Kantyra Kantyra

← Alle artikelen

Algemeen

The scientific basis of Detect, Assess, Resolve and Demonstrate

Alain Rees · 09-07-2026 · 17 min leestijd

In more than twenty years of working in information security, first in the financial sector and telecoms, later as an (interim) Chief Information Security Officer (CISO), the officer with ultimate responsibility for information security, in higher education, I have seen one pattern return again and again. Organisations that had everything in order on paper, with policies, certificates and thick reports, still turned out to be vulnerable when an incident or a critical audit arrived. The reverse also occurred: organisations that had genuinely arranged their affairs well were unable to show it at the decisive moment. That failed in front of the regulator or the auditor, just as much in front of the client who sent a supplier assessment, and sometimes even in front of their own board.

Out of that experience grew the working model that forms the core of Kantyra. It consists of four phases that together form a continuous cycle, in which demonstrability is not a final step but a fully fledged phase. Those phases are called Detect, Assess, Resolve and Demonstrate. When I put that model on paper, the question arose whether this is a handy consultant's model, or whether there is genuine science behind it. As a former lecturer in risk management, I felt obliged to take that question seriously.

So I dived into the academic literature. This article is the result of that search. It shows that the four phases of the model are not a marketing invention, but a summary of what four separate research streams have been showing for years: research into the difference between symbolic and genuine security, research into the effectiveness of certification, research into continuous auditing and evidence, and research into information security in small and medium-sized enterprises (SMEs). All sources are listed at the end, with their DOI (Digital Object Identifier), the permanent digital location of a scientific publication, so that you can check everything yourself.

For the sake of completeness I note that I am the founder of Kantyra and therefore have an interest in this story. That is precisely why I make the underpinning fully transparent, so that you can judge the arguments rather than the sender.

Why measures on paper do not protect

The most important scientific finding beneath this article comes from a corner that many security professionals do not read daily, namely organisation science. Within institutional theory it has been known for decades that organisations adopt norms and standards for two very different reasons. Sometimes they do it to genuinely become better. At least as often, however, they do it to gain legitimacy, for example because the environment expects it, the client asks for it or the competitor has it too. In that second case researchers speak of symbolic or ceremonial adoption. The organisation hangs the certificate on the wall, while daily practice barely changes.

For a long time this was mainly a theoretical distinction. That changed with the research by Corey Angst and colleagues, published in MIS Quarterly, one of the most authoritative scientific journals in information systems. They studied multi-year data from American hospitals and looked at the relationship between investments in information security and the occurrence of data breaches. The core of their finding is that it matters how an organisation adopts security. Hospitals that adopted measures symbolically saw no demonstrable decline in the number of data breaches. Hospitals that adopted security substantively, and therefore anchored it deeply in their processes and routines, did have fewer data breaches to deal with. For every director who thinks in quarters, it is relevant that this effect only became visible over time.

This research gives a name and an evidence base to something many CISOs know intuitively. The difference between an organisation that seems secure and one that is secure does not lie in the list of measures. It lies in whether those measures are anchored in daily work. That very difference is hard to see from the outside, and often from the inside too. I call that gap between seeming and being the verification gap. By this I mean that a reliable and up-to-date way is lacking to establish that measures exist, work and have been reviewed.

What certification does and does not prove

If symbolic adoption does not protect, what does a certificate say? That question has by now been thoroughly researched. Guido Culot and colleagues published a systematic literature review in 2021 of fifteen years of scientific research into ISO/IEC 27001, the standard of the international standardisation organisations ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission), worldwide the best-known standard for information security management and one of the most widespread ISO certifications. Their review orders the research field along five themes: the relationship with other standards, the motives for adoption, the implementation problems, the possible outcomes and the context factors.

Two patterns from that review matter for this article. First, the motives for certifying turn out to be strikingly often external in nature, such as client requirements, tender conditions and market pressure. That is precisely the profile against which institutional theory warns for symbolic adoption. Second, the authors observe that the empirical evidence about what certification really delivers remains limited and fragmented. After fifteen years of research, the question of whether an ISO 27001 certificate leads to better security has simply not been convincingly answered.

More recent research sharpens that picture further. A Swedish interview study among information security professionals, published in 2023, examined the so-called output legitimacy of ISO/IEC 27001, that is, the extent to which the standard delivers what stakeholders expect from it. The researchers distinguished eight information security objectives and found that the standard fulfils those objectives to strongly varying degrees. Their conclusion deserves to be taken to heart. Whoever treats ISO 27001 as a purely technical document gets little out of it. The value only arises when people with the right knowledge and skills use the standard as support for their work. Earlier comparative case research by Robert van Wessel and Henk de Vries (Rotterdam School of Management) into the implementation of security standards in Europe and China already showed how strongly the interpretation of the same standard differs per organisation and context.

