Information Security Strategy in Organisations: Review, Discussion and Future Research Directions
This work provides a foundational review and definition for information security strategy, targeting organizations like governments and corporations to improve security practices, but it is incremental as it builds on existing literature without introducing new empirical results.
The paper addresses the need for organizations to develop effective information security strategies by conducting a thematic review of academic literature, analyzing motivations for adoption, current perspectives, and potential benefits, and proposing a paradigm shift towards inter-organizational considerations.
Dependence on information, including for some of the world's largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences continue to indicate that attacks are still escalating on organisations when conducting these information-based activities. Clearly, more research is needed to better understand how organisations should formulate strategy to secure their information. Through a thematic review of academic security literature, we (1) analyse the antecedent conditions that motivate the potential adoption of a comprehensive information security strategy, (2) the current perspectives of strategy and (3) the yields and benefits that could be enjoyed post-adoption. Our contributions include a definition of information security strategy. We argue for a paradigm shift to extend from internally-focussed protection of organisation-wide information towards a strategic view that considers the inter-organisational level. Our findings are then used to suggest future research directions.