
An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks

Authors

  • Tejaswini C. Herath (Brock University)
  • Hemantha S. B. Herath (Brock University)
  • David Cullum (Brock University)

Abstract

As organizations have become increasingly reliant on information systems, senior managers are keen to assess the progress of the information security strategies they have implemented. Although the balanced scorecard approach has been suggested for security governance, a critical issue facing information security practitioners is complexity: there are many standards and frameworks, with duplication and overlaps, that must be adhered to when organizing the data. Consequently, the article attempts to develop a more inclusive framework for information security governance, a research gap recently identified in the literature. The article maps five governance and control frameworks (COBIT, SABSA, ISG, ITIL, and ISO 27000) to the information security balanced scorecard (InfoSec BSC) to develop a conceptual design of an effective information security performance measurement tool that senior managers can use. Using a real-life case application and interviews with a panel of experts, the article identifies IS initiatives and performance measures for each of the mapped objectives derived from the governance and control frameworks, which may provide guidance for practitioners.

Suggested Citation

  • Tejaswini C. Herath & Hemantha S. B. Herath & David Cullum, 2023. "An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks," Information Systems Frontiers, Springer, vol. 25(2), pages 681-721, April.
  • Handle: RePEc:spr:infosf:v:25:y:2023:i:2:d:10.1007_s10796-022-10246-9
    DOI: 10.1007/s10796-022-10246-9

    Download full text from publisher

    File URL: http://link.springer.com/10.1007/s10796-022-10246-9
    File Function: Abstract
    Download Restriction: Access to the full text of the articles in this series is restricted.

    File URL: https://libkey.io/10.1007/s10796-022-10246-9?utm_source=ideas
    LibKey link: if access is restricted and your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item.

    References listed on IDEAS

    1. Yu ’Andy’ Wu & Carol Stoak Saunders, 2011. "Governing Information Security: Governance Domains and Decision Rights Allocation Patterns," Information Resources Management Journal (IRMJ), IGI Global, vol. 24(1), pages 28-45, January.
    2. Eunkyung Kweon & Hansol Lee & Sangmi Chai & Kyeongwon Yoo, 2021. "The Utility of Information Security Training and Education on Cybersecurity Incidents: An empirical evidence," Information Systems Frontiers, Springer, vol. 23(2), pages 361-373, April.
    3. Kuo-chung Chang & Chih-ping Wang, 2011. "Information systems resources and information security," Information Systems Frontiers, Springer, vol. 13(4), pages 579-593, September.
    4. Linda J. Tallau & Manish Gupta & Raj Sharman, 2010. "Information security investment decisions: evaluating the Balanced Scorecard method," International Journal of Business Information Systems, Inderscience Enterprises Ltd, vol. 5(1), pages 34-57.
