What do we know about information security governance? “From the basement to the boardroom”: towards digital security governance

Abstract
Purpose – This paper aims to review the information security governance (ISG) literature and emphasises the tensions that exist at the intersection of the rapidly changing business climate and the current body of knowledge on ISG.
Design/methodology/approach – The intention of the authors was to conduct a systematic literature review. However, owing to the limited number of empirical papers in ISG research, this paper is more conceptually organised.
Findings – This paper shows that security has shifted from a narrow-focused isolated issue towards a strategic business issue with “from the basement to the boardroom” implications. The key takeaway is that protecting the organisation is important, but organisations must also develop strategies to ensure resilient businesses that can take advantage of the opportunities that digitalisation can bring.
Research limitations/implications – The concept of digital security governance (DSG) is a new research territory that addresses the limitations and gaps of traditional ISG approaches in a digital context. To this extent, organisational theories are suggested to help build knowledge that offers a deeper understanding than that provided by the too often used practical approaches in ISG research.
Practical implications – This paper supports practitioners and decision makers by providing a deeper understanding of how organisations and their security approaches are actually affected by digitalisation.
Social implications – This paper helps individuals to understand that they have increasing rights with regard to privacy and security and a say in which parties they assign business to.
Originality/value – This paper makes a novel contribution to ISG research. To the authors’ knowledge, this is the first attempt to review and structure the ISG literature.


Introduction
The information security (from now on referred to as IS or just security) landscape has shifted "from the basement to the boardroom", that is, from a narrowly focused technical issue towards a strategic business issue and a top priority item for the board (McFadzean et al., 2007;Johnston and Hale, 2009;Kayworth and Whitten, 2012;Knapp et al., 2009;Soomro et al., 2016). The strategic approach towards the IS phenomenon is commonly referred to as information security governance (ISG) (Nicho, 2018). Today's organisations face increasingly dynamic environments and have to deal with a new and disruptive world that gladly embraces technology. This literature review reveals that in the context of the current ISG approaches, the technological impact dictates a need for change, mainly in the following ways (see also Table I).
First, organisations are rapidly adopting digital business strategies with a high level of technological deployment, e.g. the corporate utilisation of the cloud, blockchain, artificial intelligence, the internet of things (IoT), big data, mobile and social media technology (Carcary et al., 2016; Karanja, 2017). This way of working leads to a full embedding of IT into a company's businesses (Soomro et al., 2016; Wu and Saunders, 2016). Consider examples such as Airbnb, the "hotel broker"; Uber, a company that offers taxi services; and Alibaba, the e-commerce conglomerate. These current technology-driven business climates no longer leave room for distance between the traditional physical world and the new digital world (Soomro et al., 2016; Shahim, 2017). A long-existing gap between IT and business, and therefore between security and business, has been eliminated. This technological change has transformed the face of security from being an isolated issue to a strategic business challenge and requires security to be governed accordingly (Von Solms, 2001b; Wu and Saunders, 2016).
Second, because of the total embedding of technology in business, IS incidents and breaches now directly impact the business and can seriously affect the organisation (Soomro et al., 2016;Horne et al., 2017;Kauspadiene et al., 2017;Stewart and Jürjens, 2017;Berkman et al., 2018). Successful cyberattacks may lead to client, partner, financial and reputational loss as well as litigation and government sanctions; these attacks therefore limit the firm's productivity, innovation capability and competitive edge (Goel and Shawky, 2009;Higgs et al., 2016;Kauspadiene et al., 2017;Hasbini et al., 2018). For example, IS breaches can cause negative market reactions and can materially affect a firm's financial position (Higgs et al., 2016;Berkman et al., 2018). Furthermore, scholars have found correlations between IS incidents and companies' performance (Georg, 2017). The announcement of an IS breach has a significant negative impact on market value, varying from 1 to 2.1 per cent (Goel and Shawky, 2009;Zafar and Clark, 2009). The increasing impact and costs of security attacks have forced corporate boards to think about alternative ways to govern security and stop the ever-increasing number of attacks. The commitment of senior executives and boards in this case is critical for effective ISG (Veiga and Eloff, 2007;Mukundan and Sai, 2014;Barton et al., 2016;Damenu and Beaumont, 2017).
Third, digitalisation demands that organisations adopt an inter-organisational perspective towards security. On the one hand, this is driven by social change. Different scandals such as "Dieselgate", revelations such as those in the "Panama Papers", fake news statements posted on social media platforms and certainly large data breaches have caused a so-called "trust leap" in the modern society (Botsman, 2017). Ongoing IS breaches increase customers' reasonable expectations that corporations will take steps to protect their security and privacy (Gillon et al., 2011). Upcoming laws and regulations, such as the General Data Protection Regulation, that aim to strengthen the rights of individuals stimulate these expectations even further (Romansky, 2017;Kemp, 2018). On the other hand, in a digital environment, organisations operate as a digital supply chain instead of as individual businesses (Büyüközkan and Göçer, 2018). Now, as security risks exist across boundaries, organisations have also become dependent on their partners' expertise to create security and expect these partners to be transparent about doing so (Matwyshyn, 2009;Karlsson et al., 2016). On the whole, effective ISG must incorporate transparent inter-organisational protection to retain the trust of customers and partners.
The technology-driven shift has revealed a need for a revamped approach that looks beyond the newest "best practice" and that provides a deeper understanding of the ISG phenomenon in the new digital business context (Holgate et al., 2012;Williams et al., 2013;Tan et al., 2017). However, the ISG literature lacks such an approach. ISG approaches mainly focus on security controls and common practices that are either generic or universal in scope and that are static (Siponen and Willison, 2009;Williams et al., 2013;Flores et al., 2014;Mishra, 2015). The emphasis on controls works well in a reasonably static technical environment but is insufficient in a rapid, agile and ever-changing digital environment (Holgate et al., 2012;Tan et al., 2017;Nicho, 2018).
Although a significant amount of research exists on security at different levels, studies regarding governing security are relatively thin (Nicho, 2018). In recent years, ISG studies have grown rapidly, leading to a growing diversity in ISG perspectives and changing contextual boundaries. However, these studies thus far have been neither structured nor synthesised. On the contrary, ISG has been poorly defined and discussed and means different things to different people (Moulton and Coles, 2003;Williams et al., 2013). Furthermore, the ISG literature is relatively immature, i.e. largely descriptive, expressed in normative standards and common frameworks, and provides limited empirical or theoretical guidance (Mishra, 2015;Williams et al., 2013). Therefore, analysing ISG literature by challenging the underlying assumptions and examining the tensions that exist at the intersection of the changing contextual boundaries and the current body of knowledge on ISG could be a powerful way to review prior ISG research and develop it further. This paper makes a novel contribution to ISG research. To our knowledge, this is the first attempt to review and structure the ISG literature. The paper provides direction for a new stream of research that addresses the need for change in the current ISG approaches towards digital security governance (DSG). In addition, the paper contributes to a recurring call for more theory building in ISG research (Williams et al., 2013) and urges scholars to draw on theories from related fields. We suggest a focus on the following organisational theories: high reliability, normal accidents, two-factor motivation and issue selling. These theories help provide a more in-depth understanding of the organisational factors that are critical for detecting and preventing security accidents (Leveson et al., 2009).
The paper continues with the following sections. Section 2 describes the methodology followed for the literature review, which precedes an exploratory Section 3 on ISG definitions, perspectives and models. In Section 4, we discuss the main tensions that hinder the field's advancement towards business-oriented ISG. Section 5 contains a discussion and suggestions for further research. The paper ends with implications for research in Section 6 and the conclusion in Section 7.

