Data Driven Approaches to Cybersecurity Governance for Board Decision-Making -- A Systematic Review
Anita Modi, Ievgeniia Kuzminykh, Bogdan Ghita

TL;DR
This systematic review examines existing cybersecurity governance tools and metrics that support Boards of Directors in making informed decisions, highlights gaps in the information made understandable to them, and proposes future research directions.
Contribution
It identifies key themes and gaps in current risk measurement instruments and models, suggesting areas for developing Board-friendly cybersecurity metrics.
Findings
Limited Board-accessible cybersecurity metrics exist.
Sophisticated tools are developing but lack Board-oriented communication.
Recommendations for future theoretical and model-based support for Boards.
Abstract
Cybersecurity governance influences the quality of strategic decision-making to ensure cyber risks are managed effectively. Boards of Directors are the decision-makers held accountable for managing this risk; however, they lack the adequate and efficient information necessary for making such decisions. In addition to the myriad of challenges they face, they are often insufficiently versed in the technology or cybersecurity terminology, or not provided with the correct tools to support them in making sound decisions to govern cybersecurity effectively. A different approach is needed to ensure BoDs are clear on the approach the business is taking to build a cyber resilient organization. This systematic literature review investigates the existing risk measurement instruments, cybersecurity metrics, and associated models for supporting BoDs. We identified seven conceptual themes through literature…
Taxonomy
Topics: Information and Cyber Security · Supply Chain Resilience and Risk Management · Network Security and Intrusion Detection
