{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,8]],"date-time":"2026-04-08T00:09:18Z","timestamp":1775606958845,"version":"3.50.1"},"reference-count":85,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2025,7,16]],"date-time":"2025-07-16T00:00:00Z","timestamp":1752624000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,7,16]],"date-time":"2025-07-16T00:00:00Z","timestamp":1752624000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100005967","name":"Linnaeus University","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100005967","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2025,8]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>Information security governance in the public sector involves risk management, accountability frameworks, network security, e-government systems infrastructure, mitigation plans, and alignment with corporate strategy. It equips organizations with the ability to deal with the security of their vital information assets systematically. However, several recent hacking incidents reveal the fact that substandard governance processes are among the common causes of weak security measures in most organizations. This study has been conducted following the established protocol outlined in the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) guidelines. Systematic Mapping Review (SMR) initially identified 1496 papers, and this study reviews and reports on 41 papers.
The reviewed literature emphasizes the adherence to recognized governance standard frameworks such as ISO\/IEC 27001, EU General Data Protection Regulations (GDPR), and EU Network and Information Security Act (NIS) for providing effective information security guidance frameworks in the public sector. However, a general scarcity is found regarding the best practices followed in the area of information security compliance. There is a lack of employing key performance indicators, risk assessment measures, security maturity models in organizations, and compliance audits. Additionally, the study suggests that, to some extent, the adoption of appropriate information security governance procedures is linked with available budgeted resources for individual organizations. The study results can serve as a starting point for the research and practitioners\u2019 community in the area of information security governance.<\/jats:p>","DOI":"10.1007\/s10207-025-01097-x","type":"journal-article","created":{"date-parts":[[2025,7,16]],"date-time":"2025-07-16T13:36:04Z","timestamp":1752672964000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["Information security governance in the public sector: investigations, approaches, measures, and 
trends"],"prefix":"10.1007","volume":"24","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-8265-0944","authenticated-orcid":false,"given":"Lars","family":"Magnusson","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4437-8297","authenticated-orcid":false,"given":"Sarfraz","family":"Iqbal","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6227-0290","authenticated-orcid":false,"given":"Patrik","family":"Elm","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7520-695X","authenticated-orcid":false,"given":"Fisnik","family":"Dalipi","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,7,16]]},"reference":[{"key":"1097_CR1","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10916-019-1507-y","volume":"44","author":"SS Bhuyan","year":"2020","unstructured":"Bhuyan, S.S., et al.: Transforming healthcare cybersecurity from reactive to proactive: Current status and future recommendations. J. Med. Syst. 44, 1\u20139 (2020)","journal-title":"J. Med. Syst."},{"issue":"3","key":"1097_CR2","doi-asserted-by":"publisher","first-page":"1098","DOI":"10.1109\/TNET.2019.2912847","volume":"27","author":"Z Lin","year":"2019","unstructured":"Lin, Z., Lu, W., Xu, S.: Unified preventive and reactive cyber defense dynamics is still globally convergent. IEEE\/ACM Trans. Networking. 27(3), 1098\u20131111 (2019)","journal-title":"IEEE\/ACM Trans. Networking"},{"key":"1097_CR3","unstructured":"Jones, A.: Security Posture: A Systematic Review of Cyber Threats and Proactive Security.; (2022). 
