{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T19:42:58Z","timestamp":1776109378494,"version":"3.50.1"},"reference-count":91,"publisher":"Emerald","issue":"2","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2020,6,8]]},"abstract":"\n Purpose<\/jats:title>\n This paper aims to review the information security governance (ISG) literature and emphasises the tensions that exist at the intersection of the rapidly changing business climate and the current body of knowledge on ISG.<\/jats:p>\n <\/jats:sec>\n \n Design\/methodology\/approach<\/jats:title>\n The intention of the authors was to conduct a systematic literature review. However, owing to limited empirical papers in ISG research, this paper is more conceptually organised.<\/jats:p>\n <\/jats:sec>\n \n Findings<\/jats:title>\n This paper shows that security has shifted from a narrow-focused isolated issue towards a strategic business issue with \u201cfrom the basement to the boardroom\u201d implications. The key takeaway is that protecting the organisation is important, but organizations must also develop strategies to ensure resilient businesses to take advantage of the opportunities that digitalization can bring.<\/jats:p>\n <\/jats:sec>\n \n Research limitations\/implications<\/jats:title>\n The concept of DSG is a new research territory that addresses the limitations and gaps of traditional ISG approaches in a digital context. To this extent, organisational theories are suggested to help build knowledge that offers a deeper understanding than that provided by the too often used practical approaches in ISG research.<\/jats:p>\n <\/jats:sec>\n \n Practical implications<\/jats:title>\n This paper supports practitioners and decision makers by providing a deeper understanding of how organisations and their security approaches are actually affected by digitalisation.<\/jats:p>\n <\/jats:sec>\n \n Social implications<\/jats:title>\n This paper helps individuals to understand that they have increasing rights with regard to privacy and security and a say in what parties they assign business to.<\/jats:p>\n <\/jats:sec>\n \n Originality\/value<\/jats:title>\n This paper makes a novel contribution to ISG research. To the authors\u2019 knowledge, this is the first attempt to review and structure the ISG literature.<\/jats:p>\n <\/jats:sec>","DOI":"10.1108\/ics-02-2019-0033","type":"journal-article","created":{"date-parts":[[2020,2,3]],"date-time":"2020-02-03T06:24:56Z","timestamp":1580711096000},"page":"261-292","source":"Crossref","is-referenced-by-count":39,"title":["What do we know about information security governance?"],"prefix":"10.1108","volume":"28","author":[{"given":"Stef","family":"Schinagl","sequence":"first","affiliation":[{"name":"Vrije Universiteit Amsterdam School of Business and Economics, , Amsterdam,","place":["The Netherlands"]}]},{"given":"Abbas","family":"Shahim","sequence":"additional","affiliation":[{"name":"Vrije Universiteit Amsterdam School of Business and Economics, , Amsterdam,","place":["The Netherlands"]}]}],"member":"140","published-online":{"date-parts":[[2020,1,25]]},"reference":[{"issue":"2","key":"2025081309503723100_ref001","doi-asserted-by":"publisher","first-page":"357","DOI":"10.1007\/s10845-012-0683-0","article-title":"Information security strategies: towards an organizational multi-strategy perspective","volume":"25","author":"Ahmad","year":"2014","journal-title":"Journal of Intelligent Manufacturing"},{"issue":"2","key":"2025081309503723100_ref002","doi-asserted-by":"publisher","first-page":"205","DOI":"10.1108\/ICS-01-2016-0006","article-title":"An information security risk-driven investment model for analysing human factors","volume":"24","author":"Alavi","year":"2016","journal-title":"Information and Computer Security"},{"key":"2025081309503723100_ref003","unstructured":"Atos (2017), \u201cThe currency of cyber trust: your customers\u2019 attitudes towards cyber security\u201d, available at: https:\/\/atos.net\/wp-content\/uploads\/2018\/03\/atos-currency-cyber-truth-research-programme-report.pdf"},{"key":"2025081309503723100_ref004","doi-asserted-by":"publisher","first-page":"9","DOI":"10.1016\/j.cose.2016.02.007","article-title":"Information system security commitment: a study of external influences on senior management","volume":"59","author":"Barton","year":"2016","journal-title":"Computers and Security"},{"issue":"6","key":"2025081309503723100_ref005","doi-asserted-by":"publisher","first-page":"508","DOI":"10.1016\/j.jaccpubpol.2018.10.003","article-title":"Cybersecurity