remedial measures, organizations in India face significant challenges related to information security, largely due to a widespread lack of understanding about managing organizational information capital. To address these issues effectively, it is crucial to conduct performance evaluations at all organizational levels. These evaluations help identify the key factors that measure the effectiveness of the information security department and understand how these factors influence the overall profitability of the firm.
For better financial performance and information security, it is essential to implement an ISMS that follows ISO-27001 requirements. Information security management systems (ISMSs) provide a systematic approach to safeguarding sensitive data, administering it effectively, and assuring adherence to standards set by the industry. Adopting an ISMS may bring about substantial benefits, such as enhanced market competitiveness and the capacity to entice investment within the constraints of Indian national culture. Yet, businesses have obstacles in terms of knowledge and available resources that must be addressed before they can fully make use of these opportunities. Enhancing public awareness about the significance of information security, as well as offering funding for efficient safety protocols, are two ways to tackle these problems.

Author Contributions

Conceptualization, K.D. and S.M.; Methodology, K.D.; Validation, K.D.; Data curation, K.D.; Writing—original draft, K.D.; Writing—review & editing, S.M.; Visualization, K.D.; Supervision, S.M.; Funding acquisition, S.M. All authors have read and agreed to the published version of the manuscript.

Funding

This research and the APC were funded by an INHA UNIVERSITY Research Grant.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The data presented in this study are available on request from the first and/or corresponding author.

