A process model for implementing information systems security governance

Research on platform data security governance strategy based on three-party evolutionary game

With the implementation of the overall national security concept, data security governance rises to a new strategic height. In this paper, for the incomplete status quo of digital service platforms, third-party testing organizations and government regulators in the construction of digital security, an evolutionary game model based on the above three parties is constructed. The model examines the strategic decision-making process, behavioral influences, and evolutionary stability of the three players, and is simulated and analyzed using MATLAB. The results show that the evolutionary system will reach the ideal stable state E ( 1 , 1 , 1 ) , which corresponds to the combination of strategies: providing high-quality products, refusing to rent-seeking, and strict regulation. In order to guide the evolving system to reach the ideal stable state, this study puts forward some policy recommendations in terms of establishing a data security assessment mechanism, collaborative technology governance, and optimizing the governance architecture.

Systematic Literature Review on Variables Impacting Organization’s Zero Accident Vision in Occupational Safety and Health Perspectives

The zero-accident vision has sparked debate in the fields of occupational safety and health. While many organizations and policymakers have successfully implemented the zero-accident vision, numerous notable occupational safety and health scholars from various backgrounds argue against its use and success in theory and practice. This article aimed to analyze the existing literature on the variables impacting an organization’s zero-accident vision. A systematic review of the Scopus and Web of Science databases revealed 25 related studies using the PRISMA statement (preferred reporting items for systematic reviews and meta-analyses) review method. Following a thorough review of these articles, seven main themes emerged: the occupational safety and health management system, organizational leadership, safety culture, training, communication, risk, and legislation. These seven themes resulted in a total of 28 sub-themes. Several recommendations are emphasized, including the use of a specific and standard systematic review method to guide research synthesis in the frame of reference of variables impacting the organization’s zero-accident vision and to practice complementary searching techniques, such as citation tracking, reference searching, snowballing, and contacting experts.

A quantification mechanism for assessing adherence to information security governance guidelines

Purpose

Boards of Directors and other organisational leaders make decisions about the information security governance systems to implement in their companies. The increasing number of cyber-breaches targeting businesses makes this activity inescapable. Recently, researchers have published comprehensive lists of recommended cyber measures, specifically to inform organisational boards. However, the young cybersecurity industry has still to confirm and refine these guidelines. As a starting point, it would be helpful for organisational leaders to know what other organisations are doing in terms of using these guidelines. In an ideal world, bespoke surveys would be developed to gauge adherence to guidelines, but this is not always feasible. What we often do have is data from existing cybersecurity surveys. The authors argue that such data could be repurposed to quantify adherence to existing information security guidelines, and this paper aims to propose, and test, an original methodology to do so.

Design/methodology/approach

The authors propose a quantification mechanism to measure the degree of adherence to a set of published information security governance recommendations and guidelines targeted at organisational leaders. The authors test their quantification mechanism using a data set collected in a survey of 156 Italian companies on information security and privacy.

Findings

The evaluation of the proposed mechanism appears to align with findings in the literature, indicating the validity of the present approach. An analysis of how different industries rank in terms of their adherence to the selected set of recommendations and guidelines confirms the usability of our repurposed data set to measure adherence.

Originality/value

To the best of the authors’ knowledge, a quantification mechanism as the one proposed in this study has never been proposed, and tested, in the literature. It suggests a way to repurpose survey data to determine the extent to which companies are implementing measures recommended by published cybersecurity guidelines. This way, the proposed mechanism responds to increasing calls for the adoption of research practices that minimise waste of resources and enhance research sustainability.

Developing a Risk Analysis Strategy Framework for Impact Assessment in Information Security Management Systems: A Case Study in IT Consulting Industry

Organizations must be committed to ensuring the confidentiality, availability, and integrity of the information in their possession to manage legal and regulatory obligations and to maintain trusted business relationships. Information security management systems (ISMSs) support companies to better deal with information security risks and cyber-attacks. Although there are many different approaches to successfully implementing an ISMS in a company, the most important and time-consuming part of establishing an ISMS is a risk assessment. The purpose of this paper was to develop a risk assessment framework that a company followed in the information technology sector to conduct the risk assessment process to comply with International Organization for Standardization (ISO) 27001. The findings analyze the conditions that force organizations to invest in protecting information and the benefits they can derive from this process. In particular, the paper delves into a multinational IT consulting services company that undertakes and implements large business support installation and customization projects. It explains the risk assessment process and the management of the necessary configurations so that its functions are acceptable and in line with information security standards. Finally, it presents the difficulties and challenges encountered.

What do we know about information security governance?

Purpose

This paper aims to review the information security governance (ISG) literature and emphasises the tensions that exist at the intersection of the rapidly changing business climate and the current body of knowledge on ISG.

Design/methodology/approach

The intention of the authors was to conduct a systematic literature review. However, owing to limited empirical papers in ISG research, this paper is more conceptually organised.

Findings

This paper shows that security has shifted from a narrow-focused isolated issue towards a strategic business issue with “from the basement to the boardroom” implications. The key takeaway is that protecting the organisation is important, but organizations must also develop strategies to ensure resilient businesses to take advantage of the opportunities that digitalization can bring.

Research limitations/implications

The concept of DSG is a new research territory that addresses the limitations and gaps of traditional ISG approaches in a digital context. To this extent, organisational theories are suggested to help build knowledge that offers a deeper understanding than that provided by the too often used practical approaches in ISG research.

Practical implications

This paper supports practitioners and decision makers by providing a deeper understanding of how organisations and their security approaches are actually affected by digitalisation.

Social implications

This paper helps individuals to understand that they have increasing rights with regard to privacy and security and a say in what parties they assign business to.

Originality/value

This paper makes a novel contribution to ISG research. To the authors’ knowledge, this is the first attempt to review and structure the ISG literature.