Governing Information Security: Governance Domains and Decision Rights Allocation Patterns

Governing Information Security: Governance Domains and Decision Rights Allocation Patterns

Yu ’Andy’ Wu (University of North Texas, USA) and Carol Stoak Saunders (University of Central Florida, USA)
Copyright: © 2011 |Pages: 18
DOI: 10.4018/irmj.2011010103
OnDemand PDF Download:
No Current Special Offers


Governance of the information security function is critical to effective security. In this paper, the authors present a conceptual model for security governance from the perspective of decision rights allocation. Based on Da Veiga and Eloff’s (2007) framework for security governance and two high-level information security documents published by the National Institute of Standards and Technology (NIST), the authors present seven domains of information security governance. For each of the governance domains, they propose a main decision type, using the taxonomy of information technology decisions defined by Weill and Ross (2004). This framework recommends the selection of decision rights allocation patterns that are proper to those decision types to ensure good security decisions. As a result, a balance can be achieved between decisional authority and responsibility for information security.
Article Preview


Increasingly, the advantages of information technology (IT) governance are being recognized. Good IT governance can promote empowerment and control of IT professionals. Decision making authority as an area of IT governance has been examined by some researchers (e.g., Grover, Henry, & Thatcher, 2007; Weill, 2004; Weill & Ross, 2004). However, more scrutiny is needed of the extension of governance concepts to information security. For instance, Grover et al. (2007) do not specifically address security and Weill and Ross (2004) treat “security and risk” simply as a cluster in “IT infrastructure services.” This classification reflects the traditional view of information security as a mere technical issue. Fresh considerations of information security call for a more fine-grained treatment of governance of security decisions. In particular, while some decisions have a clear technology orientation, others must address strategic, business-oriented goals. Still others lie somewhere in between. None can be ignored.

To aid the study and practice of information security governance, we propose a conceptual governance framework (Figure 1). It specifically deals with security decision rights and is based on the synthesis of a number of relevant concepts, principles, and taxonomies: (a) The concept of “structures of responsibilities” in information security (Backhouse & Dhillon, 1996); (b) The principle of harmonizing responsibility (accountability) with commensurate decision authority (Grover et al., 2007); (c) The principle of giving decision authority to the organizational unit with the best information for the decision (Galbraith, 1973, 1993; Simon, 1960); (d) A taxonomy of IT decision types (Weill, 2004; Weill & Ross, 2004); (e) A taxonomy of key domains in information security derived from Da Veiga and Eloff (2007) and two high-level information security documents published by the National Institute of Standards and Technology (NIST), SP 800-35 and SP 800-100; and (f) The tested practice of applying patterns to recurrent problems (Schumacher, Fernandez-Buglioni, Hybertson, Buschmann, & Sommerlad, 2006; Weill, 2004; Weill & Ross, 2004).

Figure 1.

Information Security Governance Model


In the following sections, we elaborate on each of these as we build our information security governance framework. Tables 1 and 2 summarize its major components.

Table 1.
Weill and Ross (2004) Governance archetypes
ArchetypeDecision Rights Allocation MechanismsInteraction Pattern Between Business Management and IT Departments
Business monarchySenior business executives make IT decisions for the entire enterprise. The IT executive is considered as one voice in the decision making.Business executives make decisions about IT. The enterprise IT head, the CIO, is an equal partner with other executives.
IT monarchyIT professionals make the IT decisions.IT monarchy may be implemented in different flavors, involving IT professionals at enterprise IT function or business unit IT function to variable degrees.
FeudalBusiness unit management makes IT decisions.IT function may implement these decisions at the enterprise or business unit level.
FederalBoth the enterprise and business unit leaders are involved in making IT decisions.Either enterprise IT function or business unit IT function or both can be involved in decision making.
IT duopolyDecisions are made by the duo of IT executives and either enterprise business executives or business unit leaders.This archetype also incarnate in one of these two forms:
(a) “Bicycle wheel” with the enterprise IT function sitting at the hub. Sitting at the rim are the business units, each of which forms a spoke together with the hub; or
(b) “T” arrangement, with the enterprise IT head having overlapping memberships in an executive committee and an IT committee.
AnarchyNo IT governance.

Complete Article List

Search this Journal:
Open Access Articles
Volume 35: 4 Issues (2022): 3 Released, 1 Forthcoming
Volume 34: 4 Issues (2021)
Volume 33: 4 Issues (2020)
Volume 32: 4 Issues (2019)
Volume 31: 4 Issues (2018)
Volume 30: 4 Issues (2017)
Volume 29: 4 Issues (2016)
Volume 28: 4 Issues (2015)
Volume 27: 4 Issues (2014)
Volume 26: 4 Issues (2013)
Volume 25: 4 Issues (2012)
Volume 24: 4 Issues (2011)
Volume 23: 4 Issues (2010)
Volume 22: 4 Issues (2009)
Volume 21: 4 Issues (2008)
Volume 20: 4 Issues (2007)
Volume 19: 4 Issues (2006)
Volume 18: 4 Issues (2005)
Volume 17: 4 Issues (2004)
Volume 16: 4 Issues (2003)
Volume 15: 4 Issues (2002)
Volume 14: 4 Issues (2001)
Volume 13: 4 Issues (2000)
Volume 12: 4 Issues (1999)
Volume 11: 4 Issues (1998)
Volume 10: 4 Issues (1997)
Volume 9: 4 Issues (1996)
Volume 8: 4 Issues (1995)
Volume 7: 4 Issues (1994)
Volume 6: 4 Issues (1993)
Volume 5: 4 Issues (1992)
Volume 4: 4 Issues (1991)
Volume 3: 4 Issues (1990)
Volume 2: 4 Issues (1989)
Volume 1: 1 Issue (1988)
View Complete Journal Contents Listing