{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,4]],"date-time":"2026-06-04T08:06:04Z","timestamp":1780560364402,"version":"3.54.1"},"reference-count":105,"publisher":"Springer Science and Business Media LLC","license":[{"start":{"date-parts":[[2022,2,28]],"date-time":"2022-02-28T00:00:00Z","timestamp":1646006400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2022,2,28]],"date-time":"2022-02-28T00:00:00Z","timestamp":1646006400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Inf Syst Front"],"DOI":"10.1007\/s10796-022-10246-9","type":"journal-article","created":{"date-parts":[[2022,2,28]],"date-time":"2022-02-28T05:02:26Z","timestamp":1646024546000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":9,"title":["An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3653-5643","authenticated-orcid":false,"given":"Tejaswini C.","family":"Herath","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Hemantha S. B.","family":"Herath","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"David","family":"Cullum","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2022,2,28]]},"reference":[{"key":"10246_CR1","unstructured":"Ahuja, S., & Chan, Y. E. (2015). IT Security Governance: A Framework based on ISO 38500. In CONF-IRM 2015 Proceedings (Vol. 27, p. 15)."},{"issue":"4","key":"10246_CR2","doi-asserted-by":"publisher","first-page":"22","DOI":"10.4018\/ijisp.2013100103","volume":"7","author":"F Akowuah","year":"2013","unstructured":"Akowuah, F., Yuan, X., Xu, J., & Wang, H. (2013). A survey of security standards applicable to health information systems. International Journal of Information Security and Privacy (IJISP), 7(4), 22\u201336. https:\/\/doi.org\/10.4018\/ijisp.2013100103","journal-title":"International Journal of Information Security and Privacy (IJISP)"},{"key":"10246_CR3","doi-asserted-by":"publisher","first-page":"102030","DOI":"10.1016\/j.cose.2020.102030","volume":"99","author":"S AlGhamdi","year":"2020","unstructured":"AlGhamdi, S., Win, K. T., & Vlahu-Gjorgievska, E. (2020). Information security governance challenges and critical success factors: Systematic review. Computers & Security, 99, 102030. https:\/\/doi.org\/10.1016\/j.cose.2020.102030","journal-title":"Computers & Security"},{"key":"10246_CR4","unstructured":"Atkinson, M. (2004). Measuring the performance of the IT function in the UK health service using a balanced scorecard approach. Electronic Journal of Information Systems Evaluation, 1\u201310."},{"issue":"3","key":"10246_CR5","doi-asserted-by":"publisher","first-page":"111","DOI":"10.14257\/ijsia.2016.10.3.10","volume":"10","author":"I Atoum","year":"2016","unstructured":"Atoum, I., & Otoom, A. (2016). Holistic performance model for cyber security implementation frameworks. International Journal of Security and Its Applications, 10(3), 111\u2013120. https:\/\/doi.org\/10.14257\/ijsia.2016.10.3.10","journal-title":"International Journal of Security and Its Applications"},{"issue":"1","key":"10246_CR6","doi-asserted-by":"publisher","first-page":"37","DOI":"10.4018\/IJKM.2019010103","volume":"15","author":"CH Au","year":"2019","unstructured":"Au, C. H., & Fung, W. S. L. (2019). Integrating knowledge management into information security: From audit to practice. International Journal of Knowledge Management (IJKM), 15(1), 37\u201352. https:\/\/doi.org\/10.4018\/IJKM.2019010103","journal-title":"International Journal of Knowledge Management (IJKM)"},{"issue":"7","key":"10246_CR7","first-page":"91","volume":"6","author":"EA Awadallah","year":"2015","unstructured":"Awadallah, E. A., & Allam, A. (2015). A critique of the balanced scorecard as a performance measurement tool. International Journal of Business and Social Science, 6(7), 91\u201399.","journal-title":"International Journal of Business and Social Science"},{"key":"10246_CR8","doi-asserted-by":"publisher","first-page":"38","DOI":"10.1016\/j.cose.2013.11.002","volume":"40","author":"D Bachlechner","year":"2014","unstructured":"Bachlechner, D., Thalmann, S., & Maier, R. (2014). Security and compliance challenges in complex IT outsourcing arrangements: A multi-stakeholder perspective. Computers & Security, 40, 38\u201359. https:\/\/doi.org\/10.1016\/j.cose.2013.11.002","journal-title":"Computers & Security"},{"key":"10246_CR9","first-page":"16","volume-title":"A comparison of IT governance and control frameworks in cloud computing","author":"E Bailey","year":"2014","unstructured":"Bailey, E., & Becker, J. D. (2014). A comparison of IT governance and control frameworks in cloud computing (p. 16). Presented at the Twentieth Americas Conference on Information Systems."},{"issue":"1","key":"10246_CR10","doi-asserted-by":"publisher","first-page":"138","DOI":"10.1016\/j.im.2013.11.004","volume":"51","author":"R Baskerville","year":"2014","unstructured":"Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), 138\u2013151. https:\/\/doi.org\/10.1016\/j.im.2013.11.004","journal-title":"Information & Management"},{"issue":"9","key":"10246_CR11","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1371\/journal.pone.0163050","volume":"11","author":"I Bernik","year":"2016","unstructured":"Bernik, I., & Prislan, K. (2016). Measuring information security performance with 10 by 10 model for holistic state evaluation. PLoS One, 11(9), 1\u201333. https:\/\/doi.org\/10.1371\/journal.pone.0163050","journal-title":"PLoS One"},{"issue":"4","key":"10246_CR12","doi-asserted-by":"publisher","first-page":"395","DOI":"10.1016\/j.elerap.2005.07.001","volume":"4","author":"WG Bremser","year":"2005","unstructured":"Bremser, W. G., & Chung, Q. B. (2005). A framework for performance measurement in the e-business environment. Electronic Commerce Research and Applications, 4(4), 395\u2013412.","journal-title":"Electronic Commerce Research and Applications"},{"key":"10246_CR13","unstructured":"British Standards Institute (BSI). (2014). BSI transition guide: Moving from ISO\/IEC 27001:2005 to ISO\/IEC 27001:2013. https:\/\/www.bsigroup.com\/LocalFiles\/en-GB\/iso-iec-27001\/resources\/BSI-ISO27001-transition-guide-UK-EN-pdf.pdf. Accessed 5 June 2018."