Australasian Conference on Information Systems
Horne et al.
2015, Adelaide, Australia
Information Security Strategy in Organisations
Information Security Strategy in Organisations:
Review, Discussion and Future Research Directions
Craig A. Horne
Department of Computing and Information Systems
The University of Melbourne
Victoria, Australia
Email: chorne@student.unimelb.edu.au
Atif Ahmad
Department of Computing and Information Systems
The University of Melbourne
Victoria, Australia
Email: atif@unimelb.edu.au
Sean B. Maynard
Department of Computing and Information Systems
The University of Melbourne
Victoria, Australia
Email: sean.maynard@unimelb.edu.au
Abstract
Dependence on information, including for some of the world’s largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences continue to indicate that attacks on organisations conducting these information-based activities are still escalating. Clearly, more research is needed to better understand how organisations should formulate strategy to secure their information. Through a thematic review of academic security literature, we analyse (1) the antecedent conditions that motivate the potential adoption of a comprehensive information security strategy, (2) the current perspectives of strategy and (3) the yields and benefits that could be enjoyed post-adoption. Our contributions include a definition of information security strategy. We argue for a paradigm shift to extend from internally-focussed protection of organisation-wide information towards a strategic view that considers the inter-organisational level. Our findings are then used to suggest future research directions.