Information Security Governance Arrangements: The Devil is in the Details

Information security governance includes the governance aspect, which sets the information security direction and strategy of an organization, and, the management aspect, which addresses how the strategy is implemented and managed. In this article, we focus on the management aspect of information security governance. Different organizational arrangements (i.e., governance arrangements) are possible to manage and implement the security strategy. One arrangement involves the creation of an information security department with a chief information security officer (CISO), or equivalent, to highlight the importance of security. Unfortunately, this may also create the impression that security is the responsibility of a special group and has little to do with the average employee. At the other extreme, no special security department is created. Instead, all employees have a significant role in maintaining information security in the organization. Such an arrangement may be more suited to implement guidelines, which suggest that security features are better built into business processes and software, rather than incorporated as an add-on layer. This arrangement diffuses the responsibility for security, and has the potential for diluting top management attention to security. In this research-in-progress paper, we propose a study to examine the effects of different governance arrangements.