EXPLORING INFORMATION SECURITY GOVERNANCE: PERSPECTIVES ON BOARD OF DIRECTORS ROLE AND EXPERTISE

Abstract

This study delves into the crucial role of the Board of Directors within Information Security (InfoSec), covering key themes such as board responsibilities, oversight mechanisms and stakeholder alignment, stakeholder perceptions and expectations, board composition and expertise and challenges impeding effective governance. Through a comprehensive systematic literature review, and a qualitative, inductive, and exploratory research approach, this study further analyzes stakeholder perspectives using thematic analysis (Braun & Clarke, 2006) and ATLAS.ti software for coding. A case study of a Dutch pension fund provider provides real-world insights into board-level InfoSec governance challenges and practices. The study highlights the importance of board members having security expertise, aligning security strategies with stakeholder interests, and addressing governance challenges. Findings reveal that while boards play a pivotal role in cybersecurity resilience, they often face knowledge gaps, regulatory compliance complexities, and stakeholder misalignment. Key mechanisms for strengthening board oversight include structured board education programs, enhanced stakeholder engagement, and the integration of cybersecurity frameworks (e.g., NIST, ISO, COBIT) into governance strategies. Future research recommendations include exploring how board expertise influences (cyber)security practices and developing frameworks to integrate (cyber)security proficiency into governance structures. Ultimately, this study highlights how boards significantly influence (cyber)security governance practices and foster a culture of cyber awareness within companies to mitigate risks in today's digital environment.

Date of Award	9 May 2025
Original language	English
Supervisor	Sara Nodehi (Examiner) & Laury Bollen (Co-assessor)