Title: A Process Model to Improve Information Security Governance in Organisations

Abstract: Information security governance (ISG) is a relatively new and under-researched topic. A review of literature shows the lack of an ISG framework or model that can help the implementation of ISG. This research aims to introduce an empirically grounded ISG process model as a practical reference to facilitate the implementation of ISG in organisations.
This research has adopted an exploratory research approach where a conceptual ISG process model was proposed based on synthesis of extant literature and detailed review of relevant frameworks and models. The conceptual ISG process model was subsequently refined based on empirical data gathered from 3 case study organisations. The refined ISG process model was finally validated in 6 expert interviews.
This research has developed an empirically grounded ISG process model identifying stakeholder groups and explaining how core ISG processes and sub-processes interact. Specifically, the research contributes by: (1) developing ISG process theory, as ISG is a series of events occurring within an organisational context; and (2) developing an information-processing perspective on ISG, as the process model identifies the information and communication flows, and the relationships among stakeholder groups. In addition, the research has: (3) empirically examined and validated the ISG process model based on how ISG is practised in real-world organisations; (4) examined corporate governance theories to provide additional perspectives to ensure that the ISG process model is aligned with corporate governance objectives; (5) identified additional factors that influence the implementation of ISG requiring further research; and finally (6) expanded existing seminal research by introducing an empirically grounded ISG process model that has been developed based on synthesis of cumulative knowledge from previous research and validated with empirical data.