Top

Information Systems Frontiers

Published in:

28-02-2022

An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks

Authors: Tejaswini C. Herath, Hemantha S. B. Herath, David Cullum

Published in: Information Systems Frontiers | Issue 2/2023

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

As organizations have become increasingly reliant on information systems, senior managers are keen in assessing the progress of implemented information security strategies. Although the balanced scorecard approach has been suggested for security governance, a critical issue affecting information security practitioners is complexity, as there are many standards and frameworks, with duplication and overlaps to adhere to when organizing the data. Consequently, the article attempts to develop a more inclusive framework for information security governance, a research gap recently identified in the literature. The article maps five governance and control frameworks (COBIT, SABSA, ISG, ITIL, and ISO 27000) to the information security balanced scorecard (InfoSec BSC) to develop a conceptual design of an effective information security performance measurement tool that can be used by senior managers. Using a real-life case application and interviews with a panel of experts, the article identifies IS initiatives, performance measures for each of the mapped objectives derived from governance and control frameworks that may provide guidance for practitioners.

previous article The challenges of entering the metaverse: An experiment on the effect of extended reality on workload

next article Social Media Sustainability Communication: An Analysis of Firm Behaviour and Stakeholder Responses

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

“The current version is COBIT 5, which is the leading business framework for governance and management of enterprise IT (ISACA). COBIT 5 builds on the previous versions of COBIT (and Val IT and Risk IT), and without loss of information in this article, we focus on COBIT 4.1. COBIT 5 goals cascade stakeholder needs into specific actionable and customized goals within the context of enterprise, IT-related goals and enabler goals. The enterprise goals have been developed using the BSC dimensions and the list is not exhaustive (ISACA). COBIT 5 separates IT governance (evaluate stakeholder needs, set direction through prioritization, and monitor performance, compliance, and progress) and IT management (plan, build, run, and monitor activities with direction set by governance).

We would like to thank the two anonymous reviewers for giving us in-depth feedback on the mappings as well as constructive feedback related to methodology.

Ahuja, S., & Chan, Y. E. (2015). IT Security Governance: A Framework based on ISO 38500. In CONF-IRM 2015 Proceedings (Vol. 27, p. 15).

Akowuah, F., Yuan, X., Xu, J., & Wang, H. (2013). A survey of security standards applicable to health information systems. International Journal of Information Security and Privacy (IJISP), 7(4), 22–36. https://doi.org/10.4018/ijisp.2013100103CrossRef

AlGhamdi, S., Win, K. T., & Vlahu-Gjorgievska, E. (2020). Information security governance challenges and critical success factors: Systematic review. Computers & Security, 99, 102030. https://doi.org/10.1016/j.cose.2020.102030CrossRef

Atkinson, M. (2004). Measuring the performance of the IT function in the UK health service using a balanced scorecard approach. Electronic Journal of Information Systems Evaluation, 1–10.

Atoum, I., & Otoom, A. (2016). Holistic performance model for cyber security implementation frameworks. International Journal of Security and Its Applications, 10(3), 111–120. https://doi.org/10.14257/ijsia.2016.10.3.10CrossRef

Au, C. H., & Fung, W. S. L. (2019). Integrating knowledge management into information security: From audit to practice. International Journal of Knowledge Management (IJKM), 15(1), 37–52. https://doi.org/10.4018/IJKM.2019010103CrossRef

Awadallah, E. A., & Allam, A. (2015). A critique of the balanced scorecard as a performance measurement tool. International Journal of Business and Social Science, 6(7), 91–99.

Bachlechner, D., Thalmann, S., & Maier, R. (2014). Security and compliance challenges in complex IT outsourcing arrangements: A multi-stakeholder perspective. Computers & Security, 40, 38–59. https://doi.org/10.1016/j.cose.2013.11.002CrossRef

Bailey, E., & Becker, J. D. (2014). A comparison of IT governance and control frameworks in cloud computing (p. 16). Presented at the Twentieth Americas Conference on Information Systems.

Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), 138–151. https://doi.org/10.1016/j.im.2013.11.004CrossRef

Bernik, I., & Prislan, K. (2016). Measuring information security performance with 10 by 10 model for holistic state evaluation. PLoS One, 11(9), 1–33. https://doi.org/10.1371/journal.pone.0163050CrossRef

Bremser, W. G., & Chung, Q. B. (2005). A framework for performance measurement in the e-business environment. Electronic Commerce Research and Applications, 4(4), 395–412.CrossRef

British Standards Institute (BSI). (2014). BSI transition guide: Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013. https://www.bsigroup.com/LocalFiles/en-GB/iso-iec-27001/resources/BSI-ISO27001-transition-guide-UK-EN-pdf.pdf. Accessed 5 June 2018.

Brothy, K. (2009). Information security governance: a practical development and implementation approach (Vol. 53). John Wiley & Sons.

Butler, J., Henderson, S., & Raiborn, C. (2011). Sustainability and the balanced scorecard: Integrating green measures into business reporting. Management Accounting Quarterly, 12(2), 1–10.

Campara, D., & Mansourov, N. (2008). How to tackle security issues in large existing/legacy systems while maintaining development priorities. In 2008 IEEE Conference on Technologies for Homeland Security (pp. 167–172). Presented at the 2008 IEEE Conference on Technologies for Homeland Security. https://doi.org/10.1109/THS.2008.4534443.

Carcary, M., Renaud, K., McLaughlin, S., & O’Brien, C. (2016). A framework for information security governance and management. IT Professional, 18(2), 22–30. https://doi.org/10.1109/MITP.2016.27CrossRef

Cartlidge, A., Hanna, A., Rudd, C., Macfarlane, I., Windebank, J., & Rance, S. (2007). An introductory overview of ITIL V3. The IT Service Management Forum (itSMF) Ltd. https://itil.it.utah.edu/itilv3/docs/itSMF_ITILV3_Intro_Overview. Accessed 16 Feb 2022.

Cezar, A., Cavusoglu, H., & Raghunathan, S. (2014). Outsourcing information security: Contracting issues and security implications. Management Science, 60(3), 638–657. https://doi.org/10.1287/mnsc.2013.1763CrossRef

Chang, K., & Wang, C. (2011). Information systems resources and information security. Information Systems Frontiers, 13(4), 579–593. https://doi.org/10.1007/s10796-010-9232-6CrossRef

Chen, J. Q., & Benusa, A. (2017). HIPAA security compliance challenges: The case for small healthcare providers. International Journal of Healthcare Management, 10(2), 135–146. https://doi.org/10.1080/20479700.2016.1270875CrossRef

Chew, E., Swanson, M. M., Stine, K. M., Bartol, N., Brown, A., & Robinson, W. (2008). Performance measurement guide for information security (800–55, Revision 1 ed.pp. 1–40). National Institute of Standards and Technology.CrossRef

Chun Tie, Y., Birks, M., & Francis, K. (2019). Grounded theory research: A design framework for novice researchers. SAGE Open Medicine, 7, 1–8. https://doi.org/10.1177/2050312118822927CrossRef

Clinch, J. (2009). ITIL V3 and information security. http://www.trainingcreatively.com/whitepaper/While-Paper-ITI-V3-and-Information-Security.pdf

Culot, G., Nassimbeni, G., Podrecca, M., & Sartor, M. (2021). The ISO/IEC 27001 information security management standard: Literature review and theory-based research agenda. The TQM Journal, 33(7), 76–105. https://doi.org/10.1108/TQM-09-2020-0202CrossRef

Da Cruz, E., & Labuschagne, L. (2005). A new framework for bridging the gap between IT service management and IT governance from a security perspective (pp. 1–12). Academy of Information Technology at the University of Johannesburg.

Debreceny, R. S., & Gray, G. L. (2013). IT governance and process maturity: A multinational field study. Journal of Information Systems, 27(1), 157–188. https://doi.org/10.2308/isys-50418CrossRef

Ezhei, M., & Tork Ladani, B. (2020). Interdependency analysis in security investment against strategic attacks. Information Systems Frontiers, 22(1), 187–201. https://doi.org/10.1007/s10796-018-9845-8CrossRef

Garigue, R., & Stefaniu, M. (2003). Information security governance reporting. Information Systems Security Journal, 12(4), 36–40.CrossRef

Gashgari, G., Walters, R., & Wills, G. (2017). A Proposed Best-practice Framework for Information Security Governance: In Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security (pp. 295–301). Presented at the 2nd International Conference on Internet of Things, Big Data and Security, SCITEPRESS - Science and Technology Publications. https://doi.org/10.5220/0006303102950301.

