{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,28]],"date-time":"2026-01-28T12:47:13Z","timestamp":1769604433362,"version":"3.49.0"},"reference-count":75,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2015,6,8]],"date-time":"2015-06-08T00:00:00Z","timestamp":1433721600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2015,6,8]]},"abstract":"\n Purpose<\/jats:title>\n \u2013 The purpose of this study is to develop theoretically grounded and empirically derived organizational security governance (OSG) objectives. Developing organizational security governance (OSG) objectives pose significant challenges for organizations considering the ever-increasing vulnerability from lack of or misuse of appropriate controls. In recent years, there have been several cases of colossal losses to businesses due to inadequate security governance measure. In many cases, organizations do not even know as to what their ISG objectives might be. Following an extensive empirical study, this paper proposes 6 fundamental and 17 means objectives for designing security governance. The objectives were developed from individual values of information technology and security executives across a wide range of firms. The study comprised 52 interview respondents across 9 firms, which resulted in 23 OSG objectives. Theoretically, the study was grounded in Catton\u2019s (1959) value theory and Keeney\u2019s (1992) value-focused thinking. The objectives provide a useful basis for strategic planning for information security governance. <\/jats:p>\n <\/jats:sec>\n \n Design\/methodology\/approach<\/jats:title>\n \u2013 This research is grounded in value-focused thinking methodology. Step 1: develop a comprehensive list of personal values underlying the problem being explored. The researcher undertakes extensive interviews, using relevant probes, to elicit underlying values of respondents. Step 2: change the values enlisted to a common form and convert them into objectives. The data collected in Step 1 is collated and presented in a common form, which enables cross-comparison and easy interpretation. Step 3: classify the objectives as means and fundamental for the decision context. Objectives are clustered into groups and then classified into fundamental and means. <\/jats:p>\n <\/jats:sec>\n \n Findings<\/jats:title>\n \u2013 This study uses a value-focused approach to develop OSG objectives. Incorporating individual values in developing governance objectives would facilitate alignment of individual and organizational values about OSG. This study proposes 6 fundamental and 17 means objectives for OSG. The study provides a comprehensive list of OSG that is rooted in values of stakeholders in an organization. <\/jats:p>\n <\/jats:sec>\n \n Originality\/value<\/jats:title>\n \u2013 The main contributions study can be classified in two categories. First, it represents a collective set of OSG objectives which touch upon technical, formal, informal, moral and ethical dimensions of governance. This is a unique, synthesized and cohesive framework for OSG, which incorporates several aspects of OSG into one platform, thus allowing the development of a comprehensive security management program. Second, some of the objectives developed in this research (\u201cestablish corporate control strategy\u201d, \u201cestablish punitive structure\u201d, \u201cestablish clear control development process\u201d, \u201censure formal control assessment functionality\u201d and \u201cmaximize group cohesiveness\u201d) have not been emphasized enough in security governance literature.