You are here: Home Contents V18 N2 V18N2_Bierens.html
Personal tools

Are We Ready to Manage Digital Risks Today and Tomorrow?



Full text

Journal of Information Systems Security
Volume 18, Number 2 (2022)
Pages 83123
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Raymond Bierens — Amsterdam Business Research Institute, School of Business and Economics, VU Amsterdam, the Netherlands
Abbas Shahim — Amsterdam Business Research Institute, School of Business and Economics, VU Amsterdam, the Netherlands
Information Institute Publishing, Washington DC, USA




New digital technologies are quickly changing organizations. Many organisations begun their digital transformation without awareness of the dynamic nature and the dependencies that technology has engendered. However, little scientific research exists on digital risk to allow for the holistic management of risks triggered by the dynamically changing technological systems within an organisation, as well as the many external dependencies that each of these systems creates inside and outside the organisation both at home and abroad. This paper proposes to analyse, through a systematic literature review, the way in which the existing state of the art literature deals with digital risks. In particular, the authors focused on the security contexts associated with digital risk (i.e., information security, cybersecurity and digital security) and how their relatedness developed over time. The analysis shows that research on risk management is predominantly centred on the security of information and ensuring continuity based on the assumption of a static environment where organisations have full control over their systems and supply chain partners. This is contrary to the characteristics of digital risks created by today’s technologies. The literature review supports practitioners and decision-makers by showing that the use of security contexts that are incongruent with digital security risks, influences the assessment of risks and the resulting risk management strategies. This increases the likelihood that risks remain without sufficient attention, leaving organisations vulnerable to residual risks.




Technology, Information Security, Cyber Security, Digital Risk, Risk Management.




Abd Latif M.N., et al. (2021). Cyber Security in Supply Chain Management: A Systematic Review. Logforum 17(1), 49-57.

Abraham C., et al. (2019). Muddling through Cybersecurity: Insights from the Us Healthcare Industry. Business Horizons 62(4), 539-548.

Agrawal V. (2017). A Comparative Study on Information Security Risk Analysis Methods. Journal of Computers 12(1), 57-67.

Albakri S.H., et al. (2014). Security Risk Assessment Framework for Cloud Computing Environments. Security and Communication Networks 7(11), 2114-2124.

Ali S. (2021). Cybersecurity Management for Distributed Control System: Systematic Approach. Journal of Ambient Intelligence and Humanized Computing 12(11), 10091-10103.

Alyami A., et al. (2021). Exploring Is Security Themes: A Literature Analysis. Journal of Decision Systems, 13.

Anderson E.E. and Choobineh .J (2008). Enterprise Information Security Strategies. Computers & Security 27(1-2), 22-29.

Annarelli A., et al. (2020). Understanding the Management of Cyber Resilient Systems. Computers & Industrial Engineering 149, 18.

Arbanas K. and Hrustek N.Z. (2019). Key Success Factors of Information Systems Security. Journal of Information and Organizational Sciences 43(2), 131-144.

Aven T. (2013). Practical Implications of the New Risk Perspectives. Reliability Engineering & System Safety 115, 136-145.

Baranov P.A. (2015). Using Risk-Oriented Approaches to Solve Information Security Problems. Automatic Control and Computer Sciences 49(8), 643-647.

Barton K.A., et al. (2016). Information System Security Commitment: A Study of External Influences on Senior Management. Computers & Security 59, 9-25.

Baskerville R. (1991). Risk Analysis: An Interpretive Feasibility Tool in Justifying Information Systems Security. European Journal of Information Systems 1,

Benaroch M., et al. (2012). An Internal Control Perspective on the Market Value Consequences of It Operational Risk Events. International Journal of Accounting Information Systems 13(4), 357-381.

Benz M. and Chatterjee D. (2020). Calculated Risk? A Cybersecurity Evaluation Tool for Smes. Business Horizons 63(4), 531-540.

Berg vdB. (2018). De Cyberrevolutie. Universiteit Leiden, Leiden.

Biener C., et al. (2015). Insurability of Cyber Risk: An Empirical Analysis. Geneva Papers on Risk and Insurance-Issues and Practice 40(1), 131-158.

Bierens R., Klievink, B., and van den Berg, J. (2017). A Social Cyber Contract Theory Model for Understanding National Cyber Strategies. Lecture Notes in Computer Science 10428(Proceedings of International Conference on ElectronicGovernment 2017), 166-176.