The sum of this research stream is not that certification is pointless. The sum is that a certificate is a snapshot of a system, while protection depends on the daily operation of that system. A certificate answers the question of whether the system was adequately designed on the audit date. The question your board, your regulator and your supply chain partners really ask, namely whether it works today and whether you can show that, it does not answer.

Why the annual audit is structurally too late

The second research stream comes from audit science and is older than many people think. As early as 1991, Miklos Vasarhelyi and Fern Halper, then working at AT&T Bell Laboratories, described a system for the continuous audit of large online systems. Their premise was as simple as it was radical. In an environment that changes permanently, a periodic check after the fact is by definition outdated information. Whoever checks once a year does not know, for eleven months of the year, where they stand.

From that idea grew a complete research field, that of continuous auditing, in other words continuous control and continuous assurance. Alexander Kogan, Ephraim Sudit and Vasarhelyi formulated a research programme for it in 1999. Michael Alles and colleagues tested the theory in practice in 2006 with a pilot implementation at Siemens, in which the operation of internal controls in business processes was monitored continuously and automatically. Their findings, and the lessons from follow-up pilots they published in 2008, show two things. Continuous monitoring of measures is technically feasible. It does, however, require formalisation, because whoever wants to be able to establish continuously that a measure works must record in advance what that measure entails, which standard it must meet and which signal counts as a deviation.

For information security this research stream is directly relevant, because the classic accountability rhythm in our field is still periodic, with the annual internal audit, the three-yearly recertification and the self-assessment in the accountability cycle. Between those moments, what you may safely call a blind spot arises. Measures erode, exceptions pile up and new systems escape the overview. The literature on continuous auditing points to a way out. Do not treat evidence as an annual project, but as a continuous by-product of ordinary work. Every assessment, every change and every completed action yields a piece of evidence, provided it is recorded at the moment itself.

In fairness I must add that measuring security also remains a difficult question scientifically. Ever since the first guidelines for security metrics, such as publication 800-55 of the American standards institute NIST (National Institute of Standards and Technology), the field has wrestled with the question of which indicators really say something about the effectiveness of measures. That is no reason to abandon measuring. It is a reason to start small, with the basic question that surprisingly often remains unanswered, namely whether the measure exists, whether it works and whether that has recently been reviewed by someone.

The legislator asks for demonstrable security

The third research stream is legal in nature, and here the science touches directly on current Dutch practice. In European data protection law, the General Data Protection Regulation (GDPR) has anchored a principle that goes further than the duty to do it well. That principle is the accountability principle. Article 5(2) of the GDPR stipulates that the controller must not only comply with the principles, but must also be able to demonstrate compliance. The Article 29 Working Party, the predecessor of the European Data Protection Board, elaborated that principle as early as 2010 in its opinion on the accountability principle, with as its core that responsibility without provability does not legally suffice.

The legal literature is, incidentally, not uncritical about this principle. Analyses in journals such as the European Journal of Risk Regulation point out that the combination of the accountability principle and the risk-based approach places the burden of proof emphatically on the organisation itself, with all the documentation burdens that entails. Yet that very criticism confirms the heart of the matter, namely that the legislator has made demonstrability a standalone obligation and that organisations must arrange their way of working accordingly.

You now see the same movement in cybersecurity legislation. The Dutch Cybersecurity Act (Cyberbeveiligingswet, Cbw), the Dutch law that transposes the European NIS2 directive (Network and Information Security), imposes a duty of care on organisations and makes the board explicitly responsible for it. Whoever falls under the law must take appropriate measures on the basis of a risk assessment and must be able to show the regulator that this system exists and is maintained. The accountability frameworks within the Dutch public sector, such as the Baseline Information Security Government (BIO 2.0) and NEN 7510, the standard of the Dutch standardisation institute NEN for information security in healthcare, also revolve at their core around the same principle. An organisation must not only take the measures, but also be able to account for them.

Whoever places this legal line alongside the earlier research streams sees something striking. The legislator asks for precisely that which organisation science shows makes the difference. Substantive adoption, in the research by Angst and colleagues the form that genuinely protects, leaves traces in the form of assessments, decisions, adjustments and anchoring in processes. Symbolic adoption mainly leaves documents that stand apart from practice. An accountability obligation that asks for current and traceable evidence from daily operation is therefore, whether the legislator intended it that way or not, a test of the difference between seeming and being.