Available from: https:\/\/digitalcommons.liberty.edu\/honors\/1147\/"},{"issue":"5","key":"1097_CR4","doi-asserted-by":"publisher","first-page":"537","DOI":"10.18280\/ijsse.110505","volume":"11","author":"J Mart\u00ednez","year":"2021","unstructured":"Mart\u00ednez, J., Dur\u00e1n, J.M.: Software supply chain attacks, a threat to global cybersecurity: SolarWinds\u2019 case study. Int. J. Saf. Secur. Eng. 11(5), 537\u2013545 (2021)","journal-title":"Int. J. Saf. Secur. Eng."},{"key":"1097_CR5","unstructured":"Bitzer, M., Brinz, N., Ollig, P.: Disentangling the Concept of Information Security Properties-Enabling Effective Information Security Governance. in ECIS. (2021)"},{"key":"1097_CR6","doi-asserted-by":"publisher","first-page":"97","DOI":"10.1016\/j.cose.2013.04.004","volume":"38","author":"R Von Solms","year":"2013","unstructured":"Von Solms, R., Van Niekerk, J.: From information security to cyber security. Computers Secur. 38, 97\u2013102 (2013)","journal-title":"Computers Secur."},{"key":"1097_CR7","unstructured":"ISO, I.: IEC 27000: 2018 (E) Information technology\u2013Security techniques\u2013Information security management systems\u2013Overview and vocabulary. International Organization for Standardization Std, 27(000): p. 2018. (2018)"},{"issue":"8","key":"1097_CR8","doi-asserted-by":"publisher","first-page":"638","DOI":"10.1016\/j.cose.2004.10.006","volume":"23","author":"S Posthumus","year":"2004","unstructured":"Posthumus, S., Von Solms, R.: A framework for the governance of information security. Computers Secur. 23(8), 638\u2013646 (2004)","journal-title":"Computers Secur."},{"key":"1097_CR9","unstructured":"Sajko, M., Hadjina, N., Sedini\u0107, I.: Information security governance and how to accomplish it. in 2011 Proceedings of the 34th International Convention MIPRO. IEEE. 
(2011)"},{"issue":"7","key":"1097_CR10","doi-asserted-by":"publisher","first-page":"580","DOI":"10.1016\/S0167-4048(03)00705-3","volume":"22","author":"R Moulton","year":"2003","unstructured":"Moulton, R., Coles, R.S.: Applying information security governance. Computers Secur. 22(7), 580\u2013584 (2003)","journal-title":"Computers Secur."},{"key":"1097_CR11","doi-asserted-by":"crossref","unstructured":"Magnusson, L., Dalipi, F., Elm, P.: Cybersecurity Compliance in the Public Sector: Are the Best Security Practices Properly Addressed? in International Conference on Human-Computer Interaction. Springer. (2023)","DOI":"10.1007\/978-3-031-36001-5_28"},{"key":"1097_CR12","doi-asserted-by":"crossref","unstructured":"Cole, M.D., Schmitz, S.: The interplay between the NIS directive and the GDPR in a cybersecurity threat landscape. University of Luxembourg law working paper, 2019(2019-017)","DOI":"10.2139\/ssrn.3512093"},{"key":"1097_CR13","volume-title":"General Data Protection Regulation (GDPR) - Regulation (EU) 2016\/679 on the Protection of Natural Persons with Regard To the Processing of Personal Data and the Free Movement of Such Data","author":"EU","year":"2016","unstructured":"EU: General Data Protection Regulation (GDPR) - Regulation (EU) 2016\/679 on the Protection of Natural Persons with Regard To the Processing of Personal Data and the Free Movement of Such Data. EU, Editor (2016)"},{"key":"#cr-split#-1097_CR14.1","unstructured":"EU. Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive): [cited 2024 April 18, 2024]"},{"key":"#cr-split#-1097_CR14.2","unstructured":"(2016). Available from: https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/nis2-directive"},{"key":"1097_CR15","doi-asserted-by":"crossref","unstructured":"Magnusson, L., Iqbal, S.: Post-Mortem of Mega Hacks-Signifying the Need for a Systemic Enterprise View on Information Security. 