},{"key":"10246_CR14","unstructured":"Brothy, K. (2009). Information security governance: a practical development and implementation approach (Vol. 53). John Wiley & Sons."},{"issue":"2","key":"10246_CR15","first-page":"1","volume":"12","author":"J Butler","year":"2011","unstructured":"Butler, J., Henderson, S., & Raiborn, C. (2011). Sustainability and the balanced scorecard: Integrating green measures into business reporting. Management Accounting Quarterly, 12(2), 1\u201310.","journal-title":"Management Accounting Quarterly"},{"key":"10246_CR16","doi-asserted-by":"publisher","unstructured":"Campara, D., & Mansourov, N. (2008). How to tackle security issues in large existing\/legacy systems while maintaining development priorities. In 2008 IEEE Conference on Technologies for Homeland Security (pp. 167\u2013172). Presented at the 2008 IEEE Conference on Technologies for Homeland Security. https:\/\/doi.org\/10.1109\/THS.2008.4534443.","DOI":"10.1109\/THS.2008.4534443"},{"issue":"2","key":"10246_CR17","doi-asserted-by":"publisher","first-page":"22","DOI":"10.1109\/MITP.2016.27","volume":"18","author":"M Carcary","year":"2016","unstructured":"Carcary, M., Renaud, K., McLaughlin, S., & O\u2019Brien, C. (2016). A framework for information security governance and management. IT Professional, 18(2), 22\u201330. https:\/\/doi.org\/10.1109\/MITP.2016.27","journal-title":"IT Professional"},{"key":"10246_CR18","unstructured":"Cartlidge, A., Hanna, A., Rudd, C., Macfarlane, I., Windebank, J., & Rance, S. (2007). An introductory overview of ITIL V3. The IT Service Management Forum (itSMF) Ltd.\u00a0https:\/\/itil.it.utah.edu\/itilv3\/docs\/itSMF_ITILV3_Intro_Overview. Accessed 16 Feb 2022."},{"issue":"3","key":"10246_CR19","doi-asserted-by":"publisher","first-page":"638","DOI":"10.1287\/mnsc.2013.1763","volume":"60","author":"A Cezar","year":"2014","unstructured":"Cezar, A., Cavusoglu, H., & Raghunathan, S. (2014). Outsourcing information security: Contracting issues and security implications. Management Science, 60(3), 638\u2013657. https:\/\/doi.org\/10.1287\/mnsc.2013.1763","journal-title":"Management Science"},{"issue":"4","key":"10246_CR20","doi-asserted-by":"publisher","first-page":"579","DOI":"10.1007\/s10796-010-9232-6","volume":"13","author":"K Chang","year":"2011","unstructured":"Chang, K., & Wang, C. (2011). Information systems resources and information security. Information Systems Frontiers, 13(4), 579\u2013593. https:\/\/doi.org\/10.1007\/s10796-010-9232-6","journal-title":"Information Systems Frontiers"},{"issue":"2","key":"10246_CR21","doi-asserted-by":"publisher","first-page":"135","DOI":"10.1080\/20479700.2016.1270875","volume":"10","author":"JQ Chen","year":"2017","unstructured":"Chen, J. Q., & Benusa, A. (2017). HIPAA security compliance challenges: The case for small healthcare providers. International Journal of Healthcare Management, 10(2), 135\u2013146. https:\/\/doi.org\/10.1080\/20479700.2016.1270875","journal-title":"International Journal of Healthcare Management"},{"key":"10246_CR22","doi-asserted-by":"crossref","first-page":"1","DOI":"10.6028\/NIST.SP.800-55r1","volume-title":"Performance measurement guide for information security","author":"E Chew","year":"2008","unstructured":"Chew, E., Swanson, M. M., Stine, K. M., Bartol, N., Brown, A., & Robinson, W. (2008). Performance measurement guide for information security (800\u201355, Revision 1 ed.pp. 1\u201340). National Institute of Standards and Technology.","edition":"800\u201355, Revisio"},{"key":"10246_CR23","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1177\/2050312118822927","volume":"7","author":"Y Chun Tie","year":"2019","unstructured":"Chun Tie, Y., Birks, M., & Francis, K. (2019). Grounded theory research: A design framework for novice researchers. SAGE Open Medicine, 7, 1\u20138. https:\/\/doi.org\/10.1177\/2050312118822927","journal-title":"SAGE Open Medicine"},{"key":"10246_CR24","unstructured":"Clinch, J. (2009). ITIL V3 and information security. http:\/\/www.trainingcreatively.com\/whitepaper\/While-Paper-ITI-V3-and-Information-Security.pdf"},{"issue":"7","key":"10246_CR25","doi-asserted-by":"publisher","first-page":"76","DOI":"10.1108\/TQM-09-2020-0202","volume":"33","author":"G Culot","year":"2021","unstructured":"Culot, G., Nassimbeni, G., Podrecca, M., & Sartor, M. (2021). The ISO\/IEC 27001 information security management standard: Literature review and theory-based research agenda. The TQM Journal, 33(7), 76\u2013105. https:\/\/doi.org\/10.1108\/TQM-09-2020-0202","journal-title":"The TQM Journal"},{"key":"10246_CR26","first-page":"1","volume-title":"A new framework for bridging the gap between IT service management and IT governance from a security perspective","author":"E Da Cruz","year":"2005","unstructured":"Da Cruz, E., & Labuschagne, L. (2005). A new framework for bridging the gap between IT service management and IT governance from a security perspective (pp. 1\u201312). Academy of Information Technology at the University of Johannesburg."