<\/jats:p>\n <\/jats:sec>","DOI":"10.1108\/ics-02-2014-0016","type":"journal-article","created":{"date-parts":[[2015,5,22]],"date-time":"2015-05-22T08:10:47Z","timestamp":1432282247000},"page":"122-144","source":"Crossref","is-referenced-by-count":19,"title":["Organizational objectives for information security governance: a value focused assessment"],"prefix":"10.1108","volume":"23","author":[{"given":"Sushma","family":"Mishra","sequence":"first","affiliation":[]}],"member":"140","reference":[{"key":"key2020122322022383200_b1","unstructured":"Allen, J.\n and \n Westby, J.\n (2007), \n Characteristics of Effective Security Governance\n , Governing for Enterprise Security (GES) Implementation Guide (CMU\/SEI-2007-TN-020), Carnegie Mellon University, Software Engineering Institute."},{"key":"key2020122322022383200_b3","unstructured":"Banks, D.G.\n (2004), \u201cThe fight against fraud\u201d, \n The Internal Auditor\n , Vol. 61 No. 2, pp. 34-39."},{"key":"key2020122322022383200_b4","doi-asserted-by":"crossref","unstructured":"Booker, R.\n (2006), \u201cRe-engineering enterprise security\u201d, \n Computers & Security\n , Vol. 25, pp. 13-17.","DOI":"10.1016\/j.cose.2005.12.005"},{"key":"key2020122322022383200_b5","doi-asserted-by":"crossref","unstructured":"Brotby, W.\n (2009), \n Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement\n , Taylor & Francis Group, FL.","DOI":"10.1201\/9781420052862"},{"key":"key2020122322022383200_b6","doi-asserted-by":"crossref","unstructured":"Brown, W.\n and \n Nasuti, F.\n (2005), \u201cSarbanes-oxley and enterprise security: IT governance-what it takes to get\u201d, \n Information Systems Security\n , Vol. 14 No. 5, pp. 15-28.","DOI":"10.1201\/1086.1065898X\/45654.14.5.20051101\/91010.4"},{"key":"key2020122322022383200_b7","doi-asserted-by":"crossref","unstructured":"Butler, J.K.\n (1991), \u201cToward understanding and measuring conditions of trust: evolution of a condition of trust inventory\u201d, \n Journal of Management\n , Vol. 17, pp. 643-663.","DOI":"10.1177\/014920639101700307"},{"key":"key2020122322022383200_b87","doi-asserted-by":"crossref","unstructured":"Catton, W.R.\n (1954), \u201cExploring techniques for measuring human values\u201d, \n American Sociological Review\n , Vol. 19 No. 1, pp. 49-55.","DOI":"10.2307\/2088172"},{"key":"key2020122322022383200_b8","doi-asserted-by":"crossref","unstructured":"Catton, W.R.\n (1959), \u201cA theory of value\u201d, \n American Sociological Review\n , Vol. 24 No. 3, pp. 310-317.","DOI":"10.2307\/2089379"},{"key":"key2020122322022383200_b9","unstructured":"Colarik, A.\n and \n Janczewski, L.\n (2012), \u201cA discussion on life systems security and the systems approach\u201d, \n CONF-IRM2012 Proceedings, Paper 56\n , available at: http:\/\/aisel.aisnet.org\/confirm2012\/56"},{"key":"key2020122322022383200_b10","unstructured":"COSO\n (2007), \u201cPutting COSO theory into practice: tone at the Top\u201d, Committee of Sponsoring Organization of the Treadway Commission, available at: www.coso.org (accessed 10 October 2008)."},{"key":"key2020122322022383200_b11","doi-asserted-by":"crossref","unstructured":"Da Veiga, A.\n and \n Eloff, J.H.P.\n (2007), \u201cAn information security governance framework\u201d, \n Information Systems Management\n , Vol. 24 No. 4, pp. 361-371.","DOI":"10.1080\/10580530701586136"},{"key":"key2020122322022383200_b14","doi-asserted-by":"crossref","unstructured":"Dhillon, G.\n and \n Backhouse, J.