To read this content please select one of the options below:

A quantification mechanism for assessing adherence to information security governance guidelines

Ivano Bongiovanni (The University of Queensland, Brisbane, Australia)
Karen Renaud (Department of Computer and Information Sciences, University of Strathclyde, Glasgow, UK and Information Systems, Rhodes University, Grahamstown, South Africa)
Humphrey Brydon (University of the Western Cape, Cape Town, South Africa)
Renette Blignaut (University of the Western Cape, Cape Town, South Africa)
Angelo Cavallo (Politecnico di Milano, Milan, Italy)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 9 February 2022

Issue publication date: 20 October 2022




Boards of Directors and other organisational leaders make decisions about the information security governance systems to implement in their companies. The increasing number of cyber-breaches targeting businesses makes this activity inescapable. Recently, researchers have published comprehensive lists of recommended cyber measures, specifically to inform organisational boards. However, the young cybersecurity industry has still to confirm and refine these guidelines. As a starting point, it would be helpful for organisational leaders to know what other organisations are doing in terms of using these guidelines. In an ideal world, bespoke surveys would be developed to gauge adherence to guidelines, but this is not always feasible. What we often do have is data from existing cybersecurity surveys. The authors argue that such data could be repurposed to quantify adherence to existing information security guidelines, and this paper aims to propose, and test, an original methodology to do so.


The authors propose a quantification mechanism to measure the degree of adherence to a set of published information security governance recommendations and guidelines targeted at organisational leaders. The authors test their quantification mechanism using a data set collected in a survey of 156 Italian companies on information security and privacy.


The evaluation of the proposed mechanism appears to align with findings in the literature, indicating the validity of the present approach. An analysis of how different industries rank in terms of their adherence to the selected set of recommendations and guidelines confirms the usability of our repurposed data set to measure adherence.


To the best of the authors’ knowledge, a quantification mechanism as the one proposed in this study has never been proposed, and tested, in the literature. It suggests a way to repurpose survey data to determine the extent to which companies are implementing measures recommended by published cybersecurity guidelines. This way, the proposed mechanism responds to increasing calls for the adoption of research practices that minimise waste of resources and enhance research sustainability.



This research did not receive any specific grant from funding agencies in the public, commercial or not-for-profit sectors. The authors also declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.


Bongiovanni, I., Renaud, K., Brydon, H., Blignaut, R. and Cavallo, A. (2022), "A quantification mechanism for assessing adherence to information security governance guidelines", Information and Computer Security, Vol. 30 No. 4, pp. 517-548.



Emerald Publishing Limited

Copyright © 2022, Emerald Publishing Limited

Related articles