},{"issue":"1","key":"10246_CR27","doi-asserted-by":"publisher","first-page":"157","DOI":"10.2308\/isys-50418","volume":"27","author":"RS Debreceny","year":"2013","unstructured":"Debreceny, R. S., & Gray, G. L. (2013). IT governance and process maturity: A multinational field study. Journal of Information Systems, 27(1), 157\u2013188. https:\/\/doi.org\/10.2308\/isys-50418","journal-title":"Journal of Information Systems"},{"issue":"1","key":"10246_CR28","doi-asserted-by":"publisher","first-page":"187","DOI":"10.1007\/s10796-018-9845-8","volume":"22","author":"M Ezhei","year":"2020","unstructured":"Ezhei, M., & Tork Ladani, B. (2020). Interdependency analysis in security investment against strategic attacks. Information Systems Frontiers, 22(1), 187\u2013201. https:\/\/doi.org\/10.1007\/s10796-018-9845-8","journal-title":"Information Systems Frontiers"},{"issue":"4","key":"10246_CR29","doi-asserted-by":"publisher","first-page":"36","DOI":"10.1201\/1086\/43648.12.4.20030901\/77304.7","volume":"12","author":"R Garigue","year":"2003","unstructured":"Garigue, R., & Stefaniu, M. (2003). Information security governance reporting. Information Systems Security Journal, 12(4), 36\u201340.","journal-title":"Information Systems Security Journal"},{"key":"10246_CR30","doi-asserted-by":"publisher","unstructured":"Gashgari, G., Walters, R., & Wills, G. (2017). A Proposed Best-practice Framework for Information Security Governance: In Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security (pp. 295\u2013301). Presented at the 2nd International Conference on Internet of Things, Big Data and Security, SCITEPRESS - Science and Technology Publications. https:\/\/doi.org\/10.5220\/0006303102950301.","DOI":"10.5220\/0006303102950301"},{"key":"10246_CR31","doi-asserted-by":"publisher","first-page":"277","DOI":"10.4018\/978-1-60960-573-5.ch014","volume-title":"In ICT ethics and security in the 21st century: New developments and applications","author":"JE Goldman","year":"2011","unstructured":"Goldman, J. E., & Ahuja, S. (2011). Integration of COBIT, balanced scorecard and SSE-CMM as an organizational & strategic information security management (ISM) framework. In In ICT ethics and security in the 21st century: New developments and applications (pp. 277\u2013309). IGI Global."},{"issue":"5","key":"10246_CR32","doi-asserted-by":"publisher","first-page":"335","DOI":"10.1007\/s10796-006-9010-7","volume":"8","author":"LA Gordon","year":"2007","unstructured":"Gordon, L. A., & Loeb, M. P. (2007). Economic aspects of information security: An emerging field of research. Information Systems Frontiers, 8(5), 335\u2013337. https:\/\/doi.org\/10.1007\/s10796-006-9010-7","journal-title":"Information Systems Frontiers"},{"issue":"2","key":"10246_CR33","doi-asserted-by":"publisher","first-page":"49","DOI":"10.4236\/jis.2016.72004","volume":"7","author":"LA Gordon","year":"2016","unstructured":"Gordon, L. A., Loeb, M. P., & Zhou, L. (2016). Investing in cybersecurity: Insights from the Gordon-Loeb model. Journal of Information Security, 7(2), 49\u201359. https:\/\/doi.org\/10.4236\/jis.2016.72004","journal-title":"Journal of Information Security"},{"key":"10246_CR34","unstructured":"Hamdan, B. J. (2013). Evaluating the performance of information security: A balanced scorecard approach. In SAIS 2013Proceedings. Presented at the SAIS.\u00a0https:\/\/www.aisel.aisnet.org\/sais2013\/11\/"},{"key":"10246_CR35","doi-asserted-by":"publisher","first-page":"102726","DOI":"10.1016\/j.jisa.2020.102726","volume":"58","author":"S Hasan","year":"2021","unstructured":"Hasan, S., Ali, M., Kurnia, S., & Thurasamy, R. (2021). Evaluating the cyber security readiness of organizations and its influence on performance. Journal of Information Security and Applications, 58, 102726. https:\/\/doi.org\/10.1016\/j.jisa.2020.102726","journal-title":"Journal of Information Security and Applications"},{"key":"10246_CR36","first-page":"87","volume":"5","author":"R Hasan","year":"2017","unstructured":"Hasan, R., & Chyi, T. (2017). Practical application of balanced scorecard - a literature review. Journal of Strategy and Performance Management, 5, 87\u2013103.","journal-title":"Journal of Strategy and Performance Management"},{"issue":"6","key":"10246_CR37","doi-asserted-by":"publisher","first-page":"1285","DOI":"10.1007\/s10796-019-09959-1","volume":"21","author":"M Heidt","year":"2019","unstructured":"Heidt, M., Gerlach, J. P., & Buxmann, P. (2019). Investigating the security divide between SME and large companies: How SME characteristics influence organizational IT security investments. Information Systems Frontiers, 21(6), 1285\u20131305. https:\/\/doi.org\/10.1007\/s10796-019-09959-1","journal-title":"Information Systems Frontiers"},{"issue":"2","key":"10246_CR38","doi-asserted-by":"publisher","first-page":"252","DOI":"10.1108\/ARJ-11-2016-0148","volume":"32","author":"H Herath","year":"2019","unstructured":"Herath, H., Bremser, W., & Birnberg, J. (2019). Team-based employee remuneration: A balanced scorecard group target and weight selection-based bonus allocation. Accounting Research Journal, 32(2), 252\u2013272.","journal-title":"Accounting Research Journal"},{"issue":"3","key":"10246_CR39","doi-asserted-by":"publisher","first-page":"337","DOI":"10.2753\/MIS0742-1222250310","volume":"25","author":"H Herath","year":"2008","unstructured":"Herath, H., & Herath, T. (2008). Investments in information security: A real options perspective with Bayesian postaudit. Journal of Management Information Systems, 25(3), 337\u2013375. https:\/\/doi.org\/10.2753\/MIS0742-1222250310","journal-title":"Journal of Management Information