Resilient Information Security Governance & Management
As data grows in volume and (strategic) importance, organizations are increasingly facing challenges related to its confidentiality, integrity and availability (Anderson et al., 2017). In this context, organizations have clear incentives to strive for effective information security governance and management (ISG&M), as this ultimately enables the protection of business value that is generated through the use of information and technology (Benaroch & Chernobai, 2017). Contemporary organizations are facing an increasingly complex and dynamic environment. In the context of information security, this manifests itself, for instance, through a fast-evolving digital environment and, as a result, fast-evolving security challenges and an increasing threat complexity (Lee et al., 2016). Indeed, an increasing adoption of, and dependency on, IT results in a growing exposure to threats resulting from IT(-related) vulnerabilities, which ultimately leads to a pervasiveness of risks that threaten the confidentiality, integrity and availability of (business) information (Tarafdar & Bose, 2019). The present research focuses on how organizations can organize ISG&M to best prevent the materialization of these risks. To answer this question, a multidisciplinary perspective is required. More specifically, not only is knowledge related to information science (e.g. related to organizing ISG&M) required, but also an understanding of organizational behavior theories (e.g. the Theory of Planned Behavior (Ajzen, 1991)). Although organizations have to organize ISG&M at the organization level, it is essential to map processes at the individual level to fully understand drivers and obstacles in the organization and implementation of ISG&M. The Theory of Planned Behavior (TPB) posits that human behavior is determined by behavioral intentions, which in turn are shaped by attitude, subjective norm, and perceived behavioral control.
It is essential to grasp the evolution in employee behavior (and its predictors) over time to determine whether an ISG&M implementation will become firmly rooted within the organization. Given its turbulent environment, a static approach to ISG&M is ineffective, and potentially even detrimental for organizations. As such, extant research calls for a dynamic organizational approach that has the capacity for adaptation (Jalali et al., 2019). Such an approach should ensure a resilient ISG&M that has the ability to deal with the volatility of the cyber threat landscape. As such, it also represents a learning approach. Furthermore, ISG&M scholars tend to make use of theories that are applicable to only a very limited range of the information security spectrum. This is linked to the fact that ISG&M research contributions tend to have a narrow scope, resulting in fragmented research efforts (Anderson et al., 2017). As a result, extant research also calls for a holistic approach that takes into account the different aspects of ISG&M, including the underlying individual-level factors. Indeed, an organization’s ISG&M approach is only effective if all relevant aspects are addressed (Armenia et al., 2019). However, despite both concerns, a holistic and dynamic organizational framework for ISG&M is lacking (Armenia et al., 2019; Jalali et al., 2019). As a result, it is difficult to explain from a theoretical viewpoint how ISG&M should be organized for it to be effective and resilient, and why. In response, we aim to investigate the concept of ISG&M through Beer's (1981) Viable System Model (VSM), which is grounded in the general theory of (management) cybernetics, combined with Ajzen’s (1991) Theory of Planned Behavior (TPB). The VSM is particularly well-suited to address the organization-level problems articulated above. First, the VSM is rooted in systems thinking, thereby enabling a holistic investigation of ISG&M.
In other words, the VSM avoids missing the interconnectedness between parts (Beer, 1981). Furthermore, the VSM is a ‘theory of organization’ that emphasizes adaptation, and is therefore particularly useful for organizational systems that are operating in dynamic environments (Espejo & Reyes, 2011). Applied to ISG&M, the VSM thus has the potential to provide resilience in the face of a dynamic information security context. Our second theoretical lens, the TPB, can shed light on individual-level dynamics within organizations. As such, the TPB is complementary to the VSM, as the latter limits itself to providing a structural understanding of systems, while largely ignoring the (human) individual actors within those systems. While traditionally used to study organizations, the VSM has been applied by information systems researchers to study a variety of socio-technical systems, including IT governance (Huygh & De Haes, 2019). As (limited) prior research has merely implied the potential usefulness of the VSM for ISG&M, we aim to take a step further by rigorously drawing on the VSM to holistically investigate resilient ISG&M. As such, we will answer the question of why ISG&M can continue to fulfil its general purpose of protecting IT business value despite a changing environment (e.g. a fast-evolving cyber threat landscape, and legal/regulatory developments). Furthermore, the VSM enables the identification of the required functions of a viable ISG&M implementation, which directly contributes to the practical perspective of how to organize effective and resilient ISG&M. Our research thus has two overall aims: (1) to articulate a VSM-based theoretical approach for ISG&M which is combined with the TPB at the micro-level, and (2) to study resilient ISG&M in practice, using the VSM and TPB as a lens.
Short title: Resilient Information Security Governance & Management
Effective start/end date: 1/12/21 → 30/11/25
- Information Security
- Viable System Model