Modern society is undergoing a digital transformation. Driven by increasing computational power, ubiquitous smart devices, and almost universal access to the Internet, we are entering the next industrial evolution. As society transforms, so too do our organisations. Digital businesses harness technology and the Internet to better serve customers and manage supply chains. These new opportunities also bring with them new threats. As the risk to organisations escalates, oversight of cyber security is rapidly shifting from management to the board of directors. The recency of this shift means there is currently limited pragmatic guidance available for directors to support them in effectively discharging their duties. This research proposal aims to address this gap through the development of a novel cyber security governance framework for company directors. The proposed research will be conducted using the action design research (ADR) methodology in the context of the researcher's own organisation. This approach combines the strengths of action research and design science research and will involve four stages, namely: diagnosis, design, implementation, and review. Each stage results in artefacts that are generated through one or more ADR cycles predominantly involving collaboration between the researcher-participant and directors of the organisation. The novel cyber security governance framework will develop progressively through each of these cycles and stages. In the diagnosis stage, functional and non-functional requirements are developed from workshops. In the design stage, the framework emerges from integration of existing theory, subsequent workshops, and expert review. In the implementation stage, the framework is instantiated in software and then evaluated for utility and efficacy. Lastly, in the review stage, the framework is evaluated in practice across two live board risk committee meetings.
Ethical considerations will be addressed through informed consent of both the organisation involved and its individual directors, including agreement in advance on what information might be considered commercial-in-confidence.
For more information, please contact the Graduate Research School.