Systems"},{"key":"10246_CR40","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1016\/j.dss.2013.07.010","volume":"57","author":"H Herath","year":"2014","unstructured":"Herath, H., & Herath, T. (2014). IT security auditing: A performance evaluation decision model. Decision Support Systems, 57, 54\u201363. https:\/\/doi.org\/10.1016\/j.dss.2013.07.010","journal-title":"Decision Support Systems"},{"issue":"6","key":"10246_CR41","doi-asserted-by":"publisher","first-page":"545","DOI":"10.1016\/j.jaccpubpol.2018.10.005","volume":"37","author":"H Herath","year":"2018","unstructured":"Herath, H., & Herath, T. (2018). Post-audits for managing cyber security investments: Bayesian post-audit using Markov chain Monte Carlo (MCMC) simulation. Journal of Accounting and Public Policy, 37(6), 545\u2013563. https:\/\/doi.org\/10.1016\/j.jaccpubpol.2018.10.005","journal-title":"Journal of Accounting and Public Policy"},{"issue":"1","key":"10246_CR42","doi-asserted-by":"publisher","first-page":"72","DOI":"10.1080\/10580530903455247","volume":"27","author":"T Herath","year":"2010","unstructured":"Herath, T., Herath, H., & Bremser, W. (2010). Balanced scorecard implementation of security strategies: A framework for IT security performance management. Information Systems Management, 27(1), 72\u201381. https:\/\/doi.org\/10.1080\/10580530903455247","journal-title":"Information Systems Management"},{"key":"10246_CR43","doi-asserted-by":"publisher","first-page":"352","DOI":"10.1016\/S2212-5671(15)01404-5","volume":"32","author":"AI Hohan","year":"2015","unstructured":"Hohan, A. I., Olaru, M., & Pirnea, I. C. (2015). Assessment and continuous improvement of information security based on TQM and business excellence principles. Procedia Economics and Finance, 32, 352\u2013359. https:\/\/doi.org\/10.1016\/S2212-5671(15)01404-5","journal-title":"Procedia Economics and Finance"},{"key":"10246_CR44","doi-asserted-by":"publisher","first-page":"1","DOI":"10.3127\/ajis.v21i0.1427","volume":"21","author":"CA Horne","year":"2017","unstructured":"Horne, C. A., Maynard, S. B., & Ahmad, A. (2017). Organisational information security strategy: Review, discussion and future research. Australasian Journal of Information Systems, 21, 1\u201317. https:\/\/doi.org\/10.3127\/ajis.v21i0.1427","journal-title":"Australasian Journal of Information Systems"},{"issue":"2","key":"10246_CR45","doi-asserted-by":"publisher","first-page":"242","DOI":"10.1108\/02635570610649880","volume":"106","author":"S-M Huang","year":"2006","unstructured":"Huang, S.-M., Lee, C.-L., & Kao, A.-C. (2006). Balancing performance measures for information security management: A balanced scorecard framework. Industrial Management & Data Systems, 106(2), 242\u2013255. https:\/\/doi.org\/10.1108\/02635570610649880","journal-title":"Industrial Management & Data Systems"},{"key":"10246_CR46","unstructured":"Ireton, J. (2016). 1.5 million cybersecurity professionals needed globally by 2020, Ottawa conference hears | CBC News. CBC. https:\/\/www.cbc.ca\/news\/canada\/ottawa\/cybersecurity-talent-shortage-1.3831541. Accessed 19 October 2021."},{"key":"10246_CR47","unstructured":"ISO International Organization for Standardization. (n.d.). ISO\/IEC 27001:2013. ISO. https:\/\/www.iso.org\/standard\/54534.html. Accessed 22 October 2020."},{"key":"10246_CR48","volume-title":"Information security governance: Guidance for boards of directors and executive management","author":"IT Governance Institute","year":"2006","unstructured":"IT Governance Institute. (2006). Information security governance: Guidance for boards of directors and executive management. ISACA."},{"key":"10246_CR49","volume-title":"COBIT 4.1: Framework, control objectives, management guidelines, maturity models","year":"2007","unstructured":"IT Governance Institute (Ed.). (2007). COBIT 4.1: Framework, control objectives, management guidelines, maturity models. IT Governance Institute."},{"key":"10246_CR50","first-page":"71","volume":"83","author":"RS Kaplan","year":"1992","unstructured":"Kaplan, R. S., & Norton, D. P. (1992). The balanced scorecard: Measures that drive performance. Harvard Business Review, 83, 71\u201379.","journal-title":"Harvard Business Review"},{"issue":"7","key":"10246_CR51","first-page":"172","volume":"83","author":"RS Kaplan","year":"2005","unstructured":"Kaplan, R. S., & Norton, D. P. (2005). The balanced scorecard: Measures that drive performance. Harvard Business Review, 83(7), 172.","journal-title":"Harvard Business Review"},{"key":"10246_CR52","doi-asserted-by":"publisher","first-page":"91","DOI":"10.1201\/9781420031348","volume-title":"Implementing the IT balanced scorecard: Aligning IT with corporate strategy","author":"J Keyes","year":"2016","unstructured":"Keyes, J. (2016). Chapter 4: Aligning IT to organizational strategy. In Implementing the IT balanced scorecard: Aligning IT with corporate strategy (pp. 91\u2013113). Auerbach Publications, Taylor and Francis Group."},{"issue":"4","key":"10246_CR53","doi-asserted-by":"publisher","first-page":"941","DOI":"10.1007\/s10845-010-0402-7","volume":"23","author":"H-K Kong","year":"2012","unstructured":"Kong, H.-K., Kim, T.