\n (2000), \u201cInformation system security management in the new millennium\u201d, \n Communications of the ACM\n , Vol. 43 No. 7, pp. 125-128.","DOI":"10.1145\/341852.341877"},{"key":"key2020122322022383200_b16","doi-asserted-by":"crossref","unstructured":"Dhillon, G.\n and \n Torkzadeh, G.\n (2006), \u201cValue-focused assessment of information systems security in organizations\u201d, \n Information Systems Journal\n , Vol. 16 No. 3, pp. 293-314.","DOI":"10.1111\/j.1365-2575.2006.00219.x"},{"key":"key2020122322022383200_b17","doi-asserted-by":"crossref","unstructured":"Drevin, L.\n , \n Kruger, H.A.\n and \n Steyn, T.\n (2007), \u201cValue-focussed assessment of ICT security awareness in an academic environment\u201d, \n Computer & Security\n , Vol. 26 No. 1, pp. 36-43.","DOI":"10.1016\/j.cose.2006.10.006"},{"key":"key2020122322022383200_b18","doi-asserted-by":"crossref","unstructured":"Drummond, H.\n (2003), \u201cDid Nick Leeson have an accomplice? The role of information technology in the collapse of Barings Bank\u201d, \n Journal of Information Technology\n , Vol. 18, pp. 93-101.","DOI":"10.1080\/0268396032000101153"},{"key":"key2020122322022383200_b19","doi-asserted-by":"crossref","unstructured":"Dutta, A.\n and \n McCrohan, K.\n (2002), \u201cManagement\u2019s role in information security in a cyber economy\u201d, \n California Management Review\n , Vol. 45 No. 1, pp. 67-87.","DOI":"10.2307\/41166154"},{"key":"key2020122322022383200_b20","doi-asserted-by":"crossref","unstructured":"Eloff, J.\n and \n Eloff, M.\n (2005), \u201cIntegrated information security architecture\u201d, \n Computer Fraud and Security\n , Vol. 11, pp. 10-16.","DOI":"10.1016\/S1361-3723(05)70275-X"},{"key":"key2020122322022383200_b21","doi-asserted-by":"crossref","unstructured":"Eloff, M.\n and \n von Solms, S.H.\n (2000), \u201cInformation security management: an approach to combine process certification and product evaluation\u201d, \n Computers & Security\n , Vol. 19, pp. 698-709.","DOI":"10.1016\/S0167-4048(00)08019-6"},{"key":"key2020122322022383200_b22","unstructured":"Ezingeard, J.\n , \n McFadzean, E.\n and \n Birchall, D.\n (2005), \u201cA model of information assurance benefits\u201d, \n Information Systems Management\n , Vol. 22 No. 2, p. 20."},{"key":"key2020122322022383200_b23","doi-asserted-by":"crossref","unstructured":"Finne, T.\n (1996), \u201cThe information security chain in a company\u201d, \n Computers & Security\n , Vol. 15 No. 4, pp. 297-316.","DOI":"10.1016\/0167-4048(96)88941-3"},{"key":"key2020122322022383200_b25","unstructured":"Flores, W.R.\n and \n Ekstedt, M.\n (2012), \u201cA model for investigating organizational impact on information security behavior\u201d, \n Pre-ICIS Workshop on Information Security and Privacy (SIGSEC)\n , available at: http:\/\/aisel.aisnet.org\/wisp2012\/12"},{"key":"key2020122322022383200_b26","doi-asserted-by":"crossref","unstructured":"Forte, D.\n and \n Power, R.\n (2008), \u201cGuaranteeing governance to curb fraud-Societe Generale debate\u201d, \n Computer Fraud & Security\n , pp. 18-19.","DOI":"10.1016\/S1361-3723(08)70049-6"},{"key":"key2020122322022383200_b27","doi-asserted-by":"crossref","unstructured":"Hogg, M.\n and \n Terry, D.\n (2000), \u201cSocial identity and self-categorization processes in organizational contexts\u201d, \n The Academy of Management Review\n , Vol. 25 No. 1, pp. 121-140.","DOI":"10.5465\/amr.2000.2791606"},{"key":"key2020122322022383200_b28","unstructured":"IIA\n (2006), \n Organizational Governance: Guidance for Internal Auditors\n , The Institute of Internal Auditors, pp. 1-18."