What do we know about information security governance?

Purpose This paper aims to review the information security governance (ISG) literature and emphasises the tensions that exist at the intersection of the rapidly changing business climate and the current body of knowledge on ISG. Design/methodology/approach The intention of the authors was to conduct a systematic literature review. However, owing to limited empirical papers in ISG research, this paper is more conceptually organised. Findings This paper shows that security has shifted from a narrow-focused isolated issue towards a strategic business issue with “from the basement to the boardroom” implications. The key takeaway is that protecting the organisation is important, but organizations must also develop strategies to ensure resilient businesses to take advantage of the opportunities that digitalization can bring. Research limitations/implications The concept of DSG is a new research territory that addresses the limitations and gaps of traditional ISG approaches in a digital context. To this extent, organisational theories are suggested to help build knowledge that offers a deeper understanding than that provided by the too often used practical approaches in ISG research. Practical implications This paper supports practitioners and decision makers by providing a deeper understanding of how organisations and their security approaches are actually affected by digitalisation. Social implications This paper helps individuals to understand that they have increasing rights with regard to privacy and security and a say in what parties they assign business to. Originality/value This paper makes a novel contribution to ISG research. To the authors’ knowledge, this is the first attempt to review and structure the ISG literature.

• Publication year

  2020

• Venue

  Information and Computer Security

• Publication date

  2020-01-25

• Fields of study

  Business, Computer Science, Political Science

• Identifiers
  DOI 10.1108/ics-02-2019-0033
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• A process framework for information security management

  2022cited by this paper
• Algorithms that remember: model inversion attacks and data protection law

  2018cited by this paper
• Digital Supply Chain: Literature review and a proposed framework for future research

  2018cited by this paper
• A Risk Management Model for an Academic Institution's Information System

  2018cited by this paper
• A process model for implementing information systems security governance

  2018cited by this paper
• Cybersecurity and information security - what goes where?

  2018cited by this paper
• Investigating the information security management role in smart city organisations

  2018cited by this paper
• Legal aspects of cloud security

  2018cited by this paper
• 5-2011 Information Security and Privacy — Rethinking Governance Models

  2018cited by this paper
• Towards a Framework for Strategic Security Context in Information Security Governance

  2018cited by this paper
• Information security governance in big data environments: A systematic mapping

  2018cited by this paper
• Improving the Maturity of Business Information Security

  2018influential reference
• Cybersecurity awareness and market valuations

  2018cited by this paper
• Corporate Information Security Investment Decisions: A Qualitative Data Analysis Approach

  2018cited by this paper
• Understanding key skills for information security managers

  2018cited by this paper
• Information Security Governance: A Case Study of the Strategic Context of Information Security

  2017cited by this paper
• Organizational information security policies: a review and research framework

  2017cited by this paper
• Information security concerns in IT outsourcing: Identifying (in) congruence between clients and vendors

  2017cited by this paper
• Communication Barriers in the Decision-making Process: System Language and System Thinking

  2017cited by this paper
• Analysing information security in a bank using soft systems methodology

  2017cited by this paper
• Applications of social network analysis in behavioural information security research: Concepts and empirical analysis

  2017cited by this paper
• Personal control of privacy and data: Estonian experience

  2017cited by this paper
• Escalation of commitment and information security: theories and implications

  2017cited by this paper
• The role of the chief information security officer in the management of IT security

  2017cited by this paper
• Information security management and the human aspect in organizations

  2017cited by this paper
• High-Level Self-Sustaining Information Security Management Framework

  2017cited by this paper
• Organisational Information Security Strategy: Review, Discussion and Future Research

  2017cited by this paper
• A Survey of Digital World Opportunities and Challenges for User’s Privacy

  2017cited by this paper
• Who Can You Trust?: How Technology Brought Us Together and Why It Might Drive Us Apart

  2017cited by this paper
• Information system security commitment: A study of external influences on senior management

  2016cited by this paper
• Information security management needs more holistic approach: A literature review

  2016cited by this paper
• A Framework for Information Security Governance and Management

  2016cited by this paper
• The Relationship between Board-Level Technology Committees and Reported Security Breaches

  2016cited by this paper
• An information security risk-driven investment model for analysing human factors

  2016cited by this paper
• Inter-organisational information security: a systematic literature review

  2016cited by this paper
• Information security governance: pending legal responsibilities of non-executive boards

  2016cited by this paper
• Governing the fiduciary relationship in information security services

  2016cited by this paper
• Economic valuation for information security investment: a systematic literature review

  2016cited by this paper
• ISGcloud: a Security Governance Framework for Cloud Computing

  2015cited by this paper
• Improving the information security culture through monitoring and implementation actions illustrated through a case study

  2015cited by this paper
• Organizational objectives for information security governance: a value focused assessment

  2015cited by this paper
• Security in cloud computing: A mapping study

  2015cited by this paper
• Empirical evaluation of a cloud computing information security governance framework

  2015cited by this paper
• Perceived information security of internal users in Indian IT services industry

