What do we know about information security governance?

Purpose This paper aims to review the information security governance (ISG) literature and emphasises the tensions that exist at the intersection of the rapidly changing business climate and the current body of knowledge on ISG. Design/methodology/approach The intention of the authors was to conduct a systematic literature review. However, owing to limited empirical papers in ISG research, this paper is more conceptually organised. Findings This paper shows that security has shifted from a narrow-focused isolated issue towards a strategic business issue with “from the basement to the boardroom” implications. The key takeaway is that protecting the organisation is important, but organizations must also develop strategies to ensure resilient businesses to take advantage of the opportunities that digitalization can bring. Research limitations/implications The concept of DSG is a new research territory that addresses the limitations and gaps of traditional ISG approaches in a digital context. To this extent, organisational theories are suggested to help build knowledge that offers a deeper understanding than that provided by the too often used practical approaches in ISG research. Practical implications This paper supports practitioners and decision makers by providing a deeper understanding of how organisations and their security approaches are actually affected by digitalisation. Social implications This paper helps individuals to understand that they have increasing rights with regard to privacy and security and a say in what parties they assign business to. Originality/value This paper makes a novel contribution to ISG research. To the authors’ knowledge, this is the first attempt to review and structure the ISG literature.

Download Full-text

Information security governance for e-services in southern African developing countries e-Government projects

Journal of Science and Technology Policy Management ◽

10.1108/jstpm-04-2014-0014 ◽

2016 ◽

Vol 7 (1) ◽

pp. 26-42 ◽

Cited By ~ 4

Author(s):

Avinash Ramtohul ◽

K.M.S. Soyjaudah

Keyword(s):

Information Security ◽

Emerging Economies ◽

Security Policy ◽

Software Integration ◽

Security Measures ◽

Content Type ◽

Security Governance ◽

Single Sign On ◽

Information Security Governance ◽

The Government

Purpose – Highly sensitive information pertaining to citizens and government transactions is processed in an electronic format, making information security a critical part of e-Government applications and architectures. Information security measures should ideally span from authentication to authorisation and from logical/physical access control to auditing of electronic transactions and log books. The lack of such measures compromises confidentiality, integrity and availability of information. Today, most e-Government projects in developing countries in Southern Africa Developing Community (SADC) face challenges in two main areas, namely, information security and application software integration. This paper aims to discuss and analyse the information security requirements for e-Government projects and proposes an information security governance model for service-based architectures (SBAs). Design/methodology/approach – The current state of information security in emerging economies in SADC countries was researched. The main problems identified were the lack of software integration and information security governance, policy and administration. The design consists of three basic layers: information security governance defined at the strategic level of the government; information security policy/management defined at the management/operational level; and information security measures, implemented at the technical level. This section also proposes a policy for implementing public key infrastructures to protect information, transactions and e-services. A Token-Ring-based mechanism for implementing Single-Sign-On has also been developed as part of this study. Findings – The main problems identified were the lack of software integration and information security governance, policy and administration. These challenges are causing e-government projects to stagnate. Practical implications – The proposed approach for implementing information security in e-Government systems will ensure a holistic approach to ensuring confidentiality, integrity and non-repudiation, allowing e-Government maturity to progress from “interaction” to “online transaction” stage in emerging economies. Originality/value – Research has not focused on developing a solution for emerging economies which are facing difficulties in integration software applications to deploy end-to-end e-services and to produce an underlying identity management architecture and information security governance to secure the e-services developed and deployed using an SBA. The work produced in this paper is specific to SBAs in e-government environments where legacy systems already exist. The work includes: information security governance defined at the strategic level of the government; information security policy/management defined at the management/operational level; and information security measures implemented at the technical level. This section also proposes a policy for implementing public key infrastructures to protect information, transactions and e-services. A Token-Ring-based mechanism for implementing Single-Sign-On has also been developed as part of this study.