Acknowledgments

This work was supported by an INHA UNIVERSITY Research Grant.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Al-Dhahri, S.; Al-Sarti, M.; Abdul, A. Information security management system. Int. J. Comput. Appl. 2017, 158, 29–33.
  2. Gillies, A. Improving the quality of information security management systems with ISO27000. TQM J. 2011, 23, 367–376.
  3. Stewart, H.; Jürjens, J. Information security management and the human aspect in organizations. Inf. Comput. Secur. 2017, 25, 494–534.
  4. Prajogo, D.I.; McDermott, P. Examining competitive priorities and competitive advantage in service organisations using Importance-Performance Analysis matrix. Manag. Serv. Qual. Int. J. 2011, 21, 465–483.
  5. Chang, H. Is ISMS for financial organizations effective on their business? Math. Comput. Model. 2013, 58, 79–84.
  6. Susanto, H.; Almunawar, M.N. Information Security Management Systems: A Novel Framework and Software as a Tool for Compliance with Information Security Standard; Apple Academic Press: Palm Bay, FL, USA, 2018.
  7. Chander, M.; Jain, S.K.; Shankar, R. Modeling of information security management parameters in Indian organizations using ISM and MICMAC approach. J. Model. Manag. 2013, 8, 171–189.
  8. Olugbode, M.; Elbeltagi, I.; Simmons, M.; Biss, T. The Effect of Information Systems on Firm Performance and Profitability Using a Case-Study Approach. Electron. J. Inf. Syst. Eval. 2008, 11, 11–16.
  9. Candra, J.W.; Briliyant, O.C.; Tamba, S.R. ISMS planning based on ISO/IEC 27001: 2013 using analytical hierarchy process at gap analysis phase (Case study: XYZ institute). In Proceedings of the 2017 11th International Conference on Telecommunication Systems Services and Applications (TSSA), Bali, Indonesia, 26–27 October 2017; pp. 1–6.
  10. Hsu, C.; Wang, T.; Lu, A. The impact of ISO 27001 certification on firm performance. In Proceedings of the 2016 49th Hawaii International Conference on System Sciences (HICSS), Koloa, HI, USA, 5–8 January 2016; pp. 4842–4848.
  11. Kala, E.M. The impact of cyber security on business: How to protect your business. Open J. Saf. Sci. Technol. 2023, 13, 51–65.
  12. Romanosky, S. Examining the costs and causes of cyber incidents. J. Cybersecur. 2016, 2, 121–135.
  13. ISO27001; Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—Requirements. ISO: Geneva, Switzerland, 2022.
  14. Goel, S.; Shawky, H.A. Estimating the market impact of security breach announcements on firm values. Inf. Manag. 2009, 46, 404–410.
  15. Kitsios, F.; Chatzidimitriou, E.; Kamariotou, M. The ISO/IEC 27001 information security management standard: How to extract value from data in the IT sector. Sustainability 2023, 15, 5828.
  16. Podrecca, M.; Culot, G.; Nassimbeni, G.; Sartor, M. Information security and value creation: The performance implications of ISO/IEC 27001. Comput. Ind. 2022, 142, 103744.
  17. Jevelin, J.; Faza, A. Evaluation the Information Security Management System: A Path Towards ISO 27001 Certification. J. Inf. Syst. Inform. 2023, 5, 1240–1256.
  18. Shojaie, B.; Federrath, H.; Saberi, I. The Effects of Cultural Dimensions on the Development of an ISMS Based on the ISO 27001. In Proceedings of the 2015 10th International Conference on Availability, Reliability and Security, Toulouse, France, 24–27 August 2015; pp. 159–167.
  19. Haufe, K.; Colomo-Palacios, R.; Dzombeta, S.; Brandis, K.; Stantchev, V. ISMS core processes: A study. Procedia Comput. Sci. 2016, 100, 339–346.
  20. Bokhari, S.A.A.; Myeong, S. Use of artificial intelligence in smart cities for smart decision-making: A social innovation perspective. Sustainability 2022, 14, 620.
  21. Bokhari, S.A.A.; Manzoor, S. Impact of information security management system on firm financial performance: Perspective of corporate reputation and branding. Am. J. Ind. Bus. Manag. 2022, 12, 934–954.
  22. Shojaie, B. Implementation of Information Security Management Systems Based on the ISOIEC 27001 Standard in Different Cultures. Ph.D. Thesis, Staats-und Universitätsbibliothek Hamburg Carl von Ossietzky, Hamburg, Germany, 2018.
  23. Shojaie, B.; Federrath, H.; Saberi, I. Evaluating the effectiveness of ISO 27001: 2013 based on Annex A. In Proceedings of the 2014 Ninth International Conference on Availability, Reliability and Security, Fribourg, Switzerland, 8–12 September 2014; pp. 259–264.
  24. Kim, S. ISMS Implementation and Maintenance in Compliance with Finland’s National Cybersecurity Requirements. Bachelor’s Thesis, Haaga-Helia University of Applied Sciences, Helsinki, Finland, 2022.
  25. Hamdi, Z.; Norman, A.A.; Molok, N.N.A.; Hassandoust, F. A comparative review of ISMS implementation based on ISO 27000 series in organizations of different business sectors. J. Phys. Conf. Ser. 2019, 1339, 012103.
  26. Hofstede, G. Dimensionalizing cultures: The Hofstede model in context. Online Read. Psychol. Cult. 2011, 2, 8.
  27. Hofstede, G.; Kolman, L.; Nicolescu, O.; Pajumaa, I. Characteristics of the ideal job among students in eight countries. In Key Issues in Cross-Cultural Psychology; Garland Science: New York, NY, USA, 2021; pp. 199–216. [Google Scholar]
  28. Hofstede, G.; Hofstede, G.; Minkov, M. Cultures and Organizations: Software of the Mind, 3rd ed.; McGraw Hill: New York, NY, USA, 2010. [Google Scholar]
  29. Hofstede, G.; Van Deusen, C.A.; Mueller, C.B.; Charles, T.A.; Network, B.G. What goals do business leaders pursue? A study in fifteen countries. J. Int. Bus. Stud. 2002, 33, 785–803. [Google Scholar] [CrossRef]
  30. Taras, V.; Kirkman, B.L.; Steel, P. Examining the impact of Culture’s consequences: A three-decade, multilevel, meta-analytic review of Hofstede’s cultural value dimensions. J. Appl. Psychol. 2010, 95, 405. [Google Scholar] [CrossRef]
  31. Maher, M.A. Diagnosing and changing organizational culture: Based on the competing values framework. J. Organ. Chang. Manag. 2000, 13, 300–303. [Google Scholar] [CrossRef]
  32. Schein, E.H. Organizational Culture and Leadership; John Wiley & Sons: Hoboken, NJ, USA, 2010; Volume 2. [Google Scholar]
  33. Sadri, G.; Lees, B. Developing corporate culture as a competitive advantage. J. Manag. Dev. 2001, 20, 853–859. [Google Scholar] [CrossRef]
  34. Hatch, M.J. Dynamics in organizational culture. Handb. Organ. Chang. Innov. 2004, 207, 190–211. [Google Scholar]
  35. Dubnjakovic, A. Information Seeking Motivation Scale development: A self-determination perspective. J. Doc. 2017, 73, 1034–1052. [Google Scholar] [CrossRef]
  36. Lele, Q.; Lihua, K. Technical framework design of safety production information management platform for chemical industrial parks based on cloud computing and the internet of things. Int. J. Grid Distrib. Comput. 2016, 9, 299–314. [Google Scholar] [CrossRef]
