Australian Information Security Management Conference

Document Type

Conference Proceeding


Security Research Centre, School of Computer and Security Science, Edith Cowan University, Perth, Western Australia


Originally published in the Proceedings of the 6th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia, 1st to 3rd December 2008.


This paper presents a critique of emergent views on the roles of the boards of directors in relation to information security. The analysis highlights several concerns about the separation and validation of proper theory and business assertions of information security at board level. New requirements articulated by industry bodies – represented by a selected group of experts and evident in literature – are compared to the underlying theory of corporate governance to identify possible discrepancies. The discussion shows in particular the importance of staying within the theoretical underpinnings of corporate governance when discussing the topic of governance in general and in relation to boards of directors’ responsibilities. Our critique opens up more opportunities to clarify information security’s role and relationship to corporate governance. We seek to draw particular attention to the appropriate separation of governance and management. This latter point we hope will encourage academics and business practitioners to reflect on current corporate and individual biases and on the way terms such as information security governance are represented.