-S., & Kim, J. (2012). An analysis on effects of information security investments: A BSC perspective. Journal of Intelligent Manufacturing, 23(4), 941\u2013953.","journal-title":"Journal of Intelligent Manufacturing"},{"key":"10246_CR54","doi-asserted-by":"publisher","first-page":"369","DOI":"10.1007\/978-3-030-03638-6_23","volume-title":"Secure IT systems","author":"B Krumay","year":"2018","unstructured":"Krumay, B., Bernroider, E. W. N., & Walser, R. (2018). Evaluation of cybersecurity management controls and metrics of critical infrastructures: A literature review considering the NIST cybersecurity framework. In N. Gruschka (Ed.), Secure IT systems (pp. 369\u2013384). Springer International Publishing. https:\/\/doi.org\/10.1007\/978-3-030-03638-6_23"},{"key":"10246_CR55","doi-asserted-by":"publisher","first-page":"139","DOI":"10.13140\/RG.2.2.20925.15840","volume":"16","author":"E Kurniawan","year":"2018","unstructured":"Kurniawan, E., & Riadi, I. (2018). Security level analysis of academic information systems based on standard ISO 27002:2003 using SSE-CMM. International journal of computer science and information. Security, 16, 139\u2013147. https:\/\/doi.org\/10.13140\/RG.2.2.20925.15840","journal-title":"Security"},{"issue":"2","key":"10246_CR56","doi-asserted-by":"publisher","first-page":"361","DOI":"10.1007\/s10796-019-09977-z","volume":"23","author":"E Kweon","year":"2021","unstructured":"Kweon, E., Lee, H., Chai, S., & Yoo, K. (2021). The utility of information security training and education on cybersecurity incidents: An empirical evidence. Information Systems Frontiers, 23(2), 361\u2013373. https:\/\/doi.org\/10.1007\/s10796-019-09977-z","journal-title":"Information Systems Frontiers"},{"issue":"1","key":"10246_CR57","doi-asserted-by":"publisher","first-page":"104","DOI":"10.1016\/j.im.2013.09.004","volume":"51","author":"H-CK Lin","year":"2014","unstructured":"Lin, H.-C. K., Chuang, T.-Y., Lin, I.-L., & Chen, H.-Y. (2014). Elucidating the role of IT\/IS assessment and resource allocation in IT\/IS performance in hospitals. Information & Management, 51(1), 104\u2013112. https:\/\/doi.org\/10.1016\/j.im.2013.09.004","journal-title":"Information & Management"},{"issue":"4","key":"10246_CR58","doi-asserted-by":"publisher","first-page":"587","DOI":"10.1111\/j.1468-2958.2002.tb00826.x","volume":"28","author":"M Lombard","year":"2002","unstructured":"Lombard, M., Snyder-Duch, J., & Bracken, C. C. (2002). Content analysis in mass communication: Assessment and reporting of Intercoder reliability. Human Communication Research, 28(4), 587\u2013604. https:\/\/doi.org\/10.1111\/j.1468-2958.2002.tb00826.x","journal-title":"Human Communication Research"},{"issue":"2","key":"10246_CR59","doi-asserted-by":"publisher","first-page":"233","DOI":"10.1108\/ICS-03-2018-0031","volume":"27","author":"M Malatji","year":"2019","unstructured":"Malatji, M., Von Solms, S., & Marnewick, A. (2019). Socio-technical systems cybersecurity framework. Information & Computer Security, 27(2), 233\u2013272. https:\/\/doi.org\/10.1108\/ICS-03-2018-0031","journal-title":"Information & Computer Security"},{"issue":"1","key":"10246_CR60","doi-asserted-by":"publisher","first-page":"71","DOI":"10.1016\/S0167-9236(98)00086-4","volume":"25","author":"M Martinsons","year":"1999","unstructured":"Martinsons, M., Davison, R., & Tse, D. (1999). The balanced scorecard: A foundation for the strategic management of information systems. Decision Support Systems, 25(1), 71\u201388.","journal-title":"Decision Support Systems"},{"key":"10246_CR61","doi-asserted-by":"publisher","unstructured":"Matthiesen, S., & Bj\u00f8rn, P. (2015). Why Replacing Legacy Systems Is So Hard in Global Software Development: An Information Infrastructure Perspective. In Proceedings of the 18th ACM Conference on Computer Supported Cooperative Work & Social Computing (pp. 876\u2013890). Presented at the CSCW \u201815: Computer Supported Cooperative Work and Social Computing, Vancouver BC Canada: ACM. https:\/\/doi.org\/10.1145\/2675133.2675232.","DOI":"10.1145\/2675133.2675232"},{"issue":"4","key":"10246_CR62","doi-asserted-by":"publisher","first-page":"65","DOI":"10.17705\/1pais.10403","volume":"10","author":"S Maynard","year":"2018","unstructured":"Maynard, S., Tan, T., Ahmad, A., & Ruighaver, T. (2018). Towards a framework for strategic security context in information security governance. Pacific Asia. Journal of the Association for Information Systems, 10(4), 65\u201388. https:\/\/doi.org\/10.17705\/1pais.10403","journal-title":"Journal of the Association for Information Systems"},{"key":"10246_CR63","volume-title":"Universities must take steps to protect against ransomware attacks","author":"S McGinn","year":"2017","unstructured":"McGinn, S. (2017). Universities must take steps to protect against ransomware attacks. University Affairs https:\/\/www.universityaffairs.ca\/news\/news-article\/universities-must-take-steps-protect-ransomware-attacks\/. Accessed 19 October 2021"},{"issue":"3","key":"10246_CR64","doi-asserted-by":"publisher","first-page":"276","DOI":"10.11613\/BM.2012.031","volume":"22","author":"ML McHugh","year":"2012","unstructured":"McHugh, M. L. (2012). Interrater reliability: The kappa statistic. Biochemia Medica, 22(3), 276\u2013282.","journal-title":"Biochemia Medica"},{"key":"10246_CR65","volume-title":"Colleges a \u2018juicy target\u2019 for Cyberextortion","author":"L McKenzie","year":"2021","unstructured":"McKenzie, L. (2021). Colleges a \u2018juicy target\u2019 for Cyberextortion. Inside Higher Ed https:\/\/www.insidehighered.com\/news\/2021\/03\/19\/targeting-colleges-and-other-educational-institutions-proving-be-good-business. Accessed 19 October 2021"},{"issue":"2","key":"10246_CR66","doi-asserted-by":"publisher","first-page":"261","DOI":"10.1007\/s10796-017-9745-3","volume":"21","author":"Y Miaoui","year":"2019","unstructured":"Miaoui, Y., & Boudriga, N. (2019). Enterprise security investment through time when facing different types of vulnerabilities. Information Systems Frontiers, 21(2), 261\u2013300. https:\/\/doi.org\/10.1007\/s10796-017-9745-3","journal-title":"Information Systems Frontiers"},{"issue":"2","key":"10246_CR67","doi-asserted-by":"publisher","first-page":"147","DOI":"10.1016\/j.mar.2013.07.005","volume":"25","author":"P Micheli","year":"2014","unstructured":"Micheli, P., & Mari, L. (2014). The theory and practice of performance measurement. Management Accounting Research, 25(2), 147\u2013156. https:\/\/doi.org\/10.1016\/j.mar.2013.07.005","journal-title":"Management Accounting Research"},{"key":"10246_CR68","unstructured":"MicrosoftTechNet. (2007). Balanced Scorecard for Information Security Introduction | Microsoft Docs. https:\/\/technet.microsoft.com\/en-us\/library\/bb821240.aspx. Accessed 22 October 2020."