A Model of Information Security Governance for E-Business
United States, where the Sarbanes-Oxley (SOX)
Act aims to restore investor confidence
in U.S. markets by imposing codes of conduct
on corporations. The concept of corporate governance is much quoted as "the system by which
companies are directed and controlled" (Cadbury,
1992, p.15). The corporate governance structure,
therefore, specifies the distribution of rights and
responsibilities among different participants in
the corporation, such as the board of directors
and management. By doing this, it provides the
structure by which the company objectives are
set and the means of attaining those objectives
and monitoring performance.
Corporate governance includes concerns for
information technology governance because
without effective information management, those
charged with corporate responsibilities would not
be able to perform effectively. eWeek (2004) makes
the case for IT professionals to take a leading role in
corporate governance since they have control over
the processes underpinning governance activities.
They mention the example of the human resource
database providing information about employees’
compensation which, if the information is properly
monitored, could provide an early indication of
malpractice. This means that IT functions need
to be secure so that "business data is not altered
by unscrupulous hands” (eWeek, 2004, p. 40).
With business increasingly utilising modern
digital technology in a variety of ways, effective
information security governance has, therefore,
become a key part of corporate governance.
In this chapter, the role of corporate gover-
nance in relation to the security of information
technology and information and communications
technology (ICT) will be examined. Current
developments and models such as those offered
by the IT Governance Institute and Standards
Australia will be outlined and the current lack of
model development in extending the governance
concept to information security in today’s world
of e-business will be identified and discussed. The
purpose of the chapter is thus to develop a model
that aligns IT governance with security manage-
ment in an e-business environment through a
review of existing approaches and synthesis of
concepts and principles.
NEED FOR GOVERNANCE
The case of Enron® exemplifies the need for effective corporate governance. Enron®'s downfall
was brought about, as described in broad terms by
Zimmerman (2002) in USA TODAY®, by "over-
aggressive strategies, combined with personal
greed.” He believes that there were two main
causes for this failure: first, breakdowns caused
by ignored or flawed ethics and second, "Board
of directors failed their governance.” He recom-
mends that in order to keep this from happening
again, corporate governance should no longer
be treated as "soft stuff" but rather as the "hard
stuff” like product quality and customer service.
He quotes Business Week® of August 19-26, 2002
when he concludes that "a company's viability
now depends less on making the numbers at any
cost and more on the integrity and trustworthiness
of its practices.” In other words, good corporate
governance.
The term corporate governance is often used
synonymously with the term enterprise gover-
nance since they are similar in scope as can be seen
from the following definitions. They both apply to
the role and responsibilities of management at the
highest level in the organisation. An example of a
framework for enterprise governance is one that
is provided by the Chartered Institute of Manage-
ment Accountants (CIMA) and the International
Federation of Accountants (IFAC) (2004):
[Enterprise governance is] the set of responsi-
bilities and practices exercised by the board and
executive management with the goal of providing
strategic direction, ensuring that objectives are
achieved, ascertaining that risks are managed
appropriately and verifying that the organization’s
resources are used responsibly.
The term corporate governance is used by the
Organisation for Economic Co-operation and
Development (OECD) (Brand & Boonen, 2003)
and understood to be:
the system by which business corporations are
directed and controlled. The corporate governance
structure specifies the distribution of rights and
responsibilities, among different participants in
the corporation such as board, managers, share-
holders and other stakeholders and spells out the
rules and procedures for making decisions on
corporate affairs. By doing this, it also provides
the structure by which the company objectives are
set and the means of attaining those objectives and
monitoring performance. (pp. 15-16)
The above definitions not only reveal common-
ality but also emphasize two dimensions, namely,
conformance and performance. Conformance
focuses on structure such as the existence of the
board and executive management, who in turn
communicate their perceptions of corporate objec-
tives. Performance, on the other hand, provides
expectations about the achievement of corporate
objectives and is associated with activities such
as risk management, resource utilisation, and
performance measurement. It could be argued
that the former has a greater corporate orientation
as it has a leadership role, unlike the latter that is
linked to the execution of business activities and
has more an operational orientation and could be
termed business governance.
IT systems contribute to the performance
dimension of the organisation as they support the
organisational processes by delivering IT services.
They are, therefore, most closely linked with the
business governance component of the above di-
chotomy. However, as IT is increasingly becoming
an integral part of business, the responsibility for
IT becomes part of the responsibility of the board
of directors, and thereby also very much part of the
conformance aspects of governance. The latter is
much broader in scope, implying greater strategic
and diligence responsibilities on the part of the
board and executive management.
Figure 1 shows how the enterprise governance
framework extends to IT governance through the
influences of corporate and business governance
as outlined above. The two levels interact with IT
governance as follows: the key role for corporate
governance is to provide strategic objectives and
their monitoring, while business governance pro-
vides control and assessment of the operational
activities of IT. Both are required to make IT play
its intended role for the organisation.
Figure 1. IT governance and enterprise governance
The following section provides a more detailed
examination of IT governance by examining the
perspectives of a professional, government, and
research body. This will explain in more depth
the interaction between IT governance with the
higher levels of governance as well as the scope
of IT governance itself. With regard to the lat-
ter, attention will be given to IT security within
IT governance in line with the objectives of the
chapter.
IT GOVERNANCE
Perspectives on IT governance from three sig-
nificant institutions in this field are examined
below: they are the IT Governance Institute,
Standards Australia (SA), and National Cyber
Security Partnership. The analysis focuses on the
activities of IT governance and the integration
of IT security in the respective frameworks in
order to synthesise these views later into a model
of information security governance.
ITGI® (2001) argued that executives are getting
more and more dependent on information technol-
ogy to run their businesses. Hence, IT governance
is defined by the Institute as:
the responsibility of the board of directors and
executive management. It is an integral part of
enterprise governance and consists of the leader-
ship and organisational structures and processes
that ensure that the organization’s IT sustains
and extends the organization’s strategies and
objectives. (p.10)
According to ITGI®, IT governance has as
its main purposes the achievement of strategic
alignment, value delivery, risk management, and
performance management. The question of IT
security is addressed by providing emphasis to
risk management, as it is realised that with IT’s
benefits and opportunities comes greater risk.
Mechanisms, therefore, are required to exercise
control over the use of IT in order to cope with
these risks. Risk management is perceived as the
appropriate management of threats relating to IT,
addressing the safeguarding of IT assets, disaster
recovery, and continuity of operations.
SA (2004), Australia's national standards body,
recently developed a detailed approach for ICT
governance to guide senior office-holders in
evaluating, directing, and monitoring the opera-
tions of ICT systems. They defined the
governance of ICT as:
the system by which the use of ICT is controlled.
It involves evaluating and directing the plans
for the use of ICT to support the organisation
and monitoring this use to maintain that plan. It
includes the strategy and policies for using ICT
within an organisation. (p. 6)
SA identified seven key principles of ICT gov-
ernance, namely establishing clearly understood
responsibilities for ICT, planning ICT to best
support the organisation, acquiring ICT in a cost-
beneficial manner, ensuring ICT is of the required
quality, performs when required, conforms with
formal rules, and respects human factors.
The principle "ensure ICT is of the required
quality” refers to different tasks that are part of
IT security management, such as ensuring system
availability and security from attack, theft, and
misuse of crucial business data. This also includes
the preparation of disaster recovery plans to ensure
business continuity. Additionally, it is suggested
that the organisation is able to monitor and report
all security breaches, including attacks and fraud.
Finally, accurate procedures for the measurement
of the effectiveness of security measures have
to be in place. SA advocates risk management
methods for the identification of security risk,
its evaluation, and mitigation. It is essential for
the well-being and legal compliance of the or-
ganisation that upper management is informed
about security risks and their implications while
making decisions.
The Corporate Governance Task Force of
the National Cyber Security Partnership (2004)
argued that although information security is often
considered a technical issue, it is also a gover-
nance challenge that involves risk management,
reporting, and accountability and, therefore,
requires the active engagement of executive
management. The managerial aspect of security
management is defined as information security
governance (ISG), a subset of an organisation’s
overall governance program. Within ISG, risk
management, reporting, and accountability are
considered key policies.
The National Cyber Security Partnership
(NCSP) made the topic of IT security contem-
porary by including cyber security for effective
ISG. It made a number of recommendations for
the adoption of ISG in the U.S. using the IDEAL
framework (initiating, diagnosing, establishing,
acting, and learning). Appendices of the NCSP
report provide extensive information on functions
and responsibilities, organisation and processes
for implementation, and ISG assessment tools.
While the above approaches provide an over-
view of IT governance and an acknowledgment
of its responsibilities with respect to information
security, they do not go as far as providing prescrip-
tions on how best to integrate security issues into
governance. Guidance in this respect is desirable
as IT security has become more complex with the
emergence of the e-business phenomenon.
E-BUSINESS AND SECURITY
E-business has been defined by McKay and
Marshall (2004) as:
a business that creatively and intelligently utilises
and exploits the capabilities of IT and Internet
technologies to create efficiencies, to achieve
effectiveness gains such as flexibility and respon-
siveness, and to create strategic opportunities
through competitive uses of IT to alter markets
and industry structures. (p. 5)
This type of business is a development of
e-commerce, a system that uses the Internet to
provide a new channel to conduct trade with cus-
tomers and suppliers. Further integration of ICT
into the business itself enabled value chains to be
developed with customers and suppliers. Inside
the organisation, enterprise resource planning
(ERP) software provided integration with new ap-
plications, such as supply chain management, and
between existing applications, such as accounting
and finance. With e-business, organisations have
become even more dependent on the utilisation of
ICT to create and maintain business advantages,
albeit using technologies that are different from
previous ones (e.g., the Internet).
The e-business environment can be contrasted
from the traditional IT environment in three
major ways (Fink, 2004). First, under the new
approach, systems are open while previously they
were considered closed. In other words, globally
networked systems are more accessible and open
to attack than systems kept strictly in-house
without Internet access. Second, assets are now
more virtual than tangible and more difficult to
track as networks of cooperating organisations
emerge. The assets of such organisations largely
lie in intellectual property rather than in "bricks
and mortar.” Third, in the past, emphasis was
placed on developing systems with the objective
of meeting users’ expectations, while now opera-
tions are critical since organisations are dependent
on the continued functioning of their IT systems.
For example, business is lost should the Web site
on the Internet cease to function, and customers
may never return to the site.
The new environment has created new sets of
technological risks. Technological risks, despite
the name, are largely brought about by the actions
of humans. They attract the greatest attention
when brought about maliciously. Methods of at-
tack are numerous and include viruses that can
be introduced through data obtained from the
Internet. The opportunity for hacker attacks is
provided since the Internet enables others shar-
ing the network to penetrate information systems
in an unauthorised manner. Data and messages
being forwarded on this network are potentially
subject to interception and modification while
being transmitted. Systems themselves can be
brought down by denial-of-service attacks de-
signed to prevent service requests to specific
services such as accessing a Web application on
the Internet.
In response to these concerns, e-business
should implement a system of security measures.
These measures include those that ensure the
availability of systems (to prevent system out-
ages), integrity (so that data can be relied upon
for decision making), confidentiality (to prevent
unauthorised disclosure of information), and
authenticity (verifying that users are who they
claim to be). In addition, an organisation should
implement broad security approaches, including
the use of security policy, contingency planning,
and disaster recovery. These will ensure that the
e-business continues to operate efficiently and
effectively.
MODEL FOR INFORMATION
SECURITY GOVERNANCE
Figure 2. Integration of IT governance and e-business security management
The preceding sections provided an overview
of enterprise governance and highlighted the
importance of IT governance at the corporate
(conformance) and business (performance)
levels. An overview was also provided of three
perspectives on IT governance itself. The three
approaches describe IT governance as an execu-
tive management task in which IT activities at
the highest level are strategically managed in
order to gain maximum alignment between IT
and business. At a more operational level, the role
of IT is perceived to be one of generating value
for the organisation, tempered by the need to
practice effective risk management in order to
secure the organisation from new and complex
technological and human threats.
This section proposes a model for information
security governance, shown in Figure 2. It consists
of two major components, namely, information
security governance and e-business security
management. Within the former are strategic
high-level processes (e.g., setting objectives) as
well as lower-level operational processes (e.g., IT
value delivery) that were identified in previous
discussions. However, it does not include risk
management, which performs the special function
of integrating the two major components as seen
in Figure 2. The e-business security management
component deals with security issues, again at
a high level (e.g., developing a security policy)
and at a lower level (e.g., implementing security
to ensure system availability).
The approach adopted to develop the above
model was a methodical and structured one
since the objective was to achieve overall effec-
tive information security management as part
of IT governance. The random introduction of
security software, tools, and techniques is likely
to be ineffective, as information can not be pro-
tected without considering all the activities that
impinge on security. The holistic point of view
that is required is within the broad objectives of
IT governance since "IT governance provides
the processes to develop, direct, and control IT
resources” (Korac-Kakabadse & Kakabadse,
2001, p. 1). Therefore, effective IT governance
processes and mechanisms are seen as the enablers
of a structured approach to IT management and
thus are a precondition to effective information
security governance for e-business.
IT Governance
At the highest level, IT governance does not differ
from what would be expected to take place within
enterprise governance. The governance process
starts with setting objectives for the enterprise’s
IT, thereby providing the initial direction. From
then on, a continuous loop is established for mea-
suring IT performance, comparing outcomes to
objectives, and providing redirection of activities
where necessary and a change to objectives where
appropriate. To be effective, an iterative process
is most appropriate (ITGI®, 2003).
At the more detailed level, the key missions
of IT need to be accomplished. The IT Gover-
nance Institute (2003) states that the purpose of
IT governance is to direct IT endeavours and to
ensure that IT’s performance meets the following
objectives: strategic alignment, value delivery,
risk management, and performance measurement.
Strategic alignment refers to the leveraging of
IT into business activities, while value delivery
is the exploitation of business opportunities and
the maximization of benefits by the use of IT.
The two activities are closely connected (ITGI®),
since benefits will emerge if IT is suc-
cessfully leveraged into business activities. The
performance of IT has to be managed according
to the motto "What you cannot measure you can-
not manage,” and hence a system of performance
measurement metrics is required.
As discussed in a later section, risk manage-
ment plays a significant integrating role in the
proposed model, as shown in Figure 2. Basically,
risk management integrates the management of
security measures in the governance processes of
an organisation, and consequently it can be seen
as the connecting link between IT governance
and e-business security management.
E-Business Security Management
To mitigate risk at the highest level requires the
establishment of an information security policy,
contingency planning, and the development of a
disaster recovery plan (Hong, Chi, Chao, & Tang,
2003). The purpose of a security policy is to articu-
late management’s expectations of good security
throughout the organisation. Polices should be
achievable and encourage employees to follow
them rather than viewing them as another odious
task to be performed. Contingency planning and
the disaster recovery plan should prevent an IT
disaster from becoming catastrophic. The latter
ensures that there is an arrangement to resume
normal operations within a defined period of time
after a disaster has struck.
Underpinning the high-level management
approach is a system of security measures that
should ensure that the organisation's assets — par-
ticularly its information — are protected against
loss, misuse, disclosure, or damage (ITGI®, 2001).
More specifically, Braithwaite (2002) states:
E-business security represents an accumulation
and consolidation of information processing
threats that identify the need to protect the integrity
and confidentiality of information and the need to
secure the underlying support technologies used
in the gathering, storage, processing, and delivery
of that information. (p. 1)
Measures are required to assure high levels of
availability, integrity, confidentiality, and authen-
ticity of business critical information (Halliday,
Badenhorst, & v. Solms, 1996).
• Availability: this implies a number of
requirements, such as ensuring continuing
access to systems by users and the continued
operation of the systems. A firewall gateway
helps to protect the internal, trusted systems
from attacks originating in outside, untrusted
systems, although it does not by itself guarantee
availability.
• Integrity: measures to ensure the com-
pleteness and unaltered form of data be-
ing processed in the organisation. Strong
organisational controls, such as the hiring
of competent staff and their supervision,
and application controls, such as reconcil-
ing balances between different business
applications as transactions are processed,
are required.
• Confidentiality: this ensures that data can
be read only by authorized people. In an
e-business environment, all sensitive and
confidential data should be encrypted while
it is being transmitted over networks and as
it is stored in the organisation’s databases.
• Authenticity: e-business systems enable
participants of the extended organisation
(like suppliers, employees and customers)
to be connected (Rodger, Yen, & Chou). User
identification and authentication via digital
signatures and certificates are therefore a specific
requirement for this networked business environ-
ment (Wright, 2001).
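As an added illustration of the application-control side of the integrity measure listed above (reconciling balances between different business applications as transactions are processed), the following Python example reconciles two constructed transaction feeds and reports every discrepancy as an exception. It is example code written for this page, not code from the chapter or from any of the governance frameworks it cites; the record layout, the two feeds and the sample values are assumptions made for the example.

```python
"""Application-level integrity control: reconcile the transactions recorded
by two separate business applications (here an order system and the
accounting ledger) and report every discrepancy as an exception.

Added example for this chapter, not code from the chapter or its cited
frameworks. The record layout and the sample feeds are constructed."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Txn:
    txn_id: str
    counterparty: str
    amount: Decimal  # Decimal, not float: money must reconcile to the cent


def index_by_id(records: Iterable[Txn]) -> Dict[str, Txn]:
    """Index a feed by transaction id. A duplicate id is itself an integrity
    failure (double posting), so it is rejected rather than silently merged."""
    index: Dict[str, Txn] = {}
    for rec in records:
        if rec.txn_id in index:
            raise ValueError(f"duplicate transaction id in feed: {rec.txn_id}")
        index[rec.txn_id] = rec
    return index


def reconcile(orders: Iterable[Txn], ledger: Iterable[Txn]) -> dict:
    """Compare two feeds record by record and by control total.

    Returns both control totals and a list of exception messages; an empty
    list means every transaction appears in both feeds with the same
    counterparty and amount."""
    o, l = index_by_id(orders), index_by_id(ledger)
    exceptions: List[str] = []
    for txn_id in sorted(set(o) | set(l)):
        if txn_id not in l:
            exceptions.append(f"{txn_id}: recorded in orders, missing from ledger")
        elif txn_id not in o:
            exceptions.append(f"{txn_id}: posted to ledger, no matching order")
        elif o[txn_id].amount != l[txn_id].amount:
            exceptions.append(
                f"{txn_id}: amount mismatch orders={o[txn_id].amount} "
                f"ledger={l[txn_id].amount}"
            )
        elif o[txn_id].counterparty != l[txn_id].counterparty:
            exceptions.append(
                f"{txn_id}: counterparty mismatch orders={o[txn_id].counterparty} "
                f"ledger={l[txn_id].counterparty}"
            )
    return {
        "orders_total": sum((r.amount for r in o.values()), Decimal("0")),
        "ledger_total": sum((r.amount for r in l.values()), Decimal("0")),
        "exceptions": exceptions,
    }


def run_sample() -> dict:
    """Constructed feeds: one amount altered in the ledger (75.50 -> 57.50),
    one order never posted (T004), one ledger entry with no order (T005)."""
    orders = [
        Txn("T001", "alice", Decimal("120.00")),
        Txn("T002", "bob", Decimal("75.50")),
        Txn("T003", "carol", Decimal("310.00")),
        Txn("T004", "dave", Decimal("42.25")),
    ]
    ledger = [
        Txn("T001", "alice", Decimal("120.00")),
        Txn("T002", "bob", Decimal("57.50")),
        Txn("T003", "carol", Decimal("310.00")),
        Txn("T005", "erin", Decimal("99.00")),
    ]
    return reconcile(orders, ledger)


if __name__ == "__main__":
    report = run_sample()
    print(f"orders total {report['orders_total']}, ledger total {report['ledger_total']}")
    for line in report["exceptions"]:
        print("EXCEPTION", line)
```

The control totals alone would only show that the two feeds disagree; the record-level comparison is what tells the reviewer which transaction was altered, dropped or added, which is the information the monitoring and reporting of breaches described earlier in the chapter depends on. Duplicate ids are rejected rather than merged because a double posting is itself a failure the control must surface.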
When aligning governance with security, a
number of issues emerge. They essentially focus on
incorporating governance practices into security
via effective risk management and reconciling
the conflicting objectives of value delivery and
security.
Risk Management
As observed in the preceding discussions, ef-
fective risk management is a key objective of IT
governance (ITGI®, 2004; Standards Australia,
2004) and is required to minimise the IT risks
associated with operating an e-business. In the
proposed model, it can furthermore be seen as an
integrating force, linking IT governance processes
with e-business security management. It can also
be viewed as a way of integrating security into the
processes of an organisation — an important but
also a very challenging task (McAdams, 2004).
Greenstein and Vasarhelyi (2002) define
risk as "the possibility of loss or injury" and risk
management as a methodology, which assesses
first "the potential of future events that can cause
adverse effects," and second, the implementation
of strategies that mitigate these risks in a cost-ef-
ficient way. Eloff, Labuschagne, and Badenhorst
(1993) propose a risk management life cycle and
define it as a process of risk identification, analysis,
assessment, resolution, and monitoring.
The elements of the traditional risk manage-
ment life cycle are important for e-business, but
due to e-business' inherent needs for flexibility
and responsiveness (e.g., to react to emerging
customer demands), an ongoing and more dynamic
risk management approach is required (Mann,
2004). This implies the capability to quickly
adapt IT structures, including security, to busi-
ness conditions while being able to adequately
monitor the changing risk environment. Further-
more, Internet-based technologies are subject to
rapid change in an increasingly complex threat
landscape. This may require the deployment of
a real-time risk management approach in which
risks are identified and reported as transactions
are processed in real-time (see Labuschagne &
Eloff, 2000).
Fink (2004) reviewed existing risk manage-
ment methodologies as to their suitability for
the Internet environment and found significant
shortcomings among some well-known products.
He recommended that an effective methodology
should be able to meet the following criteria:
• Comprehensive: the methodology must
cover both the technological (e.g., Internet)
and business (trading partners) scenarios of
an e-business.
• Inclusive: the methodology must cover all
types of assets (physical and virtual) and all
types of vulnerabilities and threats that can
be encountered in an e-business environ-
ment.
• Flexible: it must offer a variety of techniques
(quantitative and qualitative) that can be ap-
plied across all types of e-business models
(e.g., supply chain management, ERP).
• Relevant: the application of the methodology
should lead to the identification and success-
ful implementation of security measures
relevant to e-business (e.g., digital signatures
and certificates for trading partners).
A key aspect of risk management is making
trade-offs. For example, the greater the desired
level of security, the more administration and
control are required and the greater the tendency to
reduce the ability to access data and information.
Consequently, more security comes along with an
increased cost and a reduction in the initiatives
that employees are allowed to use in creating op-
portunities for their organisation. Hence, e-busi-
ness security might conflict with the objective of
value delivery in IT governance.
Some, however, have argued that security
can be seen as value itself. McAdams (2004),
for example, states that "an organization
could embrace security as a core value much
like customer service rather than merely as an
adjunct support activity.” Indeed, the previously
discussed objectives of e-business security man-
agement (availability, confidentiality, integrity,
and authenticity) are connected with positive
outcomes for the organisation. However, the
value resulting from security measures is finite,
as eventually additional efforts for security are not
rewarded with additional value for the business.
Hence, it is important to determine the required
level of security during risk management so as
to ensure that costs of security are balanced by
resultant benefits.
In practice, this task is difficult as the cost of
security is either unknown or difficult to measure.
This problem is demonstrated by a recent study
of Forrester Research (2004). The survey "How
much security is enough” was conducted in August
2003 among 50 security executives at organisa-
tions with more than $1 billion in revenue. The
results are illustrative of the problem: 40% of the
respondents stated that their organisation’s secu-
rity spending was improperly focused, and 42%
stated that it was inadequate for 2003. However,
60% of respondents said that they did not even
know how much security incidents cost their
businesses every year. Thus, determining the
right level of security is difficult but crucial in
order to achieve benefits from IT while adequately
managing security.
GUIDELINES FOR
IMPLEMENTATION
While the above discussions provide the theo-
retical background and rationale for the proposed
information security model, this section provides
guidelines for the organisation on how such a
model can best be implemented.
• A clear understanding needs to exist within
the organisation on the responsibilities of
governance at the enterprise level and how
IT governance integrates into this. The ap-
proach recommended for the information
security model is two-pronged, namely,
ensuring conformance via corporate gov-
ernance and performance through business
governance.
• For an e-business, information security
has become an important consideration.
The organisation has to understand the
nature and significance of current and pos-
sible future threats and risks as well as the
countermeasures that are available to an
e-business. Risk in this environment can
be of a business nature (e.g., unresponsive
trading partners) and technological nature
(e.g., malicious attacks via the Internet).
Risk is complex and specialist advice may
be required from professionals such as IT
security analysts and IT auditors.
• Risk management plays the key role in
balancing what appear to be conflicting
objectives when applying ICT, namely,
value realisation and security. A suitable
risk management methodology needs to be
acquired that recognises these two compet-
ing functions of ICT and takes into account
the characteristics of e-business. The criteria
for such a methodology were outlined in an
earlier section.
• A program of education to raise competence
and awareness should be implemented across
all levels of management to ensure that
the requirements for effective information
security governance are well understood.
Such a program should be delivered in
stages, as the concepts are complex, and
regularly reviewed in response to changes
in technology and the business environment.
By being systematic and structured, organic
management behaviour is encouraged.
• It is recommended that an adaptable and
flexible attitude be adopted during imple-
mentation in that the model needs to integrate
into the existing ICT, and organisational and
management structures. Current organisa-
tional culture and resource constraints need
to be taken into account to achieve the best
fit possible and to manage any resistance
to change successfully. For example, a new
ethos in support of governance may have to
emerge.
• Lastly, implementation progress should be
reviewed and monitored on a regular basis
applying the well accepted feedback loop.
It is recommended that a project sponsor
from senior management be identified to
guide implementation and to ensure that
the model receives strong commitment from
executive management.
CONCLUSION
This chapter has shown the need for governance
and suggested a concept for the integration of IT
governance with enterprise governance. It then
identified three major approaches to IT governance
and their management of IT security. The latter
was shown to be critical for the operation of an
e-business. Hence, a framework was developed
in which IT governance and e-business security
operate together in an integrated, structured, yet
holistic manner. The proposed model recognises
that IT governance aims to optimise the value
delivery of ICT while e-business security ensures
that identified risks are controlled in an efficient
manner. This model emphasizes the importance
of risk management as the method that links IT
governance and e-business security and thereby
resolves the often conflicting objectives of security
and value delivery.
REFERENCES
Braithwaite, T. (2002). Securing e-business sys-
tems: A guide for managers and executives. New
York: John Wiley & Sons.
Brand, K., & Boonen, H. (2004). IT governance - A
pocket guide based on COBIT. The Netherlands:
Van Haren Publishing.
Cadbury, A. (1992). Report of the committee on
the financial aspects of corporate governance.
London: The Committee on the Financial Aspects
of Corporate Governance.
CIMA/ IFAC. (2004). Enterprise governance:
Getting the balance right. Retrieved January 3,
2005, from />loads/enterprise_ governance.pdf
Eloff, J. H. P., Labuschagne, L., & Badenhorst,
K. P. (1993). A comparative framework for risk
analysis methods. Computers & Security, 12(6),
597-603.
eWeek (2004). The governance edge. 21(42), 40.
Fink, D. (2004). Identifying and managing
new forms of commerce risk and security. In
M. Khosrow-Pour (Ed.), E-commerce security
advice from experts (pp. 112-121). Hershey, PA:
CyberTech Publishing.
Forrester Research. (2004). How much security
is enough. Retrieved September 6, 2004.
Greenstein, M., & Vasarhelyi, M. A. (2002). Elec-
tronic commerce: Security, risk management, and
control (2nd ed.). Boston: McGraw-Hill.
Halliday, S., Badenhorst, K., & v. Solms, R.
(1996). A business approach to effective informa-
tion technology risk analysis and management.
Information Management & Computer Security,
4(1), 19-31.
Hong, K. S., Chi, Y. P., Chao, L. R., & Tang, J. H.
(2003). An integrated system theory of informa-
tion security management. Information Manage-
ment & Computer Security, 11(5), 243-248.
ITGI® - IT Governance Institute. (2001). Informa-
tion security governance. Retrieved September
6, 2004, from www.ITgovernance.org/resources.htm
ITGI® - IT Governance Institute. (2003). Board
briefing on IT governance. Retrieved September
6, 2004, from www.ITgovernance.org/resources.htm
ITGI® - IT Governance Institute. (2004). IT con-
trol objectives for Sarbanes-Oxley. Retrieved
September 6, 2004, from www.ITgovernance.org/resources.htm
Korac-Kakabadse, N., & Kakabadse, A. (2001).
IS/IT governance: Need for an integrated model.
Corporate Governance, 1(4), 9-11.
Labuschagne, L., & Eloff, J. H. P. (2000). Elec-
tronic commerce: The information-security