A quantification mechanism for assessing adherence to information security governance guidelines

Bongiovanni, Ivano and Renaud, Karen and Brydon, Humphrey and Blignaut, Renette and Cavallo, Angelo (2022) A quantification mechanism for assessing adherence to information security governance guidelines. Information and Computer Security, 30 (4). pp. 517-548. ISSN 2056-4961 (https://doi.org/10.1108/ICS-08-2021-0112)

Text. Filename: Bongiovanni_etal_ICS_2022_A_quantification_mechanism_for_assessing_adherence_to_information_security_governance_guidelines.pdf
Accepted Author Manuscript
License: Creative Commons Attribution-NonCommercial 4.0



Purpose: Boards of Directors and other organisational leaders make decisions about the information security governance systems to implement in their companies. The increasing number of cyber-breaches targeting businesses makes this activity inescapable. Recently, researchers have published comprehensive lists of recommended cyber measures, specifically to inform organisational boards. However, the young cybersecurity industry has yet to confirm and refine these guidelines. As a starting point, it would be helpful for organisational leaders to know what other organisations are doing in terms of utilising these guidelines. In an ideal world, bespoke surveys would be developed to gauge adherence to guidelines, but this is not always feasible. What we often do have is data from existing cybersecurity surveys. We argue that such data could be repurposed to quantify adherence to existing information security guidelines, and we propose, and test, an original methodology to do so.

Design/Methodology/Approach: We propose a quantification mechanism to measure the degree of adherence to a set of published information security governance recommendations and guidelines targeted at organisational leaders. We test the mechanism using a dataset collected in a survey of 156 Italian companies on information security and privacy.

Findings: The evaluation of the proposed mechanism appears to align with findings in the literature, indicating the validity of our approach. An analysis of how different industries rank in terms of their adherence to the selected set of recommendations and guidelines confirms the usability of our repurposed dataset for measuring adherence.

Originality: To the best of our knowledge, a quantification mechanism such as the one proposed in this study has never been proposed and tested in the literature. It suggests a way to repurpose survey data to determine the extent to which companies are implementing measures recommended by published cyber security guidelines. In this way, our mechanism responds to increasing calls for the adoption of research practices that minimise waste of resources and enhance research sustainability.