Organisational Information Security Strategy: Review, Discussion and Future Research




Information security strategy, organisational strategy, security quality, strategic information systems, business management


Dependence on information, including for some of the world’s largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences indicate that attacks are escalating on organisations conducting these information-based activities. Organisations need to formulate strategy to secure their information, however gaps exist in knowledge. Through a thematic review of academic security literature, (1) we analyse the antecedent conditions that motivate the adoption of a comprehensive information security strategy, (2) the conceptual elements of strategy and (3) the benefits that are enjoyed post-adoption. Our contributions include a definition of information security strategy that moves from an internally-focussed protection of information towards a strategic view that considers the organisation, its resources and capabilities, and its external environment. Our findings are then used to suggest future research directions.

Author Biographies

Craig A. Horne, The University of Melbourne

Craig Horne is an information systems practitioner with a military background and over twenty years in the IT industry. Fifteen of these years were spent in technical roles spanning hardware, software, operating systems, databases, networks and peripherals. Craig is currently studying a PhD at The University of Melbourne researching information security strategy in organisations. He holds a Bachelor of Science majoring in Computer Science from La Trobe University as well as a Master of Business Administration majoring in MIS and Entrepreneurship. He maintains his proficiency by undertaking a minimum of 30 hours continuing education annually, as reflected in his Certified Professional status with the Australian Computer Society.

Sean B. Maynard, The University of Melbourne

Dr. Sean Maynard is an academic in the Department of Computing Information Systems at the University of Melbourne. Starting his academic career in Information Systems focusing on the use of computing technology to aid senior management (EIS) and the evaluation of decision support systems, his research over the past decade has been in the area of information systems security, in particular focusing on the evaluation of security policy quality and on the investigation of security culture within organisations.  Dr Maynard has taught many aspects of Information Systems including: Programming, Database Systems, Data Warehousing and Business Analytics, Security, Analysis and Design, and Information Systems.

Atif Ahmad, The University of Melbourne

Dr. Atif Ahmad CPP is an academic based at the University of Melbourne where he has been teaching and researching information security and digital forensics for more than twelve years. He specializes in information security risk assessment, a field in which he has formal teaching, research and consulting experience. Atif also have an interest and consulting experience in Document Security and Leakage Prevention. Atif has applied his expertise to critical infrastructure installations through his association with WorleyParsons Ltd, Pinkerton Consulting Services (Australia) Ltd and other leading consulting firms. He has excellent writing and communication skills particularly suited to research, consulting and public speaking.




How to Cite

Horne, C. A., Maynard, S. B., & Ahmad, A. (2017). Organisational Information Security Strategy: Review, Discussion and Future Research. Australasian Journal of Information Systems, 21.



Research Articles