in 7th International Conference on Cryptography, Security and Privacy (CSP). 2023. IEEE. (2023)","DOI":"10.1109\/CSP58884.2023.00014"},{"key":"1097_CR16","unstructured":"Rebollo, O., et al.: Comparative analysis of information security governance frameworks: a public sector approach. in The Proceedings of the11th European Conference on eGovernment\u2013ECEG. (2011)"},{"issue":"7","key":"1097_CR17","doi-asserted-by":"publisher","first-page":"12","DOI":"10.1016\/S1361-3723(07)70091-X","volume":"2007","author":"A Pasquinucci","year":"2007","unstructured":"Pasquinucci, A.: Security, risk analysis and governance: A practical approach. Comput. Fraud Secur. 2007(7), 12\u201314 (2007)","journal-title":"Comput. Fraud Secur."},{"issue":"3","key":"1097_CR18","doi-asserted-by":"publisher","first-page":"60","DOI":"10.1016\/S1363-4127(01)00309-0","volume":"6","author":"P Williams","year":"2001","unstructured":"Williams, P.: Information security governance. Inform. Secur. Tech. Rep. 6(3), 60\u201370 (2001)","journal-title":"Inform. Secur. Tech. Rep."},{"key":"#cr-split#-1097_CR19.1","unstructured":"KPMG. KPMG global tech report: Government and public sector insights: [cited 2024 2024-12-18]"},{"key":"#cr-split#-1097_CR19.2","unstructured":"(2023). Available from: https:\/\/kpmg.com\/xx\/en\/our-insights\/ai-and-technology\/kpmg-global-tech-report-government-and-public-sector-insights.html"},{"key":"1097_CR20","doi-asserted-by":"crossref","unstructured":"Sugiharti, I., et al.: E-Government Roadmap for Smart Governance: A Study from Banyuwangi Smart Village. in. International Conference on Computer Science, Information Technology, and Electrical Engineering (ICOMITEE). 2021. IEEE. (2021)","DOI":"10.1109\/ICOMITEE53461.2021.9650320"},{"key":"1097_CR21","unstructured":"Whitman, M.E., Mattord, H.J.: Management of Information Security. 
Cengage Learning (2019)"},{"key":"1097_CR22","first-page":"102090","volume":"52","author":"M Warkentin","year":"2020","unstructured":"Warkentin, M., Orgeron, C.: Using the security triad to assess blockchain technology in public sector applications. Int. J. Inf. Manag. 52, 102090 (2020)","journal-title":"Int. J. Inf. Manag."},{"key":"1097_CR23","doi-asserted-by":"publisher","first-page":"102030","DOI":"10.1016\/j.cose.2020.102030","volume":"99","author":"S AlGhamdi","year":"2020","unstructured":"AlGhamdi, S., Win, K.T., Vlahu-Gjorgievska, E.: Information security governance challenges and critical success factors: Systematic review. Computers Secur. 99, 102030 (2020)","journal-title":"Computers Secur."},{"issue":"7","key":"1097_CR24","doi-asserted-by":"publisher","first-page":"76","DOI":"10.1108\/TQM-09-2020-0202","volume":"33","author":"G Culot","year":"2021","unstructured":"Culot, G., et al.: The ISO\/IEC 27001 information security management standard: Literature review and theory-based research agenda. TQM J. 33(7), 76\u2013105 (2021)","journal-title":"TQM J."},{"key":"1097_CR25","doi-asserted-by":"publisher","first-page":"e934475","DOI":"10.12659\/MSM.934475","volume":"27","author":"DV Parums","year":"2021","unstructured":"Parums, D.V.: Review articles, systematic reviews, meta-analysis, and the updated preferred reporting items for systematic reviews and meta-analyses (PRISMA) 2020 guidelines. Med. Sci. Monitor: Int. Med. J. Experimental Clin. Res. 27, e934475\u2013e934471 (2021)","journal-title":"Med. Sci. Monitor: Int. Med. J. Experimental Clin. Res."},{"issue":"9","key":"1097_CR26","first-page":"889","volume":"7","author":"D Moher","year":"2009","unstructured":"Moher, D., et al.: Preferred reporting items for systematic reviews and meta-analyses: The PRISMA statement (Chinese edition). J. Integr. Med. 7(9), 889\u2013896 (2009)","journal-title":"J. Integr. 