Download Full-text

Organizational objectives for information security governance: a value focused assessment

Information and Computer Security ◽

10.1108/ics-02-2014-0016 ◽

2015 ◽

Vol 23 (2) ◽

pp. 122-144 ◽

Cited By ~ 6

Author(s):

Sushma Mishra

Keyword(s):

Information Security ◽

Value Theory ◽

Individual Values ◽

Content Type ◽

Security Governance ◽

Comprehensive List ◽

A Value ◽

Value Focused Thinking ◽

Information Security Governance ◽

Organizational Security

Purpose – The purpose of this study is to develop theoretically grounded and empirically derived organizational security governance (OSG) objectives. Developing organizational security governance (OSG) objectives pose significant challenges for organizations considering the ever-increasing vulnerability from lack of or misuse of appropriate controls. In recent years, there have been several cases of colossal losses to businesses due to inadequate security governance measure. In many cases, organizations do not even know as to what their ISG objectives might be. Following an extensive empirical study, this paper proposes 6 fundamental and 17 means objectives for designing security governance. The objectives were developed from individual values of information technology and security executives across a wide range of firms. The study comprised 52 interview respondents across 9 firms, which resulted in 23 OSG objectives. Theoretically, the study was grounded in Catton’s (1959) value theory and Keeney’s (1992) value-focused thinking. The objectives provide a useful basis for strategic planning for information security governance. Design/methodology/approach – This research is grounded in value-focused thinking methodology. Step 1: develop a comprehensive list of personal values underlying the problem being explored. The researcher undertakes extensive interviews, using relevant probes, to elicit underlying values of respondents. Step 2: change the values enlisted to a common form and convert them into objectives. The data collected in Step 1 is collated and presented in a common form, which enables cross-comparison and easy interpretation. Step 3: classify the objectives as means and fundamental for the decision context. Objectives are clustered into groups and then classified into fundamental and means. Findings – This study uses a value-focused approach to develop OSG objectives. Incorporating individual values in developing governance objectives would facilitate alignment of individual and organizational values about OSG. This study proposes 6 fundamental and 17 means objectives for OSG. The study provides a comprehensive list of OSG that is rooted in values of stakeholders in an organization. Originality/value – The main contributions study can be classified in two categories. First, it represents a collective set of OSG objectives which touch upon technical, formal, informal, moral and ethical dimensions of governance. This is a unique, synthesized and cohesive framework for OSG, which incorporates several aspects of OSG into one platform, thus allowing the development of a comprehensive security management program. Second, some of the objectives developed in this research (“establish corporate control strategy”, “establish punitive structure”, “establish clear control development process”, “ensure formal control assessment functionality” and “maximize group cohesiveness”) have not been emphasized enough in security governance literature.

Download Full-text

Information security

Information Management & Computer Security ◽

10.1108/imcs-05-2013-0041 ◽

2014 ◽

Vol 22 (3) ◽

pp. 279-308 ◽

Cited By ~ 13

Author(s):

Mario Silic ◽

Andrea Back

Keyword(s):

Information Security ◽

Literature Review ◽

Future Research ◽

Future Directions ◽

Research Directions ◽

Content Type ◽

Current Trends ◽

Future Research Directions ◽

New Research ◽

Practical Implications

Purpose – The purpose of this literature review is to analyze current trends in information security and suggest future directions for research. Design/methodology/approach – The authors used literature review to analyze 1,588 papers from 23 journals and 5 conferences. Findings – The authors identified 164 different theories used in 684 publications. Distribution of research methods showed that the subjective-argumentative category accounted for 81 per cent, whereas other methods got very low focus. This research offers implications for future research directions on information security. They also identified existing knowledge gaps and how the existing themes are studied in academia. Research limitations/implications – The literature review did not include some dedicated security journals (i.e. Cryptography). Practical implications – The study reveals future directions and trend that the academia should consider. Originality/value – Information security is top concern for organizations, and this research analyzed how academia dealt with the topic since 1977. Also, the authors suggest future directions for research suggesting new research streams.

Download Full-text

Perceived significance of information security governance to predict the information security service quality in software service industry

Information Management & Computer Security ◽

10.1108/imcs-01-2013-0002 ◽

2014 ◽

Vol 22 (1) ◽

pp. 2-23 ◽

Cited By ~ 2

Author(s):

Sanjay Bahl ◽

O.P. Wali

Keyword(s):