awareness and market valuations","volume":"37","author":"Berkman","year":"2018","journal-title":"Journal of Accounting and Public Policy"},{"key":"2025081309503723100_ref006","doi-asserted-by":"publisher","DOI":"10.4225\/75\/57b5595fb8768","article-title":"Information security governance and boards of directors: are they compatible?","author":"Bihari","year":"2008"},{"key":"2025081309503723100_ref007","volume-title":"Improving the Maturity of Business Information Security","author":"Bobbert","year":"2018"},{"key":"2025081309503723100_ref008","volume-title":"Who Can You Trust?: How Technology Brought Us Together and Why It Might Drive Us Apart","author":"Botsman","year":"2017"},{"key":"2025081309503723100_ref009","doi-asserted-by":"crossref","first-page":"157","DOI":"10.1016\/j.compind.2018.02.010","article-title":"Digital supply chain: literature review and a proposed framework for future research","volume":"97","author":"B\u00fcy\u00fck\u00f6zkan","year":"2018","journal-title":"Computers in Industry"},{"issue":"2","key":"2025081309503723100_ref0010","doi-asserted-by":"crossref","first-page":"22","DOI":"10.1109\/MITP.2016.27","article-title":"A framework for information security governance and management","volume":"18","author":"Carcary","year":"2016","journal-title":"IT Professional"},{"issue":"5","key":"2025081309503723100_ref0011","doi-asserted-by":"publisher","first-page":"580","DOI":"10.1108\/ICS-02-2016-0015","article-title":"Escalation of commitment and information security: theories and implications","volume":"25","author":"Chulkov","year":"2017","journal-title":"Information and Computer Security"},{"issue":"6","key":"2025081309503723100_ref0012","doi-asserted-by":"publisher","first-page":"605","DOI":"10.1057\/s41303-017-0059-9","article-title":"Organizational information security policies: a review and research framework","volume":"26","author":"Cram","year":"2017","journal-title":"European Journal of Information Systems"},{"key":"2025081309503723100_ref0013","unstructured":"CU*Answers (2013), \u201cSense and reliability: do we have the right approach to risk management for our future \u2013 especially when it comes to cyber security?\u201d, available at: www.cuanswers.com\/wp-content\/uploads\/Cybersecurity-WhitePaper-SenseandReliability.pdf"},{"key":"2025081309503723100_ref0014","doi-asserted-by":"publisher","first-page":"162","DOI":"10.1016\/j.cose.2014.12.006","article-title":"Improving the information security culture through monitoring and implementation actions illustrated through a case study","volume":"49","author":"Da Veiga","year":"2015","journal-title":"Computers and Security"},{"issue":"3","key":"2025081309503723100_ref0015","doi-asserted-by":"publisher","first-page":"240","DOI":"10.1108\/ICS-07-2016-0053","article-title":"Analysing information security in a bank using soft systems methodology","volume":"25","author":"Damenu","year":"2017","journal-title":"Information and Computer Security"},{"key":"2025081309503723100_ref0016","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.cose.2017.03.010","article-title":"Applications of social network analysis in behavioural information security research: concepts and empirical analysis","volume":"68","author":"Dang-Pham","year":"2017","journal-title":"Computers and Security"},{"issue":"4","key":"2025081309503723100_ref0017","doi-asserted-by":"publisher","first-page":"452","DOI":"10.1016\/j.im.2016.10.002","article-title":"Information security concerns in IT outsourcing: identifying (in) congruence between clients and vendors","volume":"54","author":"Dhillon","year":"2017","journal-title":"Information and Management"},{"issue":"1","key":"2025081309503723100_ref0018","doi-asserted-by":"publisher","first-page":"83","DOI":"10.4018\/IRMJ.2018010104","article-title":"A risk management model for an academic institution's information system","volume":"31","author":"Dreyfuss","year":"2018","journal-title":"Information Resources Management Journal ( Journal"},{"issue":"1","key":"2025081309503723100_ref0019","doi-asserted-by":"publisher","first-page":"67","DOI":"10.2307\/41166154","article-title":"Management's role in information security in a cyber economy","volume":"45","author":"Dutta","year":"2002","journal-title":"California Management Review"},{"issue":"3","key":"2025081309503723100_ref0020","doi-asserted-by":"publisher","first-page":"397","DOI":"10.5465\/amr.1993.9309035145","article-title":"Selling