Why this bites harder for SMEs

The fourth research stream brings the issue to the organisations where it will hit hardest in the coming years, namely small and medium-sized enterprises. Through the Cbw and especially through its knock-on effect in supply chains, via supplier assessments, procurement conditions and insurance requirements, thousands of organisations face accountability questions without having a security department of their own for it.

Dutch researchers play a leading role in this research stream. The group around Marco Spruit (Utrecht University, now Leiden University) published a systematic literature review in 2021 of socio-technical security metrics for SMEs. Their analysis exposes two unsolved problems that every SME entrepreneur will recognise, namely aggregating separate measurements into one comprehensible picture and adapting the approach to one's own situation. There are plenty of separate measurements and separate measures, but SMEs need their translation into actionable advice tailored to their own organisation. The researchers conclude that there is an urgent need for intuitive, threat-based forms of risk assessment for the least digitally mature SMEs. In follow-up research they actually developed such a threat-based assessment approach for SMEs.

Earlier, Bilge Yigit Ozkan and Spruit had already shown that the existing standards and maturity models are simply too heavy for this segment, and that SMEs benefit from light, pre-structured self-assessment that can grow along with the organisation. From the criminological angle, the research line of Rutger Leukfeldt, affiliated with Leiden University, the Netherlands Institute for the Study of Crime and Law Enforcement (NSCR) and The Hague University of Applied Sciences, has moreover underlined for years that cybercrime is long since no longer only a problem for large enterprises and that smaller organisations in particular need support that fits their scale.

The common thread in this research is that SMEs do not need a stripped-down version of the multinational's toolkit, but a fundamentally different form. That form is pre-structured, comprehensible, phrased in their own language and equipped with a built-in translation of signals into concrete actions.

The working method that follows from the research

Whoever places these four research streams side by side sees a working method emerge. It is the model I developed in practice and that is built into Kantyra, but its logic follows directly from the literature.

Detect

The cycle does not begin with an annual inventory, but with the continuous capture of signals from practice, such as incidents, changes in systems and suppliers, outcomes of supplier assessments and changes in standards, legislation and supply chain requirements. The basis lies in the literature on continuous auditing, which shows that a snapshot ages from the day it is made. Continuous does not, however, mean that everything is monitored second by second. In practice, some of the signals arise at the moment of acting, for example during an incident or a failed exercise, and another part comes from fixed daily checks on deadlines, test dates and reviews. Even that combination already differs fundamentally from a single annual measurement. The threat-based assessment research for SMEs moreover shows that starting from concrete threats works better than starting from abstract standard texts.

Assess

Signals only become usable after weighing. The question then is what a signal means for one's own organisation, with its systems, its people and its risk appetite. Here lies the aggregation problem from the SME research, because separate findings must come together in an assessment that leads to a decision. This is also the phase where the difference between symbolic and substantive begins. Whoever assesses to tick a box produces paper. Whoever assesses to decide provides direction.

Resolve

The finding of Angst and colleagues is decisive here. Protection only arises when measures are adopted substantively, and are therefore anchored in processes and routines, with clear ownership and follow-up. Resolving is, in this model, therefore not ticking off a list, but assigning, carrying out and anchoring actions, in the awareness that the effect needs time and requires maintenance.

Demonstrate

Finally comes the phase that is missing from the common frameworks. The well-known international frameworks order the work along functions such as identify, protect, detect, respond and recover, recently supplemented with govern. For none of those functions is demonstrability the organising principle, while the accountability principle from the GDPR and the duty of care from the Cbw do ask for it, and while the audit literature shows that evidence that has to be reconstructed after the fact always comes too late. In this model, demonstrating is therefore a fully fledged fourth phase. The trail of signals, assessments, decisions and completed actions arises within it automatically at the moment of acting, and evidence is linked at that same moment to the right judgement or the right measure, so that it remains findable there. Evidence thus becomes, for the most part, a by-product of ordinary work. An organisation does that not because the auditor is coming, but because it wants to know for itself where it stands. That the file is thereby also ready for the regulator, the auditor and the supply chain partner is a welcome bonus.

The four phases emphatically form a cycle. What you encounter while demonstrating, for example a measure that turns out not to work or an assessment that is outdated, immediately forms a signal again for the next round. Whoever knows the Deming cycle recognises the kinship. The essential difference lies in the final phase. Where the check step in that classic cycle is an internal affair, demonstrating points outward, at the board, the regulator and the supply chain, and is therefore a test you cannot postpone until the annual audit season.

What does this mean for your organisation?

