Organisational Information Security Strategy: Review, Discussion and Future Research
Abstract
Dependence on information, including for some of the world’s largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences indicate that attacks are escalating on organisations conducting these information-based activities. Organisations need to formulate strategy to secure their information; however, gaps exist in knowledge. Through a thematic review of academic security literature, we analyse (1) the antecedent conditions that motivate the adoption of a comprehensive information security strategy, (2) the conceptual elements of strategy and (3) the benefits that are enjoyed post-adoption. Our contributions include a definition of information security strategy that moves from an internally-focussed protection of information towards a strategic view that considers the organisation, its resources and capabilities, and its external environment. Our findings are then used to suggest future research directions.
Copyright (c) 2017 Craig A. Horne, Sean B. Maynard, Atif Ahmad
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
AJIS publishes open-access articles distributed under the terms of a Creative Commons Non-Commercial and Attribution License which permits non-commercial use, distribution, and reproduction in any medium, provided the original author and AJIS are credited. All other rights including granting permissions beyond those in the above license remain the property of the author(s).