Research Article

Weathering the storm: examining how organisations navigate the sea of cybersecurity regulations

Received 17 Apr 2023, Accepted 16 Apr 2024, Published online: 26 Apr 2024

ABSTRACT

Governments around the world routinely regulate the activities of private enterprises to guide the behaviour of individuals and organisations towards acceptable norms. This holds true in a cybersecurity context. However, practitioners report that cybersecurity regulations are often out of date and compliance is confusing, expensive, and time consuming. As a result, organisational leaders are often uncertain about the practicalities of adopting and implementing the various rules, which can lead to trickle-down effects on the robustness of lower-level cybersecurity controls and compliance activities. In this research, we aim to clarify how cybersecurity regulations are operationalised in organisations, as well as reveal the compliance and performance consequences of cybersecurity regulations. To do so, we interviewed 22 senior leaders with expertise in cybersecurity regulations. Our analysis reveals 7 distinct themes (i.e., concept groupings) that are ordered within four phases (i.e., temporal stages), which we use to create the Institutional Cybersecurity Regulations Model (ICRM). The results provide a holistic view of the cybersecurity regulations process in organisations that can serve to clarify current theory relationships and inform future research. As well, the ICRM can provide a practical roadmap for managers to navigate regulatory cybersecurity challenges in their own companies.

Acknowledgements

The research reported in this article was supported, in part, by funds from the members of the Cybersecurity at MIT Sloan (CAMS) consortium. https://cams.mit.edu/

Disclosure statement

No potential conflict of interest was reported by the author(s).

Notes

1. ISO 27000 (International Organization for Standardization) is a set of standards and best practices organisations can use to help manage cyber risks.

2. PCI DSS (Payment Card Industry Data Security Standard) is a standard organisations use to help secure payment card transactions and avoid fraud.

3. COBIT (Control Objectives for Information and Related Technology) is an information technology and governance framework created by the Information Systems Audit and Control Association (ISACA). COBIT helps organisations manage technology-related issues focusing on compliance, risk, and strategy.

4. ITIL (Information Technology Infrastructure Library) is a set of best practices for managing IT and aligning it with business strategy.

5. We acknowledge that the IT Governance Cube (Tiwana et al. 2013) includes strategic implications; however, our work focuses more on its operational dimensions (i.e., the “who”, “what”, and “how” components). In particular, we strongly emphasise the “how” dimension in our work, as it aligns with our discussion of the processes organisations use to operationalise cybersecurity regulations.

6. This quantity of participants is in line with research in top information systems journals that use a similar design. For example, see Bagayogo et al. (2014); Chan et al. (2019); Kude et al. (2018); Lansing et al. (2018); Trier and Richter (2015).

7. We solicited participants from an interdisciplinary consortium of organisations interested in researching and responding to cybersecurity issues.

8. We conducted a pilot data collection with 12 interviewees to form an initial conceptualisation of this topic area before commencing with the core data collection. Our findings from these preliminary interviews were used as a basis for a segment of our semi-structured interview protocol. This approach of leveraging a smaller initial dataset to inform a subsequent, larger data collection protocol has been utilised in prior scholarship for this type of research (e.g., Bagayogo et al., 2014).

9. This project was issued “Exempt Category 2 – Educational Testing, Surveys, Interviews, or Observation” status by the Committee on the Use of Humans as Experimental Subjects (COUHES) at the Massachusetts Institute of Technology (MIT). The COUHES ID for this project is E-3037.

10. Financial Industry Regulatory Authority.

11. TBEST is an intelligence-driven simulated attack framework.