Methodology
The intention of the authors was to conduct a systematic literature review of the ISG literature. However, given limited empirical papers in ISG research, this paper is more conceptually organised. The methodology used in this paper is as follows.

Searching the literature
The following steps were taken to conduct the literature review.
Inclusion criteria: The Web of Science database was used to search for potential papers. In this case, the authors searched with the term "information security governance". We checked whether other search terms, such as "cyber-", "business-" and "digital security governance", generated new papers, but this was not the case. The search was not restricted by the articles' age or the grade of the journal; instead, we preferred to examine each paper found for nuances that could shed light on our evolving understanding of the concept (Horne et al., 2017). This led to an initial set of 126 papers up until 2018.
Exclusion criteria: By reading abstracts, papers were excluded from this review for multiple reasons. However, the main reasons for a paper's exclusion were either the paper's language, e.g. Spanish or Russian, or the relevance of the paper's topic. Relevant studies in the context of security governance were found in areas such as internet governance, data governance and e-governance. However, these papers were excluded. The intention of this paper was to focus more in-depth on how digitalisation impacts security at the organisational level. Including these topics would not have benefited the precision of the analyses with regard to this scope.
"Snowball effect": By reading the introductions of the papers, we added relevant references. These were mainly in the context of "information security strategy" and "information security investment". In all, 17 relevant papers were added.
Search results: A total of 76 papers were included in the final sample. Using predefined criteria, these papers were fully read, analysed and structured to provide the insights in this paper.

Analysing the identified literature
The first analysis of the literature led to four areas that aroused the interest of the authors. First, the number of papers on ISG has grown rapidly, especially in the past three years (Table II). Second, a variety of different journals is represented on the list (Table II). The papers were collected from 46 different journals. The Computers and Security journal (18) and the Information and Computer Security journal (9) published the most papers on ISG. All of the other journals mostly delivered one or two papers. Third, ISG papers have low "research maturity". Following Karlsson et al. (2016), the research papers are classified by maturity, from emergent to mature (Figure 1). Figure 2 shows that over time, the ISG literature has become more mature. However, according to this classification, only 41 per cent of the papers contain empirical data (theory generating and theory testing). Fourth, the authors are not aware of, and did not find, any literature review that focuses on ISG. These remarks indicate changing contextual boundaries and a growing variety of ISG perspectives and interpretations that need to be structured. This pointed the way and further motivated the authors to conduct the ISG literature review presented in this paper.

Table II. Information security governance papers by year and journal

Definitions, perspectives and models
The lens provided in the introduction of this paper (Table I) demonstrates the change in the ISG contextual boundaries towards embedded business and inter-organisational ISG approaches. In this explorative section, the aim is to structure the current body of knowledge on the ISG concept and to examine its underlying definitions, perspectives and models.