Goldman, J. E., & Ahuja, S. (2011). Integration of COBIT, balanced scorecard and SSE-CMM as an organizational & strategic information security management (ISM) framework. In In ICT ethics and security in the 21st century: New developments and applications (pp. 277–309). IGI Global.CrossRef

Gordon, L. A., & Loeb, M. P. (2007). Economic aspects of information security: An emerging field of research. Information Systems Frontiers, 8(5), 335–337. https://doi.org/10.1007/s10796-006-9010-7CrossRef

Gordon, L. A., Loeb, M. P., & Zhou, L. (2016). Investing in cybersecurity: Insights from the Gordon-Loeb model. Journal of Information Security, 7(2), 49–59. https://doi.org/10.4236/jis.2016.72004CrossRef

Hamdan, B. J. (2013). Evaluating the performance of information security: A balanced scorecard approach. In SAIS 2013Proceedings. Presented at the SAIS. https://www.aisel.aisnet.org/sais2013/11/

Hasan, S., Ali, M., Kurnia, S., & Thurasamy, R. (2021). Evaluating the cyber security readiness of organizations and its influence on performance. Journal of Information Security and Applications, 58, 102726. https://doi.org/10.1016/j.jisa.2020.102726CrossRef

Hasan, R., & Chyi, T. (2017). Practical application of balanced scorecard - a literature review. Journal of Strategy and Performance Management, 5, 87–103.

Heidt, M., Gerlach, J. P., & Buxmann, P. (2019). Investigating the security divide between SME and large companies: How SME characteristics influence organizational IT security investments. Information Systems Frontiers, 21(6), 1285–1305. https://doi.org/10.1007/s10796-019-09959-1CrossRef

Herath, H., Bremser, W., & Birnberg, J. (2019). Team-based employee remuneration: A balanced scorecard group target and weight selection-based bonus allocation. Accounting Research Journal, 32(2), 252–272.CrossRef

Herath, H., & Herath, T. (2008). Investments in information security: A real options perspective with Bayesian postaudit. Journal of Management Information Systems, 25(3), 337–375. https://doi.org/10.2753/MIS0742-1222250310CrossRef

Herath, H., & Herath, T. (2014). IT security auditing: A performance evaluation decision model. Decision Support Systems, 57, 54–63. https://doi.org/10.1016/j.dss.2013.07.010CrossRef

Herath, H., & Herath, T. (2018). Post-audits for managing cyber security investments: Bayesian post-audit using Markov chain Monte Carlo (MCMC) simulation. Journal of Accounting and Public Policy, 37(6), 545–563. https://doi.org/10.1016/j.jaccpubpol.2018.10.005CrossRef

Herath, T., Herath, H., & Bremser, W. (2010). Balanced scorecard implementation of security strategies: A framework for IT security performance management. Information Systems Management, 27(1), 72–81. https://doi.org/10.1080/10580530903455247CrossRef

Hohan, A. I., Olaru, M., & Pirnea, I. C. (2015). Assessment and continuous improvement of information security based on TQM and business excellence principles. Procedia Economics and Finance, 32, 352–359. https://doi.org/10.1016/S2212-5671(15)01404-5CrossRef

Horne, C. A., Maynard, S. B., & Ahmad, A. (2017). Organisational information security strategy: Review, discussion and future research. Australasian Journal of Information Systems, 21, 1–17. https://doi.org/10.3127/ajis.v21i0.1427CrossRef

Huang, S.-M., Lee, C.-L., & Kao, A.-C. (2006). Balancing performance measures for information security management: A balanced scorecard framework. Industrial Management & Data Systems, 106(2), 242–255. https://doi.org/10.1108/02635570610649880CrossRef

Ireton, J. (2016). 1.5 million cybersecurity professionals needed globally by 2020, Ottawa conference hears | CBC News. CBC. https://www.cbc.ca/news/canada/ottawa/cybersecurity-talent-shortage-1.3831541. Accessed 19 October 2021.

ISO International Organization for Standardization. (n.d.). ISO/IEC 27001:2013. ISO. https://www.iso.org/standard/54534.html. Accessed 22 October 2020.

IT Governance Institute. (2006). Information security governance: Guidance for boards of directors and executive management. ISACA.

IT Governance Institute (Ed.). (2007). COBIT 4.1: Framework, control objectives, management guidelines, maturity models. IT Governance Institute.

