Security Research Centre, School of Computer and Security Science, Edith Cowan University, Perth, Western Australia
This paper presents a critique of emergent views on the roles of boards of directors in relation to information security. The analysis highlights several concerns about the separation and validation of proper theory and business assertions of information security at board level. New requirements articulated by industry bodies – represented by a selected group of experts and evident in the literature – are compared with the underlying theory of corporate governance to identify possible discrepancies. The discussion shows in particular the importance of staying within the theoretical underpinnings of corporate governance when discussing the topic of governance in general and in relation to the responsibilities of boards of directors. Our critique opens up further opportunities to clarify information security’s role in, and relationship to, corporate governance. We seek to draw particular attention to the appropriate separation of governance and management. We hope this latter point will encourage academics and business practitioners to reflect on current corporate and individual biases and on the way terms such as information security governance are represented.