Project Details

Layman's description

Resilient Information Security Governance & Management

Extended description

Research topic

As data grows in volume and (strategic) importance, organizations are increasingly facing challenges related to its confidentiality, integrity and availability (Anderson et al., 2017). In this context, organizations have clear incentives to strive for effective information security governance and management (ISG&M), as this ultimately enables the protection of business value that is generated through the use of information and technology (Benaroch & Chernobai, 2017).

Contemporary organizations are facing an increasingly complex and dynamic environment. In the context of information security, this for instance manifests itself through a fast-evolving digital environment and, as a result, fast-evolving security challenges and an increasing threat complexity (Lee et al., 2016). Indeed, an increasing adoption of, and dependency on, IT results in a growing exposure to threats resulting from IT(-related) vulnerabilities, which ultimately leads to a pervasiveness of risks that threaten the confidentiality, integrity and availability of (business) information (Tarafdar & Bose, 2019). The present research focuses on how organizations can organize ISG&M to best prevent the materialization of these risks. To answer this question, a multidisciplinary perspective is required. More specifically, not only knowledge related to information science (e.g. related to organizing ISG&M) is required, but also an understanding of organizational behavior theories (e.g. Theory of Planned Behavior (Ajzen, 1991)) is important. Although organizations have to organize ISG&M on an organization level, it is essential to map processes at the individual level to fully understand drivers and obstacles in the organization and implementation of ISG&M. The Theory of Planned Behavior (TPB) poses that human behavior is determined by behavioral intentions, which in turn are shaped by attitude, subjective norm, and perceived behavioral control. It is essential to grasp the evolution in employee behavior (and its predictors) over time to determine whether an ISG&M implementation will become firmly rooted within the organization.

Given its turbulent environment, a static approach to ISG&M is ineffective, and potentially even detrimental for organizations. As such, extant research calls for a dynamic organizational approach that has the capacity of adaptation (Jalali et al., 2019). Such approach should ensure a resilient ISG&M, that has the ability to deal with the volatility of the cyber threat landscape. As such, it also represents a learning approach. Furthermore, ISG&M scholars tend to make use of theories that are applicable to a very limited range of the information security spectrum. This is linked to the fact that ISG&M research contributions tend to have a narrow scope, resulting in fragmented research efforts (Anderson et al., 2017). As a result, extant research also calls for a holistic approach that takes into account different aspects of ISG&M, including the underlying individual-level factors. Indeed, an organization’s ISG&M approach is only effective if all relevant aspects are addressed (Armenia et al., 2019).

However, despite both concerns, a holistic and dynamic organizational framework for ISG&M is lacking (Armenia et al., 2019; Jalali et al., 2019). As a result, it is difficult to explain from a theoretical viewpoint how ISG&M should be organized for it to be effective and resilient, and why.

In response, we aim to investigate the concept of ISG&M through Beer's (1981) Viable System Model (VSM), which is grounded in the general theory of (management) cybernetics, combined with Ajzen’s (1991) Theory of Planned Behavior (TPB). The VSM is particularly well-suited to address the organization-level problems articulated above. First, the VSM is rooted in systems thinking, as such enabling a holistic investigation of ISG&M. In other words, the VSM avoids missing the interconnectedness between parts (Beer, 1981). Furthermore, the VSM is a ‘theory of organization’ that emphasizes adaptation, and is therefore particularly useful for organizational systems that are operating in dynamic environments (Espejo & Reyes, 2011). Applied to ISG&M, the VSM as such has the potential to provide an answer of resilience to deal with a dynamic information security context. Our second theoretical lens, the TPB, can shed light on individual-level dynamics within organizations. As such, the TPB is complementary to the VSM, as the latter limits itself to providing a structural understanding of systems, while largely ignoring (human) individual actors within those systems.