If you remember one thing after this article, let it be the conclusion that the science gives no reason at all to rest easy on a certificate or a folder of policies, and every reason to invest in the genuine anchoring of measures and in the ability to show that operation continuously. Ask yourself three questions. Do you know what is currently at play in your organisation and your supply chain? Can you show today, without preparation time, that your three most important measures exist, work and have recently been reviewed? And if the answer is no, how many weeks does it take you to gather that evidence after all?

Organisations that cannot answer these questions may have no security problem on paper, but they do have a verification gap. In the coming years, with the Cbw and the knock-on effect of supply chain requirements, that gap turns from an internal inconvenience into an external liability. The four phases from this article are my answer to that, not as a theoretical construct, but as a working method you can start with tomorrow. Begin by detecting, assess what you see, resolve what matters most and record what you do from the first day.

Accountability and sources

This article is a substantiated synthesis of existing scientific research and not independent, peer-reviewed research of its own. The studies mentioned were selected for relevance, for publication in scientific journals or conference proceedings, and for verifiability. Where I interpret or explain, that interpretation is my own responsibility.

  1. Angst, C.M., Block, E.S., D'Arcy, J. & Kelley, K. (2017). When Do IT Security Investments Matter? Accounting for the Influence of Institutional Factors in the Context of Healthcare Data Breaches. MIS Quarterly, 41(3). https://doi.org/10.25300/MISQ/2017/41.3.10
  2. Culot, G., Nassimbeni, G., Podrecca, M. & Sartor, M. (2021). The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda. The TQM Journal. https://doi.org/10.1108/TQM-09-2020-0202
  3. Kamil, Y., Lund, S. & Islam, M.S. (2023). Information security objectives and the output legitimacy of ISO/IEC 27001: stakeholders' perspective on expectations in private organizations in Sweden. Information Systems and e-Business Management. https://doi.org/10.1007/s10257-023-00646-y
  4. Van Wessel, R., Yang, X. & De Vries, H.J. (2011). Implementing international standards for Information Security Management in China and Europe: a comparative multi-case study. Technology Analysis & Strategic Management. https://doi.org/10.1080/09537325.2011.604155
  5. Vasarhelyi, M.A. & Halper, F.B. (1991). The Continuous Audit of Online Systems. Auditing: A Journal of Practice & Theory, 10(1). Reprinted in D.Y. Chan, V. Chiu & M.A. Vasarhelyi (eds.), Continuous Auditing. Theory and Application (Emerald, 2018). https://doi.org/10.1108/978-1-78743-413-420181004
  6. Kogan, A., Sudit, E.F. & Vasarhelyi, M.A. (1999). Continuous Online Auditing: A Program of Research. Journal of Information Systems, 13(2). https://doi.org/10.2308/jis.1999.13.2.87
  7. Alles, M., Brennan, G., Kogan, A. & Vasarhelyi, M.A. (2006). Continuous monitoring of business process controls: A pilot implementation of a continuous auditing system at Siemens. International Journal of Accounting Information Systems, 7(2). https://doi.org/10.1016/j.accinf.2005.10.004
  8. Alles, M., Kogan, A. & Vasarhelyi, M.A. (2008). Putting Continuous Auditing Theory into Practice: Lessons from Two Pilot Implementations. Journal of Information Systems, 22(2). https://doi.org/10.2308/jis.2008.22.2.195
  9. National Institute of Standards and Technology (2003 and later). Security Metrics Guide for Information Technology Systems (NIST SP 800-55). https://doi.org/10.6028/nist.sp.800-55
  10. Article 29 Working Party (2010). Opinion 3/2010 on the principle of accountability (WP 173). https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp173_en.pdf
  11. Quelle, C. (2018). Enhancing Compliance under the General Data Protection Regulation: The Risky Upshot of the Accountability- and Risk-based Approach. European Journal of Risk Regulation. https://doi.org/10.1017/err.2018.47
  12. Van Haastrecht, M., Yigit Ozkan, B., Brinkhuis, M. & Spruit, M. (2021). Respite for SMEs: A Systematic Review of Socio-Technical Cybersecurity Metrics. Applied Sciences, 11(15). https://doi.org/10.3390/app11156909
  13. Van Haastrecht, M. and others (2021). A Threat-Based Cybersecurity Risk Assessment Approach Addressing SME Needs. Proceedings of ARES 2021. https://doi.org/10.1145/3465481.3469199
  14. Yigit Ozkan, B. & Spruit, M. (2019). Cybersecurity Standardisation for SMEs. International Journal of Standardization Research, 17(2). https://doi.org/10.4018/ijsr.20190701.oa1
Zien hoe dit in Kantyra werkt?

In een demo van 30 minuten lopen we het model door aan de hand van jouw situatie.

Plan een demo

Meer in de fase Algemeen