
Part of the book series: Lecture Notes in Electrical Engineering (LNEE, volume 313)

Abstract

Organizations face increasing complexity, uncertainty and enhanced threats from a wide range of forces. Depending on how this situation is handled, it can become a risk or an opportunity that erodes or enhances business value. In addition, organizations have to meet a wide variety of stakeholder, legal and regulatory risk management requirements. Thus, comprehensive enterprise risk management has become a key challenge and core competence for organizations’ sustainable success. Given the central role of information security management and its common goals with enterprise risk management, organizations need guidance on how to extend information security management in order to fulfill enterprise risk management requirements. Yet interdisciplinary security research at the organizational level is still missing. Accordingly, we propose a systemic framework that guides organizations in promoting enterprise risk management starting from information security management. The results of our case studies in different small and medium-sized organizations suggest that the framework was useful for promoting enterprise risk management in an effective, efficient, cost-effective and sustainable way. New insights for practice and future research are offered.



Acknowledgment

The research leading to these results was partially funded by the Tyrolean business development agency through the Stiftungsassistenz QE—Lab.

Author information

Corresponding author: Margareth Stoll


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Stoll, M. (2015). From Information Security Management to Enterprise Risk Management. In: Sobh, T., Elleithy, K. (eds) Innovations and Advances in Computing, Informatics, Systems Sciences, Networking and Engineering. Lecture Notes in Electrical Engineering, vol 313. Springer, Cham. https://doi.org/10.1007/978-3-319-06773-5_2


  • DOI: https://doi.org/10.1007/978-3-319-06773-5_2


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-06772-8

  • Online ISBN: 978-3-319-06773-5

  • eBook Packages: Engineering (R0)