While traditionally being used to study organizations, researchers in the field of information systems have applied the VSM to study a variety of socio-technical systems, including IT governance (Huygh & De Haes, 2019). As (limited) prior research has merely implied the potential usefulness of the VSM for ISG&M, we aim to take a step further in rigorously drawing on the VSM to holistically investigate resilient ISG&M. As such, the question will be answered why ISG&M can continue to fulfil its general purpose of protecting IT business value, despite a changing environment (e.g. fast-evolving cyber threat landscape, and legal/regulatory developments). Furthermore, the VSM enables the identification of the required functions of a viable ISG&M implementation, which directly contributes to the practical perspective of how to organize effective and resilient ISG&M.


Our research has two overall aims: (1) to articulate a VSM-based theoretical approach for ISG&M which is combined with TPB on a micro-level, and (2) to study resilient ISG&M in practice, using the VSM and TPB as a lens. As such, this research project combines producing fundamental knowledge (theoretical rigor) with conducting applied research (practical relevance).

Within the VSM, viability is the central underlying concept - which refers to the capacity of a system to maintain a balance between internal stability (under stress) and adaptation to a changing environment (Espejo & Reyes, 2011). As such, a viable system is a resilient system, and this concept makes the VSM uniquely suited to theorize about resilient ISG&M. A VSM-based theoretical approach for ISG&M combined with insights from TPB will shed light on how resilient ISG&M can be enabled (e.g. what systemic functions are required and how are they interrelated), and how it can be maintained over time (e.g. how can ISG&M be organized to dynamically adapt to a changing cyber security environment). To counteract potential bias from the researchers and/or the literature, close collaboration with practice will be ensured by means of organizing interviews and focus groups with ISG&M practitioners (e.g. CISOs, IT risk managers etc.), to complement and validate the theoretical insights. Additionally, this will allow to translate the theoretical insights into tangible insights for practice, by means of identifying state-of-the-art ISG&M controls, mechanisms, and practices that may be used by organizations to instantiate the required systemic functions while acknowledging specific levels of complexity that an individual organization may face with respect to its cyber security environment, and to ensure the dynamic capacity of adaptation (e.g. how can a sense and respond capability be organized in the context of ISG&M to mitigate unforecastable exogenous shocks). Furthermore, a survey (experience sampling) will be used to probe individual-level aspects (engendered by TPB) that may fuel the acceptance and implementation of ISG&M. In this respect one may think of employees’ core beliefs, perception of control, coping capacity and regulatory focus.

A crucial aspect of a resilient system is the capacity to adapt and transform, given that it is confronted with a dynamic environment. As such, it is important to gain insights on the dynamism of the cyber security environment when studying resilient ISG&M. For that reason, we aim to map out trends like the quickly changing modus operandi of cyber criminals, and cyber security-related legal and regulatory developments. The relevant external environment for an organization’s ISG&M approach is inherently multi-faceted and requires a multi-disciplinary perspective. These insights allow us to provide an environmental context to the VSM-based approach for ISG&M, and the case studies.

To achieve the second aim, we plan to conduct a number of in-depth case studies accompanied by a multi-wave survey within each organization. Each individual case study will focus on (1) describing and (2) diagnosing the organization’s ISG&M approach through the lens of the VSM and TPB. As such, we move beyond simply leveraging the VSM for descriptive purposes, by effectively performing a VSM-based diagnosis of the viability of an organization’s ISG&M approach. Furthermore, at least one of these case studies should take a longitudinal approach, by studying how the organization’s ISG&M approach adapts over time in response to a changing environment. This will provide valuable empirical insights about how unforecastable exogenous shocks can be mitigated through a VSM-based ISG&M approach and will as such illustrate its effectiveness.
Short titleResilient Information Security Governance & Management
StatusNot started
Effective start/end date1/11/2131/08/25


  • Resilience
  • Information Security
  • Governance
  • Management
  • Viable System Model


Explore the research topics touched on by this project. These labels are generated based on the underlying awards/grants. Together they form a unique fingerprint.