issues to top management","volume":"18","author":"Dutton","year":"1993","journal-title":"Academy of Management Review"},{"issue":"2","key":"2025081309503723100_ref0021","doi-asserted-by":"publisher","first-page":"238","DOI":"10.1109\/TEM.2012.2185801","article-title":"Incentive alignment and risk perception: an information security application","volume":"60","author":"Farahmand","year":"2013","journal-title":"IEEE Transactions on Engineering Management"},{"key":"2025081309503723100_ref0022","doi-asserted-by":"publisher","first-page":"90","DOI":"10.1016\/j.cose.2014.03.004","article-title":"Information security knowledge sharing in organizations: investigating the effect of behavioral information security governance and national culture","volume":"43","author":"Flores","year":"2014","journal-title":"Computers and Security"},{"issue":"4","key":"2025081309503723100_ref0023","doi-asserted-by":"publisher","first-page":"793","DOI":"10.1007\/s10997-016-9358-0","article-title":"Information security governance: pending legal responsibilities of non-executive boards","volume":"21","author":"Georg","year":"2017","journal-title":"Journal of Management and Governance"},{"key":"2025081309503723100_ref0024","doi-asserted-by":"publisher","first-page":"33","DOI":"10.17705\/1CAIS.02833","article-title":"Information security and privacy-rethinking governance models","volume":"28","author":"Gillon","year":"2011","journal-title":"Communications of the Association for Information Systems"},{"issue":"7","key":"2025081309503723100_ref0025","doi-asserted-by":"publisher","first-page":"404","DOI":"10.1016\/j.im.2009.06.005","article-title":"Estimating the market impact of security breach announcements on firm values","volume":"46","author":"Goel","year":"2009","journal-title":"Information and Management"},{"key":"2025081309503723100_ref0026","doi-asserted-by":"publisher","first-page":"165","DOI":"10.1016\/j.ijinfomgt.2018.07.013","article-title":"Understanding key skills for information security managers","volume":"43","author":"Haqaf","year":"2018","journal-title":"International Journal of Information Management"},{"issue":"1","key":"2025081309503723100_ref0027","doi-asserted-by":"publisher","first-page":"86","DOI":"10.1108\/WJEMSD-07-2017-0042","article-title":"Investigating the information security management role in smart city organisations","volume":"14","author":"Hasbini","year":"2018","journal-title":"World Journal of Entrepreneurship, Management and Sustainable Development"},{"issue":"4","key":"2025081309503723100_ref0028","doi-asserted-by":"publisher","first-page":"27","DOI":"10.12821\/ijispm040402","article-title":"A process framework for information security management","volume":"4","author":"Haufe","year":"2016","journal-title":"International Journal of Information Systems and Project Management"},{"key":"2025081309503723100_ref0029a","first-page":"53","article-title":"One more time: how do you motivate employees?","volume":"46","author":"Herzberg","year":"1968","journal-title":"Harvard Business Review"},{"issue":"3","key":"2025081309503723100_ref0029","doi-asserted-by":"publisher","first-page":"79","DOI":"10.2308\/isys-51402","article-title":"The relationship between board-level technology committees and reported security breaches","volume":"30","author":"Higgs","year":"2016","journal-title":"Journal of Information Systems"},{"key":"2025081309503723100_ref0030","first-page":"13","article-title":"Information security governance: investigating diversity in critical infrastructure organizations","author":"Holgate","year":"2012"},{"key":"2025081309503723100_ref0031","doi-asserted-by":"publisher","DOI":"10.3127\/ajis.v21i0.1427","article-title":"Organisational information security strategy: review, discussion and future research","volume":"21","author":"Horne","year":"2017","journal-title":"Australasian Journal of Information Systems"},{"key":"2025081309503723100_ref0032","unstructured":"ISTR (2018), \u201cInformation Security Threat Report (ISTR)\u201d, Vol. 23, Symantec, available at: www.symantec.com\/security-center\/threat-report"},{"issue":"1","key":"2025081309503723100_ref0033","doi-asserted-by":"publisher","first-page":"126","DOI":"10.1145\/1435417.1435446","article-title":"Improved security through information security governance","volume":"52","author":"Johnston","year":"2009","journal-title":"Communications of the ACM"},{"issue":"3","key":"2025081309503723100_ref0034","doi-asserted-by":"publisher","first-page":"300","DOI":"10.1108\/ICS-02-2016-0013","article-title":"The