Figure 1. Research maturity classification, from emergent to mature (Source: Karlsson et al., 2016)
[label not recovered]: reflects upon a phenomenon without data or reference to any theory
Theoretical: reflects upon a phenomenon based on some theory but without empirical data (or with anecdotal data)
Theory generating: attempts to analyse/interpret quantitative or qualitative data in a systematic manner for model building
Theory testing: attempts to test a theory by using quantitative or qualitative data in a systematic manner, i.e., not only strict theory testing

Information security governance definitions
Various interpretations of the term ISG exist in the literature (Holgate et al., 2012; Williams et al., 2013). First, in contrast to Moulton and Coles (2003), the literature shows that the content of ISG definitions has been relatively steady over time, i.e. the definitions of ISG have always been related to the idea that senior executives and boards are responsible for security and the way it is incorporated into organisational structures (Posthumus and Von Solms, 2004; Von Solms and Von Solms, 2006a; McFadzean et al., 2007). Second, ISG definitions start with general descriptions of the ISG concept, leaving room for interpretation and discussion: "ISG means making sufficient rigor to safeguard your organisation" (Moulton and Coles, 2003; Park et al., 2006) or "the term ISG describes the process of how security is addressed at an executive level" (Posthumus and Von Solms, 2004). However, over time, the definitions have become specific about the detailed elements that are a part of ISG, e.g.: [. . .] corporate security governance focuses on setting the responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly (Tan et al., 2017).
Additionally, the understanding of ISG has changed over time. Initially, definitions mainly focused narrowly on IT: "ISG can be seen as the overall way in which Information Security as a discipline is deployed to mitigate IT risks" (Von Solms, 2006;Veiga and Eloff, 2007). Later, definitions expanded towards enterprise-wide or "business" risk, including terms such as "strategic direction" and "adjusting organisational structures" (Tan et al., 2017;Maynard et al., 2018;Nicho, 2018). Williams et al. (2013) argue that the meaning of ISG is fluid, dynamic and flexible because of the ongoing changing socio-technical environment. This change has not yet been clarified in the ISG literature. This paper moves away from strictly defining ISG and instead provides an overview of the different perspectives in the field.

Information security governance perspectives
IS research has seen a steady progression, moving from a narrow focus on "technical controls" towards a more holistic approach, including organisational and behavioural or social elements (Veiga and Eloff, 2007; Flores et al., 2014; Soomro et al., 2016). Mainly at the individual level, IS research is supported by a wide range of topics and theories: deterrence, neutralisation, rational choice, reasoned action, planned behaviour and protection motivation (Cram et al., 2017). This field has mainly focused on why end users engage in risky behaviour such as employee non-compliance (Flores et al., 2014; Barton et al., 2016; Chulkov, 2017). While knowledge about the individual level of security is increasingly being built, less is known about the "governance" level. The following governance perspectives are derived from the extant ISG literature.

3.2.1 The corporate governance perspective. Most scholars directly relate security to corporate governance, with a predominant view of ISG as a subset of IT governance (Von Solms, 2001b; Posthumus and Von Solms, 2004; Moulton and Coles, 2003; Von Solms and Von Solms, 2006a; Von Solms and Von Solms, 2006b). This early stream of scholars mainly frames ISG as being driven by compulsory forces within corporate governance and emphasises its (technical) controls. The first and perhaps most frequently given reason for this perspective is that directors are responsible, often legally, for their organisation's risk management system and internal controls (McFadzean et al., 2007), such as the reporting on internal controls and compliance demanded by the Sarbanes-Oxley Act. In enterprise-wide risk management, ISG plays a pivotal role in ensuring that controls are implemented and that potential losses that could arise from these risks are managed.
Arising out of a company's moral duty to avoid knowingly causing harm to others, a second argument is that companies have ethical obligations to improve ISG (Matwyshyn, 2009). The expectations of ethical behaviour are at the core of most corporate governance theories (Bihari, 2008).
From this perspective, it has long been believed that as part of the company's corporate governance, ISG is the most suitable path by which to gain control of security processes and guarantee their alignment with business strategies (Rebollo et al., 2015b). However, the main concern of this perspective is that security is often relegated as a subset of IT governance, and limited attention is given to how the business context may affect the need for security (Williams et al., 2013). This approach emphasises technical controls that alone are not sufficient to achieve effective ISG in a socio-technical environment. Therefore, considering this line of reasoning, in rapidly changing environments, the traditional view of governance as a control and conformance mechanism turns out to be inadequate.
3.2.2 The socio-technical perspective. A second dominant perspective is that instead of focusing mainly on (technical) security controls, ISG should be governed from a holistic perspective and should accent the socio-technical elements, e.g. the organisational and human elements (Veiga and Eloff, 2007;Flores et al., 2014;Soomro et al., 2016). ISG approaches that ignore the human and individual levels often have little bearing on the organisations' objectives (Mishra, 2015). To this extent, researchers highlight the importance of achieving a supportive security culture, combining corporate governance and information security, as this approach takes into account the complex socio-technical system (Thomson and Von Solms, 2005;Veiga and Eloff, 2007;Ruighaver et al., 2007;Flores et al., 2014;Damenu and Beaumont, 2017).
The socio-technical perspective strives for a more holistic approach, encompassing explicit attention to the human element. However, owing to its increased focus on the individual level, this perspective on ISG often has a bias of its own. This creates a narrow view that does not provide insight into how ISG is related at the organisational level (Ruighaver et al., 2007). For instance, organisations that have lower requirements for security are often tolerant of change, while those organisations that have a high requirement for security have a tendency to favour stability over change (Ruighaver et al., 2007). In a rapidly changing digital environment, these organisational relationships are relevant to incorporate into ISG approaches and are often forgotten in the socio-technical perspective.
3.2.3 The resilient business perspective. A more recent consideration is that there is neither a predominant view that ISG is related to IT governance nor that the relationship of ISG with corporate governance is of decisive importance (Williams et al., 2013). It is more important to understand how ISG is related to business processes, e.g. how to align security with strategic drivers, such as the organisation's mission, goals and objectives, to enable organisational resilience (Williams et al., 2013).
The ISG literature is increasingly acknowledging the importance of a business-oriented approach, but this literature is still in a descriptive phase. Von  propose the term business security governance to better frame the integral part of wide business protection. Furthermore, instead of a preventive approach that is based on risk and controls, organisations should address IS objectives and strategies by developing a resilient business framework (Tan et al., 2017;Maynard et al., 2018). Security throughout the enterprise may be the key to improving the level of security in organisations (Maynard et al., 2018).