Kaplan, R. S., & Norton, D. P. (1992). The balanced scorecard: Measures that drive performance. Harvard Business Review, 83, 71–79.

Kaplan, R. S., & Norton, D. P. (2005). The balanced scorecard: Measures that drive performance. Harvard Business Review, 83(7), 172.

Keyes, J. (2016). Chapter 4: Aligning IT to organizational strategy. In Implementing the IT balanced scorecard: Aligning IT with corporate strategy (pp. 91–113). Auerbach Publications, Taylor and Francis Group.CrossRef

Kong, H.-K., Kim, T.-S., & Kim, J. (2012). An analysis on effects of information security investments: A BSC perspective. Journal of Intelligent Manufacturing, 23(4), 941–953.CrossRef

Krumay, B., Bernroider, E. W. N., & Walser, R. (2018). Evaluation of cybersecurity management controls and metrics of critical infrastructures: A literature review considering the NIST cybersecurity framework. In N. Gruschka (Ed.), Secure IT systems (pp. 369–384). Springer International Publishing. https://doi.org/10.1007/978-3-030-03638-6_23CrossRef

Kurniawan, E., & Riadi, I. (2018). Security level analysis of academic information systems based on standard ISO 27002:2003 using SSE-CMM. International journal of computer science and information. Security, 16, 139–147. https://doi.org/10.13140/RG.2.2.20925.15840CrossRef

Kweon, E., Lee, H., Chai, S., & Yoo, K. (2021). The utility of information security training and education on cybersecurity incidents: An empirical evidence. Information Systems Frontiers, 23(2), 361–373. https://doi.org/10.1007/s10796-019-09977-zCrossRef

Lin, H.-C. K., Chuang, T.-Y., Lin, I.-L., & Chen, H.-Y. (2014). Elucidating the role of IT/IS assessment and resource allocation in IT/IS performance in hospitals. Information & Management, 51(1), 104–112. https://doi.org/10.1016/j.im.2013.09.004CrossRef

Lombard, M., Snyder-Duch, J., & Bracken, C. C. (2002). Content analysis in mass communication: Assessment and reporting of Intercoder reliability. Human Communication Research, 28(4), 587–604. https://doi.org/10.1111/j.1468-2958.2002.tb00826.xCrossRef

Malatji, M., Von Solms, S., & Marnewick, A. (2019). Socio-technical systems cybersecurity framework. Information & Computer Security, 27(2), 233–272. https://doi.org/10.1108/ICS-03-2018-0031CrossRef

Martinsons, M., Davison, R., & Tse, D. (1999). The balanced scorecard: A foundation for the strategic management of information systems. Decision Support Systems, 25(1), 71–88.CrossRef

Matthiesen, S., & Bjørn, P. (2015). Why Replacing Legacy Systems Is So Hard in Global Software Development: An Information Infrastructure Perspective. In Proceedings of the 18th ACM Conference on Computer Supported Cooperative Work & Social Computing (pp. 876–890). Presented at the CSCW ‘15: Computer Supported Cooperative Work and Social Computing, Vancouver BC Canada: ACM. https://doi.org/10.1145/2675133.2675232.

Maynard, S., Tan, T., Ahmad, A., & Ruighaver, T. (2018). Towards a framework for strategic security context in information security governance. Pacific Asia. Journal of the Association for Information Systems, 10(4), 65–88. https://doi.org/10.17705/1pais.10403CrossRef

McGinn, S. (2017). Universities must take steps to protect against ransomware attacks. University Affairs https://www.universityaffairs.ca/news/news-article/universities-must-take-steps-protect-ransomware-attacks/. Accessed 19 October 2021

McHugh, M. L. (2012). Interrater reliability: The kappa statistic. Biochemia Medica, 22(3), 276–282.CrossRef

McKenzie, L. (2021). Colleges a ‘juicy target’ for Cyberextortion. Inside Higher Ed https://www.insidehighered.com/news/2021/03/19/targeting-colleges-and-other-educational-institutions-proving-be-good-business. Accessed 19 October 2021

Miaoui, Y., & Boudriga, N. (2019). Enterprise security investment through time when facing different types of vulnerabilities. Information Systems Frontiers, 21(2), 261–300. https://doi.org/10.1007/s10796-017-9745-3CrossRef

Micheli, P., & Mari, L. (2014). The theory and practice of performance measurement. Management Accounting Research, 25(2), 147–156. https://doi.org/10.1016/j.mar.2013.07.005CrossRef

MicrosoftTechNet. (2007). Balanced Scorecard for Information Security Introduction | Microsoft Docs. https://technet.microsoft.com/en-us/library/bb821240.aspx. Accessed 22 October 2020.