},{"key":"key2020122322022383200_b29","unstructured":"ISACA Information Systems Audit and Control Association\n (2012), \n COBIT 5 \u2013 A Business Framework for the Governance and Management of Enterprise IT\n , ISACA, Rolling Meadows."},{"key":"key2020122322022383200_b30","unstructured":"ISACA\n (2004), \n CISA Review Manual\n , Information Systems Audit and Control Association, Rolling Meadows, IL."},{"key":"key2020122322022383200_b34","unstructured":"ITIL\n (2007), \u201cITIL V3\u201d, available at: www.itlibrary.org\/ (accessed 10 October 2008)."},{"key":"key2020122322022383200_b35","doi-asserted-by":"crossref","unstructured":"Johnson, E.C.\n (2006), \u201cSecurity awareness: switch to a better programme\u201d, \n Network Security\n , pp. 15-18.","DOI":"10.1016\/S1353-4858(06)70337-3"},{"key":"key2020122322022383200_b36","doi-asserted-by":"crossref","unstructured":"Johnston, A.\n and \n Hale, R.\n (2009), \u201cImproved security through information security governance\u201d, \n Communications of the ACM\n , Vol. 52 No. 1, pp. 126-129.","DOI":"10.1145\/1435417.1435446"},{"key":"key2020122322022383200_b37","doi-asserted-by":"crossref","unstructured":"Jones, G.\n and \n George, J.\n (1998), \u201cThe experience and evolution of trust: implications for cooperation and teamwork\u201d, \n The Academy of Management Review\n , Vol. 23 No. 3, pp. 531-546.","DOI":"10.5465\/amr.1998.926625"},{"key":"key2020122322022383200_b38","unstructured":"Kayworth, T.\n and \n Whitten, D.\n (2010), \u201cEffective information security requires a balance of social and technology factors\u201d, \n MIS Quarterly Executive\n , Vol. 9 No. 3, pp. 303-315."},{"key":"key2020122322022383200_b84","unstructured":"Keeney, R.\n (1992), \n Value-Focussed Thinking: A Path to Creative Decision Making\n , Harvard University Press, Cambridge, MA."},{"key":"key2020122322022383200_b85","doi-asserted-by":"crossref","unstructured":"Keeney, R.\n (1999), \u201cThe value of internet commerce to the customer\u201d, \n Management Science\n , Vol. 45 No. 4, pp. 533-542.","DOI":"10.1287\/mnsc.45.4.533"},{"key":"key2020122322022383200_b39","doi-asserted-by":"crossref","unstructured":"Klein, H.\n and \n Myers, M.\n (1999), \u201cA set of principles for conducting and evaluating interpretive field studies in information systems\u201d, \n MIS Quarterly\n , Vol. 23 No. 1.","DOI":"10.2307\/249410"},{"key":"key2020122322022383200_b40","doi-asserted-by":"crossref","unstructured":"Kolokotronis, N.\n , \n Margaritis, C.\n , \n Papadopoulou, P.\n , \n Kanellis, P.\n and \n Martakos, D.\n (2002), \u201cAn integrated approach for securing electronic transactions over the web\u201d, \n Benchmarking\n , Vol. 9 No. 2, pp. 166-181.","DOI":"10.1108\/14635770210421836"},{"key":"key2020122322022383200_b41","unstructured":"Lange, L.\n (2007), \u201cWhy ITIL rules\u201d, available at: www.smartenterprisemag.com\/articles\/2007winter\/bestpractices.jhtml (accessed 10 December 2008)."},{"key":"key2020122322022383200_b42","doi-asserted-by":"crossref","unstructured":"Leach, J.\n (2003), \u201cImproving user security behavior\u201d, \n Computers & Security\n , Vol. 22 No. 8, pp. 685-692.","DOI":"10.1016\/S0167-4048(03)00007-5"},{"key":"key2020122322022383200_b43","doi-asserted-by":"crossref","unstructured":"Lindup, K.\n (1996), \u201cThe role of information security in corporate governance\u201d, \n Computers & Security\n , Vol. 15, pp. 477-485.","DOI":"10.1016\/S0167-4048(97)83121-5"},{"key":"key2020122322022383200_b45","unstructured":"McCarthy, M.P.