Information security failures identified and measured – ISO/IEC 27001:2013 controls ranked based on GDPR penalty case analysis

Abstract

This paper identifies the failures and impacts of information security, as well as the most effective controls to mitigate information security risks in organizations. Root cause analysis was conducted on all year 2020 GDPR penalty cases (n = 81) based on misconduct as defined in GDPR article 32: "security of processing." ISO/IEC 27001 controls were used as failure identifiers in the analysis. As a result, this study presents both the most frequent and most expensive information security failures and correspondingly ranks and presents the correlation of the controls observed in the analysis. From a theoretical perspective, our study contributes by bridging the gap between regulation and information security and introduces a statistical method to analyze the GDPR penalty cases, and provides previously unreported findings about information security failures and their respective solutions. From a practical perspective, the results of our study are useful for organizations which aspire to manage information security more effectively in order to prevent the most typical and expensive information security failures. Organizations, as well as auditors implementing and assuring the ISO 27001, may use our results as a guideline whereby controls should be applied and verified first in sequential order based on their impact and interdependence.


Introduction
Information in its various forms is the most important asset of an organization; thus, failures in information security may not only threaten the integrity of organizations, but even their very existence (Gerber & von Solms, 2008). The primary objective of information security, protecting the confidentiality, integrity, and availability of information (Chapple et al., 2018), requires administration and governance (von Solms, 2006), whereby an organization's IT governance, risk management, and compliance functions need to take decisions based on data-driven performance measurement metrics (Vaibhav, 2022).
International standardization frameworks play a necessary role in governing, assuring, and certifying effective information security in organizations (Siponen & Willison, 2009). The ISO/IEC 27001 is considered the de facto standard on how information security is managed, and it functions as the criterion for determining the quality, breadth, and depth of an organization's security controls (Calder & Gerard, 2013). Similar commonly used control frameworks are, e.g., the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) and Control Objectives for Information and Related Technologies (COBIT) (Sulistyowati et al., 2020).
Legal aspects in terms of complying with information security and privacy regulation are becoming increasingly complex (Gerber & von Solms, 2008). The European Union General Data Protection Regulation (GDPR) aims to protect the privacy of EU citizens and consequently requires all organizations operating within the EU to have adequate control of information security (Regulation (EU) 2016/679). Violating the GDPR can lead to substantial financial penalties, and many have already been enforced (Ruohonen & Hjerppe, 2022).
Simultaneously, many comparable regulatory frameworks worldwide form, like the GDPR, a blueprint for how personal data may be protected and processed in a secure way. Developments similar to GDPR are the California Consumer Privacy Act (CCPA) (cf. Thomas, 2020), Brazil's Lei Geral de Proteção de Dados (LGPD) (cf. Macedo, 2021), India's Personal Data Protection Bill (PDPB) (cf. Deva & Suchithra, 2020), and Japan's Act on Protection of Personal Information (cf. Higashizawa & Aihara, 2017).
In order to govern information security and compliance with regulation, intelligence on information security failures and on the controls that manage these failures effectively is becoming ever more important (von Solms, 2006). Identifying, ranking, and selecting the most important information security controls is a fundamental step toward mitigating risks and threats, but it is also a very tricky process and has been a major management challenge for years (Tariq et al., 2020). Thus, more research efforts are needed to minimize the gap between regulation and information security (Dlamini et al., 2009).
Early GDPR penalties have already been studied (cf. Presthus & Sønslien, 2021). However, no studies have so far been conducted explicitly to analyze GDPR penalty cases with statistical methods to identify information security failures with control frameworks such as the ISO/IEC 27001:2013. Likewise, standardization frameworks and ISO 27001 have been utilized to construct capability maturity models to assess the information security posture of an organization (cf. Lopez-Leyva et al., 2020; Monev, 2020), but they do not rank the ISO/IEC 27001:2013 controls based on their impact and interdependence.
Assessing information security can be a complicated and costly operation; thus, a simple analysis method should be applied. Root cause analysis (RCA) is an effective method to achieve this goal (York et al., 2014). This study presents a novel method to analyze the information security failures of organizations with GDPR penalties. In this paper, we apply the RCA method to measure information security failures as identified and measured by analyzing European Union General Data Protection Regulation (GDPR) penalty cases. All year 2020 penalties (n = 81) throughout the EU member countries based on the definition of misconduct in GDPR article 32, "security of processing," were analyzed and matched with ISO/IEC 27001:2013 standard controls. Our study matches the information security standard controls with the statistics from penalty cases, and provides previously unreported information about information security failure volumes and correlations within different industry domains.
The research problem of this paper is to identify and explore the failures and impacts of information security, as well as the most effective controls to mitigate the information security risks in organizations. More specific research questions are as follows:
RQ 1: What are the most frequent and most expensive information security failures corresponding to ISO 27001 controls?
RQ 2: How many information security failures corresponding to ISO 27001 controls typically exist in a GDPR penalty case?
RQ 3: How do the information security failures corresponding to ISO 27001 controls correlate?
RQ 4: Are there any industry type differences in information security failures and penalties?
The remainder of the paper is structured as follows. Section 2 presents a literature review, explores important aspects of GDPR, and positions the ISO/IEC 27001:2013 standard in an IT governance, risk management and compliance (IT-GRC) framework. Section 3 presents the material and methodology of the study. The results of the study are presented and discussed in section 4. Finally, section 5 concludes the paper, presenting theoretical and practical contributions as well as the limitations and future direction of the study.

Literature review
In this section, the important features and relevant literature of GDPR and ISO 27001 are presented and positioned in the IT governance, risk management and compliance (IT-GRC) framework. Table 1 presents the most relevant literature reviewed, bringing forth the research gap as well as positioning the IT-GRC as the overarching domain, governing information security with compliance with regulation and control frameworks.

The European Union General Data Protection Regulation
The European Union General Data Protection Regulation (GDPR) came into force in May 2018, and unified the diverse data protection laws throughout the EU into one regulation fit for purpose in the 21st century (Cornock, 2018). The main objective of GDPR is to safeguard the fundamental right of EU citizens to data protection and to protection with respect to the processing of their personal data. GDPR lays out a wide variety of requirements as to how personal data may be processed by an organization, as well as granting individuals, also known as data subjects, many rights which enable them to have more control over how their personal data is processed (Regulation (EU) 2016/679).
GDPR carries a paramount requirement about information security. The GDPR article 32, "security of processing," obliges organizations to implement technical and organizational measures to guarantee the adequate security of personal data. Article 32, however, does not require a specific set of such measures, because GDPR is technology neutral and grants a great deal of freedom in terms of how to realize compliance (Selzer et al., 2021). Providing only a minimum amount of guidance to meet the information security requirement, the regulation outlines examples and protection objectives, which include (Regulation (EU) 2016/679):
• The pseudonymization and encryption of personal data
• The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
• The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
• A risk-based process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
The distinction between data processors and data controllers is important in GDPR. The data controller is the entity determining how personal data is used and is thus ultimately responsible for information security. For example, if a vendor hosts a website on behalf of an organization, the organization becomes the data controller, and the vendor will be the data processor (Hintze, 2018). When processing is outsourced to a processor, the controller may only contract such processors which are able to provide sufficient guarantees of adequate information security (Regulation (EU) 2016/679). GDPR defines a data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed." As a consequence of a data breach, the data controller is obliged to make a timely report about it to the supervisory authority, as well as to inform the data subjects where their right to privacy is significantly compromised (Regulation (EU) 2016/679). The supervisory authorities acting in each EU member country have the task of ensuring compliance with the GDPR, and in order to fulfil this function they have various investigative and corrective powers. The most severe form of corrective power is administrative fines, where the maximum penalty is up to 20 million euros, or 4% of the total worldwide annual turnover (Regulation (EU) 2016/679). Penalties issued by the supervisory authorities are public information; thus GDPR enables transparency in cases of data breaches caused by information security failures throughout the European Union (Garrison & Hamilton, 2019).
Penalties are imposed depending on certain criteria such as the nature, gravity, and duration of the infringement, categories of personal data affected, the number of data subjects in scope, and the level of damage suffered by them, as well as aggravating or mitigating circumstances such as relevant previous infringements and the degree of cooperation with the supervisory authority.GDPR has allowed each EU member state to establish its own rules on the calculation of penalties and determine whether and to what extent penalties may be imposed on public organizations (Regulation (EU) 2016/679).The European Data Protection Board, which ensures the consistent application of GDPR, has published draft guidelines on the calculation of penalties to harmonize the methodology of the supervisory authorities (EDPB, 2022).
The relationship and interdependency between GDPR and information security is recognized in the literature (cf. Geko & Tjoa, 2018), but it is not entirely clear how information security frameworks can support compliance with GDPR (Serrado et al., 2020). However, models and tools have been proposed to assess the privacy risk, together with information security related risk, in order to assist organizations to select high-risk areas for further control actions (Wei et al., 2020).
Violations which led to GDPR penalties have already been explored and studied (cf. Ruohonen & Hjerppe, 2022, and Presthus & Sønslien, 2021). A study by Akhlaghpour et al. (2021) was conducted on 93 GDPR enforcement cases, which identified several risk categories and their associated mitigation measures. A similar study by Saemann et al. (2022) analyzed and categorized 856 GDPR fines based on different violations, where it was found that one of the main drivers for GDPR penalties was the data subjects' complaints to authorities, or existing incidents which were a public concern.
The supervisory authorities' enforcement actions show that organizations fail to ensure adequate technical and organizational measures in implementing GDPR article 32 (Degli-Esposti & Ferrándiz, 2021). Previous studies show that penalties issued in the first 24 months after GDPR implementation were relatively conservative and did not reach the maximum threshold. Most of these early penalties were a response to privacy violations, but notably the majority of the larger fines were triggered by information security incidents, and, on average, information security violations led to relatively weightier fines than pure privacy violations (Wolff & Atallah, 2021). Craddock (2022) argues that early GDPR fines were largely inconsistent, and proposes a methodology to forecast the amount of future GDPR penalties, which are predicted to be much higher. Since the authorities are expected to get tougher with prosecutions (Barret, 2020), more research efforts are needed to analyze the impacts of GDPR (Hirvonen, 2022) to minimize the gap between regulation and information security (Dlamini et al., 2009).

IT governance, risk management and compliance framework
The information technology governance, risk management and compliance (IT-GRC) framework is derived from corporate governance, where the business focus is aligned with the IT management of an organization (Osden & Lubbe, 2009). The objective of IT-GRC is to implement effective management techniques with business strategies and IT, and also to manage industry standards and compliance with information security and regulatory requirements (Schlarman, 2009).
IT-GRC integrates and streamlines essential processes to manage the risks which threaten the confidentiality, integrity, and availability (CIA) of key operations of an organization (Nicho et al., 2017), while the primary focus of information security is, similarly, the commitment to ensuring the continuous CIA of information in an organization (Chapple et al., 2018). Information security is primarily risk management, and therefore it is a fundamental element of IT-GRC (Wright, 2019), where governing decisions should be based on data-driven performance measurement metrics (Vaibhav, 2021).
Effective control frameworks are necessary when managing the information security risk within the organizational IT-GRC structure. A wide variety of information security standards to certify an organization, such as NIST and COBIT, are available, whereas the ISO/IEC 27001:2013 is one of the most widely used standards (Dharmalingam et al., 2018; Sulistyowati et al., 2020) and is recommended by the literature (cf. Brenner, 2007; Mayer & Smet, 2017). The relationship of ISO 27001 with successful IT-GRC is well recognized, because the standard encompasses all the necessary goals under its Information Security Management System (ISMS) to support an effective IT-GRC implementation (Sanskriti & Astitwa, 2018).

The ISO/IEC 27001:2013 in the ISO 27000 family of standards
The ISO/IEC 27000 family of standards is a numbered series of international information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The correct designation for a standard includes the ISO/IEC prefix and a suffix giving its year of publication. The formal title of the ISO 27001 standard is "Information technology - Security techniques - Information security management systems - Requirements," and it is referred to simply as ISO 27001 (ISO/IEC 27001:2013).
The core of the ISO 27001 standard requires organizations to adopt a risk-based approach and provides a model for "establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS) to protect the confidentiality, integrity and availability of information from threats and vulnerabilities." The standard requires establishing a risk assessment framework, identifying, analyzing, and evaluating risks, and finally selecting a risk treatment plan, which is the process of building the security controls to protect the organization's information assets (ISO/IEC 27001:2013).
ISO/IEC 27001:2013 controls are shown in Annex A, which first has 14 control clauses, each of which is identified with one or more control objectives, which are further served by a total of 114 controls (ISO/IEC 27001:2013). for certifying an ISMS, so they are jointly referred to as the "common language of organizations around the world for information security" (Humphreys, 2011).
ISO 27002 was updated on February 15, 2022, and Annex A of ISO 27001 was aligned with those changes in the last quarter of 2022. In the new versions, the number of controls has decreased from 114 to 93, and these are placed in 4 sections instead of the previous 14. In the new versions, the security controls are divided into separate sections according to their specific type, which are organizational security controls (n = 37), personal safety controls (n = 8), physical security controls (n = 14), and technical safety controls (n = 34). In the new versions, there are 11 new controls. While none of the controls were deleted, some controls were merged together (ISO/IEC 27002:2022).
Notably, ISO/IEC 27701:2019 is an auxiliary standard to ISO 27001 and ISO 27002, and it specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). ISO 27701 is not mandatory for ISO 27001 certification, but it extends the information security requirements of ISO 27001 to take into account the protection of privacy and personally identifiable information, and provides guidance on how these requirements should be implemented (ISO/IEC 27701:2019).
When placing ISO 27001 and GDPR side by side, it is clear that even though ISO 27001 and GDPR have different standpoints, they both apply a risk management approach to data. GDPR aims to mitigate the privacy risks of data subjects by placing various provisions on personal data processing, while ISO 27001 obliges organizations to adopt a continuously maintained ISMS (Diamantopoulou et al., 2020), which is a compliance facilitator to support the response of organizations to the security requirements of GDPR (Lopes et al., 2019).
As ISO 27001 has a long history of development and best practices, it has been a basis for studies assessing the information security maturity and risks of organizations. However, these studies typically do not rank the ISO 27001 controls based on their impact or provide further input on how to improve the assessed maturity and risk levels (Anass et al., 2020).
For example, Monev (2020) proposes a methodology for performing information security maturity assessment solely based on ISO 27001 and ISO 27002. Another study by Nungky et al. (2022) proposes a situational awareness model to assess cybersecurity risks based on Annex A of ISO/IEC 27001:2013.
A study by Shojaie et al. (2014) classified the ISO/IEC 27001:2013 controls into categories which support organizations in evaluating and improving their ISMS performance, as well as providing understanding of relevant security flaws. Another study by Khajouei et al. (2017) provided a ranking of effective ISO/IEC control objectives in a single case organization. For similar studies, see, for example, Lopez-Leyva et al. (2020) and Makupi & Karume (2019). Furthermore, many of the proposed maturity models have been greatly influenced by the ISO 27001 (cf. Al-Matari et al., 2021; Bashofi & Salman, 2022).

Material and method
In this section the approach to gathering and analyzing the research data is described.

Material of the study
The publicly available data source for this study is the GDPR Enforcement Tracker, which is a freely accessible website maintained by a global law firm, CMS.The database contains formal GDPR penalty case reports, which have been issued by the data protection authorities in EU member countries to organizations not complying with the regulation (GDPR Enforcement Tracker).
The database was searched for the year 2020 together with GDPR article 32, "security of processing," which resulted in 81 GDPR penalty case reports where the penalty type was "insufficient technical and organizational measures to ensure information security." These GDPR penalty case reports, formally describing and specifying information security failures, accounted for the penalties issued to 81 different organizations. Out of the total of 81 GDPR penalty case reports, there were 25 cases which also included references to GDPR articles other than article 32. The supervisory authorities issue penalties as a whole and do not distinguish the penalty amounts between failures in the different quoted GDPR articles.

Methodology of the study
The method applied in the study was root cause analysis (RCA) to identify what caused the information security failures and what their impacts were. Root cause analysis as a method is a process which applies data collection, cause charting, root cause identification, and generation of recommendations. Only when root causes are determined can corrective measures that prevent future events of the type observed be specified (Rooney et al., 2004). The different RCA subtype methods can be summarized into the following three categories (York et al., 2014):
• Chart type RCAs, which are constructed in the style of a flow chart (Doggett, 2005).
• Tabular type RCAs, for example the 5 whys method (Card, 2016) and the Failure Modes and Effects Analysis (FMEA) (Paciarotti et al., 2014).
• Graphical RCAs, typically histograms and the Pareto 80/20 method (York et al., 2014).
RCA as a methodology is challenged by the problem of "many hands," which means that the root causes cannot easily be pinpointed to a single individual or contributing factor responsible for the outcome, or to the solution that fixes the problem. RCA implies that there is only a single root cause, which often is not the case in a complex environment. RCAs also typically lack solutions to eliminate the root cause problems (Peerally et al., 2016).
The RCA method of this study is a mixture of tabular and graphical RCA types.
Each GDPR penalty case, with its respective information security failures corresponding to a specific failure identifier (ISO 27001 control), as well as the total penalty of the case, were mapped in a table. This table, which contained binary variables, enabled further analysis, and the graphical presentation of results is presented in Table 3.
This study was conducted before the new version of ISO/IEC 27001:2022 was published, and therefore the criteria of this analysis were the ISO/IEC 27001:2013 Annex A controls, which were used as root cause identifiers in each of the 81 individual GDPR penalty cases.
There were 38 individual information security failures on the ISO 27001 control level, which included five failures that could not be matched with any exact ISO 27001 control. These five failures were included in the scope of the analysis because they were specifically addressed by the supervisory authorities, and consequently were the cause of the issued penalties. In the presented results, these unmatched information security failures do not have the ISO number prefix, unlike the failures which were mapped to a specific ISO 27001 control.
The 38 information security failures on the ISO 27001 control level were mapped to their respective 21 control objectives and further to their respective 12 control clauses, while the five unmatched failures were mapped within their own groups.
Penalty amount calculations for each individual information security failure were first conducted separately on the ISO 27001 control level. The total penalty amount of a single GDPR penalty case was divided by the number of information security failures that were observed in the case. For example, in a GDPR penalty case where there were three observed information security failures and the total penalty was 600 euros, the cost of an individual failure was 200 euros. Next, the average of these shares was calculated for each information security failure across all cases in which it occurred, which became the penalty for that individual information security failure. Penalty amount calculations were further conducted separately on ISO 27001 control objectives and control clauses.
The 81 GDPR penalty cases were grouped to present the number of information security failures per case, which ranged from 1 to 13.The average penalty was calculated for each of these groups.
Information security failure correlations were calculated separately on ISO 27001 controls and further on their respective control objectives and control clauses. To emphasize their strategic significance, the ISO 27001 controls which had very strong (0.65 and above) correlation are presented in the results. After that, the fairly strong (0.35 and above) correlation of ISO 27001 control objectives and the correlation (0.3 and above) of ISO 27001 control clauses are presented in the results. P-values of the Pearson correlation were used, and results where the p-value was lower than 0.05 were considered statistically significant.
Finally, all the 81 GDPR penalty cases were grouped to present the penalty amounts and frequencies in different industry sectors.
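The following Python script is an added worked example, not code from the paper or its authors, that carries the methodology steps above through on a constructed set of six penalty cases: the binary case/control table, the equal split of each case's penalty among its failures and the per-control average, the grouping of cases by number of failures, the roll-up of controls to ISO 27001 control objectives and clauses, and a Pearson correlation screen with a two-sided p-value. The case data, the choice to collapse duplicate identifiers within a case after rolling up, and the SciPy-free t-distribution integration are this example's own assumptions; only the calculation rules follow the text.

```python
import math
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample: (case id, total penalty in EUR, failures observed).
# Identifiers are ISO/IEC 27001:2013 Annex A controls; the cases are invented.
CASES = [
    ("C1", 600, ["A.9.4.2", "A.12.4.1", "A.8.2.1"]),
    ("C2", 10_000, ["A.9.4.2", "A.8.2.1"]),
    ("C3", 3_000, ["A.13.2.3"]),
    ("C4", 2_400, ["A.9.4.2", "A.12.4.1", "A.8.2.1", "A.14.2.8"]),
    ("C5", 1_500, ["A.13.2.3", "A.10.1.1", "A.8.2.1"]),
    ("C6", 800, ["A.12.4.1", "A.9.4.2"]),
]

def roll_up(cases, level):
    """Map controls to their objective ("A.9.4") or clause ("A.9"). Unmatched
    failures (no "A." prefix) stay their own group; duplicates within a case
    collapse to one failure (a choice made for this example)."""
    parts = {"objective": 3, "clause": 2}[level]
    rolled = []
    for cid, penalty, failures in cases:
        group = {".".join(f.split(".")[:parts]) if f.startswith("A.") else f
                 for f in failures}
        rolled.append((cid, penalty, sorted(group)))
    return rolled

def binary_table(cases):
    """Cases x failure identifiers matrix of 0/1 indicators."""
    controls = sorted({f for _, _, failures in cases for f in failures})
    rows = [[int(c in failures) for c in controls] for _, _, failures in cases]
    return controls, rows

def failure_frequency(cases):
    """Number of cases in which each failure identifier was observed."""
    return Counter(f for _, _, failures in cases for f in failures)

def per_failure_penalty(cases):
    """Split each case's penalty equally among its failures (600 EUR with three
    failures -> 200 EUR each) and average the shares per identifier."""
    shares = defaultdict(list)
    for _, penalty, failures in cases:
        for f in failures:
            shares[f].append(penalty / len(failures))
    return {f: sum(v) / len(v) for f, v in shares.items()}

def penalty_by_failure_count(cases):
    """Average total penalty of cases grouped by number of failures."""
    groups = defaultdict(list)
    for _, penalty, failures in cases:
        groups[len(failures)].append(penalty)
    return {k: sum(v) / len(v) for k, v in sorted(groups.items())}

def pearson(x, y):
    """Pearson r; None when a column is constant (r is then undefined)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return None
    return sxy / math.sqrt(sxx * syy)

def _student_t_pdf(t, df):
    c = math.gamma((df + 1) / 2) / (math.sqrt(df * math.pi) * math.gamma(df / 2))
    return c * (1 + t * t / df) ** (-(df + 1) / 2)

def two_sided_p_value(r, n, steps=2000):
    """p-value for H0: rho = 0 via t = r*sqrt((n-2)/(1-r^2)) on n-2 degrees of
    freedom; the t density is integrated with Simpson's rule (no SciPy needed).
    |r| = 1 makes t infinite, so p = 0."""
    df = n - 2
    if df < 1:
        return None
    if abs(r) >= 1.0:
        return 0.0
    t = abs(r) * math.sqrt(df / (1 - r * r))
    h = t / steps
    total = _student_t_pdf(0.0, df) + _student_t_pdf(t, df)
    for i in range(1, steps):
        total += (4 if i % 2 else 2) * _student_t_pdf(i * h, df)
    return max(0.0, 1 - 2 * total * h / 3)  # mass in the two tails beyond +-|t|

def strong_correlations(cases, threshold=0.65, alpha=0.05):
    """Identifier pairs with r >= threshold, with p-value and significance."""
    controls, rows = binary_table(cases)
    found = []
    for i, j in combinations(range(len(controls)), 2):
        r = pearson([row[i] for row in rows], [row[j] for row in rows])
        if r is None or r < threshold:
            continue
        p = two_sided_p_value(r, len(rows))
        found.append((controls[i], controls[j], round(r, 3), round(p, 4), p < alpha))
    return found

if __name__ == "__main__":
    print(failure_frequency(CASES).most_common(), per_failure_penalty(CASES))
    print(penalty_by_failure_count(CASES), strong_correlations(CASES))
    print(strong_correlations(roll_up(CASES, "clause"), threshold=0.3))
```

On this sample the only control pair reaching r ≥ 0.65 is A.12.4.1 with A.9.4.2 (r ≈ 0.71), but with six cases its p-value is about 0.12, so it would not pass the 0.05 significance cut the paper applies; the example also shows why a control present in every case (or none) must be skipped, since its correlation is undefined.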

Results and discussion
In this section the results of the analysis and answers to the research questions are presented. Both ISO/IEC 27002:2013 and ISO/IEC 27701:2019 standards are used for interpreting the results.

The most frequent information security failures
The top 10 most frequent information security failures corresponding to ISO 27001 controls are presented in Figure 1.
The most frequent (n = 47) failure is the lack of "A.9. The third most frequent failure (n = 31) is lack of "A.8.2.1 Classification of information." Information shall be classified in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification (ISO/IEC 27001:2013). The organization should mandate asset owners to follow the formal classifying scheme, which further specifies how the asset should be protected (ISO/IEC 27002:2013), while ISO 27701 further recommends taking personally identifiable information into consideration (ISO/IEC 27701:2019). This control applies to the GDPR article 32 requirement of having a risk assessment conducted in order that adequate organizational and technical controls are further selected and implemented (Regulation (EU) 2016/679).
The fourth most frequent failure (n = 18) is lack of implementation of "A.10.1.1 Policy on the use of cryptographic controls," which is necessary to maximize the benefits of using cryptographic techniques and to avoid inappropriate or incorrect use. GDPR addresses encryption as a technique to secure personal data processing (Regulation (EU) 2016/679), although the decision on whether a cryptographic solution is appropriate and should be applied ought to be part of the wider risk assessment process (ISO/IEC 27002:2013). ISO 27701 additionally guides the organization to provide information to the data subject regarding the circumstances in which it uses cryptography to protect personally identifiable information. The organization should also provide information to the data subject which can assist them in applying their own cryptographic protection (ISO/IEC 27701:2019).
The fifth most frequent failure (also n = 18) is lack of control in "A.13.2.3 Electronic messaging." Information involved in electronic messaging shall be appropriately protected (ISO/IEC 27001:2013). There are many types of electronic messaging, such as e-mail, electronic data interchange, and social networking, which play a role in communications. Information security considerations should include, e.g., protecting messages from unauthorized access, modification, or denial of service in line with the risk-based classification scheme adopted by the organization (ISO/IEC 27002:2013).
The sixth most frequent failure (n = 14) is inadequate "A.12.4.1 Event logging." Many data breaches were caused by lack of tracing of user actions in systems. Therefore, event logs recording user activities, exceptions, faults, and information security events should be produced, kept, and regularly reviewed (ISO/IEC 27002:2013). ISO 27701 provides additional guidance by recommending a process to review the event logs, and where possible, event logs should specifically record user access to personally identifiable information (ISO/IEC 27701:2019).
The seventh most frequent failure (also n = 14) is lack of "A.14.2.8 System security testing," which is important because GDPR requires regular testing and assessment of the effectiveness of measures for ensuring the security of processing (Regulation (EU) 2016/679). New and updated systems require thorough testing and verification during the development processes, including the preparation of detailed schedules of activities and test outputs under a range of conditions. The extent of testing should be in proportion to the importance and nature of the system (ISO/IEC 27002:2013), which once again refers to the need for having a risk assessment conducted.
The eighth most frequent failure (n = 12) is lack of control in "A.8.2.3 Handling of assets." Procedures for handling an asset shall be developed and implemented in accordance with the information classification scheme adopted by the organization (ISO/IEC 27001:2013). The classification scheme used within the organization may not be equivalent to the schemes used by other organizations, which should be taken into account when information is transferred (ISO/IEC 27002:2013).
The ninth most frequent failure (also n = 12) is "Human error," which was not mapped to any specific ISO 27001 control. Human errors can be caused by insufficient information security awareness, education, and training. Human errors addressed by the supervisory authorities, however, also comprised pure accidents or the mistakes of well-educated staff members, leading to loss of confidentiality, integrity, or availability of information.
Finally, the tenth most frequent failure (n = 9) is lack of control in "A.15.1.2 Addressing security within supplier agreements," which is also required by GDPR (Regulation (EU) 2016/679). Supplier agreements should be established and documented to ensure that there is no misunderstanding between the organization and the supplier regarding both parties' obligations to fulfil relevant information security requirements. The agreements may vary considerably for different organizations and among different types of suppliers; thus, care should be taken to include all relevant information security risks and requirements (ISO/IEC 27002:2013). ISO 27701 further guides the organization to specify in agreements with suppliers whether personal data is processed and the minimum technical and organizational measures that the supplier needs to meet (ISO/IEC 27701:2019). All 38 information security failures corresponding to ISO 27001 controls are ranked based on their frequency and presented in Table 4.
A ranking of the most frequent information security failures corresponding to ISO 27001 control objectives is presented in Figure 2.
Information security failures corresponding to ISO 27001 control objectives reaching the threshold of 20 observations are explained here. The most frequent failure (n = 58) is the lack of "A.9.4 System and application access control," where the objective is to prevent unauthorized access to systems and applications. The second most frequent failure (n = 44) is the lack of "A.8.2 Information classification," where the objective is to ensure that information receives an appropriate level of protection in accordance with its importance to the organization. The third most frequent failure (n = 32) is lack of controls "A.7.2 During employment," where the objective is to ensure that employees and contractors are aware of and fulfil their information security responsibilities after being recruited by an organization.
Fourth (n = 23) are information security failures that were not mapped to ISO 27001 controls, which form their own category. Most of these failures consist of pure human errors or the neglect of given instructions. The fifth most frequent failure (n = 32) is lack of "A.16.1 Management of information security incidents and improvements," where the objective is to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
A ranking of the most frequent information security failures corresponding to ISO 27001 control clauses is presented in Figure 3.
The most frequent information security failure corresponding to an ISO 27001 control clause is "A.9 Access control" (n = 66), followed by "A.8 Asset management" (n = 49) and "A.7 Human resource security" (n = 32). In conclusion, these results can be taken into account in organizations which aspire to manage information security more effectively to prevent the most typical failures by implementing controls based on their importance.

The most expensive information security failures
The top 10 most expensive information security failures corresponding to ISO 27001 controls are presented in Figure 4. The most expensive failure (€ 9,266,667) was "Technical data integrity inconsistencies in systems leading to confidentiality breach." This failure was not mapped to any specific ISO 27001 control and was part of a penalty case where the total penalty was almost 28 million euros. That case contained only two other information security failures, which explains the high penalty amount attributed to this failure; the failure can nevertheless be traced to the controls governing how information systems shall be developed, tested, and maintained to protect data integrity and confidentiality.
The second most expensive failure (€ 2,272,222) was lack of control in "A.12.1.2 Change management." Inadequate control of changes to information processing facilities and systems is a common cause of data breaches. Changes to the operational environment, especially when transferring a system from the development to the operational stage, can impact the reliability of applications; therefore, formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes (ISO/IEC 27002:2013).
The third most expensive failure (€ 1,984,034) was inadequate "A.9.2.3 Management of privileged access rights." Inappropriate use of system administration privileges (any feature or facility of an information system that enables the user to override system or application controls) is a major contributory factor to failures or breaches of systems. Thus, the allocation of privileged access rights should be controlled through a formal authorization process in accordance with the relevant access control policy (ISO/IEC 27002:2013).
The fourth most expensive failure (€ 1,214,167) was inadequacies in "A.12.2.1 Controls against malware." Protection against malware shall be based on malware detection and repair software, information security awareness, and appropriate system access and change management controls (ISO/IEC 27001:2013). The use of malware detection and repair software as the sole malware control is not usually adequate and commonly needs to be accompanied by operating procedures that prevent the introduction of malware (ISO/IEC 27002:2013).
The fifth most expensive failure (€ 1,102,858) was inadequate "A.14.2.8 System security testing," followed by the sixth most expensive failure (€ 603,400) lack of control in "A.8.2.1 Classification of information," which were both present in the top 10 most frequent information security failures.
The seventh most expensive failure (€ 593,171) was inadequacy in "A.16.1.2 Reporting information security events." All employees and contractors should be made aware of their responsibility to report information security events through the proper channels as quickly as possible (ISO/IEC 27002:2013).
The eighth most expensive failure (€ 592,221) was lack of "A.16.1.1 Responsibilities and procedures" concerning incident management, where management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents (ISO/IEC 27001:2013). If incidents are not reported, further investigated, and fixed, they remain unaddressed, which consequently causes data breaches to become more severe and more extensive. ISO 27701 further guides on establishing responsibilities and procedures for the identification and recording of breaches of personal data as well as notification to required parties, including the timing of such notifications and the disclosure to authorities (ISO/IEC 27701:2019), which is also required by GDPR (Regulation (EU) 2016/679).
The ninth most expensive failure (€ 569,592) was lack of control in "A.14.1.2 Securing application services on public networks." Applications accessible via public networks are subject to a range of network-related threats, and therefore a detailed risk assessment and selection of controls is indispensable. The required controls often include cryptographic methods, authentication, and securing data transfer (ISO/IEC 27002:2013). ISO 27701 recommends encryption, specifically when personal data is transmitted over untrusted data transmission networks (ISO/IEC 27701:2019).
Finally, the tenth most expensive failure (€ 580,427) was lack of control in "A.9.4.2 Secure logon procedures." The procedure for logging into a system or application should be designed to minimize the opportunity for unauthorized access, and thus a suitable authentication technique should be chosen to substantiate the claimed identity of a user. Where strong authentication and identity verification is required, authentication methods alternative to passwords, such as cryptographic means, smart cards, or biometric means, should be used (ISO/IEC 27002:2013). ISO 27701 additionally guides the organization on providing the capability for secure log-on procedures for any user accounts under the data subject's control (ISO/IEC 27701:2019).
All 38 most expensive information security failures corresponding to ISO 27001 controls are presented in Table 5.
A ranking of the most expensive information security failures corresponding to ISO 27001 control objectives is presented in Figure 5. Information security failures corresponding to ISO 27001 control objectives reaching the threshold of a 500,000 euro penalty are explained here.The most expensive failure (€ 1,984,934) was inadequate "A.9.2 User access management," where the objective is to ensure access for authorized users and to prevent unauthorized access to systems and services.The second most expensive failure (€ 1,214,167) was lack of "A.12.2 Protection from malware," where the objective is to ensure that information and information processing facilities are protected against malware.The third most expensive failure (€ 870,309) was lack of control in "A.14.2 Security in development and support processes," where the objective is to ensure that information security is designed and implemented within the whole development lifecycle of information systems.
The fourth most expensive failure (€ 800,366) was inadequate control in "A.12.1 Operational procedures and responsibilities," where the objective is to ensure correct and secure operations of information processing facilities.The fifth most expensive failure (€ 569,592) was lack of "A.14.1 Security requirements of information systems," where the objective is to ensure that information security is a fundamental element of information systems across their entire lifecycle.
A ranking of the most expensive information security failures corresponding to ISO 27001 control clauses is presented in Figure 6.
The most expensive information security failure corresponding to an ISO 27001 control clause (€ 757,272) was inadequate "A.14 System acquisition, development and maintenance," followed by the category of failures (€ 483,607) which were not mapped to any specific ISO 27001 control. The third most expensive failure was lack of control in "A.12 Operations security" (€ 421,878). In conclusion, these results can be taken into account in organizations which aim to manage information security more effectively to prevent the most expensive failures by implementing controls based on their importance.

The number of information security failures in a GDPR penalty case
The number of information security failures corresponding to ISO 27001 controls typically existing in GDPR penalty cases in the year 2020 is presented in Table 6.
The number of information security failures ranges from 1 to 13 failures per GDPR penalty case. There is typically a low number of failures in a case. In 30% of the cases there were only 2 failures, and in 25% of the cases only 3 failures were observed, while single-failure cases comprised 12% of the cases analyzed. Cases with four or more failures comprised 33% of all the cases. Notably, there were only two cases with more than ten failures, and in the single case with the most observed information security failures (thirteen), the penalty was over 22 million euros.

Information security failure correlations
Next, the results on how the information security failures corresponding to ISO 27001 controls correlate are presented. Information security failures which have a fairly strong (0.30 and above) correlation, and which have statistical significance (p-value lower than 0.05), consist of a total of 61 observations. To highlight the strategic significance of these correlated controls, Table 7 presents the set of seven controls which have a very strong (0.65 and above) correlation.
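As an added worked example (not code from the paper), the following Python reproduces, on a constructed set of cases, the three computations reported in this section: the frequency ranking of failed controls (as in Table 4), the per-failure penalty share from which the Figure 4 amounts appear to be built, and the correlation screen described in the paragraph above. Because the page does not state them, it assumes that each case's penalty is split equally among the failures observed in it (consistent with the € 9,266,667 attributed to one of three failures in a case of almost 28 million euros), that the correlation statistic is the phi coefficient (Pearson r on 0/1 presence indicators), and that significance is assessed with a one-degree-of-freedom chi-square test. The case data, the penalty amounts, and the label "INT" for an unmapped failure are constructed for illustration.

```python
"""Added example: rank ISO 27001 control failures across GDPR penalty cases.

Assumptions (not stated on the page): each case's penalty is split equally
among the failures observed in it, the correlation statistic is the phi
coefficient (Pearson r on 0/1 presence indicators), and its p-value comes
from the chi-square test with one degree of freedom (chi2 = n * phi^2).
"""
from collections import Counter, defaultdict
from itertools import combinations
from math import erfc, sqrt

# Constructed sample input, not the paper's data: (penalty in EUR, failed controls).
# "INT" stands for a failure that was not mapped to any ISO 27001 control.
CASES = [
    (27_800_000, {"INT", "A.14.2.8", "A.12.1.2"}),
    (1_200_000, {"A.9.4.2", "A.9.2.3", "A.12.1.2"}),
    (450_000, {"A.9.4.2", "A.8.2.1"}),
    (300_000, {"A.8.2.2", "A.11.1.5", "A.16.1.1"}),
    (75_000, {"A.8.2.2", "A.11.1.5"}),
    (20_000, {"A.9.4.2"}),
    (600_000, {"A.16.1.1", "A.16.1.2", "A.9.4.2"}),
    (150_000, {"A.8.2.2", "A.11.1.5", "A.8.3.1"}),
]


def frequency_ranking(cases):
    """Controls ordered by the number of cases they failed in (ties broken by name)."""
    counts = Counter()
    for _, controls in cases:
        counts.update(controls)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def allocated_penalty(cases):
    """Mean per-failure share of the penalty for each control.

    Each case's penalty is divided equally among its failures (assumption),
    so a EUR 27.8M case with three failures contributes EUR 9,266,667 to each.
    """
    shares = defaultdict(list)
    for penalty, controls in cases:
        for control in controls:
            shares[control].append(penalty / len(controls))
    return {c: sum(v) / len(v) for c, v in shares.items()}


def phi_with_p(cases, a, b):
    """Phi coefficient between failures a and b, and its chi-square p-value.

    With one degree of freedom the chi-square survival function is
    erfc(sqrt(x / 2)), so no external statistics library is needed.
    """
    n = len(cases)
    n11 = sum(1 for _, s in cases if a in s and b in s)
    n10 = sum(1 for _, s in cases if a in s and b not in s)
    n01 = sum(1 for _, s in cases if a not in s and b in s)
    n00 = n - n11 - n10 - n01
    denom = sqrt((n11 + n10) * (n01 + n00) * (n11 + n01) * (n10 + n00))
    if denom == 0:  # a or b is present in every case or in none
        return 0.0, 1.0
    phi = (n11 * n00 - n10 * n01) / denom
    chi2 = n * phi * phi
    return phi, erfc(sqrt(chi2 / 2))


def correlated_failures(cases, min_r=0.30, max_p=0.05):
    """Pairs passing the paper's screen (|r| >= 0.30 and p < 0.05), strongest first."""
    controls = sorted({c for _, s in cases for c in s})
    hits = []
    for a, b in combinations(controls, 2):
        r, p = phi_with_p(cases, a, b)
        if abs(r) >= min_r and p < max_p:
            hits.append((a, b, round(r, 3), round(p, 4)))
    return sorted(hits, key=lambda t: -abs(t[2]))


if __name__ == "__main__":
    print("Most frequent:", frequency_ranking(CASES)[:3])
    costs = allocated_penalty(CASES)
    print("Most expensive:", sorted(costs.items(), key=lambda kv: -kv[1])[:3])
    for a, b, r, p in correlated_failures(CASES):
        print(f"{a} ~ {b}: r={r:+.3f} p={p:.4f}")
```

Two caveats carry over to real data. Controls that each appear in only one case come out with phi = 1.0 and a small p-value (A.14.2.8 and the unmapped failure above), so sparse controls should be inspected manually or excluded with a minimum-support filter before the correlation is read as a dependency between controls. The chi-square approximation is also crude at n = 8; it is more defensible at the paper's n = 81, and an exact test is preferable where most controls are rare.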
The controls "A.11.1.5 Working in secure areas" and "A.8.2.2 Labelling of information" have a very strong correlation. In the analyzed cases, there were many data confidentiality breaches where employees had not handled information within the organizations' physical premises in a secure way. Often, paper documents or other physical media containing sensitive personal data were transported outside of secure areas and were later found in waste bins by complete outsiders. Therefore, a data labeling scheme, which further instructs on how information should be processed within the physical premises, is crucial. ISO 27701 additionally guides the organization on making their employees aware of the definition of personal data and how to recognize such information (ISO/IEC 27701:2019).
The control "A.8.3.3 Physical media transfer" correlates with "A.8.3.1 Management of removable media" and "A.5.1.2 Review of the policies for information security." In many cases there were data breaches where staff members had lost unencrypted equipment or media containing sensitive information. Therefore, organizations should have a policy and instructions on how media containing information should be protected against unauthorized access, misuse, or corruption during transport, as well as procedures for the management of removable media.

The control "A.12.1.2 Change management" correlates with "A.9.2.3 Management of privileged access rights" and "A.12.2.1 Controls against malware." Changes to the organization, business processes, information processing facilities, and systems that affect information security should be managed together with the administration of privileged access rights, because inappropriate system administration privileges are a major contributory factor to failures and system breaches. This has a connection to malware protection: if malware is successfully used to compromise and misuse administrative accounts, the attackers gain the ability to make changes within IT systems, steal information, and possibly cover their tracks by disabling monitoring solutions and deleting system and security event logs (ISO/IEC 27002:2013).
A group of controls concerning incident management are naturally correlated together, because organizations need to have responsibilities and procedures in place to ensure a quick, effective, and orderly recognition of unexpected information security disruptions and incidents.Potential data breaches shall be reported through appropriate management channels as quickly as possible in order to be thoroughly assessed by competent personnel who are responsible for taking timely decisions on further actions.
Next, the results on how the information security failures corresponding to ISO 27001 control objectives correlate are presented.Information security failures, which have a fairly strong (0.30 and above) correlation, and which have statistical significance (p-value lower than 0.05), consist of a total of 19 observations.To foreground the strategic significance of these correlated controls, Table 8 presents the set of 11 controls which are above the 0.35 correlation rate.
The ISO 27001 security objective "A.9.2 User access management" correlates with many other security objectives.Unauthorized access to systems and services should be prevented in order that the secure operations of information processing facilities are assured.In addition, logging and monitoring are a crucial part of user access management in order that user specific actions can be traced, and this needs to be ensured within the whole development lifecycle of an information system according to control objective "A.14.2 Security in development and support processes." The security control objectives "A.11.2 Equipment" and "A.11.1 Secure areas" correlate.So do the control objectives "A.8.3 Media handling" and "A.5.1 Management direction for information security."These correlation sets are explained by many data breaches being caused by inadequate organizational data labeling schemes, which should lead to further policies instructing how information within the premises of an organization needs to be handled, as well as how physical media and equipment need to be encrypted or otherwise adequately protected before they are transferred outside the organizational premises.
The security control objectives "A.9.4 System and application access control" and "A.13.2 Information transfer," however, have a negative correlation.

In many GDPR penalty cases the failure was caused by the supplier not being able to provide sufficient guarantees of adequate information security to the organization, which ultimately was the data controller. Therefore, security objective "A.15.1 Information security in supplier relationships" naturally correlates with "A.14.1 Security requirements of information systems."

Next, the results on how the information security failures corresponding to ISO 27001 control clauses correlate are presented. Information security failures which have a fairly strong (0.30 and above) correlation and have statistical significance (p-value lower than 0.05) consist of a total of five observations. These are presented in Table 9.
The ISO 27001 control clause "A.12 Operations security" correlates with "A.14 System acquisition, development and maintenance" and "A.16 Information security incident management."It is natural that operations are closely connected to how systems security is continuously maintained, while efficient incident management should be at the heart of the daily business of an organization.
The control clause "A.9 Access control" has a negative correlation with "A.13 Communications security," which is explained by the many GDPR penalty cases in which failures in access control management do not coexist with failures regarding information transfer requirements.
However, the control clause "A.9 Access control" correlates with "A.7 Human resource security."Processes concerning employees hired by or departing from the organization, as well as staff-members changing positions within the organization, are governed by the HR function.Therefore, these processes should be aligned with access control management in order that new and obsolete, as well as the changing organizational roles of employees, correctly match with the access they have or should not have in systems and applications.
The control clause "A.7 Human resource security" also correlates with "A.13 Communications security."In the analyzed GDPR penalty cases, a multitude of data breaches took place in different electronic messaging channels such as e-mail, websites, and social media.These failures were caused by a lack of proper instructions and awareness training, which should be provided by the HR departments of an organization.

Industry type differences in information security failures and penalties
Table 10 presents the total and average GDPR penalties, as well as the number of cases based on article 32 "security of processing" in the year 2020 per industry sector.
In the year 2020, the 81 GDPR penalties issued on the basis of article 32 "Security of processing," where the penalty type was "insufficient technical and organizational measures to ensure information security," amounted to almost 100 million euros. The average penalty across all industry sectors was € 1,220,411.
The number of cases and the total and average penalties vary significantly between industry sectors. The largest total of GDPR penalties, € 42,050,136, and the largest number of penalty cases, 17, fell on the industry sector "Media, Telecoms and Broadcasting," which averaged a penalty of € 2,473,537 per case. The industry sector "Public Sector and Education" was also issued 17 penalty cases, but its total penalty was only € 1,606,300, averaging € 94,488 per case. The results concerning the public sector and education are affected by the inconsistent administrative fine calculation methods of the supervisory authorities: GDPR allows each EU member state to establish its own rules on penalties applicable to infringements and to determine whether and to what extent administrative fines are imposed on public organizations.
The industry sector "Accommodation and Hospitality" received the biggest average GDPR penalty of € 20,450,000 with its single penalty case.The industry sector "Transportation and Energy" had the second biggest average penalty of € 4,412,000, with five penalty cases issued.The industry sectors "Real estate" and "Employment" in turn received the smallest penalties, which are meager compared to other sectors.

Conclusions
This study has presented the most frequent and most expensive information security failures and consequently ranked the corresponding ISO 27001 controls that were used as failure identifiers in the analysis. The answer to RQ 1 is as follows: poor access control restriction and management of privileged access rights were very common causes of data confidentiality loss. Failure to implement an appropriate information classification scheme was a cause of many different failures, because without risk assessment, further risk-based controls such as adequate cryptographic measures, suitable controls against malware, or proportionate system security development and testing could not be implemented. Failure to address security within supplier agreements was a common cause of incidents, as there was often a misunderstanding between the organization and the supplier regarding both parties' obligations to fulfil the relevant information security requirements. Shortcomings in information security awareness, education, and training led to a multitude of different problems, as staff members did not know what was expected of them.
This study further presented how many information security failures typically exist in a GDPR penalty case. The answer to RQ 2 is as follows: the number of information security failures ranges from 1 to 13 failures per GDPR penalty case. There is typically a low number of failures in a case. In 30% of cases there were only 2 failures, and in 25% of cases 3 failures were observed, while single-failure cases comprised 12% of the cases analyzed.
This study also presented how the observed information security failures correlate. The answer to RQ 3 is as follows: the top correlation was observed between inadequate organizational data-labeling schemes and a lack of education on how employees should handle information assets within the premises of an organization. Several data confidentiality breaches were caused by careless staff members carrying documents containing sensitive personal data outside the facilities of an organization, which were later discovered in waste bins by complete outsiders. In many cases, staff members had lost unencrypted equipment or media containing sensitive information during transfer. Inadequate control in information security incident management led to data breaches being left unaddressed, which consequently caused failures to become more severe and more extensive; thus, a group of controls concerning incident management were naturally correlated together.
This study additionally presented insights into industry type differences in information security failures and penalties.The answer to RQ 4 is as follows: the number of cases, as well as total and average penalties, vary significantly between different industry sectors.The largest amount of total GDPR penalties (€ 42,050,136) and most issued (n = 17) penalty cases were experienced by the industry sector "Media, Telecoms and Broadcasting," while the industry sector "Employment" received only one (€ 15,000) penalty.

Theoretical and practical contributions
Firstly, our study contributes by bridging the gap between regulation and information security as presented by Dlamini et al. (2009). Secondly, our study introduces a statistical method to analyze the GDPR penalty cases and provides previously unreported findings about information security failures and their respective solutions. Thirdly, our work expands on previous work by Ruohonen and Hjerppe (2022) and Presthus and Sønslien (2021) by further exploring early GDPR violations and sanctions from the year 2020.
From a practical perspective, our study provides input to the study of Vaibhav (2022) by providing data-driven performance measurement metrics to decision-making in information security governance.The results of our study are useful for organizations which aspire to manage information security more effectively in order to prevent the most typical and expensive information security failures by applying controls based on their importance and correlation.Organizations, as well as auditors implementing and assuring the ISO 27001, may use our results as a guideline whereby ISO 27001 controls should be applied and verified first in sequential order based on their impact and interdependence.

Limitations and future directions
There are three limitations in our study. Firstly, the quality of the GDPR penalty case reports written by the different supervisory authorities in each EU member state varies. The 81 analyzed penalty case reports do not always follow the same structure, and their length and level of precision differ. In some of the cases, the supervisory authority scrutinized the information security failures at a very detailed level. In other cases, however, the descriptions are comparatively limited; thus, it is possible that in these cases the underlying root causes of the information security failures were left undefined by the supervisory authority. In our study, only information security failures which were explicitly addressed in the penalty case reports were analyzed.
Secondly, the data source of our study, the GDPR Enforcement Tracker, may not be completely up to date.It is possible there were more than 81 GDPR penalty cases issued in the year 2020, which were not yet included in the database when this study was conducted.Additionally, organizations which were issued with a GDPR penalty may have lodged a court appeal, which may eventually alter the original supervisory authority decisions.
Thirdly, the penalty calculations of our study are not definitive. Even though all 81 analyzed GDPR penalty cases can be categorized under the penalty type "insufficient technical and organizational measures to ensure information security," 25 cases also included references to other GDPR articles outside the information security requirements. When a GDPR penalty is issued to an organization, the supervisory authorities administer the penalty as a whole and do not separate the penalty amounts by article.
GDPR penalty cases are a fruitful and transparent ground to explore information security failures, their impacts, and respective solutions based on control frameworks.We encourage further research which would analyze GDPR penalty cases with the statistical methods we applied in our study with further versions of the ISO/IEC 27001 as well as with other similar standardization frameworks.It would also be constructive to analyze the readiness of organizations toward information security compliance with case study methods to generate more research hypotheses.
From a broader perspective, researchers and information security practitioners at other institutions are encouraged to use this study as a motivation to popularize the assessed and ranked information security controls in order to effectively manage the complex and challenging information security risks within organizational IT-GRC driven ISMS frameworks.

Disclosure statement
No potential conflict of interest was reported by the author(s).

Figure 4. Top 10 most expensive information security failures corresponding to ISO 27001 controls.

• Tabular type RCAs, which are constructed in a table with predefined column headings and categories
• Graphical RCAs, which visualize the results in a bar graph or any graphical display of numerical data

Popular examples of chart type RCAs are the cause and effect diagram, current reality tree, and the cause and interrelationship diagram.

Table 4. Most frequent information security failures corresponding to ISO 27001 controls.

Table 5. Most expensive information security failures corresponding to ISO 27001 controls.

Table 6. The number of information security failures corresponding to ISO 27001 controls typically in a case.

Table 7. Information security failure correlations corresponding to ISO 27001 controls.

Table 8. Information security failure correlations corresponding to ISO 27001 control objectives.

Table 9. Information security failure correlations corresponding to ISO 27001 control clauses.

Table 10. GDPR penalties based on article 32 "security of processing" in the year 2020 per industry sector.