role of the chief information security officer in the management of IT security","volume":"25","author":"Karanja","year":"2017","journal-title":"Information and Computer Security"},{"issue":"5","key":"2025081309503723100_ref0035","doi-asserted-by":"publisher","first-page":"418","DOI":"10.1108\/ICS-11-2016-091","article-title":"Inter-organisational information security: a systematic literature review","volume":"24","author":"Karlsson","year":"2016","journal-title":"Information and Computer Security"},{"issue":"1","key":"2025081309503723100_ref0036","doi-asserted-by":"publisher","first-page":"107","DOI":"10.22364\/bjmc.2017.5.1.07","article-title":"High-level self-sustaining information security management framework","volume":"5","author":"Kauspadiene","year":"2017","journal-title":"Baltic Journal of Modern Computing"},{"issue":"3","key":"2025081309503723100_ref0037","first-page":"2012","article-title":"Effective information security requires a balance of social and technology factors","volume":"9","author":"Kayworth","year":"2012","journal-title":"MIS Quarterly Executive"},{"issue":"4","key":"2025081309503723100_ref0038","doi-asserted-by":"publisher","first-page":"928","DOI":"10.1016\/j.clsr.2018.06.001","article-title":"Legal aspects of cloud security","volume":"34","author":"Kemp","year":"2018","journal-title":"Computer Law and Security Review"},{"issue":"7","key":"2025081309503723100_ref0039","doi-asserted-by":"publisher","first-page":"493","DOI":"10.1016\/j.cose.2009.07.001","article-title":"Information security policy: an organizational-level process model","volume":"28","author":"Knapp","year":"2009","journal-title":"Computers and Security"},{"issue":"2\/3","key":"2025081309503723100_ref0040","doi-asserted-by":"publisher","first-page":"227","DOI":"10.1177\/0170840608101478","article-title":"Moving beyond normal accidents and high reliability organizations: a systems approach to safety in complex systems","volume":"30","author":"Leveson","year":"2009","journal-title":"Organization Studies"},{"issue":"6","key":"2025081309503723100_ref0041","doi-asserted-by":"publisher","first-page":"477","DOI":"10.1016\/S0167-4048(97)83121-5","article-title":"The role of information security in corporate governance","volume":"15","author":"Lindup","year":"1996","journal-title":"Computers and Security"},{"issue":"5","key":"2025081309503723100_ref0045","doi-asserted-by":"publisher","first-page":"622","DOI":"10.1108\/14684520710832333","article-title":"Perception of risk and the strategic impact of existing IT on information security strategy at board level","volume":"31","author":"McFadzean","year":"2007","journal-title":"Online Information Review"},{"issue":"6","key":"2025081309503723100_ref0042","first-page":"209","article-title":"CAFISGO: a capability assessment framework for information security governance in organizations","volume":"12","author":"Maleh","year":"2017","journal-title":"Journal of Information Assurance and Security"},{"key":"2025081309503723100_ref0043","doi-asserted-by":"publisher","first-page":"579","DOI":"10.1007\/s10551-009-0312-9","article-title":"CSR and the corporate cyborg: ethical corporate information security practices","volume":"88","author":"Matwyshyn","year":"2009","journal-title":"Journal of Business Ethics"},{"issue":"4","key":"2025081309503723100_ref0044","doi-asserted-by":"publisher","DOI":"10.17705\/1pais.10403","article-title":"Towards a framework for strategic security context in information security governance","volume":"10","author":"Maynard","year":"2018","journal-title":"Pacific Asia Journal of the Association for Information Systems"},{"issue":"2","key":"2025081309503723100_ref0046","doi-asserted-by":"publisher","first-page":"122","DOI":"10.1108\/ICS-02-2014-0016","article-title":"Organizational objectives for information security governance: a value focused assessment","volume":"23","author":"Mishra","year":"2015","journal-title":"Information and Computer Security"},{"key":"2025081309503723100_ref0047","doi-asserted-by":"publisher","first-page":"401","DOI":"10.1016\/j.procs.2018.10.057","article-title":"Information security governance in big data environments: a systematic mapping","volume":"138","author":"Moghadam","year":"2018","journal-title":"Procedia Computer Science"},{"issue":"7","key":"2025081309503723100_ref0048","doi-asserted-by":"publisher","first-page":"580","DOI":"10.1016\/S0167-4048(03)00705-3","article-title":"Applying