  37. Le, T.T. Corporate social responsibility and SMEs’ performance: Mediating role of corporate image, corporate reputation and customer loyalty. Int. J. Emerg. Mark. 2023, 18, 4565–4590. [Google Scholar] [CrossRef]
  38. Shohoud, M. Study the Effectiveness of ISO 27001 to Mitigate the Cyber Security Threats in the Egyptian Downstream Oil and Gas Industry. J. Inf. Secur. 2023, 14, 152–180. [Google Scholar] [CrossRef]
  39. Velasco, J.; Ullauri, R.; Pilicita, L.; Jácome, B.; Saa, P.; Moscoso-Zea, O. Benefits of implementing an ISMS according to the ISO 27001 standard in the ecuadorian manufacturing industry. In Proceedings of the 2018 International Conference on Information Systems and Computer Science (INCISCOS), Quito, Ecuador, 13–15 November 2018; pp. 294–300. [Google Scholar]
  40. Alexei, A. Ensuring information security in public organizations in the Republic of Moldova through the ISO 27001 standard. J. Soc. Sci. 2021, 4, 84–94. [Google Scholar] [CrossRef]
  41. Kenyon, B. ISO 27001 Controls–A Guide to Implementing and Auditing; IT Governance Ltd.: Ely, UK, 2024. [Google Scholar]
  42. Asosheh, A.; Hajinazari, P.; Khodkari, H. A practical implementation of ISMS. In Proceedings of the 7th International Conference on e-Commerce in Developing Countries: With focus on e-Security, Kish Island, Iran, 17–18 April 2013; pp. 1–17. [Google Scholar]
  43. Chavez, S.; Anahue, J.; Ticona, W. Implementation of an ISMS Based on ISO/IEC 27001: 2022 to Improve Information Security in the Internet Services Sector. In Proceedings of the 2024 14th International Conference on Cloud Computing, Data Science & Engineering (Confluence), Noida, India, 18–19 January 2024; pp. 184–189. [Google Scholar]
  44. Kitsios, F.; Chatzidimitriou, E.; Kamariotou, M. Developing a risk analysis strategy framework for impact assessment in information security management systems: A case study in it consulting industry. Sustainability 2022, 14, 1269. [Google Scholar] [CrossRef]
  45. Blanco, C.; Santos-Olmo, A.; Sánchez, L.E. QISS: Quantum-Enhanced Sustainable Security Incident Handling in the IoT. Information 2024, 15, 181. [Google Scholar] [CrossRef]
  46. Hennelly, P.; Srai, J.; Graham, G.; Wamba, S.F. Reconfiguring business processes in the new political and technological landscape. Bus. Process Manag. J. 2019, 25, 386–390. [Google Scholar] [CrossRef]
  47. Mukundan, N.; Prakash Sai, L. Perceived information security of internal users in Indian IT services industry. Inf. Technol. Manag. 2014, 15, 1–8. [Google Scholar] [CrossRef]
  48. Tewamba, H.N.; Kamdjoug, J.R.K.; Bitjoka, G.B.; Wamba, S.F.; Bahanag, N.N.M. Effects of information security management systems on firm performance. Am. J. Oper. Manag. Inf. Syst. 2019, 4, 99–108. [Google Scholar] [CrossRef]
  49. Han, J.; Kim, Y.J.; Kim, H. An integrative model of information security policy compliance with psychological contract: Examining a bilateral perspective. Comput. Secur. 2017, 66, 52–65. [Google Scholar] [CrossRef]
  50. Farooq, U.; Ahmed, J.; Ashfaq, K.; Hassan Khan, G.u.; Khan, S. National culture and firm financial performance: A mediating role of firm financing decision. Cogent Bus. Manag. 2020, 7, 1858640. [Google Scholar] [CrossRef]
  51. ISO9001:2015; I. Quality Management Systems—Requirements. ISO: Geneva, Switzerland, 2015.
  52. Kala Kamdjoug, J.R.; Nguegang Tewamba, H.J.; Fosso Wamba, S. IT capabilities, firm performance and the mediating role of ISRM: A case study from a developing country. Bus. Process Manag. J. 2019, 25, 476–494. [Google Scholar] [CrossRef]
  53. ISO14001:2015, I. Environmental Management Systems—Requirements with Guidance for Use. ISO: Geneva, Switzerland, 2015.
  54. Fornell, C.; Larcker, D.F. Structural equation models with unobservable variables and measurement error: Algebra and statistics. 1981, 18, 382–388. [CrossRef]
  55. Xu, L.; Jiang, C.; Wang, J.; Yuan, J.; Ren, Y. Information security in big data: Privacy and data mining. IEEE Access 2014, 2, 1149–1176. [Google Scholar] [CrossRef]
  56. Sato, H.; Kanai, A.; Tanimoto, S. A cloud trust model in a security aware cloud. In Proceedings of the 2010 10th IEEE/IPSJ International Symposium on Applications and the Internet, Seoul, Republic of Korea, 19–23 July 2010; pp. 121–124. [Google Scholar]
  57. Fornell, C.; Larcker, D.F. Evaluating structural equation models with unobservable variables and measurement error. J. Mark. Res. 1981, 18, 39–50. [Google Scholar] [CrossRef]
  58. Hair, J.F. Multivariate data analysis. In International Encyclopedia of Statistical Science; Springer: Berlin/Heidelberg, Germany, 2009. [Google Scholar] [CrossRef]
  59. Boiko, A.; Shendryk, V.; Boiko, O. Information systems for supply chain management: Uncertainties, risks and cyber security. Procedia Comput. Sci. 2019, 149, 65–70. [Google Scholar] [CrossRef]
  60. He, W.; Liu, C.; Lu, J.; Cao, J. Impacts of ISO 14001 adoption on firm performance: Evidence from China. China Econ. Rev. 2015, 32, 43–56. [Google Scholar] [CrossRef]
  61. Moneva, A.; Leukfeldt, R. Insider threats among Dutch SMEs: Nature and extent of incidents, and cyber security measures. J. Criminol. 2023, 56, 416–440. [Google Scholar] [CrossRef]
  62. Pawar, S.; Palivela, H. LCCI: A framework for least cybersecurity controls to be implemented for small and medium enterprises (SMEs). Int. J. Inf. Manag. Data Insights 2022, 2, 100080. [Google Scholar] [CrossRef]
  63. Prislan, K.; Mihelič, A.; Bernik, I. A real-world information security performance assessment using a multidimensional socio-technical approach. PLoS ONE 2020, 15, e0238739. [Google Scholar] [CrossRef] [PubMed]
  64. Ikram, M.; Sroufe, R.; Zhang, Q. Prioritizing and overcoming barriers to integrated management system (IMS) implementation using AHP and G-TOPSIS. J. Clean. Prod. 2020, 254, 120121. [Google Scholar] [CrossRef]
  65. Hariom; Rajak, S.; Kumar, A. An Analytical Framework for Analysing Barriers for the Implementation of Industry 4.0. J. Inst. Eng. (India) Ser. C 2024, 105, 401–416. [Google Scholar] [CrossRef]
  66. Tajammul, M.; Parveen, R. Comparative analysis of big ten ISMS standards and their effect on cloud computing. In Proceedings of the 2017 International Conference on Computing and Communication Technologies for Smart Nation (IC3TSN), Gurgaon, India, 12–14 October 2017; pp. 362–367. [Google Scholar]
  67. Yin, R.K. Case Study Research: Design and Methods; Sage: London, UK, 2009; Volume 5. [Google Scholar]
Figure 1. Hofstede’s cultural dimensions (Source: Trainers Library; Hofstede’s cultural dimensions (https://www.trainerslibrary.org/), accessed 30 July 2024).
Figure 2. Conceptual framework for ISMS, national culture, and SME financial performance.
Figure 3. Demographic characteristics of respondent SME firms.
Table 1. Evaluation of reliability and validity for constructs related to ISMS ISO-27001 and national culture.