Med."},{"issue":"2","key":"1097_CR27","doi-asserted-by":"publisher","first-page":"77","DOI":"10.1191\/1478088706qp063oa","volume":"3","author":"V Braun","year":"2006","unstructured":"Braun, V., Clarke, V.: Using thematic analysis in psychology. Qualitative Res. Psychol. 3(2), 77\u2013101 (2006)","journal-title":"Qualitative Res. Psychol."},{"key":"1097_CR28","unstructured":"Creswell, J.W., Creswell, J.D.: Research Design: Qualitative, Quantitative, and Mixed Methods Approaches. Sage (2017)"},{"key":"1097_CR29","doi-asserted-by":"crossref","unstructured":"Al-Izki, F., Weir, G.R.: Management attitudes toward information security in Omani public sector organisations. in Cybersecurity and Cyberforensics Conference (CCC). 2016. IEEE. (2016)","DOI":"10.1109\/CCC.2016.28"},{"key":"1097_CR30","unstructured":"Gautama, H.: Information security readiness of government institution in Indonesia. in 2nd International Conference on Information and Communication Technology (ICoICT). 2014. IEEE. (2014)"},{"key":"1097_CR31","doi-asserted-by":"crossref","unstructured":"Srinivas, T., Vivek, G.: Cyber security: The state of the practice in public sector companies in India. in International Conference on Computing and Communication Technologies. IEEE. (2014)","DOI":"10.1109\/ICCCT2.2014.7066700"},{"key":"1097_CR32","doi-asserted-by":"crossref","unstructured":"Erastus, L., Jere, N., Shava, F.B.: A security model for Namibian Government Services. in 2017 IST-Africa Week Conference (IST-Africa). IEEE. (2017)","DOI":"10.23919\/ISTAFRICA.2017.8102380"},{"key":"1097_CR33","doi-asserted-by":"crossref","unstructured":"Coppolino, L., et al.: How to protect public administration from cybersecurity threats: The COMPACT project. in. 32nd International conference on advanced information networking and applications workshops (WAINA). 2018. IEEE. 
(2018)","DOI":"10.1109\/WAINA.2018.00147"},{"key":"1097_CR34","doi-asserted-by":"crossref","unstructured":"Craig, R., Tryfonas, T., May, J.: A viable systems approach towards cyber situational awareness. in IEEE International Conference on Systems, Man, and Cybernetics (SMC). 2014. IEEE. (2014)","DOI":"10.1109\/SMC.2014.6974112"},{"key":"1097_CR35","doi-asserted-by":"crossref","unstructured":"Sabillon, R., Higuera, J.R.B.: New Validation of a Cybersecurity Model to Audit the Cybersecurity Program in a Canadian Higher Education Institution. in 2023 Conference on Information Communications Technology and Society (ICTAS). IEEE. (2023)","DOI":"10.1109\/ICTAS56421.2023.10082731"},{"key":"1097_CR36","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.cose.2014.04.005","volume":"44","author":"J Webb","year":"2014","unstructured":"Webb, J., et al.: A situation awareness model for information security risk management. Computers Secur. 44, 1\u201315 (2014)","journal-title":"Computers Secur."},{"key":"1097_CR37","doi-asserted-by":"publisher","first-page":"102324","DOI":"10.1016\/j.cose.2021.102324","volume":"108","author":"C Topping","year":"2021","unstructured":"Topping, C., et al.: Beware suppliers bearing gifts! Analysing coverage of supply chain cyber security in critical National infrastructure sectorial and cross-sectorial frameworks. Computers Secur. 108, 102324 (2021)","journal-title":"Computers Secur."},{"key":"1097_CR38","first-page":"267","volume":"67","author":"F Karlsson","year":"2017","unstructured":"Karlsson, F., Hedstr\u00f6m, K., Goldkuhl, G.: Practice-based Discourse Anal. Inform. Secur. Policies Computers Secur. 67, 267\u2013279 (2017)","journal-title":"Practice-based Discourse Anal. Inform. Secur. 