    5. Hee-Kyung Kong & Tae-Sung Kim & Jungduk Kim, 2012. "An analysis on effects of information security investments: a BSC perspective," Journal of Intelligent Manufacturing, Springer, vol. 23(4), pages 941-953, August.
    6. Daniel Schatz & Rabih Bashroush, 2017. "Economic valuation for information security investment: a systematic literature review," Information Systems Frontiers, Springer, vol. 19(5), pages 1205-1228, October.
    7. Yosra Miaoui & Noureddine Boudriga, 2019. "Enterprise security investment through time when facing different types of vulnerabilities," Information Systems Frontiers, Springer, vol. 21(2), pages 261-300, April.
    8. Mansooreh Ezhei & Behrouz Tork Ladani, 2020. "Interdependency Analysis in Security Investment against Strategic Attacks," Information Systems Frontiers, Springer, vol. 22(1), pages 187-201, February.
    9. Feng Xu & Xin (Robert) Luo & Hongyun Zhang & Shan Liu & Wei (Wayne) Huang, 2019. "Do Strategy and Timing in IT Security Investments Matter? An Empirical Investigation of the Alignment Effect," Information Systems Frontiers, Springer, vol. 21(5), pages 1069-1083, October.
    10. Margareta Heidt & Jin P. Gerlach & Peter Buxmann, 2019. "Investigating the Security Divide between SME and Large Companies: How SME Characteristics Influence Organizational IT Security Investments," Information Systems Frontiers, Springer, vol. 21(6), pages 1285-1305, December.
    11. Daniel Schatz & Rabih Bashroush, 2018. "A Structural Model Approach for Assessing Information Security Value in Organizations," International Journal of Strategic Decision Sciences (IJSDS), IGI Global, vol. 9(4), pages 47-69, October.
    12. Heidt, Margareta & Gerlach, Jin & Buxmann, Peter, 2019. "Investigating the Security Divide between SME and Large Companies: How SME Characteristics Influence Organizational IT Security Investments," Publications of Darmstadt Technical University, Institute for Business Studies (BWL) 118284, Darmstadt Technical University, Department of Business Administration, Economics and Law, Institute for Business Studies (BWL).
    13. Cheuk Hang Au & Walter S. L. Fung, 2019. "Integrating Knowledge Management into Information Security: From Audit to Practice," International Journal of Knowledge Management (IJKM), IGI Global, vol. 15(1), pages 37-52, January.
    14. Igor Bernik & Kaja Prislan, 2016. "Measuring Information Security Performance with 10 by 10 Model for Holistic State Evaluation," PLOS ONE, Public Library of Science, vol. 11(9), pages 1-33, September.
    15. Geoff Walsham, 2006. "Doing interpretive research," European Journal of Information Systems, Taylor & Francis Journals, vol. 15(3), pages 320-330, June.
    16. Francis Akowuah & Xiaohong Yuan & Jinsheng Xu & Hong Wang, 2013. "A Survey of Security Standards Applicable to Health Information Systems," International Journal of Information Security and Privacy (IJISP), IGI Global, vol. 7(4), pages 22-36, October.
    17. Asunur Cezar & Huseyin Cavusoglu & Srinivasan Raghunathan, 2014. "Outsourcing Information Security: Contracting Issues and Security Implications," Management Science, INFORMS, vol. 60(3), pages 638-657, March.