  2014cited by this paper
• Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture

  2014cited by this paper
• Incentive Alignment and Risk Perception: An Information Security Application

  2013cited by this paper
• Information security governance practices in critical infrastructure organizations: A socio-technical and institutional logic perspective

  2013cited by this paper
• A Systematic Review of Information Security Governance Frameworks in the Cloud Computing Environment

  2012cited by this paper
• Effective Information Security Requires a Balance of Social and Technology Factors

  2012cited by this paper
• Information security strategies: towards an organizational multi-strategy perspective

  2012cited by this paper
• Normal Accidents Living with High-Risk Technologies

  2012influential reference
• Information Security Governance: Investigating Diversity in Critical Infrastructure Organizations

  2012cited by this paper
• Collaborative risk method for information security management practices: A case context within Turkey

  2010cited by this paper
• Information security policy: An organizational-level process model

  2009cited by this paper
• Current State of Information Security Research In IS

  2009cited by this paper
• An integrated view of human, organizational, and technological challenges of IT security management

  2009cited by this paper
• Estimating the market impact of security breach announcements on firm values

  2009cited by this paper
• Improved security through information security governance

  2009cited by this paper
• Normal Accident Theory versus High Reliability Theory: A resolution and call for an open systems view of accidents

  2009cited by this paper
• Moving Beyond Normal Accidents and High Reliability Organizations: A Systems Approach to Safety in Complex Systems

  2009cited by this paper
• CSR and the Corporate Cyborg: Ethical Corporate Information Security Practices

  2009cited by this paper
• Information security management standards: Problems and solutions

  2009cited by this paper
• One More Time: How Do You Motivate Employees?

  2008cited by this paper
• Information security governance and Boards of directors: Are they compatible?

  2008cited by this paper
• Organisational security culture: Extending the end-user perspective

  2007cited by this paper
• Perception of risk and the strategic impact of existing IT on information security strategy at board level

  2007cited by this paper
• An Information Security Governance Framework

  2007cited by this paper
• Information Security - The Fourth Wave

  2006cited by this paper
• Information Security Governance: A model based on the Direct-Control Cycle

  2006cited by this paper
• Information security governance: Due care

  2006cited by this paper
• General Drawing of the Integrated Framework for Security Governance

  2006cited by this paper
• Information security obedience: a definition

  2005cited by this paper
• From information security to ... business security?

  2005cited by this paper
• A framework for the governance of information security

  2004cited by this paper
• Applying information security governance

  2003cited by this paper
• Management's Role in Information Security in a Cyber Economy

  2002cited by this paper
• Special features: Information Security - A Multidimensional Discipline

  2001cited by this paper
• Special Features: Corporate Governance and Information Security

  2001cited by this paper
• Corporate Governance and Information Security

  2001cited by this paper
• Organizing for high reliability: Processes of collective mindfulness.

  1999cited by this paper
• The role of information security in corporate governance

  1996cited by this paper
• SELLING ISSUES TO TOP MANAGEMENT

  1993cited by this paper
• [Motivation for work].

  1975cited by this paper
• One more time : How do you motivate your employees?

  1968cited by this paper

• On the path to cyber organizational resilience: shedding light on the context of SMEs

  2025cites this paper
• Knowledge Sharing Framework for Enhancing Information Security in South Africa's Banking Sector

  2025cites this paper
• A cost–benefit approach to optimizing security precaution adoption

  2025cites this paper
• An integrated framework for the security of e-learning systems in higher education institutions

  2025influential citation
• From compliance to security, responsibility beyond law

  2024cites this paper
• Does digitalization affect shariah supervisory board efficiency? Evidence from Islamic banks

  2024cites this paper
• Analysis of Digital Security Governance under the Objectives of Digital Ecology: A Three-Party Evolutionary Game Approach

  2024cites this paper
• Research on platform data security governance strategy based on three-party evolutionary game

  2024cites this paper
• A Dynamic and Adaptive Cybersecurity Governance Framework

  2023cites this paper
• Data Driven Approaches to Cybersecurity Governance for Board Decision-Making - A Systematic Review

  2023cites this paper
• THE TRANSFORMATION OF MANAGERIAL APPROACHES IN THE IMPLEMENTATION OF THE STATE DIGITAL POLICY OF COMMUNICATION AND INFORMATION TECHNOLOGY AT THE CURRENT STAGE

  2023cites this paper
• An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks

  2022cites this paper
• Board engagement with digital technologies: A resource dependence framework

  2022cites this paper
• Governing cybersecurity from the boardroom: Challenges, drivers, and ways ahead

  2022cites this paper
• Paradoxical tensions in the implementation of digital security governance: Toward an ambidextrous approach to governing digital security

  2022cites this paper
• A quantification mechanism for assessing adherence to information security governance guidelines

  2022cites this paper
• Tensions that Hinder the Implementation of Digital Security Governance

  2021cites this paper
• Information security governance challenges and critical success factors: Systematic review

  2020cites this paper