\n and \n Campbell, S.\n (2001), \n Security Transformation\n , McGraw-Hill, New York, NY."},{"key":"key2020122322022383200_b44","doi-asserted-by":"crossref","unstructured":"Marginson, D.\n (2002), \u201cManagement control systems and their effects on strategy formation at the middle-management levels: evidence from a UK\u201d, \n Organization Strategic Management Journal\n , Vol. 23, pp. 1019-1031.","DOI":"10.1002\/smj.271"},{"key":"key2020122322022383200_b47","doi-asserted-by":"crossref","unstructured":"Meglino, B.\n and \n Ravlin, E.\n (1998), \u201cIndividual values in organizations: concepts, controversies, and research\u201d, \n Journal of Management\n , Vol. 24 No. 3, pp. 351-389.","DOI":"10.1177\/014920639802400304"},{"key":"key2020122322022383200_b48","doi-asserted-by":"crossref","unstructured":"Merrick, J.\n , \n Grabowski, M.\n , \n Ayyalasomayajula, P.\n and \n Harrald, J.\n (2005), \u201cUnderstanding organizational safety using value-focused thinking\u201d, \n Risk Anal\n , Vol. 25 No. 4, pp. 1029-1041.","DOI":"10.1111\/j.1539-6924.2005.00654.x"},{"key":"key2020122322022383200_b49","doi-asserted-by":"crossref","unstructured":"Moulton, R.\n and \n Coles, R.\n (2003), \u201cApplying information security governance\u201d, \n Computers & Security\n , Vol. 22 No. 7, pp. 580-584.","DOI":"10.1016\/S0167-4048(03)00705-3"},{"key":"key2020122322022383200_b81","doi-asserted-by":"crossref","unstructured":"Peppard, J.\n and \n Ward, J.\n (2004), \u201cBeyond strategic information systems: toward an IS capability\u201d, \n Strategic Information Systems\n , Vol. 13, pp. 167-194.","DOI":"10.1016\/j.jsis.2004.02.002"},{"key":"key2020122322022383200_b52","doi-asserted-by":"crossref","unstructured":"Qiang, Y.\n and \n Hua-ying, S.\n (2007), \u201cA systematic research and simulation of the internet security governance\u201d, \n IEEE International Symposium on Technology and Society Proceedings of ISTAS 2007\n .","DOI":"10.1109\/ISTAS.2007.4362230"},{"key":"key2020122322022383200_b53","doi-asserted-by":"crossref","unstructured":"Ridley, G.\n , \n Young, J.\n and \n Carroll, P.\n (2004), \u201cCOBIT and its utilization: a framework from the literature\u201d, 37th Hawaii International Conference on System Sciences, IEEE, HI.","DOI":"10.1109\/HICSS.2004.1265566"},{"key":"key2020122322022383200_b54","unstructured":"Ross, J.\n and \n Weill, P.\n (2002), \u201cSix IT decisions your IT people shouldn\u2019t make\u201d, \n Harvard Business Review\n , November."},{"key":"key2020122322022383200_b55","doi-asserted-by":"crossref","unstructured":"Ruighaver, A.B.\n , \n Maynard, S.B.\n and \n Chang, S.\n (2007), \u201cOrganizational security culture: extending the end-user perspective\u201d, \n Computers & Security\n , Vol. 26, pp. 56-62.","DOI":"10.1016\/j.cose.2006.10.008"},{"key":"key2020122322022383200_b56","unstructured":"Sandhu, R.\n and \n Samrati, P.\n (1994), \n Access Control: Principles and Practice\n , IEEE Communications, pp. 40-48."},{"key":"key2020122322022383200_b57","doi-asserted-by":"crossref","unstructured":"Segev, A.\n , \n Porra, J.\n and \n Roldan, M.\n (1998), \u201cInternet security and the case of Bank of America. Association for computing machinery\u201d, \n Communications of the ACM\n , Vol. 41 No. 10, pp. 81-87.","DOI":"10.1145\/286238.286251"},{"key":"key2020122322022383200_b58","doi-asserted-by":"crossref","unstructured":"Sheng, H.\n , \n Nah, F.\n and \n Siau, K.