Information Security ◽

Service Quality ◽

Significant Finding ◽

Total Quality ◽

Content Type ◽

Security Governance ◽

Security Service ◽

Information Security Governance ◽

Software Services

Purpose – Information security is a growing concern in society, across businesses and government. As the offshore IT services market continues to grow providing numerous benefits, there are also perceived risks with respect to the quality of information security delivered in the supply chain. This paper aims to examine, as a case, the perceptions of Indian software services provider (service provider) employees with respect to information security governance and its impact on information security service quality that is delivered to customers. Design/methodology/approach – The paper provides a framework built upon the existing dimensions and instruments for total quality management and service quality, suitably modified to reflect the context of information security. SmartPLS, a structural equation modelling technique, has been used to analyse field survey data collected from across various Indian cities and companies. Findings – Significant finding is that information security governance in an IT outsourcing company providing software services has a highly significant impact on the information security service quality, which can be predicted. The paper also establishes that there is a positive relationship collectively between elements of information security governance and information security service quality. Research limitations/implications – Since data used in this study were taken solely from the responses of employees of outsourced service companies in India, it does not show if this translates into service improvements as perceived by the customer. Practical implications – Information security governance should be made an integral part of corporate governance and is an effective strategic technique, if software outsourcing business enterprises want to achieve a competitive edge, provide client satisfaction and create trust. Originality/value – The paper presents empirical data validation of the connection between information security governance and quality of service.

Download Full-text

Information security governance implementation within Ghanaian industry sectors

Information Management & Computer Security ◽

10.1108/imcs-06-2013-0044 ◽

2014 ◽

Vol 22 (3) ◽

pp. 235-250 ◽

Cited By ~ 2

Author(s):

Winfred Yaokumah

Keyword(s):

Information Security ◽

Business Strategy ◽

Oil And Gas ◽

Sampling Strategy ◽

Content Type ◽

Security Governance ◽

Utility Companies ◽

Information Security Governance ◽

And Performance ◽

Industry Sectors

Purpose – The purpose of this study is to assess the levels of information security governance (ISG) implementation among major Ghanaian industry sectors. The intent is to benchmark inter-industry sector ISG implementation and to identify areas that may require improvement. Design/methodology/approach – Random sampling strategy was used, and data were collected via Web survey. The data analysis utilized a one-way analysis of variance to determine the differences in means of the levels of implementation of ISG focus areas among five main industry sectors. Findings – The results showed that, as a whole, all the industry sectors have only partially implemented ISG. In particular, there existed statistical significant differences in ISG implementation among the industry sectors. Ranking ISG implementation, Financial Institutions were close to completion, Utility Companies, Others (Information Technology, Oil and Gas, Manufacturing) and Public Services had PI ISG and health care and educational institutions were at the planning stages. The result also revealed that all the industry sectors made marginal effort trying to align information security to business strategy, and performance measurement remained the least implemented focus area. Originality/value – Organizational leaders could use these findings to benchmark industry sectors’ ISG implementation, which could lead to competitiveness. Again, international enterprises that do businesses with these industry sectors would better understand the level of involvement of the top executives in governing information security toward the protection of valuable information assets.

Download Full-text

Information security governance: pending legal responsibilities of non-executive boards

Journal of Management & Governance ◽

10.1007/s10997-016-9358-0 ◽

2016 ◽

Vol 21 (4) ◽

pp. 793-814 ◽

Cited By ~ 4

Author(s):

Laura Georg

Keyword(s):

Information Security ◽

Security Governance ◽

Information Security Governance ◽

Legal Responsibilities ◽

Executive Boards

Download Full-text

Size does matter – span of control in hospitals

Journal of Health Organization and Management ◽

10.1108/jhom-04-2016-0073 ◽

2017 ◽

Vol 31 (2) ◽

pp. 192-206 ◽

Cited By ~ 6

Author(s):

Christina Holm-Petersen ◽

Sussanne Østergaard ◽

Per Bo Noergaard Andersen

Keyword(s):

Design Methodology ◽

Hospital Staff ◽

Leadership Capacity ◽

Decision Makers ◽

Span Of Control ◽

Content Type ◽

Frontline Leaders ◽

Practical Implications

Purpose Centralization, mergers and cost reductions have generally led to increasing levels of span of control (SOC), and thus potentially to lower leadership capacity. The purpose of this paper is to explore how a large SOC impacts hospital staff and their leaders. Design/methodology/approach The study is based on a qualitative explorative case study of three large inpatient wards. Findings The study finds that the nursing staff and their frontline leaders experience challenges in regard to visibility and role of the leader, e.g., in creating overview, coordination, setting-up clear goals, following up and being in touch. However, large wards also provide flexibility and development possibilities. Practical implications The authors discuss the implications of these findings for decision makers in deciding future SOC and for future SOC research. Originality/value Only few studies have qualitatively explored the consequences of large SOC in hospitals.