Information security governance models
There are a variety of practitioners, research frameworks, models and normative standards that have assisted organisations with ISG. In this section, the models are examined in line with the perspectives in the previous section. The following overview is used to reflect on the different models and discuss their shortcomings.
3.3.1 Information security governance models in practice. Well-known ISG practical frameworks include ISO standards such as the 27001 and 38500 series, multiple standards from the National Institute of Standards and Technology (NIST), the Control Objectives for Information and related Technology methodology for IT controls and Information Technology Infrastructure Library practices for managing IT operations (Haufe et al., 2016;Bobbert, 2018). Many of these good practices are well established and are supported by a wide range of industry solutions. However, first, the well-known standards are generic in scope, while organisations need methods tailored to their environment and operations. Second, most ISG models have not been validated but are fostered by an appeal to common practice, which is an unsound basis for a true standard (Siponen and Willison, 2009). Third, the proposed standards and best practices are designed to guide organisations in their ISG strategy but do not define the practical framework to implement or measure the organisation's ISG strategy (Maleh et al., 2017). Therefore, the current practical frameworks not only lack theoretically grounded methods but also lack empirical evidence on their effectiveness (Flores et al., 2014).
3.3.2 Information security governance models in research. In this section, the existing ISG research models are further analysed. Thereafter, the model flaws are discussed.
Corporate governance-oriented models: Scholars have developed a variety of ISG models and frameworks that have mainly provided an objective, conceptual framework and building blocks for ISG. In their framework, Posthumus and Von Solms (2004) and Von Solms and Von Solms (2006a) assert that there is a need to integrate security into corporate governance. Park et al. (2006) provide a framework to structure ISG for corporate executives, thereby enabling the creation of greater productivity gains and cost efficiencies for security. Conceptual models of this nature are anecdotal, too broad in scope and lack supporting theory or empirical evidence (Mishra, 2015).
Socio-technically oriented (holistic): Because technical measures alone are not sufficient, several approaches focusing on the "human" side of holistic ISG have been proposed by researchers (Flores et al., 2014). Dutta and McCrohan (2002) propose an organisational security approach that recognises three cornerstones, namely, critical infrastructures, organisation, and technology, to help senior management address security as the socio-technical problem that it truly is. Veiga and Eloff (2007) propose a detailed framework towards a holistic and people-orientated approach. Maleh et al. (2017) suggest that it is essential to put in place an ISG approach adapted to the culture of the organisation. Their proposed capability maturity framework (CAFISGO) helps organisations assess their capability maturity state and address the procedural, technical and human aspects of ISG. The drawback of these frameworks mainly lies in the lack of emphasis placed on the integration of feedback and modification with changing business requirements (Mishra, 2015).
Process-oriented: To avoid the criticism that ISG has been viewed as a static process, some researchers have approached ISG as an ongoing process. Knapp et al. (2009) focus on the IS policy process by showing a larger organisational context that includes key external and internal influences that can materially impact organisational processes. Haufe et al. (2016) suggest a process framework to help focus on the operation of an Information Security Management System instead of focusing only on measures and controls. Carcary et al. (2016) explain that approaches to ISG must be fluid and responsive to the changing IS landscape. The authors present a practitioner-oriented capability maturity framework that helps organisations focus on continually evaluating, re-evaluating and developing the ISGM capability in line with environmental changes and new opportunities and threats. Nicho (2018) constructs and empirically validates an ISG process model using Deming's plan-do-check-act (PDCA) cycle model, which was continuously updated to align it with the highly dynamic nature of security. By using this model, the author addresses the extant literature's gap due to the lack of studies on a methodological approach to implementing ISG in an organisation.
Cyber-oriented: Other studies are concerned with the increasing threats created by the digital landscape and therefore suggest improvements to existing ISG models or the development of topic-specific ISG models. For example, Kauspadiene et al. (2017) suggest that today's digital world requires a resilient view of security and must consider multiple partners, collaborative systems, outsourcing and other third parties. To increase the security level, the authors propose an integrated holistic methodology for the construction of a high-level, self-sustaining information security management framework. Rebollo et al. (2015a) present a framework focused on the ISG of the cloud-computing environment, as security risks hinder the development of cloud-computing services, and a comprehensive security governance process is needed to foster the adoption of cloud services. Moghadam and Colomo-Palacios (2018) provide an overview of ISG in big data environments. The authors conclude that ISG necessitates constant control associated with using governance techniques such as risk management, business process management and security process management to ensure business value.
3.3.3 Information security governance model flaws. The ISG literature provides multiple models. However, there is no common and general view on what and how it should be done to ensure unimpeded and resilient processes of security (Kauspadiene et al., 2017). Although researchers have answered the long-heard call for more empirical and validated models (Knapp et al., 2009;Maleh et al., 2017;Haufe et al., 2016;Nicho, 2018), most of the ISG models created up until now still lack theory and empirical validation, are generic or universal in scope, are static and do not acknowledge the importance of social and behavioural factors (McFadzean et al., 2007;Siponen and Willison, 2009;Williams et al., 2013;Flores et al., 2014;Mishra, 2015). This leads to two main general issues that hinder ISG in the digital business context. First, the contextual security governance challenges that an organisation faces are not considered. This point of organisational fit is critical, and ISG is not one size fits all. The challenges of ISG may be universal in terms of protecting information assets, but the way each organisation responds varies according to its specific business context, requirements and risk-tolerance levels (Holgate et al., 2012;Soomro et al., 2016;Damenu and Beaumont, 2017). Put simply, isolated organisation-wide security frameworks are inadequate today (Kauspadiene et al., 2017). Second, organisations that continue to use the same old isolated security approach overlook new challenges that exist in their security environment and that warrant new and unconventional approaches (Ruighaver et al., 2007). A paradigm shift is required to move from internally focused protection of organisation-wide information towards an embedded and resilient view that considers an organisation's collaborative business environment (Horne et al., 2017;Kauspadiene et al., 2017). Clear theoretical guidance on such an approach is currently lacking in the literature. 
For a summary of the common body of knowledge described in this section, see Table III.