\n (2005), \u201cStrategic implications of mobile technology: a case study using value-focused thinking\u201d, \n Journal of Strategic Information Systems\n , Vol. 14 No. 3, pp. 269-290.","DOI":"10.1016\/j.jsis.2005.07.004"},{"key":"key2020122322022383200_b59","doi-asserted-by":"crossref","unstructured":"Sherwood, J.\n (1996), \u201cSALSA: a method for developing the enterprise security architecture and strategy\u201d, \n Computer Security\n , Vol. 15, pp. 501-506.","DOI":"10.1016\/S0167-4048(97)83124-0"},{"key":"key2020122322022383200_b60","doi-asserted-by":"crossref","unstructured":"Straub, D.\n (1998), \u201cCoping with systems risk: security planning models for management decision-making\u201d, \n MIS Quarterly\n , Vol. 22 No. 8, pp. 441-465.","DOI":"10.2307\/249551"},{"key":"key2020122322022383200_b61","doi-asserted-by":"crossref","unstructured":"Straub, D.W.\n and \n Welke, R.J.\n (1998), \u201cCoping with systems risks: security planning models for management decision-making\u201d, \n MIS Quarterly\n , Vol. 22 No. 4, pp. 441-469.","DOI":"10.2307\/249551"},{"key":"key2020122322022383200_b88","doi-asserted-by":"crossref","unstructured":"Torkzadeh, G.\n and \n Dhillon, G.\n (2002), \u201cMeasuring factors that influence the success of internet commerce\u201d, \n Information Systems Research\n , Vol. 13, pp. 187-204.","DOI":"10.1287\/isre.13.2.187.87"},{"key":"key2020122322022383200_b62","doi-asserted-by":"crossref","unstructured":"Tr\u010dek, D.\n (2003), \u201cAn integral framework for information systems security management\u201d, \n Computer & Security\n , Vol. 22 No. 4, pp. 337-360.","DOI":"10.1016\/S0167-4048(03)00413-9"},{"key":"key2020122322022383200_b63","doi-asserted-by":"crossref","unstructured":"Tsiakis, T.\n and \n Sthephanides, G.\n (2005), \u201cThe concept of security and trust electronic payments\u201d, \n Computers & Security\n , pp. 10-15.","DOI":"10.1016\/j.cose.2004.11.001"},{"key":"key2020122322022383200_b64","unstructured":"Tudor, J.K.\n (2000), \n Information Security Architecture-An Integrated Approach to Security in an Organization\n , Auerbach, Boca Raton, FL."},{"key":"key2020122322022383200_b65","unstructured":"Volino, B.\n (2006), \u201cExpect threats to get nastier as networks become more complex\u201d, \n Computerworld\n ."},{"key":"key2020122322022383200_b89","doi-asserted-by":"crossref","unstructured":"von Solms, B.V.\n (2006), \u201cInformation security-the fourth wave\u201d, \n Computers & Security\n , Vol. 25 No. 3, pp. 165-168.","DOI":"10.1016\/j.cose.2006.03.004"},{"key":"key2020122322022383200_b66","doi-asserted-by":"crossref","unstructured":"von Solms, B.\n and \n von Solms, R.\n (2005), \u201cFrom information security to business security?\u201d, \n Computers & Security\n , Vol. 24, pp. 271-273.","DOI":"10.1016\/j.cose.2005.04.004"},{"key":"key2020122322022383200_b67","unstructured":"Wagner, J.K.\n (2000), \u201cLeading the way\u201d, \n The Internal Auditor\n , Vol. 57 No. 4, pp. 34-39."},{"key":"key2020122322022383200_b69","doi-asserted-by":"crossref","unstructured":"Ward, P.\n and \n Smith, C.\n (2002), \u201cThe development of access control policies for information technology systems\u201d, \n Computers & Security\n , Vol. 21 No. 4, pp. 356-371.","DOI":"10.1016\/S0167-4048(02)00414-5"},{"key":"key2020122322022383200_b70","doi-asserted-by":"crossref","unstructured":"Workman, M.\n (2008), \u201cA test of interventions for security threats from social engineering\u201d, \n Information Management & Computer Security\n , Vol. 16 No. 5, pp. 463-483.","DOI":"10.1108\/09685220810920549"},{"key":"key2020122322022383200_b71","unstructured":"Zafar, H.