Mishra, S. (2015). Organizational objectives for information security governance: A value focused assessment. Information & Computer Security, 23(2), 122–144. https://doi.org/10.1108/ICS-02-2014-0016CrossRef

Nicho, M. (2018). A process model for implementing information systems security governance. Information & Computer Security, 26(1), 10–38. https://doi.org/10.1108/ICS-07-2016-0061CrossRef

de Oliveira Alves, G. A., da Costa Carmo, L. F. R., & de Almeida, A. C. R. D. (2006). Enterprise security governance; a practical guide to implement and control information security governance (ISG). In In 2006 IEEE/IFIP business driven IT management (pp. 71–80). Presented at the 2006 IEEE/IFIP Business Driven IT Management. https://doi.org/10.1109/BDIM.2006.1649213CrossRef

Omoyiola, B. O. (2020). The evolution of information security measurement and testing. IOSR Journal of Computer Engineering, 22(3), 50–54.

Palmer, A. J. (2010). Approach for selecting the most suitable automated personal identification mechanism (ASMSA). Computers & Security, 29(7), 785–806. https://doi.org/10.1016/j.cose.2010.03.002CrossRef

Patnayakuni, R., & Patnayakuni, N. (2014). Information Security in Value Chains: A Governance Perspective.

Pérez-González, D., Preciado, S. T., & Solana-Gonzalez, P. (2019). Organizational practices as antecedents of the information security management performance: An empirical investigation. Information Technology & People, 32(5), 1262–1275. https://doi.org/10.1108/ITP-06-2018-0261CrossRef

Pirttimaki, V., & Lonnqvist, A. (2006). The measurement of business intelligence. Information Systems Management, 231, 32–40.

Pirttimäki, V., Lönnqvist, A., & Karjaluoto, A. (2006). Measurement of business intelligence in a Finnish telecommunications company. The Electronic Journal of Knowledge Management, 4(1), 83–90.

PWC IT Consulting Service. (2013). New Release of ISO27001:13 and 27002:13. https://www.pwc.com.cy/en/publications/assets/iso27001-27002-2013.pdf. Accessed 7 May 2018.

Rastogi, R., & von Solms, R. (2005). Information security governance - a re-definition. In P. Dowland, S. Furnell, B. Thuraisingham, & X. S. Wang (Eds.), Security management, integrity, and internal control in information systems (pp. 223–236). Springer US. https://doi.org/10.1007/0-387-31167-X_14CrossRef

Rosmiati, Riadi, I., & Prayudi, Y. (2016). A maturity level framework for measurement of information security performance. International Journal of Computer Applications, 141, 975–8887. https://doi.org/10.5120/ijca2016907930CrossRef

Rubino, M., Vitolla, F., & Garzoni, A. (2017). The impact of an IT governance framework on the internal control environment. Records Management Journal, 27(1), 19–41. https://doi.org/10.1108/RMJ-03-2016-0007CrossRef

Sarker, S., Xiao, X., & Beaulieu, T. (2013). Qualitative studies in information systems: A critical review and some guiding principles. MIS Quarterly, 37(4), iii–xviii.

Savola, R. M. (2013). Quality of security metrics and measurements. Computers & Security, 37, 78–90. https://doi.org/10.1016/j.cose.2013.05.002CrossRef

Schatz, D., & Bashroush, R. (2017). Economic valuation for information security investment: A systematic literature review. Information Systems Frontiers, 19(5), 1205–1228. https://doi.org/10.1007/s10796-016-9648-8CrossRef

Schatz, D., & Bashroush, R. (2018). A structural model approach for assessing information security value in organizations. International Journal of Strategic Decision Sciences (IJSDS), 9(4), 47–69. https://doi.org/10.4018/IJSDS.2018100104CrossRef

Schinagl, S., & Shahim, A. (2020). What do we know about information security governance? “From the basement to the boardroom”: Towards digital security governance. Information & Computer Security, 28(2), 261–292. https://doi.org/10.1108/ICS-02-2019-0033CrossRef

Sheikhpour, R., & Modiri, N. (2012). An approach to map COBIT processes to ISO/IEC 27001 information security management controls. International Journal of Security and Its Applications, 6(2), 16.