Policies Computers Secur."},{"key":"1097_CR39","doi-asserted-by":"publisher","first-page":"101709","DOI":"10.1016\/j.cose.2019.101709","volume":"90","author":"EK Szczepaniuk","year":"2020","unstructured":"Szczepaniuk, E.K., et al.: Information security assessment in public administration. Computers Secur. 90, 101709 (2020)","journal-title":"Computers Secur."},{"key":"1097_CR40","doi-asserted-by":"crossref","unstructured":"Karvounidis, T., et al.: A Methodology for Adopting Security Management Principles in Health Sector Environments. in Proceedings of the 25th Pan-Hellenic Conference on Informatics. (2021)","DOI":"10.1145\/3503823.3503913"},{"issue":"4","key":"1097_CR41","doi-asserted-by":"publisher","first-page":"539","DOI":"10.1016\/j.bushor.2019.03.010","volume":"62","author":"C Abraham","year":"2019","unstructured":"Abraham, C., Chatterjee, D., Sims, R.R.: Muddling through cybersecurity: Insights from the US healthcare industry. Bus. Horiz. 62(4), 539\u2013548 (2019)","journal-title":"Bus. Horiz."},{"issue":"6","key":"1097_CR42","doi-asserted-by":"publisher","first-page":"105336","DOI":"10.1016\/j.clsr.2019.06.007","volume":"35","author":"D Markopoulou","year":"2019","unstructured":"Markopoulou, D., Papakonstantinou, V., De Hert, P.: The new EU cybersecurity framework: The NIS directive, enisa\u2019s role and the general data protection regulation. Comput. Law Secur. Rev. 35(6), 105336 (2019)","journal-title":"Comput. Law Secur. Rev."},{"key":"1097_CR43","doi-asserted-by":"publisher","first-page":"102657","DOI":"10.1016\/j.cose.2022.102657","volume":"116","author":"L Thomas","year":"2022","unstructured":"Thomas, L., et al.: A framework for data privacy and security accountability in data breach communications. Computers Secur. 
116, 102657 (2022)","journal-title":"Computers Secur."},{"issue":"6","key":"1097_CR44","doi-asserted-by":"publisher","first-page":"3079","DOI":"10.1016\/j.jksuci.2020.09.011","volume":"34","author":"JN Al-Karaki","year":"2022","unstructured":"Al-Karaki, J.N., Gawanmeh, A., El-Yassami, S.: GoSafe: On the practical characterization of the overall security posture of an organization information system using smart auditing and ranking. J. King Saud University-Computer Inform. Sci. 34(6), 3079\u20133095 (2022)","journal-title":"J. King Saud University-Computer Inform. Sci."},{"key":"1097_CR45","doi-asserted-by":"crossref","unstructured":"Borgman, B., Mubarak, S., Choo, K.-K.R.: Cyber Security Readiness in the South Australian Government, vol. 37, pp. 1\u20138. Computer Standards & Interfaces (2015)","DOI":"10.1016\/j.csi.2014.06.002"},{"key":"1097_CR46","doi-asserted-by":"publisher","first-page":"47","DOI":"10.1016\/j.ijcip.2016.10.001","volume":"15","author":"B Karabacak","year":"2016","unstructured":"Karabacak, B., Yildirim, S.O., Baykal, N.: A vulnerability-driven cyber security maturity model for measuring National critical infrastructure protection preparedness. Int. J. Crit. Infrastruct. Prot. 15, 47\u201359 (2016)","journal-title":"Int. J. Crit. Infrastruct. Prot."},{"issue":"3","key":"1097_CR47","doi-asserted-by":"publisher","first-page":"2315","DOI":"10.1007\/s10207-024-00847-7","volume":"23","author":"J Navajas-Ad\u00e1n","year":"2024","unstructured":"Navajas-Ad\u00e1n, J., et al.: Perceptions and dilemmas around cyber-security in a Spanish research center after a cyber-attack. Int. J. Inf. Secur. 23(3), 2315\u20132331 (2024)","journal-title":"Int. J. Inf. Secur."},{"key":"1097_CR48","doi-asserted-by":"crossref","unstructured":"Mustafa, G., et al.: Blockchain-based governance models in e-government: A comprehensive framework for legal, technicthical and security considerations. Int. J. 