\n and \n Clark, J.G.\n (2009), \u201cCurrent state of information security research in IS\u201d, \n Communications of the Association for Information Systems\n , Vol. 24, available at: http:\/\/aisel.aisnet.org\/cais\/vol24\/iss1\/34"},{"key":"key2020122322022383200_frd1","doi-asserted-by":"crossref","unstructured":"Backhouse, J.\n and \n Dhillon, G.\n (1996), \u201cStructures of responsibility and security of information systems\u201d, \n European Journal of Information Systems\n , Vol. 5 No. 1, pp. 2-9.","DOI":"10.1057\/ejis.1996.7"},{"key":"key2020122322022383200_frd2","doi-asserted-by":"crossref","unstructured":"Dhillon, G.\n (2001), \u201cViolation of safeguards by trusted personnel and understanding related information security concerns\u201d, \n Computers & Security\n , Vol. 20 No. 2, pp. 165-172.","DOI":"10.1016\/S0167-4048(01)00209-7"},{"key":"key2020122322022383200_frd3","doi-asserted-by":"crossref","unstructured":"Dhillon, G.\n and \n Backhouse, J.\n (2001), \u201cCurrent directions in IS security research: towards socio-organizational perspectives\u201d, \n Information Systems Journal\n , Vol. 11, pp. 127-153.","DOI":"10.1046\/j.1365-2575.2001.00099.x"},{"key":"key2020122322022383200_frd4","unstructured":"Dhillon, G.\n and \n Mishra, S.\n (2006), \u201cThe impact of Sarbanes-Oxley (SOX) act on information security governance\u201d, in \n Warkentin, M.\n and \n Vaughan, R.\n (Eds), \n Enterprise Information Security Assurance and System Security: Managerial and Technical Issues\n , Idea Group Publishing, Hershey, PA, pp. 62-79."},{"key":"key2020122322022383200_frd5","unstructured":"ISO\n (2005), \u201cISO\/IEC 17799\u201d, International Organization for Standardization."},{"key":"key2020122322022383200_frd6","unstructured":"ITGI\n (2003), \n IT Control Objectives for Sarbanes-Oxley\n , IT Governance Institute, Rolling Meadows, IL."},{"key":"key2020122322022383200_frd7","unstructured":"ITGI and OGC\n \u201cAligning CobiT, ITIL and ISO 17799 for business benefit\u201d, Information Technology Governance Institute and Office of Government Commerce, pp. 1-62."},{"key":"key2020122322022383200_frd8","unstructured":"McFadzean, E.\n , \n Ezingeard, J.\n and \n Birchall, D.\n (2006), \u201cAnchoring information security sociological groundings and future directions\u201d, \n Journal of Information System Security\n , Vol. 2 No. 3."},{"key":"key2020122322022383200_frd9","unstructured":"Nicho, M.\n (2012), \u201cAn optimized dynamic process model of IS security governance implementation\u201d, \n CONF-IRM 2012Proceedings\n , available at: http:\/\/aisel.aisnet.org\/confirm2012\/38"},{"key":"key2020122322022383200_frd11","unstructured":"Ward, J.\n and \n Peppard, J.\n (2002), \n Strategic Planning for Information Systems\n , John Wiley & Sons, Baffins Lane, Chichester."}],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/ICS-02-2014-0016","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-02-2014-0016\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-02-2014-0016\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:40Z","timestamp":1753406560000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/23\/2\/122-144\/119719"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,6,8]]},"references-count":75,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2015,6,8]]}},"alternative-id":["10.1108\/ICS-02-2014-0016"],"URL":"https:\/\/doi.org\/10.1108\/ics-02-2014-0016","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2015,6,8]]}}}