Governance in Information Systems and Cybersecurity

In a world where technology is as omnipresent as it is in ours, cybersecurity and information systems fields are booming. The topic at hand is governance or management as it applies to information systems and cybersecurity. While the popular research journals, such as Management Information Systems Quarterly and Information Systems Management, naturally have articles on the topic, it would be pertinent to synthesize and review the common threads in these journals.

Monthly Information Systems Quarterly has a wealth of information on cybersecurity and information systems. When determining the key issues in the cybersecurity and information systems fields in 1987, Brancheau and Wetherbe’s study found that “improving strategic planning was ranked first in importance” (25). Other items of interest included using information systems for competitive advantages, facilitating organizational learning, and increasing the role and contribution of information systems. More recent studies show that research is still being done to determine what to focus on. Chiasson and Davidson hold that the type of industry involved with information systems is often ignored, saying that of the research articles they examined in their study, “most (58 percent) did not identify an industry in which the study was conducted” (592). In other words, they identified a gap in the research. Reich and Bensabat’s study provides a way of tying the research together by researching measurements of linkage between business and information technology objectives along a social dimension, with the researchers concluding that understanding of current objectives and similarity in visions for IT among executives were workable measures for that linkage (72). There is more research on social-like dimensions of information systems than simply the connection between executives, however. Von Alan et al. mentioned that behavioral science and design science both inform the creation of information systems frameworks, though the focus is on creating tools for aiding information systems processes (75). Wade and Hulland similarly note that the field draws upon social concepts and sciences (107). Further breaking down the processes needed to understand information systems governance is the idea of factors outside the final decision maker in a governance framework. Xue et al. noted that “governance of the pre-decision initiation and development stages is found to be jointly affected by several contextual factors,” (67) with those factors relating to a concept called IT monarchy, a type of separation of IT decision making from other decision making areas. It should be noted that even though that separation has been pinpointed, other studies point to other factors impacting governance and decision making in a similar way (Sambamurthy and Zmud 261). All of the above studies coalesce in a common thread of a certain amount of common understanding being needed when setting up governance frameworks, whether the understanding is between IT executives and business executives or between executives and the industry itself.

Information Systems Management is another journal with a breadth of information on the cybersecurity and information systems fields. It keeps readers abreast of new developments in information technology. While there is information on implementation of governance, it may be wise to observe a model of governance first. Peterson’s study ran through the various capabilities of IT governance before concluding with an assessment model for the effectiveness of IT governance. On a top-down level, the model “distinguishes between the organizations IT value drivers and the organizations IT value realization,” (19) while on a horizontal level the model outlines aspects of the architecture of IT governance. Said architecture pertains to who has what responsibilities in decision making and what integration mechanisms coordinate the governance. On the topic of implementation, De Haes et al. conducted a study on the implementation of governance and noted that “some of the addressed practices [were] perceived as being more effective or easy to implement than others” (128). Those practices included IT steering committees and CIOs reporting to COOs/CEOs. Conversely, benefits management and reporting, along with chargeback arrangements, were considered highly effective but difficult to implement. De Haes would later go on to examine the practices directly through the Dutch airline KLM with a different group (De Haes and Van Grembergen 109). Other studies, meanwhile, focused on the effectiveness and components of what was implemented in itself. Simonsson et al., when analyzing the relationship between the internal structure of an IT organization (“IT governance maturity”) and the impact of that structure of the external business (“IT governance performance”), found that “the results… [confirmed] the hypotheses of a positive correlation between IT governance maturity and IT governance performance” (10). On the other hand, the maturity of project management and service level management showed little to no correlation with IT governance performance, possibly indicating a disconnection between those types of management with IT governance. Reinforcing the point is a study that finds that IT executives’ managerial capabilities allow for achieving stronger adaptability (Heart et al. 42). It would seem that Information Systems Management’s information is more directly related to governance itself than MIS Quarterly’s is, given its focus on performance, implementation, and other practical aspects.

Before proceeding, it should be noted that there is a thread of research on the generalizability of information systems field findings. It is entirely possible that the idea of information systems governance can generalize to national information infrastructure and development in this way. Indeed, a study in the European Journal of Information Systems posits that point (Meso et al. 52). Williams and Karahanna similarly apply findings in the field to federated information technology governance through the lens of critical realism, hunting for causal explanations for phenomena (933). Application and generalization in the field appear to be items of note for future research.