Law Manage., (2024)","DOI":"10.1108\/IJLMA-08-2023-0172"},{"key":"1097_CR49","doi-asserted-by":"crossref","unstructured":"Williams, K., Axelsen, M., Brea, E.: Navigating data governance challenges in healthcare. J. Inform. Technol. Teach. Cases,: p. 20438869241240493. (2024)","DOI":"10.1177\/20438869241240493"},{"key":"1097_CR50","doi-asserted-by":"crossref","unstructured":"Andreasson, A., et al.: A census of Swedish public sector employee communication on cybersecurity during the COVID-19 pandemic. in. International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA). 2021. IEEE. (2021)","DOI":"10.1109\/CyberSA52016.2021.9478241"},{"issue":"4","key":"1097_CR51","doi-asserted-by":"publisher","first-page":"192","DOI":"10.3390\/info13040192","volume":"13","author":"EC Cheng","year":"2022","unstructured":"Cheng, E.C., Wang, T.: Institutional strategies for cybersecurity in higher education institutions. Information. 13(4), 192 (2022)","journal-title":"Information"},{"issue":"9","key":"1097_CR52","doi-asserted-by":"publisher","first-page":"404","DOI":"10.3390\/info13090404","volume":"13","author":"I Lee","year":"2022","unstructured":"Lee, I.: Analysis of insider threats in the healthcare industry: A text mining approach. Information. 13(9), 404 (2022)","journal-title":"Information"},{"issue":"10","key":"1097_CR53","first-page":"37","volume":"10","author":"K Min","year":"2016","unstructured":"Min, K., Chai, S.-W.: An analytic study of cyber security strategies of Japan. Int. J. Secur. Its Appl. 10(10), 37\u201346 (2016)","journal-title":"Int. J. Secur. Its Appl."},{"key":"1097_CR54","doi-asserted-by":"crossref","unstructured":"Dang-Pham, D., Pittayachawan, S.: Comparing Intention To Avoid Malware across Contexts in a BYOD-enabled Australian University: A Protection Motivation Theory Approach, vol. 48, pp. 281\u2013297. 
Computers & Security (2015)","DOI":"10.1016\/j.cose.2014.11.002"},{"issue":"3","key":"1097_CR55","doi-asserted-by":"publisher","first-page":"101703","DOI":"10.1016\/j.giq.2022.101703","volume":"39","author":"M Caldarulo","year":"2022","unstructured":"Caldarulo, M., Welch, E.W., Feeney, M.K.: Determinants of cyber-incidents among small and medium US cities. Government Inform. Q. 39(3), 101703 (2022)","journal-title":"Government Inform. Q."},{"key":"1097_CR56","doi-asserted-by":"publisher","first-page":"102387","DOI":"10.1016\/j.cose.2021.102387","volume":"109","author":"B Uchendu","year":"2021","unstructured":"Uchendu, B., et al.: Developing a cyber security culture: Current practices and future needs. Computers Secur. 109, 102387 (2021)","journal-title":"Computers Secur."},{"issue":"5","key":"1097_CR57","doi-asserted-by":"publisher","first-page":"1077","DOI":"10.1016\/j.clsr.2018.04.009","volume":"34","author":"MG Porcedda","year":"2018","unstructured":"Porcedda, M.G.: Patching the patchwork: Appraising the EU regulatory framework on cyber security breaches. Comput. Law Secur. Rev. 34(5), 1077\u20131098 (2018)","journal-title":"Comput. Law Secur. Rev."},{"issue":"4","key":"1097_CR58","doi-asserted-by":"publisher","first-page":"538","DOI":"10.1016\/j.clsr.2015.05.004","volume":"31","author":"R Clarke","year":"2015","unstructured":"Clarke, R.: The prospects of easier security for small organisations and consumers. Comput. Law Secur. Rev. 31(4), 538\u2013552 (2015)","journal-title":"Comput. Law Secur. Rev."},{"key":"1097_CR59","doi-asserted-by":"publisher","first-page":"102639","DOI":"10.1016\/j.cose.2022.102639","volume":"116","author":"B Jung","year":"2022","unstructured":"Jung, B., Li, Y., Bechor, T.: CAVP: A context-aware vulnerability prioritization model. Computers Secur. 
