Information technology (IT) has become an integral part of everyday business. While new technologies give rise to unprecedented functionality, information technology also introduces new risks and environments that may be difficult to control. Higher dependency on information technology may lead to a high impact on the business when governance aspects relating to securing the enterprise's information are not monitored and governed. For example, a security breach of competitive confidential information in the enterprise may have a high impact on the business. To avoid a security breach of any such important information, enterprises may put in place the necessary information security governance structures and processes, with adequate information security measures to control users accessing the information.
Enterprises may lose resources and reputation due to risks arising from inadequate measures taken to control users associated with information security. Risks associated with information security continue to be a problem for enterprises. In order to attain effectiveness and sustainability with today's complex IT and non-IT information, enterprises may adopt information security measures with governance foundations. Information security presents a combination of several challenges: a technical challenge, a business challenge, and a governance challenge. These challenges may be resolved with adequate risk management, reporting of security breaches, and accountability of all users, whether or not they control the security of the information. Effective information security requires the enterprise to assess emerging risks and its own measures for responding to those risks. To prevent risks, enterprises may identify the risks and the occurrences of risks that affect information security.
Information security governance includes a system comprising a set of interconnected, interrelated, and interdependent information security governance elements. The interactions of these elements may be coherently organized to provide continuous assurance for the protection of information and information assets, with an emphasis on effectiveness, efficiency, accountability, and responsiveness that aids business sustainability. Researchers have proposed several methods for assessing the information security of enterprises. However, the conventional methods are ineffective in assessing the information security governance of enterprises.