Abstract
The main findings indicate that the existing literature on Information Security Governance (ISG) primarily focuses on "what" to implement, rather than providing guidance on "how" to do it. Another finding is the lack of emphasis on methods to gain oversight of the information security posture (ISP). This study highlights the inconsistent interpretation of ISP within the literature, which typically adopts an information security perspective rather than a holistic approach. To address this gap, this study proposes a new, holistic definition and conceptualisation of ISP and provides ideas on how to organise an ISG program. Additionally, the study introduces strategies for assessing and managing positive risks, which deviate from the conventional emphasis on threats or "what can go wrong," thereby supporting a holistic approach to information security. Furthermore, this study analyses existing research on the communication and reporting of information security activities. The main findings emphasise the significance of effective communication with the business, using a business language. However, there is limited discussion on how to learn this language. To bridge this gap, this study presents a theoretical framework for learning Business Language for Information Security (BLIS), together with a published textbook as a resource for learning these domains.
List of papers
Paper I. Tran, Dinh Uy and Jøsang, Audun. "Information Security Posture to Organize and Communicate the Information Security Governance Program". In: Proceedings of the 18th European Conference on Management Leadership and Governance (2022), pp. 515–522. DOI: 10.34190/ecmlg.18.1.729. The article is included in the thesis. Also available at: https://doi.org/10.34190/ecmlg.18.1.729
Paper II. Tran, Dinh Uy. "Informasjonssikkerhetsledelse - En holistisk tilnærming". Published by Cappelen Damm Akademisk, ISBN 978-82-02-75464-8. 236 pp. The book is not available in DUO due to publisher restrictions.
Paper III. Tran, Dinh Uy and Jøsang, Audun. "Business Language for Information Security". In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2023. IFIP Advances in Information and Communication Technology, vol 674. Springer, Cham, pp. 57–68. DOI: 10.1007/978-3-031-38530-8_14. The article is included in the thesis. Also available at: https://doi.org/10.1007/978-3-031-38530-8_14
Paper IV. Tran, Dinh Uy and Selnes, Sigrid Haug and Jøsang, Audun and Hagen, Janne Merete (2024). "An Opportunity-Based Approach to Information Security Risk". In: Katsikas, S., et al. (eds) Computer Security. ESORICS 2023 International Workshops. ESORICS 2023. Lecture Notes in Computer Science, vol 14399. Springer, Cham. DOI: 10.1007/978-3-031-54129-2_1. (Presented at the 4th International Workshop on Cyber-Physical Security for Critical Infrastructures Protection (CPS4CIP 2023).) The article is included in the thesis. Also available at: https://doi.org/10.1007/978-3-031-54129-2_1