information security governance","volume":"22","author":"Moulton","year":"2003","journal-title":"Computers and Security"},{"issue":"1","key":"2025081309503723100_ref0049","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10799-013-0156-y","article-title":"Perceived information security of internal users in Indian IT services industry","volume":"15","author":"Mukundan","year":"2014","journal-title":"Information Technology and Management"},{"key":"2025081309503723100_ref0050","unstructured":"Nash, C. and Hayden, L. (2016), \u201cWhat high reliability organizations can teach us about security\u201d, available at: www.oreilly.com\/ideas\/what-high-reliability-organizations-can-teach-us-about-security (13 September 2016)."},{"issue":"1","key":"2025081309503723100_ref0051","doi-asserted-by":"publisher","first-page":"10","DOI":"10.1108\/ICS-07-2016-0061","article-title":"A process model for implementing information systems security governance","volume":"26","author":"Nicho","year":"2018","journal-title":"Information and Computer Security"},{"issue":"6","key":"2025081309503723100_ref0052","doi-asserted-by":"publisher","first-page":"567","DOI":"10.1016\/j.ijinfomgt.2010.08.007","article-title":"Collaborative risk method for information security management practices: a case context within Turkey","volume":"30","author":"Ozkan","year":"2010","journal-title":"International Journal of Information Management"},{"key":"2025081309503723100_ref0053","first-page":"1234","article-title":"General drawing of the integrated framework for security governance","volume-title":"International Conference on Knowledge-Based and Intelligent Information and Engineering Systems, LNCS","author":"Park","year":"2006"},{"key":"2025081309503723100_ref0054a","volume-title":"Normal Accidents: Living with High-Risk Technologies","author":"Perrow","year":"1999","edition":"2nd ed."},{"issue":"8","key":"2025081309503723100_ref0054","doi-asserted-by":"publisher","first-page":"638","DOI":"10.1016\/j.cose.2004.10.006","article-title":"A framework for the governance of information security","volume":"23","author":"Posthumus","year":"2004","journal-title":"Computers and Security"},{"issue":"4","key":"2025081309503723100_ref0055","doi-asserted-by":"publisher","first-page":"441","DOI":"10.1007\/s12553-017-0195-1","article-title":"Personal control of privacy and data: Estonian experience","volume":"7","author":"Priisalu","year":"2017","journal-title":"Health and Technology"},{"key":"2025081309503723100_ref0056","unstructured":"PWC (2017), \u201cConsumer intelligence series: Protect.me, an in-depth look at what consumers want, what worries them, and how companies can earn their trust \u2013 and their business\u201d, available at: www.pwc.com\/us\/en\/advisory-services\/publications\/consumer-intelligence-series\/protect-me\/cis-protect-me-findings.pdf"},{"issue":"6","key":"2025081309503723100_ref0057","doi-asserted-by":"publisher","first-page":"798","DOI":"10.3217\/jucs-018-06-0798","article-title":"A systematic review of information security governance frameworks in the cloud computing environment","volume":"18","author":"Rebollo","year":"2012","journal-title":"J. Ucs"},{"issue":"10","key":"2025081309503723100_ref0058","doi-asserted-by":"publisher","first-page":"2233","DOI":"10.1093\/comjnl\/bxu141","article-title":"ISGcloud: a security governance framework for cloud computing","volume":"58","author":"Rebollo","year":"2015","journal-title":"The Computer Journal"},{"key":"2025081309503723100_ref0059","doi-asserted-by":"publisher","first-page":"44","DOI":"10.1016\/j.infsof.2014.10.003","article-title":"Empirical evaluation of a cloud computing information security governance framework","volume":"58","author":"Rebollo","year":"2015","journal-title":"Information and Software Technology"},{"issue":"9","key":"2025081309503723100_ref0060","first-page":"97","article-title":"A survey on digital world opportunities and challenges for user\u2019s privacy","volume":"4","author":"Romansky","year":"2017","journal-title":"International Journal on Information Technologies and Security (Bulgaria)"},{"issue":"2","key":"2025081309503723100_ref0061","first-page":"12","article-title":"The board's role in managing cybersecurity risks","volume":"59","author":"Rothrock","year":"2018","journal-title":"MIT Sloan Management Review"},{"issue":"1","key":"2025081309503723100_ref0062","doi-asserted-by":"publisher","first-page":"56","DOI":"10.1016\/j.cose.2006.10.008","article-title":"Organisational security culture: extending the end-user perspective","volume":"26","author":"Ruighaver","year":"2007","journal-title":"Computers and Security"},{"issue":"5","key":"2025081309503723100_ref0063","doi-asserted-by":"publisher","first-page":"1205","DOI":"10.1007\/s10796-016-9648-8","article-title":"Economic valuation for information security investment: a systematic literature review","volume":"19","author":"Schatz","year":"2017","journal-title":"Information Systems Frontiers"},{"issue":"2","key":"2025081309503723100_ref0064","doi-asserted-by":"publisher","first-page":"1","DOI":"10.4018\/IJEIS.2018040101","article-title":"Corporate information security investment decisions: a qualitative data analysis approach","volume":"14","author":"Schatz","year":"2018","journal-title":"International Journal of Enterprise Information Systems (Systems)"},{"key":"2025081309503723100_ref0065","doi-asserted-by":"crossref","DOI":"10.24251\/HICSS.2017.738","article-title":"Communication barriers in the decision-making process: system language and system thinking","author":"Schinagl","year":"2017"},{"key":"2025081309503723100_ref0066","volume-title":"Think Technology: Towards an Orientation of IT Auditing","author":"Shahim","year":"2017"},{"issue":"9","key":"2025081309503723100_ref0067","doi-asserted-by":"publisher","first-page":"1357","DOI":"10.1177\/0018726709339117","article-title":"Normal accident theory versus high reliability theory: a resolution and call for an open systems view of accidents","volume":"62","author":"Shrivastava","year":"2009","journal-title":"Human Relations"},{"issue":"5","key":"2025081309503723100_ref0068","doi-asserted-by":"publisher","first-page":"267","DOI":"10.1016\/j.im.2008.12.007","article-title":"Information security management standards: problems and solutions","volume":"46","author":"Siponen","year":"2009","journal-title":"Information and Management"},{"issue":"2","key":"2025081309503723100_ref0069","doi-asserted-by":"publisher","first-page":"215","DOI":"10.1016\/j.ijinfomgt.2015.11.009","article-title":"Information security management needs more holistic approach: a literature review","volume":"36","author":"Soomro","year":"2016","journal-title":"International Journal of Information Management"},{"issue":"5","key":"2025081309503723100_ref0070","doi-asserted-by":"publisher","first-page":"494","DOI":"10.1108\/ICS-07-2016-0054","article-title":"Information security management and the human aspect in organizations","volume":"25","author":"Stewart","year":"2017","journal-title":"Information and Computer Security"},{"key":"2025081309503723100_ref0071","first-page":"43","article-title":"Information security governance: a case study of the strategic context of information security","author":"Tan","year":"2017"},{"issue":"1","key":"2025081309503723100_ref0072","doi-asserted-by":"publisher","first-page":"69","DOI":"10.1016\/j.cose.2004.10.005","article-title":"Information security obedience: a definition","volume":"24","author":"Thomson","year":"2005","journal-title":"Computers and Security"},{"issue":"2133","key":"2025081309503723100_ref0073","doi-asserted-by":"publisher","DOI":"10.1098\/rsta.2018.0083","article-title":"Algorithms that remember: model inversion attacks and data protection law","volume":"376","author":"Veale","year":"2018","journal-title":"Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences"},{"issue":"4","key":"2025081309503723100_ref0074","doi-asserted-by":"publisher","first-page":"361","DOI":"10.1080\/10580530701586136","article-title":"An information security governance framework","volume":"24","author":"Veiga","year":"2007","journal-title":"Information Systems Management"},{"issue":"3","key":"2025081309503723100_ref0075","doi-asserted-by":"crossref","first-page":"215","DOI":"10.1016\/S0167-4048(01)00305-4","article-title":"Corporate governance and information security","volume":"20","author":"Von Solms","year":"2001","journal-title":"Computers and Security"},{"issue":"6","key":"2025081309503723100_ref0076","doi-asserted-by":"crossref","first-page":"504","DOI":"10.1016\/S0167-4048(01)00608-3","article-title":"Information security \u2013 a multidimensional discipline","volume":"20","author":"Von Solms","year":"2001","journal-title":"Computers and Security"},{"issue":"2","key":"2025081309503723100_ref0077","doi-asserted-by":"publisher","first-page":"99","DOI":"10.1016\/j.cose.2005.02.002","article-title":"Information security governance: COBIT or ISO 17799 or both?","volume":"24","author":"Von