116, 102639 (2022)","journal-title":"Computers Secur."},{"issue":"4","key":"1097_CR60","doi-asserted-by":"publisher","first-page":"928","DOI":"10.1016\/j.clsr.2018.06.001","volume":"34","author":"R Kemp","year":"2018","unstructured":"Kemp, R.: Legal aspects of cloud security. Comput. Law Secur. Rev. 34(4), 928\u2013932 (2018)","journal-title":"Comput. Law Secur. Rev."},{"issue":"1","key":"1097_CR61","doi-asserted-by":"publisher","first-page":"101419","DOI":"10.1016\/j.giq.2019.101419","volume":"37","author":"O Ali","year":"2020","unstructured":"Ali, O., et al.: Assessing information security risks in the cloud: A case study of Australian local government authorities. Government Inform. Q. 37(1), 101419 (2020)","journal-title":"Government Inform. Q."},{"key":"1097_CR62","doi-asserted-by":"crossref","unstructured":"Mutemwa, M., Masango, M.G., Gcaza, N.: Managing the Shift in the Enterprise Perimeter in order to delay a Cybersecurity Breach. in Proceedings of the International Conference on Artificial Intelligence and its Applications. (2021)","DOI":"10.1145\/3487923.3487925"},{"issue":"5","key":"1097_CR63","doi-asserted-by":"publisher","first-page":"1019","DOI":"10.1016\/j.clsr.2018.04.006","volume":"34","author":"M Naarttij\u00e4rvi","year":"2018","unstructured":"Naarttij\u00e4rvi, M.: Balancing data protection and privacy\u2013The case of information security sensor systems. Comput. Law Secur. Rev. 34(5), 1019\u20131038 (2018)","journal-title":"Comput. Law Secur. Rev."},{"issue":"2","key":"1097_CR64","first-page":"13","volume":"9","author":"K-S Min","year":"2015","unstructured":"Min, K.-S., Chai, S.-W., Han, M.: An international comparative study on cyber security strategy. Int. J. Secur. Its Appl. 9(2), 13\u201320 (2015)","journal-title":"Int. J. Secur. 
Its Appl."},{"issue":"10","key":"1097_CR65","doi-asserted-by":"publisher","first-page":"417","DOI":"10.3390\/info12100417","volume":"12","author":"M Khader","year":"2021","unstructured":"Khader, M., Karam, M., Fares, H.: Cybersecurity awareness framework for academia. Information. 12(10), 417 (2021)","journal-title":"Information"},{"key":"1097_CR66","doi-asserted-by":"publisher","first-page":"102267","DOI":"10.1016\/j.cose.2021.102267","volume":"106","author":"K Khando","year":"2021","unstructured":"Khando, K., et al.: Enhancing employees information security awareness in private and public organisations: A systematic literature review. Computers Secur. 106, 102267 (2021)","journal-title":"Computers Secur."},{"issue":"1","key":"1097_CR67","first-page":"100075","volume":"2","author":"RK Lomotey","year":"2022","unstructured":"Lomotey, R.K., Kumi, S., Deters, R.: Data trusts as a service: Providing a platform for multi-party data sharing. Int. J. Inform. Manage. Data Insights. 2(1), 100075 (2022)","journal-title":"Int. J. Inform. Manage. Data Insights"},{"issue":"1","key":"1097_CR68","doi-asserted-by":"publisher","first-page":"37","DOI":"10.1080\/1097198X.2023.2297634","volume":"27","author":"S Tenzin","year":"2024","unstructured":"Tenzin, S., McGill, T., Dixon, M.: An investigation of the factors that influence information security culture in government organizations in Bhutan. J. Global Inform. Technol. Manage. 27(1), 37\u201362 (2024)","journal-title":"J. Global Inform. Technol. Manage."},{"key":"1097_CR69","doi-asserted-by":"publisher","first-page":"105758","DOI":"10.1016\/j.clsr.2022.105758","volume":"47","author":"Z He","year":"2022","unstructured":"He, Z.: When data protection norms Meet digital health technology: China\u2019s regulatory approaches to health data protection. Comput. Law Secur. Rev. 47, 105758 (2022)","journal-title":"Comput. Law Secur. 