},{"issue":"2","key":"10246_CR69","doi-asserted-by":"publisher","first-page":"122","DOI":"10.1108\/ICS-02-2014-0016","volume":"23","author":"S Mishra","year":"2015","unstructured":"Mishra, S. (2015). Organizational objectives for information security governance: A value focused assessment. Information & Computer Security, 23(2), 122\u2013144. https:\/\/doi.org\/10.1108\/ICS-02-2014-0016","journal-title":"Information & Computer Security"},{"issue":"1","key":"10246_CR70","doi-asserted-by":"publisher","first-page":"10","DOI":"10.1108\/ICS-07-2016-0061","volume":"26","author":"M Nicho","year":"2018","unstructured":"Nicho, M. (2018). A process model for implementing information systems security governance. Information & Computer Security, 26(1), 10\u201338. https:\/\/doi.org\/10.1108\/ICS-07-2016-0061","journal-title":"Information & Computer Security"},{"key":"10246_CR71","doi-asserted-by":"publisher","first-page":"71","DOI":"10.1109\/BDIM.2006.1649213","volume-title":"In 2006 IEEE\/IFIP business driven IT management","author":"GA de Oliveira Alves","year":"2006","unstructured":"de Oliveira Alves, G. A., da Costa Carmo, L. F. R., & de Almeida, A. C. R. D. (2006). Enterprise security governance; a practical guide to implement and control information security governance (ISG). In In 2006 IEEE\/IFIP business driven IT management (pp. 71\u201380). Presented at the 2006 IEEE\/IFIP Business Driven IT Management. https:\/\/doi.org\/10.1109\/BDIM.2006.1649213"},{"issue":"3","key":"10246_CR72","first-page":"50","volume":"22","author":"BO Omoyiola","year":"2020","unstructured":"Omoyiola, B. O. (2020). The evolution of information security measurement and testing. IOSR Journal of Computer Engineering, 22(3), 50\u201354.","journal-title":"IOSR Journal of Computer Engineering"},{"issue":"7","key":"10246_CR73","doi-asserted-by":"publisher","first-page":"785","DOI":"10.1016\/j.cose.2010.03.002","volume":"29","author":"AJ Palmer","year":"2010","unstructured":"Palmer, A. J. (2010). Approach for selecting the most suitable automated personal identification mechanism (ASMSA). Computers & Security, 29(7), 785\u2013806. https:\/\/doi.org\/10.1016\/j.cose.2010.03.002","journal-title":"Computers & Security"},{"key":"10246_CR74","unstructured":"Patnayakuni, R., & Patnayakuni, N. (2014). Information Security in Value Chains: A Governance Perspective."},{"issue":"5","key":"10246_CR75","doi-asserted-by":"publisher","first-page":"1262","DOI":"10.1108\/ITP-06-2018-0261","volume":"32","author":"D P\u00e9rez-Gonz\u00e1lez","year":"2019","unstructured":"P\u00e9rez-Gonz\u00e1lez, D., Preciado, S. T., & Solana-Gonzalez, P. (2019). Organizational practices as antecedents of the information security management performance: An empirical investigation. Information Technology & People, 32(5), 1262\u20131275. https:\/\/doi.org\/10.1108\/ITP-06-2018-0261","journal-title":"Information Technology & People"},{"key":"10246_CR76","first-page":"32","volume":"231","author":"V Pirttimaki","year":"2006","unstructured":"Pirttimaki, V., & Lonnqvist, A. (2006). The measurement of business intelligence. Information Systems Management, 231, 32\u201340.","journal-title":"Information Systems Management"},{"issue":"1","key":"10246_CR77","first-page":"83","volume":"4","author":"V Pirttim\u00e4ki","year":"2006","unstructured":"Pirttim\u00e4ki, V., L\u00f6nnqvist, A., & Karjaluoto, A. (2006). Measurement of business intelligence in a Finnish telecommunications company. The Electronic Journal of Knowledge Management, 4(1), 83\u201390.","journal-title":"The Electronic Journal of Knowledge Management"},{"key":"10246_CR78","unstructured":"PWC IT Consulting Service. (2013). New Release of ISO27001:13 and 27002:13. https:\/\/www.pwc.com.cy\/en\/publications\/assets\/iso27001-27002-2013.pdf. Accessed 7 May 2018."},{"key":"10246_CR79","doi-asserted-by":"publisher","first-page":"223","DOI":"10.1007\/0-387-31167-X_14","volume-title":"Security management, integrity, and internal control in information systems","author":"R Rastogi","year":"2005","unstructured":"Rastogi, R., & von Solms, R. (2005). Information security governance - a re-definition. In P. Dowland, S. Furnell, B. Thuraisingham, & X. S. Wang (Eds.), Security management, integrity, and internal control in information systems (pp. 223\u2013236). Springer US. https:\/\/doi.org\/10.1007\/0-387-31167-X_14"},{"key":"10246_CR80","doi-asserted-by":"publisher","first-page":"975","DOI":"10.5120\/ijca2016907930","volume":"141","author":"Rosmiati","year":"2016","unstructured":"Rosmiati, Riadi, I., & Prayudi, Y. (2016). A maturity level framework for measurement of information security performance. International Journal of Computer Applications, 141, 975\u20138887. https:\/\/doi.org\/10.5120\/ijca2016907930","journal-title":"International Journal of Computer