There is one aspect of the topic that has been missing throughout this entire review. There has been a great deal of focus on information systems governance, with little to nothing about cybersecurity governance. The overall focus is largely on information systems. That is not to say that cybersecurity governance is completely missing from the literature, but it seems to have been neglected somewhat. Culnan and Williams, in MIS Quarterly, hold that building a company culture of integrity could aid cybersecurity governance, arguing that “organizations have a moral responsibility to [consumers] to avoid causing harm” due to consumers’ lack of control over their own information (673). An element of company compliance comes into the picture here, and that seems to be a recurring element in the literature. Goo et al. created a proposal focusing on the importance of service level agreements to governance, stating, “well-developed SLAs not only provide a way to measure the service provider’s performance but also enable effective management of outsourcing engagements through the development of partnership-style relationships” (119-120). Service level agreements imply a level of company compliance needed to execute the agreement. Such implications indirectly invoke the moral responsibility that Culnan and Williams mentioned when it comes to the concept of integrity. Meanwhile, in the 2014 SIM IT Key Issues and Trends Study, a kind of movement towards being business-focused is noted. Kappelman et al. mention that “[IT organizations’] focus is shifting away from tactical and operational IT issues like efficiency… to more strategic and organizational priorities like business agility, innovation… and the value of IT to the business” (237). The focus shift pertains to cybersecurity in that, when the focus is on organizational priorities and not operational ones, there is room to focus on the moral issues pertaining to governance. A study of IT governance at Intel displays similar themes of transition from pure risk containment through restriction to a balance between protecting data and making it available for decision making (Tallon et al. 189). The research on cybersecurity governance seems to be fixed on internal structures and concepts, which raises a question of what other concepts revolve around cybersecurity governance.

In summation, information systems governance is a concept that is well researched. Its neighboring concept, cybersecurity governance, is less supported in the research, and the general lack of studies on the concept leaves many questions unanswered. The amount of potential directions for future research is staggering due to that lack of study, though that is not to say that the field is left directionless by a paucity of information. Providing a few suggestions for future research may not be amiss. Perhaps examining the external factors of cybersecurity governance so that the research is not focused entirely on internal and moral obligations would be a decent future research path. An alternative could be studying the factors that are not shared between cybersecurity and information systems governance as a method of differentiating the two and highlighting what concepts need to be focused on in both fields. With the way the information intertwines, the fields seem to be flourishing together, and more information on cybersecurity governance is bound to arrive.

(Table 1 omitted for preview. Available via download)

Works Cited

Brancheau, James C., and James C. Wetherbe. "Key issues in information systems management." MIS Quarterly, 1987, pp. 23-45.

Chiasson, Mike W., and Elizabeth Davidson. "Taking industry seriously in information systems research." MIS Quarterly, 2005, pp. 591-605.

Culnan, Mary J., and Cynthia Clark Williams. "How ethics can enhance organizational privacy: lessons from the choicepoint and TJX data breaches." Mis Quarterly (2009): 673-687.

De Haes, Steven, and Wim Van Grembergen. "An exploratory study into IT governance implementations and its impact on business/IT alignment." Information Systems Management, vol. 26, no. 2, 2009, pp. 123-137.

De Haes, Steven, et al. "KLM's enterprise governance of IT journey: From managing IT costs to managing business value." MIS Quarterly Executive vol. 10, no. 3, 2011.

Goo, Jahyun, et al. "The role of service level agreements in relational management of information technology outsourcing: an empirical study." MIS Quarterly, 2009, pp. 119-145.

Heart, Tsipi, Hanan Maoz, and Nava Pliskin. "From governance to adaptability: The mediating effect of IT executives' managerial capabilities." Information Systems Management vol. 27, no. 1, 2010, pp. 42-60.

Kappelman, Leon, et al. "The 2014 SIM IT key issues and trends study." MIS Quarterly Executive vol. 13, no. 4, 2014, pp. 237-263.

Meso, Peter, et al. "Information infrastructure, governance, and socio-economic development in developing countries." European Journal of Information Systems vol. 18, no. 1, 2009, pp. 52-65.

Peterson, Ryan. "Crafting information technology governance." Information Systems Management vol. 21, no. 4, 2004, pp. 7-22.

Reich, Blaize Horner, and Izak Benbasat. "Measuring the linkage between business and information technology objectives." MIS Quarterly, 1996, pp. 55-81.

Sambamurthy, Vallabhajosyula, and Robert W. Zmud. "Arrangements for information technology governance: A theory of multiple contingencies." MIS Quarterly, 1999, pp. 261-290.

Simonsson, Mårten, Pontus Johnson, and Mathias Ekstedt. "The effect of IT governance maturity on IT governance performance." Information Systems Management vol. 27, no. 1, 2010, pp. 10-24.

Tallon, Paul P., James E. Short, and Malcolm W. Harkins. "The Evolution of Information Governance at Intel." MIS Quarterly Executive vol. 12, no. 4, 2013, pp.

Von Alan, R. Hevner, et al. "Design science in information systems research." MIS quarterly vol. 28, no. 1, 2004, pp. 75-105.

Wade, Michael, and John Hulland. "The resource-based view and information systems research: Review, extension, and suggestions for future research." MIS quarterly vol. 28, no. 1, 2004, pp. 107-142.

Williams, Clay K., and Elena Karahanna. "Causal explanation in the coordinating process: A critical realist case study of federated IT governance structures." Mis Quarterly, 2013, pp. 933-964.

Xue, Yajiong, Huigang Liang, and William R. Boulton. "Information technology governance in information technology investment decision processes: The impact of investment characteristics, external environment, and internal context." Mis Quarterly, 2008, pp. 67-96.