Table III. Summary of the common body of knowledge on ISG (fragment: (2003), Posthumus and Von Solms (2004), Von Solms (2005))
ICS 28,2

Tensions "from the basement to the boardroom" in a digital era
The analyses in the previous sections show the changing landscape of ISG. However, both ISG research and practice have adopted only a limited approach to address the challenges of the digital era. This can be considered a "gap" that occurs at the intersection of the current common body of knowledge in ISG (state A) and the changing contextual boundaries towards a state B: DSG. Based on the literature review, an important insight is that ISG is not the same as DSG. The latter is about achieving resilience by embedding security in the business and in all of the related business dimensions and organisational factors as a whole (machines, people, objects, processes, etc.). Frequently used terms such as integration and IT alignment become superfluous in such environments. To gain a deeper understanding of the gap between ISG and DSG, the authors observed the tensions that were revealed in the extant literature and that originate from the three key challenges described in the introduction (Table I). Discussing the tensions facilitates cumulative knowledge building and contributes to further developing ISG research. The tensions are as follows (Table IV).

Digital business
The IS discipline in research and business has undergone an impressive development in recent decades (Georg, 2017; Moghadam and Colomo-Palacios, 2018). Historically, companies have followed a technically focused approach that emphasises the primary role of technology in designing effective security solutions (Lindup, 1996; Dutta and McCrohan, 2002; Ozkan and Karabacak, 2010; Kayworth and Whitten, 2012). The impact of technology on ISG described in this paper demands an embedded security and a resilient business approach that is at the core of the fabric of the organisation, while not hindering the business from conducting its activities (Ahmad et al., 2014; Kayworth and Whitten, 2012; Flores et al., 2014). However, security is still often seen by many organisations as a remote activity of a technical nature (Alavi et al., 2016). This view leads to the following tensions.
4.1.1 Preventive versus a continuous and resilient approach. IS strategic development is significantly lacking in many organisations (McFadzean et al., 2007; Barton et al., 2016). Ruighaver et al. (2007) found that security is ad hoc and focuses on things demanding immediate attention owing to incidents at the perimeter of the organisation (Johnston and Hale, 2009). Security is often only regarded as a strategic business issue if something goes wrong (Tan et al., 2017; Maynard et al., 2018). Often, such environments persist because organisations are used to focusing on preventing outside attacks (Rothrock et al., 2018). However, attacks are immutable features of the digital business environment, and some fraction of these attacks will inevitably result in breaches (Rothrock et al., 2018). For organisations, security in a digital environment means that the old challenge of detecting and neutralising threats to keep hackers out of their networks has expanded to include learning how to continue doing business during a breach and how to recover after one. In other words, the challenge has expanded from security alone to security and resilience (Rothrock et al., 2018).
4.1.2 From an isolated towards a collaborative security function. IS scholars have found that security continues to be driven from the bottom up rather than from the top down (Ahmad et al., 2014;Barton et al., 2016). Empirical studies show that the security function is often relegated to lower IT levels (Williams et al., 2013), as the highest ranking security role in the organisation often exists at a middle management level or lower (Ahmad et al., 2014). Devolving security to lower levels maintains the perception of security as a technical function operating independently from the business (McFadzean et al., 2007). The lack of integration between IS professionals and the operations of a business results in security policies and budgets not reflecting the needs of the business (Kayworth and Whitten, 2012). Scholars therefore advocate a collaborative security governance approach that includes overall business management, so that security acts in line with business strategies (Soomro et al., 2016). Such a collaborative approach results in an IS strategy that is more aligned with business goals and that improves security assimilation, e.g. compliance, better policy alignment, the selection of more effective IS security controls and fewer security incidents (Kayworth and Whitten, 2012;Ahmad et al., 2014;Barton et al., 2016;Soomro et al., 2016;Horne et al., 2017).