BMBF FMoEaR (2010). High-Tech Strategy 2020 for Germany. Innovation Policy Framework Division, Bonn.

Bojanc R. and Jerman-Blazic B. (2008). An Economic Modelling Approach to Information Security Risk Management. International Journal of Information Management 28(5), 413-422.

Boyes H. (2015). Cybersecurity and Cyber-Resilient Supply Chains. Technology Innovation Management Review, 28-34.

Brantly A. (2014). A Fierce Domain: Conflict in Cyberspace, 1986 to 2012 Edited by Jason Healy. American Foreign Policy Interests 36,

Brender N. and Markov I. (2013). Risk Perception and Risk Management in Cloud Computing: Results from a Case Study of Swiss Companies. International Journal of Information Management 33(5), 726-733.

Brunner M., et al. (2018). Towards Data-Driven Decision Support for Organizational It Security Audits. It-Information Technology 60(4), 207-217.

Burger O., et al. (2019). Estimating the Impact of It Security Incidents in Digitized Production Environments. Decision Support Systems 127, 11.

Burns A.J., et al. (2017). Organizational Information Security as a Complex Adaptive System: Insights from Three Agent-Based Models. Information Systems Frontiers 19(3), 509-524.

Caelli W.J. (2002). Trusted ... Or ... Trustworthy: The Search for a New Paradigm for Computer and Network Security. Computers & Security 21(5), 413-420.

Carr N.G. (2003). It Doesn't Matter. Harvard Business Review 81(5), 41-+.

Cegarra-Navarro J.G., et al. (2019). An Open-Minded Strategy Towards Eco-Innovation: A Key to Sustainable Growth in a Global Enterprise. Technological Forecasting and Social Change 148, 10.

Chatterjee D. (2019). Should Executives Go to Jail over Cybersecurity Breaches? Journal of Organizational Computing and Electronic Commerce 29(1), 1-3.

Cherdantseva Y., et al. (2016). A Review of Cyber Security Risk Assessment Methods for Scada Systems. Computers & Security 56, 1-27.

Chivers H., et al. (2009). Risk Profiles and Distributed Risk Assessment. Computers & Security 28(7), 521-535.

Ciechanowicz Z. (1997). Risk Analysis: Requirements, Conflicts and Problems. Computers & Security 16(3), 223-232.

Colicchia C., et al. (2019). Managing Cyber and Information Risks in Supply Chains: Insights from an Exploratory Analysis. Supply Chain Management-an International Journal 24(2), 215-240.

Collier Z.A. and Sarkis J. (2021). The Zero Trust Supply Chain: Managing Supply Chain Risk in the Absence of Trust. International Journal of Production Research 59(11), 3430-3445.

Creazza A., et al. (2021). Who Cares? Supply Chain Managers' Perceptions Regarding Cyber Supply Chain Risk Management in the Digital Transformation Era. Supply Chain Management-an International Journal, 24.

Da Veiga A. and Eloff JH., P. (2007). An Information Security Governance Framework. Information Systems Management 24(4), 361-372.

Dhillon G. and Backhouse J. (1996). Risks in the Use of Information Technology within Organizations. International Journal of Information Management 16(1), 65-74.

Dieguez M., et al. (2020). Mapping the Variations for Implementing Information Security Controls to Their Operational Research Solutions. Information Systems and E-Business Management 18(2), 157-186.

Diesch R., et al. (2020). A Comprehensive Model of Information Security Factors for Decision-Makers. Computers & Security 92, 21.

DuHadway S., et al. (2019). Understanding Risk Management for Intentional Supply Chain Disruptions: Risk Detection, Risk Mitigation, and Risk Recovery. Annals of Operations Research 283(1-2), 179-198.

Elhady A.M., et al. (2019). Comprehensive Risk Identification Model for Scada Systems. Security and Communication Networks 2019, 24.

Eling M. (2020). Cyber Risk Research in Business and Actuarial Science. European Actuarial Journal 10(2), 303-333.

Eling M., et al. (2021). Cyber Risk Management: History and Future Research Directions. Risk Management and Insurance Review 24(1), 93-125.

Estay D.A.S, et al. (2020). A Systematic Review of Cyber-Resilience Assessment Frameworks. Computers & Security 97, 15.