| Variables | Measurement Items | Factor Loadings | Cronbach’s Alpha | Composite Reliability |
|---|---|---|---|---|
| ISMS ISO-27001 | Determination of internal and external factors relevant to ISMS | 0.753 | 0.909 | 0.928 |
| | The scope of ISMS 270,001 documented | 0.848 | | |
| | Established information security policy that is appropriate | 0.878 | | |
| | Roles within the ISMS are clearly defined and communicated | 0.664 | | |
| | The ISMS adequately resourced | 0.904 | | |
| | The information security risk assessment process is repeatable | 0.732 | | |
| | A program to ensure the ISMS achieves its outcomes | 0.840 | | |
| | There is an information security risk treatment process to select appropriate risk treatment options | 0.885 | | |
| National Culture | I feel good when I cooperate with others | 0.934 | 0.955 | 0.964 |
| | Competition is the law of nature | 0.922 | | |
| | When another person does better than I do, I get tense and aroused | 0.707 | | |
| | I often do “my own thing” | 0.877 | | |
| | When people get emotionally upset, I tend to avoid them | 0.826 | | |
| | People should keep their troubles to themselves | 0.907 | | |
| | I often go out of my way to help another person | 0.899 | | |
| | I’m not the sort of person who often comes to the aid of others | 0.924 | | |