Sherwood, J., Clark, A., & Lynas, D. (1995). Enterprise security architecture. SABSA, White paper, 2009.

Shih-Jen, K. H., & McKay, R. (2002). Balanced scorecard: Two perspectives: Certified public accountant. The CPA Journal, 72(3), 20.

Shivashankarappa, A. N., Smalov, L., Dharmalingam, R., & Anbazhagan, N. (2012). Implementing it governance using COBIT: A case study focusing on critical success factors. In In world congress on internet security (WorldCIS-2012) (pp. 144–149). Presented at the World Congress on Internet Security (WorldCIS-2012).

Sklavos, N., & Souras, P. (2006). Economic models and approaches in information security for computer networks. International Journal of Network Security, 2(1), 14–20.

von Solms, B. (2005). Information security governance: COBIT or ISO 17799 or both? Computers & Security, 24(2), 99–104. https://doi.org/10.1016/j.cose.2005.02.002CrossRef

Tallau, L. J., Gupta, M., & Sharman, R. (2010). Information security investment decisions: Evaluating the balanced scorecard method. International Journal of Business Information Systems, 5(1), 34–57.CrossRef

Telem, M. (1988). Information requirements specification I: Brainstorming collective decision-making approach. Information Processing & Management, 24(5), 549–557. https://doi.org/10.1016/0306-4573(88)90024-6CrossRef

Tu, C. Z., Yuan, Y., Archer, N., & Connelly, C. E. (2018). Strategic value alignment for information security management: A critical success factor analysis. Information & Computer Security, 26(2), 150–170. https://doi.org/10.1108/ICS-06-2017-0042CrossRef

Van Grembergen, W., & De Haes, S. (2005). Measuring and improving IT governance through the balanced scorecard. Information Systems Control Journal, 2(1), 35–42.

Veiga, AD., Eloff, JH. (2007). An information security governance framework. Information systems management, 24(4):361–372.

Walsham, G. (2006). Doing interpretive research. European Journal of Information Systems, 15(3), 320–330. https://doi.org/10.1057/palgrave.ejis.3000589CrossRef

Whitman, M. E., & Mattord, H. J. (2011). Principles of information security. Cengage Learning.

Whitman, M., & Mattord, H. J. (2014). Information security governance for the non-security business executive. Journal of Executive Education, 11(1), 17.

Williams, P. (2006). The role of standards in medical information. Security Management, 415–420.

Williams, P. (2007). Information governance: A model for security in medical practice. Journal of Digital Forensics, Security, and Law. https://doi.org/10.15394/jdfsl.2007.1017

Woudenberg, F. (1991). An evaluation of Delphi. Technological Forecasting and Social Change, 40(2), 131–150.CrossRef

Wu, Y. A., & Saunders, C. S. (2011). Governing information security: Governance domains and decision rights allocation patterns. Information Resources Management Journal (IRMJ), 24(1), 28–45. https://doi.org/10.4018/irmj.2011010103CrossRef

Xu, F., Luo, X. R., Zhang, H., Liu, S., & Huang, W. W. (2019). Do strategy and timing in IT security investments matter? An empirical investigation of the alignment effect. Information Systems Frontiers, 21(5), 1069–1083. https://doi.org/10.1007/s10796-017-9807-6CrossRef

Title: An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks
Authors: Tejaswini C. Herath
Hemantha S. B. Herath
David Cullum
Publication date: 28-02-2022
Publisher: Springer US
Published in: Information Systems Frontiers / Issue 2/2023
Print ISSN: 1387-3326
Electronic ISSN: 1572-9419
DOI: https://doi.org/10.1007/s10796-022-10246-9

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 2/2023

Design Principles for User Interfaces in AI-Based Decision Support Systems: The Case of Explainable Hate Speech Detection

The challenges of entering the metaverse: An experiment on the effect of extended reality on workload

Heterogeneous Information Fusion based Topic Detection from Social Media Data

RQ Labs: A Cybersecurity Workforce Skills Development Framework

Password and Passphrase Guessing with Recurrent Neural Networks

Social Media Sustainability Communication: An Analysis of Firm Behaviour and Stakeholder Responses

Premium Partner