    Citations



    Cited by:

    1. Kemendi Agnes & Michelberger Pal, 2024. "Process security methods and measurement in the context of standard management systems," Engineering Management in Production and Services, Sciendo, vol. 16(2), pages 148-165.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Chenglong Zhang & Nan Feng & Jianjian Chen & Dahui Li & Minqiang Li, 0. "Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities," Information Systems Frontiers, Springer, vol. 0, pages 1-18.
    2. Chenglong Zhang & Nan Feng & Jianjian Chen & Dahui Li & Minqiang Li, 2021. "Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities," Information Systems Frontiers, Springer, vol. 23(3), pages 773-790, June.
    3. You-Shyang Chen & Jerome Chih-Lung Chou & Yu-Sheng Lin & Ying-Hsun Hung & Xuan-Han Chen, 2023. "Identification of SMEs in the Critical Factors of an IS Backup System Using a Three-Stage Advanced Hybrid MDM–AHP Model," Sustainability, MDPI, vol. 15(4), pages 1-29, February.
    4. Abderrazak Laghouag & Faiz bin Zafrah & Mohamed Rafik Noor Mohamed Qureshi & Alhussain Ali Sahli, 2024. "Eliminating Non-Value-Added Activities and Optimizing Manufacturing Processes Using Process Mining: A Stock of Challenges for Family SMEs," Sustainability, MDPI, vol. 16(4), pages 1-20, February.
    5. Simon Kratzer & Andreas Drechsler & Markus Westner & Susanne Strahringer, 2022. "The Fractional CIO in SMEs: conceptualization and research agenda," Information Systems and e-Business Management, Springer, vol. 20(3), pages 581-611, September.
    6. Federico Iannacci & Colm Fearon & Kristine Pole, 2021. "From Acceptance to Adaptive Acceptance of Social Media Policy Change: a Set-Theoretic Analysis of B2B SMEs," Information Systems Frontiers, Springer, vol. 23(3), pages 663-680, June.
    7. Alessandro Acquisti & Tamara Dinev & Mark Keil, 2019. "Editorial: Special issue on cyber security, privacy and ethics of information systems," Information Systems Frontiers, Springer, vol. 21(6), pages 1203-1205, December.
    8. Mazaher Kianpour & Stewart J. Kowalski & Harald Øverby, 2021. "Systematically Understanding Cybersecurity Economics: A Survey," Sustainability, MDPI, vol. 13(24), pages 1-28, December.
    9. Kjell Hausken & Jonathan W. Welburn, 2021. "Attack and Defense Strategies in Cyber War Involving Production and Stockpiling of Zero-Day Cyber Exploits," Information Systems Frontiers, Springer, vol. 23(6), pages 1609-1620, December.
    10. Petar Radanliev & David Roure & Max Kleek & Uchenna Ani & Pete Burnap & Eirini Anthi & Jason R. C. Nurse & Omar Santos & Rafael Mantilla Montalvo & La’Treall Maddox, 2021. "Dynamic real-time risk analytics of uncontrollable states in complex internet of things systems: cyber risk at the edge," Environment Systems and Decisions, Springer, vol. 41(2), pages 236-247, June.
    11. Elvira Ismagilova & Laurie Hughes & Nripendra P. Rana & Yogesh K. Dwivedi, 2022. "Security, Privacy and Risks Within Smart Cities: Literature Review and Development of a Smart City Interaction Framework," Information Systems Frontiers, Springer, vol. 24(2), pages 393-414, April.
    12. Roozmehr Safi & Glenn J. Browne, 2023. "Detecting Cybersecurity Threats: The Role of the Recency and Risk Compensating Effects," Information Systems Frontiers, Springer, vol. 25(3), pages 1277-1292, June.
    13. Marcel Rolf Pfeifer, 2021. "Development of a Smart Manufacturing Execution System Architecture for SMEs: A Czech Case Study," Sustainability, MDPI, vol. 13(18), pages 1-23, September.
    14. Charlotte Wendt & Martin Adam & Alexander Benlian & Sascha Kraus, 2022. "Let’s Connect to Keep the Distance: How SMEs Leverage Information and Communication Technologies to Address the COVID-19 Crisis," Information Systems Frontiers, Springer, vol. 24(4), pages 1061-1079, August.
    15. Krishnan S. Anand & Manu Goyal, 2019. "Ethics, Bounded Rationality, and IP Sharing in IT Outsourcing," Management Science, INFORMS, vol. 65(11), pages 5252-5267, November.
    16. Xiaotong Li, 2022. "An evolutionary game‐theoretic analysis of enterprise information security investment based on information sharing platform," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 43(3), pages 595-606, April.
    17. David M. Goldberg & Jason K. Deane & Terry R. Rakes & Loren Paul Rees, 2022. "3D Printing Technology and the Market Value of the Firm," Information Systems Frontiers, Springer, vol. 24(4), pages 1379-1392, August.
    18. Yonghua Ji & Subodha Kumar & Vijay Mookerjee, 2016. "When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security," Information Systems Research, INFORMS, vol. 27(4), pages 897-918, December.
    19. Arvin Sahaym & Joseph Vithayathil & Suprateek Sarker & Saonee Sarker & Niels Bjørn-Andersen, 2023. "Value Destruction in Information Technology Ecosystems: A Mixed-Method Investigation with Interpretive Case Study and Analytical Modeling," Information Systems Research, INFORMS, vol. 34(2), pages 508-531, June.
    20. Jingmei Gao & Zahid Sarwar, 2024. "How do firms create business value and dynamic capabilities by leveraging big data analytics management capability?," Information Technology and Management, Springer, vol. 25(3), pages 283-304, September.