Fang F., et al. (2012). An Economic Mechanism to Manage Operational Security Risks for Inter-Organizational Information Systems. Information Systems Frontiers 16(3), 399-416.

Feng C. and Wang T.W. (2019). Does Cio Risk Appetite Matter? Evidence from Information Security Breach Incidents. International Journal of Accounting Information Systems 32, 59-75.

Feng N., et al. (2013). A Security Risk Analysis Model for Information Systems: Causal Relationships of Risk Factors and Vulnerability Propagation Analysis. Information Sciences 256, 57-73.

Finne T. (2000). Information Systems Risk Management: Key Concepts and Business Processes. Computers & Security 19(3), 234-242.

Firoiu M. and Bacivarov IC (2019). A Quantitative Method for Multicriteria Analysis of the Assets of a Critical System in the Management Process of Information Security. Quality-Access to Success 20(173), 138-144.

Flora PER, S. (2015). Iiaarf Cbok - Navigating Technology’s Top 10 Risks. Global Internal Audit Common Body of Knowledge (CBOK), IIA Research Foundation, Altamonte Springs, Florida, USA, p 28.

Flowerday S.V. and Tuyikeze T. (2016). Information Security Policy Development and Implementation: The What, How and Who. Computers & Security 61, 169-183.

Ganin A.A., et al. (2020). Multicriteria Decision Framework for Cybersecurity Risk Assessment and Management. Risk Analysis 40(1), 183-199.

Georg L. (2017). Information Security Governance: Pending Legal Responsibilities of Non-Executive Boards. Journal of Management & Governance 21(4), 793-814.

Gerber M. and von Solms R. (2005). Management of Risk in the Information Age. Computers & Security 24(1), 16-30.

Ghadge A., et al. (2020). Managing Cyber Risk in Supply Chains: A Review and Research Agenda. Supply Chain Management-an International Journal 25(2), 223-240.

Ghazawneh A. and Henfridsson O. (2013). Balancing Platform Control and External Contribution in Third-Party Development: The Boundary Resources Model. Information Systems Journal 23,

Gilliam D.P. (2004). Managing Information Technology Security Risk. In Software Security - Theories and Systems (Futatsugi K, Mizoguchi F and Yonezaki N, Eds), pp 296-317.

Goldstein J. (2007). Estonia’s Cyber Attacks: Lessons Learned. Wikileaks, Tallinn, Estona.

Guarro S.B. (1989). Risk Analysis and Risk Management Models for Information-Systems Security Applications. Reliability Engineering & System Safety 25(2), 109-130.

Haapamaki E. and Sihvonen J. (2019). Cybersecurity in Accounting Research. Managerial Auditing Journal 34(7), 808-834.

Hahn A. and Govindarasu M. (2011). Cyber Attack Exposure Evaluation Framework for the Smart Grid. Ieee Transactions on Smart Grid 2(4), 835-843.

Haislip J., et al. (2021). The Impact of Executives' It Expertise on Reported Data Security Breaches. Information Systems Research 32(2), 318-334.

Hamdi M. and Boudriga N. (2005). Computer and Network Security Risk Management: Theory, Challenges, and Countermeasures. International Journal of Communication Systems 18(8), 763-793.

Heath B. (2018). Before the Breach: The Role of Cyber Insurance in Incentivizing Data Security. George Washington Law Review 86(4), 1115-1151.

Huang K.M., et al. (2021). A Systematic Framework to Understand Transnational Governance for Cybersecurity Risks from Digital Trade. Global Policy, 14.

Islam M.S., et al. (2018). Factors Associated with Security/Cybersecurity Audit by Internal Audit Function. Managerial Auditing Journal 33(4), 377-409.

Jone.s A. (2007). A Framework for the Management of Information Security Risks. Bt Technology Journal 25(1), 30-36.

Jouini. M. and Ben Arfa Rabai L. (2017). A Security Risk Management Model for Cloud Computing Systems: Infrastructure as a Service. pp 594-608.

Kahyaoglu S.B. and Caliyurt K. (2018). Cyber Security Assurance Process from the Internal Audit Perspective. Managerial Auditing Journal 33(4), 360-376.

Kanoun W., et al. (2012). Towards Dynamic Risk Management: Success Likelihood of Ongoing Attacks. Bell Labs Technical Journal 17(3), 61-78.

Karabacak B. and Sogukpinar I. (2005). Isram: Information Security Risk Analysis Method. Computers & Security 24(2), 147-159.