Table 2. Descriptive statistics (mean, standard deviation) and correlation matrix of study variables (age, size, FP; financial performance, ISMS; information security management system, and NC; national culture) of surveyed small and medium-sized enterprises (SMEs) in India.

| Variables | N | Mean | SD | Age | Size | FP | ISMS | NC |
|---|---|---|---|---|---|---|---|---|
| Age | 256 | 1.44 | 0.497 | 1 | | | | |
| Size | 256 | 1.37 | 0.483 | 0.294 ** | 1 | | | |
| FP | 256 | 12.05 | 3.817 | 0.188 ** | −0.182 ** | 1 | | |
| ISMS | 256 | 4.3551 | 0.46891 | 0.000 | −0.382 ** | 0.479 ** | 0.651 | |
| NC | 256 | 3.8575 | 0.84718 | 0.060 | −0.193 ** | 0.712 ** | 0.249 ** | 0.770 |

** The correlation is significant at the 0.01 level (2-tailed). ISMS: information security management system; NC: national culture. The diagonal entries for ISMS (0.651) and NC (0.770) are the average variance extracted (AVE) values.

Table 3. Regression results showing the impact of age, size, ISMS implementation, and national culture on SME financial performance.

Dependent Variable: Firm Performance

| Variables | Model 1 | Model 2 | Model 3 | Model 4 |
|---|---|---|---|---|
| Independent Variables | | | | |
| (Constant) | 11.938 ** (0.841) | −5.510 * (2.389) | 12.428 ** (1.766) | 65.320 ** (6.853) |
| Age | 2.031 ** (0.479) | 1.606 ** (0.436) | 1.105 ** (0.313) | 0.571 * (0.289) |
| Size | 2.053 ** (0.493) | 0.559 (0.485) | 0.186 (0.351) | 0.172 (0.314) |
| ISMS | | 3.678 ** (0.477) | 2.702 ** (0.347) | 15.230 ** (1.610) |
| NC | | | 2.818 ** (0.181) | 16.255 ** (1.702) |
| Moderating Effect | | | | |
| ISMS × NC | | | | 3.120 ** (0.393) |
| Obs. | 256 | 256 | 256 | 256 |
| F-Model | 13.631 ** | 30.953 ** | 105.930 ** | 118.155 ** |
| R | 0.311 | 0.518 | 0.792 | 0.838 |
| R² | 0.097 | 0.268 | 0.627 | 0.702 |
| Adjusted R² | 0.090 | 0.260 | 0.621 | 0.696 |
| Standard Errors of Estimates | 3.642 | 3.284 | 2.350 | 2.105 |
| Durbin-Watson | 2.057 | 2.209 | 2.009 | 2.158 |

** Correlation is significant at the 0.01 level (2-tailed); * Correlation is significant at the 0.05 level (2-tailed).

Table 4. Overview of evaluation models for ISMS implementation, national culture, and SME financial performance.

| | Essence | Indicators | Results (Effects) |
|---|---|---|---|
| | Dependent Variable | SME financial performance | |
| Model 1 | Control Variables | Constants, age, size | |
| Model 2 | Independent Variable | ISMS implementation, national culture | Supported |
| Model 3 | Moderating Variable | National culture | Supported |
| Model 4 | Moderating Test | ISMS implementation × national culture | Supported |
| Hypothesis 1 | | Higher ISMS ISO-27001 implementation in SMEs has a significant effect on financial performance. | Supported |
| Hypothesis 2a | | National culture dimensions such as high-power distance, collectivism, masculinity, uncertainty avoidance, long-term orientation, and high indulgence significantly impact SME financial performance. | Supported |
| Hypothesis 2b | | National culture dimensions moderate the relationship, strengthening the relationship between ISMS ISO-27001 accreditation and SMEs’ financial performance. | Supported |


Duggal, K.; Myeong, S. The Influence of Information Security Management System Implementation on the Financial Performance of Indian Companies: Examining the Moderating Effect of National Culture. Sustainability 2024, 16, 9058. https://doi.org/10.3390/su16209058