Rev."},{"key":"1097_CR70","unstructured":"Morris, H., Gallacher, L.: ITIL Intermediate Certification Companion Study Guide: Intermediate ITIL Service Capability Exams. Wiley (2017)"},{"issue":"3","key":"1097_CR71","doi-asserted-by":"publisher","first-page":"23","DOI":"10.4102\/sajbm.v41i3.522","volume":"41","author":"S Posthumus","year":"2010","unstructured":"Posthumus, S., Von, R., Solms, King, M.: The board and IT governance: The what, who and how. South. Afr. J. Bus. Manage. 41(3), 23\u201332 (2010)","journal-title":"South. Afr. J. Bus. Manage."},{"issue":"5","key":"1097_CR72","doi-asserted-by":"publisher","first-page":"371","DOI":"10.1016\/j.cose.2004.05.002","volume":"23","author":"B Von Solms","year":"2004","unstructured":"Von Solms, B., Von, R., Solms: The 10 deadly sins of information security management. Computers Secur. 23(5), 371\u2013376 (2004)","journal-title":"Computers Secur."},{"issue":"2","key":"1097_CR73","doi-asserted-by":"publisher","first-page":"261","DOI":"10.1108\/ICS-02-2019-0033","volume":"28","author":"S Schinagl","year":"2020","unstructured":"Schinagl, S., Shahim, A.: What do we know about information security governance? From the basement to the boardroom: Towards digital security governance. Inform. Comput. Secur. 28(2), 261\u2013292 (2020)","journal-title":"Inform. Comput. Secur."},{"key":"1097_CR74","doi-asserted-by":"crossref","unstructured":"Connolly, L.Y., Lang, M., Tygar, D.J.: Employee Security Behaviour: the Importance of Education and Policies In Organisational settings. In Advances In Information Systems Development: Methods, Tools and Management. Springer (2018)","DOI":"10.1007\/978-3-319-74817-7_6"},{"key":"1097_CR75","unstructured":"(GAO): U.S.G.A.O., Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements. (2011)"},{"key":"1097_CR76","doi-asserted-by":"crossref","unstructured":"Disterer, G.: ISO\/IEC 27000, 27001 and 27002 for information security management. J. Inform. Secur., 4(2). 
(2013)","DOI":"10.4236\/jis.2013.42011"},{"key":"1097_CR77","unstructured":"Shu, X., et al.: Breaking the target: An analysis of target data breach and lessons learned. arXiv preprint arXiv:1701.04940, (2017)"},{"key":"1097_CR78","unstructured":"Cyert, R., March, J.: Behavioral Theory of the firm, in Organizational Behavior 2, pp. 60\u201377. Routledge (2015)"},{"key":"1097_CR79","unstructured":"Weill, P., Ross, J.W.: IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Harvard Business (2004)"},{"key":"1097_CR80","unstructured":"Spafford, E.H.: Testimony before the Senate Committee on Commerce, Science, and Transportation Hearing on. (2009)"},{"key":"1097_CR81","doi-asserted-by":"crossref","unstructured":"Landoll, D.J.: Information Security Policies, Procedures, and Standards: A Practitioner\u2019s Reference. Auerbach (2017)","DOI":"10.1201\/9781315372785"},{"issue":"6","key":"1097_CR82","doi-asserted-by":"publisher","first-page":"703","DOI":"10.2501\/IJMR-2017-050","volume":"59","author":"M Goddard","year":"2017","unstructured":"Goddard, M.: The EU general data protection regulation (GDPR): European regulation that has a global impact. Int. J. Market Res. 59(6), 703\u2013705 (2017)","journal-title":"Int. J. Market Res."},{"key":"1097_CR83","doi-asserted-by":"crossref","unstructured":"Malatji, M.: Management of enterprise cyber security: A review of ISO\/IEC 27001: 2022. in 2023 International conference on cyber management and engineering (CyMaEn). IEEE. 
(2023)","DOI":"10.1109\/CyMaEn57228.2023.10051114"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01097-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-025-01097-x\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01097-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,5]],"date-time":"2025-09-05T12:03:32Z","timestamp":1757073812000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-025-01097-x"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7,16]]},"references-count":85,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2025,8]]}},"alternative-id":["1097"],"URL":"https:\/\/doi.org\/10.1007\/s10207-025-01097-x","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,7,16]]},"assertion":[{"value":"16 July 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"177"}}