Applications"},{"issue":"1","key":"10246_CR81","doi-asserted-by":"publisher","first-page":"19","DOI":"10.1108\/RMJ-03-2016-0007","volume":"27","author":"M Rubino","year":"2017","unstructured":"Rubino, M., Vitolla, F., & Garzoni, A. (2017). The impact of an IT governance framework on the internal control environment. Records Management Journal, 27(1), 19\u201341. https:\/\/doi.org\/10.1108\/RMJ-03-2016-0007","journal-title":"Records Management Journal"},{"issue":"4","key":"10246_CR82","first-page":"iii","volume":"37","author":"S Sarker","year":"2013","unstructured":"Sarker, S., Xiao, X., & Beaulieu, T. (2013). Qualitative studies in information systems: A critical review and some guiding principles. MIS Quarterly, 37(4), iii\u2013xviii.","journal-title":"MIS Quarterly"},{"key":"10246_CR83","doi-asserted-by":"publisher","first-page":"78","DOI":"10.1016\/j.cose.2013.05.002","volume":"37","author":"RM Savola","year":"2013","unstructured":"Savola, R. M. (2013). Quality of security metrics and measurements. Computers & Security, 37, 78\u201390. https:\/\/doi.org\/10.1016\/j.cose.2013.05.002","journal-title":"Computers & Security"},{"issue":"5","key":"10246_CR84","doi-asserted-by":"publisher","first-page":"1205","DOI":"10.1007\/s10796-016-9648-8","volume":"19","author":"D Schatz","year":"2017","unstructured":"Schatz, D., & Bashroush, R. (2017). Economic valuation for information security investment: A systematic literature review. Information Systems Frontiers, 19(5), 1205\u20131228. https:\/\/doi.org\/10.1007\/s10796-016-9648-8","journal-title":"Information Systems Frontiers"},{"issue":"4","key":"10246_CR85","doi-asserted-by":"publisher","first-page":"47","DOI":"10.4018\/IJSDS.2018100104","volume":"9","author":"D Schatz","year":"2018","unstructured":"Schatz, D., & Bashroush, R. (2018). A structural model approach for assessing information security value in organizations. International Journal of Strategic Decision Sciences (IJSDS), 9(4), 47\u201369. https:\/\/doi.org\/10.4018\/IJSDS.2018100104","journal-title":"International Journal of Strategic Decision Sciences (IJSDS)"},{"issue":"2","key":"10246_CR86","doi-asserted-by":"publisher","first-page":"261","DOI":"10.1108\/ICS-02-2019-0033","volume":"28","author":"S Schinagl","year":"2020","unstructured":"Schinagl, S., & Shahim, A. (2020). What do we know about information security governance? \u201cFrom the basement to the boardroom\u201d: Towards digital security governance. Information & Computer Security, 28(2), 261\u2013292. https:\/\/doi.org\/10.1108\/ICS-02-2019-0033","journal-title":"Information & Computer Security"},{"issue":"2","key":"10246_CR87","first-page":"16","volume":"6","author":"R Sheikhpour","year":"2012","unstructured":"Sheikhpour, R., & Modiri, N. (2012). An approach to map COBIT processes to ISO\/IEC 27001 information security management controls. International Journal of Security and Its Applications, 6(2), 16.","journal-title":"International Journal of Security and Its Applications"},{"key":"10246_CR88","unstructured":"Sherwood, J., Clark, A., & Lynas, D. (1995). Enterprise security architecture. SABSA, White paper, 2009."},{"issue":"3","key":"10246_CR89","first-page":"20","volume":"72","author":"KH Shih-Jen","year":"2002","unstructured":"Shih-Jen, K. H., & McKay, R. (2002). Balanced scorecard: Two perspectives: Certified public accountant. The CPA Journal, 72(3), 20.","journal-title":"The CPA Journal"},{"key":"10246_CR90","first-page":"144","volume-title":"In world congress on internet security (WorldCIS-2012)","author":"AN Shivashankarappa","year":"2012","unstructured":"Shivashankarappa, A. N., Smalov, L., Dharmalingam, R., & Anbazhagan, N. (2012). Implementing it governance using COBIT: A case study focusing on critical success factors. In In world congress on internet security (WorldCIS-2012) (pp. 144\u2013149). Presented at the World Congress on Internet Security (WorldCIS-2012)."},{"issue":"1","key":"10246_CR91","first-page":"14","volume":"2","author":"N Sklavos","year":"2006","unstructured":"Sklavos, N., & Souras, P. (2006). Economic models and approaches in information security for computer networks. International Journal of Network Security, 2(1), 14\u201320.","journal-title":"International Journal of Network Security"},{"issue":"2","key":"10246_CR92","doi-asserted-by":"publisher","first-page":"99","DOI":"10.1016\/j.cose.2005.02.002","volume":"24","author":"B von Solms","year":"2005","unstructured":"von Solms, B. (2005). Information security governance: COBIT or ISO 17799 or both? Computers & Security, 24(2), 99\u2013104. https:\/\/doi.org\/10.1016\/j.cose.2005.02.002","journal-title":"Computers & Security"},{"issue":"1","key":"10246_CR93","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1504\/IJBIS.2010.029479","volume":"5","author":"LJ Tallau","year":"2010","unstructured":"Tallau, L. J., Gupta, M., & Sharman, R. (2010). Information security investment decisions: Evaluating the balanced scorecard method. International Journal of Business Information Systems, 5(1), 34\u201357.","journal-title":"International Journal of Business Information Systems"},{"issue":"5","key":"10246_CR94","doi-asserted-by":"publisher","first-page":"549","DOI":"10.1016\/0306-4573(88)90024-6","volume":"24","author":"M Telem","year":"1988","unstructured":"Telem, M. (1988). Information requirements specification I: Brainstorming collective decision-making approach. Information Processing & Management, 24(5), 549\u2013557. https:\/\/doi.org\/10.1016\/0306-4573(88)90024-6","journal-title":"Information Processing & Management"},{"issue":"2","key":"10246_CR95","doi-asserted-by":"publisher","first-page":"150","DOI":"10.1108\/ICS-06-2017-0042","volume":"26","author":"CZ Tu","year":"2018","unstructured":"Tu, C. Z., Yuan, Y., Archer, N., & Connelly, C. E. (2018). Strategic value alignment for information security management: A critical success factor analysis. Information & Computer Security, 26(2), 150\u2013170. https:\/\/doi.org\/10.1108\/ICS-06-2017-0042","journal-title":"Information & Computer Security"},{"issue":"1","key":"10246_CR96","first-page":"35","volume":"2","author":"W Van Grembergen","year":"2005","unstructured":"Van Grembergen, W., & De Haes, S. (2005). Measuring and improving IT governance through the balanced scorecard. Information Systems Control Journal, 2(1), 35\u201342.","journal-title":"Information Systems Control Journal"},{"key":"10246_CR97","doi-asserted-by":"crossref","unstructured":"Veiga, AD., Eloff, JH. (2007). An information security governance framework. Information systems management, 24(4):361\u2013372.","DOI":"10.1080\/10580530701586136"},{"issue":"3","key":"10246_CR98","doi-asserted-by":"publisher","first-page":"320","DOI":"10.1057\/palgrave.ejis.3000589","volume":"15","author":"G Walsham","year":"2006","unstructured":"Walsham, G. (2006). Doing interpretive research. European Journal of Information Systems, 15(3), 320\u2013330. https:\/\/doi.org\/10.1057\/palgrave.ejis.3000589","journal-title":"European Journal of Information Systems"},{"key":"10246_CR99","volume-title":"Principles of information security","author":"ME Whitman","year":"2011","unstructured":"Whitman, M. E., & Mattord, H. J. (2011). Principles of information security. Cengage Learning."},{"issue":"1","key":"10246_CR100","first-page":"17","volume":"11","author":"M Whitman","year":"2014","unstructured":"Whitman, M., & Mattord, H. J. (2014). Information security governance for the non-security business executive. Journal of Executive Education, 11(1), 17.","journal-title":"Journal of Executive Education"},{"key":"10246_CR101","unstructured":"Williams, P. (2006). The role of standards in medical information. Security Management, 415\u2013420."},{"key":"10246_CR102","doi-asserted-by":"publisher","unstructured":"Williams, P. (2007). Information governance: A model for security in medical practice. Journal of Digital Forensics, Security, and Law. https:\/\/doi.org\/10.15394\/jdfsl.2007.1017","DOI":"10.15394\/jdfsl.2007.1017"},{"issue":"2","key":"10246_CR103","doi-asserted-by":"publisher","first-page":"131","DOI":"10.1016\/0040-1625(91)90002-W","volume":"40","author":"F Woudenberg","year":"1991","unstructured":"Woudenberg, F. (1991). An evaluation of Delphi. Technological Forecasting and Social Change, 40(2), 131\u2013150.","journal-title":"Technological Forecasting and Social Change"},{"issue":"1","key":"10246_CR104","doi-asserted-by":"publisher","first-page":"28","DOI":"10.4018\/irmj.2011010103","volume":"24","author":"YA Wu","year":"2011","unstructured":"Wu, Y. A., & Saunders, C. S. (2011). Governing information security: Governance domains and decision rights allocation patterns. Information Resources Management Journal (IRMJ), 24(1), 28\u201345. https:\/\/doi.org\/10.4018\/irmj.2011010103","journal-title":"Information Resources Management Journal (IRMJ)"},{"issue":"5","key":"10246_CR105","doi-asserted-by":"publisher","first-page":"1069","DOI":"10.1007\/s10796-017-9807-6","volume":"21","author":"F Xu","year":"2019","unstructured":"Xu, F., Luo, X. R., Zhang, H., Liu, S., & Huang, W. W. (2019). Do strategy and timing in IT security investments matter? An empirical investigation of the alignment effect. Information Systems Frontiers, 21(5), 1069\u20131083. https:\/\/doi.org\/10.1007\/s10796-017-9807-6","journal-title":"Information Systems Frontiers"}],"container-title":["Information Systems Frontiers"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10796-022-10246-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10796-022-10246-9\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10796-022-10246-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,1,28]],"date-time":"2023-01-28T00:50:16Z","timestamp":1674867016000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10796-022-10246-9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,2,28]]},"references-count":105,"alternative-id":["10246"],"URL":"https:\/\/doi.org\/10.1007\/s10796-022-10246-9","relation":{},"ISSN":["1387-3326","1572-9419"],"issn-type":[{"value":"1387-3326","type":"print"},{"value":"1572-9419","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,2,28]]},"assertion":[{"value":"12 January 2022","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"28 February 2022","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"Appropriate ethics approval was obtained through Research Ethics Board (REB) at Brock University.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors acknowledge generous financial support provided by the Institute for International Issues in Accounting (IIIA). Dr. Teju Herath acknowledges partial research funding from the Social Sciences and Humanities Research Council (SSHRC) of Canada (Grant no: 410\u20132010-1848). The usual disclaimers apply. The authors would like to acknowledge research support provided by Carla Avard, Dustin Secord, Farook Alyassin, and Hilary Elliott. The authors also thank Daniel Garcia, Michael Tisi, Russ Fisenko, and Andy Morgan for their assistance.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors have no other relevant financial or non-financial or competing interests to declare that are relevant to the content of this article.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}}]}}