4.1.3 Non-functional security or security embedded by design. Business stakeholders mainly focus on the functionality of new technologies and how to generate value. They care about customer priorities, ease of use, product adoption rates, and legal compliance. Security must contribute value to these priorities. However, the focus often remains on the short-term benefits, e.g. on cheaply and quickly building technologies and products. In this process, security remains non-functional.
To illustrate, between 2016 and 2017, the attacks on IoT devices increased by 600 per cent (ISTR, 2018). This shows the vulnerabilities of new technologies and the necessity of developing secure products in the long term. New technologies are often built as cheaply and quickly as possible, not taking security into account "by design". Security cannot be added after an IT environment is deployed (Farahmand et al., 2013); in the digital world, security must be embedded (Soomro et al., 2016).

4.1.4 Obstructive security versus business innovation (the embedding of controls).
On the other hand, the penalty of becoming too "secure" is to lose effectiveness and time to market; e.g. security patches decrease the performance of certain applications (Werlinger et al., 2009). Schatz and Bashroush (2018) found that a negative user experience with "obstructive" security controls encourages people to work around them. The requirement to balance the need to increase the functionality of the business against the need to secure information assets is a major challenge (Kayworth and Whitten, 2012). Efforts must not focus only on technological tools (Dreyfuss and Giat, 2018). Instead, the required security controls should be embedded into the business services such that there is a compromise between business resilience and security, with an emphasis on innovative approaches that enhance the customers' experience (McFadzean et al., 2007;Schatz and Bashroush, 2018). To move at the speed of digitalisation, a business focus on resilience over security becomes even more relevant in DSG (Rothrock et al., 2018).

Management commitment
IS scholars widely believe that senior executive and board commitment is critical for effective ISG (Veiga and Eloff, 2007;Mukundan and Sai, 2014;Barton et al., 2016;Damenu and Beaumont, 2017). Fortunately, the staggering number of IS breaches (see introduction) has made executives and boards more aware of the need to protect the business and their corporate information assets (Kayworth and Whitten, 2012;Georg, 2017;Von Solms and Von Solms, 2018). However, this level of attention by senior business leaders is relatively new for both executives and security professionals (Schatz and Bashroush, 2018). Therefore, the main tensions in achieving management commitment are defined and discussed in the following sections.
4.2.1 Delegate or commit: why boards and executives are responsible. A major obstacle is convincing boards and executives that they are actually responsible for ISG. Scholars argue that governance is the senior management's primary role in security (Barton et al., 2016). However, there is a continuous debate regarding the role of executives and boards in ISG. Boards see security as "operational" and feel that they are not IT literate enough to take responsibility. They prefer to delegate it to the security specialists in their organisations (McFadzean et al., 2007;Bihari, 2008;Holgate et al., 2012).
In addition to the common argument of being legally responsible for ISG (see the earlier explanation in 3.2.1), devolving security to lower levels not only leads to isolation and insufficient security programmes but also affects the security culture. Johnston and Hale (2009) found that the more active and supportive the role played by boards and senior executives, the more security-related influence is felt throughout the firm. The result is a culture in which security is the norm rather than the exception and in which security is engrained in the very processes that drive the organisation (Johnston and Hale, 2009).
4.2.2 Communication barriers: technical or business language. The inability of IS experts to express the necessity of ISG leads to poor communication regarding threats and risks and hinders the commitment of management. Scholars have found that IS experts do not have clear arguments about why the board should truly take responsibility (Bihari, 2008). By their nature, experts have a strong interest in operational details and a limited insight into an organisation's business (Farahmand et al., 2013). As the IS discourse used by experts tends to be held in technical language, overusing systems language and systems thinking, many board members find this discourse difficult to engage in (McFadzean et al., 2007;Schinagl and Paans, 2017). The result is that decision makers are not able to make carefully considered risk-based decisions (Schinagl and Paans, 2017). However, the importance of communication skills as part of the key skills needed by IS professionals is underestimated in IS research (Haqaf and Koyuncu, 2018).
If IS professionals want to engage with senior management and boards, the technical message should be redirected. The message should not be about the full scope of IS-related aspects, e.g. physical security, authentication, and logical access. The message should be presented at a level and in a format that is accessible to non-technical corporate directors (Rothrock et al., 2018) and should focus on modern business risks that impact the digital strategy (Von Solms and Von Solms, 2018).
4.2.3 Budgetary constraints: security as an expense or an investment. Another obstacle to engaging senior executives to address security is the difficulty of connecting security expenditures to profitability (Dutta and McCrohan, 2002). Businesses still think of IT security as an expense, not as an investment (Georg, 2017). The evaluation of IS investments, e.g. the tangible return on an IS investment, is complicated by the fact that it is perceived that IS investments do not result in direct financial benefits but are rather designed to prevent losses (Chulkov, 2017;Schatz and Bashroush, 2018). In addition, security measures are viewed as a redundant outlay because security breaches and losses occur despite the investment (Schatz and Bashroush, 2018). This leads to budgetary constraints as an obstacle to ISG (Soomro et al., 2016).
Conventional budgeting approaches (security as an expense) comprise checklist exercises to direct funds towards a "minimum protection/maximum compliance" strategy rather than being initiatives that contribute to the value of the organisation (Dreyfuss and Giat, 2018). Relying heavily on the work of Schatz and Bashroush (2018), we assert that the key principle of IS investments is that they are only seen as business enablers when the selected controls support the businesses to safely innovate, increase market agility, and enhance customer trust. Without appropriately considering the business environment, security programmes will fail to add value. To add value, security controls must be accepted by users and customers. For this to occur, security teams must work with business stakeholders to understand what "acceptable investment" means in a given context.

