Information Security Management in High Quality IS Journals: A Review and Research Agenda
Sean Maynard, Atif Ahmad

TL;DR
This review analyzes 30 years of high-quality IS journal research on Information Security Management, highlighting trends, emerging themes, and the shift towards empirical validation, while noting gaps in organizational practice engagement.
Contribution
It provides a comprehensive review of ISM research themes, methods, and theories over 30 years, and proposes a research agenda for future studies.
Findings
Increase in ISM publications over the past decade
Shift from subjective to empirically validated research
Dominance of survey methods over case studies
Abstract
In the digital age, the protection of information resources is critical to the viability of organizations. Information Security Management (ISM) is a protective function that preserves the confidentiality, integrity and availability of information resources in organizations operating in a complex and evolving security threat landscape. This paper analyses ISM research themes, methods, and theories in high quality IS journals over a period of 30 years (up to the end of 2017). Although our review found less than 1 percent of papers to be in the area of ISM, there has been a dramatic increase in the number of ISM publications as well as new emerging themes in the past decade. Further, past trends towards subjective-argumentative papers have reversed in favour of empirically validated research. Our analysis of research methods and approaches found ISM studies to be dominated by…
Taxonomy
Topics: Information and Cyber Security · Cybercrime and Law Enforcement Studies · Digital and Cyber Forensics
