From Information Security Management to Enterprise Risk Management

  • Margareth Stoll
Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 313)


Organizations are faced with increasing complexity, uncertainty and enhanced threats from a wide range of forces. Depending on how this situation is handled, it can become a risk or an opportunity that erodes or enhances business value. In addition, organizations have to meet the risk management requirements of a wide range of stakeholders as well as legal and regulatory requirements. Thus, comprehensive enterprise risk management has become a key challenge and core competence for organizations’ sustainable success. Given the central role of information security management and its common goals with enterprise risk management, organizations need guidance on how to extend information security management in order to fulfill enterprise risk management requirements. Yet, interdisciplinary security research at the organizational level is still missing. Accordingly, we propose a systemic framework that guides organizations in promoting enterprise risk management starting from information security management. The results of our case studies in different small and medium-sized organizations suggest that the framework was useful in promoting enterprise risk management in an effective, efficient, cost-effective and sustainable way. New insights for practice and future research are offered.


Keywords: Information security management, Risk management, Enterprise risk management, Framework, ISO 27000, ISO 31000, COSO



The research leading to these results was partially funded by the Tyrolean business development agency through the Stiftungsassistenz QE—Lab.



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. University of Innsbruck, Innsbruck, Austria