From intra- to inter-organisational security
In the digital era, organisations are more collaboratively enabled by technology. In this inter-organisational environment, IS risk crosses boundaries and introduces new forms of risks by opening opportunities for intrusion, non-compliance and exposure (Karlsson et al., 2016). The tensions derived from the literature related to the inter-organisational perspective are discussed below.
4.3.1 Partners: security as a sticking point or as the basis of trust. Security is perceived as a significant sticking point in establishing a relationship between IT-outsourcing vendors and clients (Zapata et al., 2017;Dhillon et al., 2017;Kemp, 2018). This hinders the trend of adopting vendor-based technologies such as cloud computing (Rebollo et al., 2012). Cloud computing environments, similar to other outsourcing approaches, provide organisations with great benefits, e.g. approximately 30 per cent more economic savings due to higher productivity and standardisation that support digital business strategies (Rebollo et al., 2015b). However, despite the benefits, it also leads to new organisational risks (Rebollo et al., 2012;Kemp, 2018). The main concern is that cloud computing extends computing resources across the organisation's perimeter, resulting in control being lost over the organisation's information assets (Matwyshyn, 2009;Rebollo et al., 2012;Rebollo et al., 2015a). Dhillon et al. (2017) found that one of the highest concerns is trusting that the outsourcing vendor will apply appropriate security controls, especially in the context of different country regulatory environments.
As these new threats need to be managed at a governance level, ISG therefore becomes a process of paramount importance. ISG can help client organisations when they intend to maintain control over cloud services and create trust. ISG is the most suitable path by which to gain control of security processes and to guarantee an alignment with business strategies. ISG frameworks must lead and guide the adoption of technologies such as cloud services; however, the literature in this area is still meagre (Rebollo et al., 2015a;Rebollo et al., 2015b).
4.3.2 Increased reasonable expectations of security by the customer: poor orientation or trust. Technology and digital business activities create a significant change in the way organisations interact with customers. No technology or security strategy will be successful if the customer experience is poor. However, public awareness of today's cyber security threats has grown, and customers' trust in organisations has been decreasing (Botsman, 2017). High-profile incidents have alerted consumers to the potential consequences of their personal information falling into the wrong hands (Atos, 2017).
Today, customers are ready to take their business elsewhere or to ultimately stop using the digital technologies that public sector organisations promote (Atos, 2017;Priisalu and Ottis, 2017;PWC, 2017). Companies must put cyber security and privacy at the forefront of their business strategy to win the customers' hearts and to earn their trust (Atos, 2017). Based on the literature review results, the customer is an under-represented element in the current ISG approaches.

Discussion and agenda for further research
The literature review indicates that ISG demands a digital business-oriented approach. ISG approaches should adapt to changing boundaries, i.e. technology-driven organisations that leave no room for distance between security and business (Soomro et al., 2016;Shahim, 2017). Through this lens, most of the relevant practices of ISG potentially lie in disciplines other than IT and security (Bobbert, 2018). Hence, ISG research should broaden its horizons and borrow relevant theories from related research fields. Organisational theories are especially suggested for gaining a deeper understanding of organisational factors that play a role in almost any security breach (Leveson et al., 2009). The following theories are suggested.

Normal accident and high reliability theory
A possible approach to address the concept of DSG is to focus on organisational factors that play a role in governing security (Leveson et al., 2009). At least two streams of work in organisational theory have addressed organising around high-hazard technologies within organisations: the normal accidents theory (NAT) (Perrow, 1999) and the high reliability theory (HRT) (Weick et al., 2008).
The basic argument of NAT is that the interactive complexity and tight coupling in some technological systems lead to unpredictability of interactions and hence to system accidents that are inevitable or "normal" for these technologies (Perrow, 1999;Leveson et al., 2009;Shrivastava et al., 2009). This clearly shows parallels with security. In today's tightly coupled and highly complex technology-based world, it is not possible to fully predict how an update might create a security vulnerability where none existed before, or when one technological behemoth might let the world know a vulnerability exists before a patch is ready (CU*Answers, 2013).
HRT also considers high-risk technologies but focuses on a subset of high-risk organisations, namely, high reliability organisations (HROs). HROs are harbingers of adaptive organisational forms for an increasingly complex environment that strives for error-free performance (Weick et al., 2008;Shrivastava et al., 2009). HROs are characterised by a preoccupation with failure, a reluctance to simplify interpretations, a sensitivity to operations, a commitment to resilience, and underspecified structuring (Weick et al., 2008).
The HRO concept can be illustrative of why so many security failures occur these days. Organisations insufficiently follow HRO principles: they ignore problems until they grow unavoidable, mistake security policy and compliance for operational reality, rely on oversimplified risk management tools and security frameworks, and inadequately prepare for security events and incidents. Security studied via HRO characteristics can significantly contribute to the existing research by providing a fundamental understanding of security governance from an organisational perspective (Nash and Hayden, 2016).

