Integrating information security policy management with corporate risk management for strategic alignment

Corpuz, Maria & Barnes, Paul H. (2010) Integrating information security policy management with corporate risk management for strategic alignment. In Proceedings of the 14th World Multi-Conference on Systemics, Cybernetics and Informatics (WMSCI 2010), Orlando, Florida.


Information security policy defines the governance and implementation strategy for information security in alignment with the objectives and strategies of the corporate risk policy. Research has established that alignment between corporate concerns may be enhanced when their strategies are developed concurrently through the same development process, because that shared process establishes an integrative relationship between them. Using the corporate risk management framework for security policy management establishes such an integrative relationship between the objectives and strategies of information security and those of corporate risk management. The current literature, however, lacks a definitive approach that fully integrates security policy management with the corporate risk management framework. This paper presents an approach that adopts a conventional corporate risk management framework for security policy development and management in order to achieve alignment with the corporate risk policy. A case example is examined to illustrate the alignment achieved at each process step, with a security policy structure derived as a consequence of the process. It is shown that information security policy management outcomes become both integral drivers and major elements of corporate-level risk management considerations. Further study should assess the impact of using the proposed framework on enhancing alignment as described in this paper.

Impact and interest:

7 citations in Scopus

Full-text downloads:

515 since deposited on 27 Oct 2010
47 in the past twelve months


ID Code: 38217
Item Type: Conference Paper
Refereed: Yes
Keywords: Information Security, Security Management, Security Policy, Risk Management, Risk Policy
Subjects: Australian and New Zealand Standard Research Classification > COMMERCE MANAGEMENT TOURISM AND SERVICES (150000) > BUSINESS AND MANAGEMENT (150300) > Business Information Systems (150302)
Divisions: Current > QUT Faculties and Divisions > QUT Business School
Past > Institutes > Information Security Institute
Copyright Owner: Copyright 2010 [please consult the authors]
Deposited On: 27 Oct 2010 21:49
Last Modified: 21 Jun 2017 14:44