Download Full-text

How “The Three Rules” guide strategy and investment decisions at Deloitte Consulting LLP

Strategy and Leadership ◽

10.1108/sl-03-2015-0019 ◽

2015 ◽

Vol 43 (3) ◽

pp. 7-14 ◽

Cited By ~ 1

Author(s):

Jim Moffatt

Keyword(s):

Design Methodology ◽

Large Scale ◽

Investment Decisions ◽

Decision Makers ◽

Research Project ◽

Content Type ◽

First Case ◽

Practical Implications ◽

Thought Leadership

Purpose – This case example looks at how Deloitte Consulting applies the Three Rules synthesized by Michael Raynor and Mumtaz Ahmed based on their large-scale research project that identified patterns in the way exceptional companies think. Design/methodology/approach – The Three Rules concept is a key piece of Deloitte Consulting’s thought leadership program. So how are the three rules helping the organization perform? Now that research has shown how exceptional companies think, CEO Jim Moffatt could address the question, “Does Deloitte think like an exceptional company?” Findings – Deloitte has had success with an approach that promotes a bias towards non-price value over price and revenue over costs. Practical implications – It’s critical that all decision makers in an organization understand how decisions that are consistent with the three rules have contributed to past success as well as how they can apply the rules to difficult challenges they face today. Originality/value – This is the first case study written from a CEO’s perspective that looks at how the Three Rules approach of Michael Raynor and Mumtaz Ahmed can foster a firm’s growth and exceptional performance.

Download Full-text

Who’s making the decisions? How managers can harness artificial intelligence and remain in charge

Journal of Business Strategy ◽

10.1108/jbs-05-2021-0090 ◽

2021 ◽

Vol ahead-of-print (ahead-of-print) ◽

Author(s):

Pooya Tabesh

Keyword(s):

Artificial Intelligence ◽

Machine Learning ◽

Decision Making ◽

Big Data ◽

Digital Transformation ◽

Decision Processes ◽

Decision Makers ◽

Content Type ◽

Human Decision ◽

Practical Implications

Purpose While it is evident that the introduction of machine learning and the availability of big data have revolutionized various organizational operations and processes, existing academic and practitioner research within decision process literature has mostly ignored the nuances of these influences on human decision-making. Building on existing research in this area, this paper aims to define these concepts from a decision-making perspective and elaborates on the influences of these emerging technologies on human analytical and intuitive decision-making processes. Design/methodology/approach The authors first provide a holistic understanding of important drivers of digital transformation. The authors then conceptualize the impact that analytics tools built on artificial intelligence (AI) and big data have on intuitive and analytical human decision processes in organizations. Findings The authors discuss similarities and differences between machine learning and two human decision processes, namely, analysis and intuition. While it is difficult to jump to any conclusions about the future of machine learning, human decision-makers seem to continue to monopolize the majority of intuitive decision tasks, which will help them keep the upper hand (vis-à-vis machines), at least in the near future. Research limitations/implications The work contributes to research on rational (analytical) and intuitive processes of decision-making at the individual, group and organization levels by theorizing about the way these processes are influenced by advanced AI algorithms such as machine learning. Practical implications Decisions are building blocks of organizational success. Therefore, a better understanding of the way human decision processes can be impacted by advanced technologies will prepare managers to better use these technologies and make better decisions. By clarifying the boundaries/overlaps among concepts such as AI, machine learning and big data, the authors contribute to their successful adoption by business practitioners. Social implications The work suggests that human decision-makers will not be replaced by machines if they continue to invest in what they do best: critical thinking, intuitive analysis and creative problem-solving. Originality/value The work elaborates on important drivers of digital transformation from a decision-making perspective and discusses their practical implications for managers.

Download Full-text

Information Security governance: COBIT or ISO 17799 or both?

Computers & Security ◽

10.1016/j.cose.2005.02.002 ◽

2005 ◽

Vol 24 (2) ◽

pp. 99-104 ◽

Cited By ~ 61

Author(s):

Basie von Solms

Keyword(s):

Information Security ◽

Security Governance ◽

Information Security Governance

Download Full-text