Issue selling and two-factor motivation theory
The literature review indicates that senior management commitment is critical to successful ISG (Veiga and Eloff, 2007;Mukundan and Sai, 2014;Barton et al., 2016;Damenu and Beaumont, 2017). However, the literature that explains how senior managers are motivated to participate in ISG is limited (Barton et al., 2016). By understanding the factors that increase senior management's belief and participation in governing security, ISG can be assimilated in organisations more effectively (Barton et al., 2016). In the context of DSG, issue selling is a theory that can be studied and is central to understanding the process in which top management allocates its time and attention to some issues and not to others (Dutton and Ashford, 1993). Issue selling is crucial in this age of rapid change. However, this literature review shows that there are also (communication) barriers to "selling" the importance of security that demand further research.
Additionally, another suggested area of research is the examination of the phenomenon "from the basement to the boardroom" in the context of the motivation theory proposed by Herzberg, known as the two-factor theory of job satisfaction (Herzberg, 1968). The concept and assumptions of this theory can be applied to structure the shift from the ISG phenomenon towards DSG. For example, the traditional factors of ISG, e.g. strategy, laws and regulation, risk management, resources and operations, are dissatisfiers (hygiene factors). These factors are necessary; for example, organisations are required to comply with laws and regulation. However, this literature review shows that this approach is insufficient in meeting the current IS challenge and that these factors are not the ones that "motivate" the organisation to develop an IS strategy or to bring security to a higher level. To increase the professionalism of security within the organisation, further clarity needs to be provided on the relationship between security satisfiers and the DSG construct.

Implications
The objective of this study is to examine and structure the ISG literature. We have fulfilled this objective by emphasising the tensions that exist at the intersection of the rapidly changing business climate and the current body of knowledge in ISG. The originality of the paper is mainly demonstrated by providing a novel "digital lens" for studying and further understanding the ISG concept in the current digital era.
6.1 Implications for practice
Accordingly, this research has implications for practice because "digital" is currently one of the hottest buzzwords (Büyüközkan and Göçer, 2018). The findings of this paper show that within the digital context, security must be seen as an indispensable feature. This paper supports practitioners and decision makers by providing a deeper understanding of how organisations and their security approaches are actually affected by digitalisation. As they continue to confront the discussed tensions and begin to embrace the principles of "Digital Security Governance", organisations can start adapting their current security approaches. We believe that our research findings are especially useful in helping practitioners and senior executives understand that DSG is not a purely technical issue that hinders business goals. Instead, DSG is about pursuing resilient approaches that support digital business strategies and business innovation (Holgate et al., 2012;Williams et al., 2013;Tan et al., 2017;Nicho, 2018;Rothrock et al., 2018).

6.2 Implications for research
The concept of DSG is a new research territory that addresses the limitations and gaps of traditional ISG approaches in a digital context (see tensions in Table IV). To this extent, theories are suggested that, to the knowledge of the authors, have not yet been applied in IS research. Doing so will help build knowledge that offers a deeper understanding than that provided by the too often used practical approaches in ISG research. In addition, the line of reasoning in this paper, i.e. the impact of the digital context on specific areas and a stronger theoretical grounding by borrowing theories from related fields, should be taken in a wider sense and is also relevant for other IS research areas and beyond, e.g. customer orientation in ISG approaches, communication barriers between IS experts and decision makers and especially the theoretical relation to other governance domains that are not included in this scope (internet, data, network and e-governance).

6.3 Implications for society
Because digitalisation has touched almost every aspect of human life all over the world (Büyüközkan and Göçer, 2018), there are also implications for society. Participating in this technologically driven world means dealing not only with great benefits but also with potential risks. People in this risky environment have to be aware of how this digital change impacts them. This paper helps individuals understand that they have increasing rights with regards to privacy and security and a say in what parties they do business with. We argue that people still often make decisions based on the functionalities of services instead of making critical privacy-and security-considered decisions when doing business. An increased awareness with regard to this external force can be very beneficial in stimulating organisations to transparently govern security.

Concluding remarks
Our literature review shows that security has shifted from a narrow-focused isolated issue towards a strategic business issue with "from the basement to the boardroom" implications. Tensions are identified and considered "gaps" that occur between DSG and the current common body of knowledge in ISG. We believe that, by studying ISG through a "digital lens", we have challenged underlying assumptions that led to the introduction of the DSG concept. Our key takeaway is that protecting the organisation is important, but organisations must also develop strategies to ensure resilient businesses that can take advantage of the opportunities that digitalisation can bring.