Solms","year":"2005","journal-title":"Computers and Security"},{"issue":"3","key":"2025081309503723100_ref0078","doi-asserted-by":"publisher","first-page":"165","DOI":"10.1016\/j.cose.2006.03.004","article-title":"Information security\u2013the fourth wave","volume":"25","author":"Von Solms","year":"2006","journal-title":"Computers and Security"},{"issue":"4","key":"2025081309503723100_ref0079","doi-asserted-by":"publisher","first-page":"271","DOI":"10.1016\/j.cose.2005.04.004","article-title":"From information security too business security?","volume":"24","author":"Von Solms","year":"2005","journal-title":"Computers and Security"},{"issue":"1","key":"2025081309503723100_ref0080","doi-asserted-by":"publisher","first-page":"2","DOI":"10.1108\/ICS-04-2017-0025","article-title":"Cybersecurity and information security\u2013what goes where?","volume":"26","author":"Von Solms","year":"2018","journal-title":"Information and Computer Security"},{"issue":"6","key":"2025081309503723100_ref0081","doi-asserted-by":"publisher","first-page":"408","DOI":"10.1016\/j.cose.2006.07.005","article-title":"Information security governance: a model based on the direct\u2013control cycle","volume":"25","author":"Von Solms","year":"2006","journal-title":"Computers and Security"},{"issue":"7","key":"2025081309503723100_ref0082","doi-asserted-by":"publisher","first-page":"494","DOI":"10.1016\/j.cose.2006.08.013","article-title":"Information security governance: due care","volume":"25","author":"Von Solms","year":"2006","journal-title":"Computers and Security"},{"key":"2025081309503723100_ref0089","first-page":"81","article-title":"Organizing for high reliability: processes of collective mindfulness","volume-title":"Research in Organizational Behavior","author":"Weick","year":"2008"},{"issue":"1","key":"2025081309503723100_ref0083","doi-asserted-by":"publisher","first-page":"4","DOI":"10.1108\/09685220910944722","article-title":"An integrated view of human, organizational, and technological challenges of IT security management","volume":"17","author":"Werlinger","year":"2009","journal-title":"Information Management and Computer Security"},{"issue":"4","key":"2025081309503723100_ref0084","doi-asserted-by":"publisher","first-page":"341","DOI":"10.1007\/s12525-013-0137-3","article-title":"Information security governance practices in critical infrastructure organizations: a socio-technical and institutional logic perspective","volume":"23","author":"Williams","year":"2013","journal-title":"Electronic Markets"},{"key":"2025081309503723100_ref0085","doi-asserted-by":"publisher","first-page":"57","DOI":"10.1016\/j.dss.2016.09.008","article-title":"Governing the fiduciary relationship in information security services","volume":"92","author":"Wu","year":"2016","journal-title":"Decision Support Systems"},{"issue":"1","key":"2025081309503723100_ref0086","doi-asserted-by":"publisher","first-page":"34","DOI":"10.17705\/1CAIS.02434","article-title":"Current state of information security research in IS","volume":"24","author":"Zafar","year":"2009","journal-title":"Communications of the Association for Information Systems"},{"issue":"1","key":"2025081309503723100_ref0087","doi-asserted-by":"publisher","first-page":"161","DOI":"10.2298\/CSIS140205086C","article-title":"Security in cloud computing: a mapping study","volume":"12","author":"Zapata","year":"2017","journal-title":"Computer Science and Information Systems"},{"key":"2025081309503723100_ref0088","volume-title":"The Motivation to Work","author":"Herzberg","year":"1993"}],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-02-2019-0033\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/ics\/article-pdf\/28\/2\/261\/10066849\/ics-02-2019-0033.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/www.emerald.com\/ics\/article-pdf\/28\/2\/261\/10066849\/ics-02-2019-0033.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,13]],"date-time":"2025-08-13T13:50:46Z","timestamp":1755093046000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.emerald.com\/ics\/article\/28\/2\/261\/1274394\/What-do-we-know-about-information-security"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,1,25]]},"references-count":91,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2020,6,8]]}},"URL":"https:\/\/doi.org\/10.1108\/ics-02-2019-0033","relation":{},"ISSN":["2056-4961","2056-497X"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-497X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,1,25]]}}}