Karlsson F., et al. (2016). Inter-Organisational Information Security: A Systematic Literature Review. Information and Computer Security 24(5), 418-451.

Kesan J.P. and Zhang L.F. (2020). Analysis of Cyber Incident Categories Based on Losses. Acm Transactions on Management Information Systems 11(4), 28.

Keskin O.F., et al. (2021). Cyber Third-Party Risk Management: A Comparison of Non-Intrusive Risk Scoring Reports. Electronics 10(10), 19.

Kim Y.G. and Cha S. (2012). Threat Scenario-Based Security Risk Analysis Using Use Case Modeling in Information Systems. Security and Communication Networks 5(3), 293-300.

Klievink B., et al. (2017). Een Gezamenlijke Rekening?: Over Digitale Innovatie En Samenwerking in Een Institutional Void. Bestuurskunde 26, 56-64.

Knowles W., et al. (2015). A Survey of Cyber Security Management in Industrial Control Systems. International Journal of Critical Infrastructure Protection 9, 52-80.

Kotulic A.G. and Clark J.G. (2004). Why There Aren't More Information Security Research Studies. Information & Management 41(5), 597-607.

Krishna B.C., et al. (2015). A Dependency Analysis for Information Security and Risk Management. International Journal of Security and Its Applications 9(8), 205-210.

Kumar S., et al. (2021). Antecedents for Enhanced Level of Cyber-Security in Organisations. Journal of Enterprise Information Management 34(6), 1597-1629.

Kuo K.M., et al. (2020). A Meta-Analysis of the Deterrence Theory in Security-Compliant and Security-Risk Behaviors. Computers & Security 96, 12.

Lee I. (2021). Cybersecurity: Risk Management Framework and Investment Cost Analysis. Business Horizons 64(5), 659-671.

Lenstra A. and Voss T. (2004). Information Security Risk Assessment, Aggregation, and Mitigation. In Information Security and Privacy, Proceedings (Wang HX and Varadharajan V, Eds), pp 391-401.

Leszczyna R. (2021). Review of Cybersecurity Assessment Methods: Applicability Perspective. Computers & Security 108, 28.

Lezzi M., et al. (2018). Cybersecurity for Industry 4.0 in the Current Literature: A Reference Framework. Computers in Industry 103, 97-110.

Li Z., et al. (2016). Overview of Risk Management System of Commercial Bank Data Center. International Journal of Security and Its Applications 10(3), 245-257.

Liaropoulos A. (2020.) A Social Contract for Cyberspace, Journal of Information Warfare, 19, 2 (2020). 29, 1-11.

Lloyds (2022). State Backed Cyber-Attack Exclusions. To set out Lloyd’s requirements for state backed cyber-attack exclusions in standalone cyber-attack policies, Lloyds, London, pp 1-3.

Lo C.C. and Chen W.J. (2012). A Hybrid Information Security Risk Assessment Procedure Considering Interdependences between Controls. Expert Systems with Applications 39(1), 247-257.

Loch K.D., et al. (1992). Threats to Information-Systems - Todays Reality, Yesterdays Understanding. Mis Quarterly 16(2), 173-186.

Luo Y.D. (2021). A General Framework of Digitization Risks in International Business. Journal of International Business Studies, 18.

Makhdoom I., et al. (2019). Anatomy of Threats to the Internet of Things. Ieee Communications Surveys and Tutorials 21(2), 1636-1675.

Marotta A., et al. (2017). Cyber-Insurance Survey. Computer Science Review 24, 35-61.

Maynard S.B., et al. (2018). Towards a Framework for Strategic Security Context in Information Security Governance. Pacific Asia Journal of the Association for Information Systems 10(4), 65-88.

McFadzean E., et al. (2007). Perception of Risk and the Strategic Impact of Existing It on Information Security Strategy at Board Level. Online Information Review 31(5), 622-660.

Moreira F.R., et al. (2021). Evaluating the Performance of Nist's Framework Cybersecurity Controls through a Constructivist Multicriteria Methodology. Ieee Access 9, 129605-129618.

Moulton R.T. and Moulton M.E. (1996). Electronic Communications Risk Management: A Checklist for Business Managers. Computers & Security 15(5), 377-386.

Mukhopadhyay A., et al. (2013). Cyber-Risk Decision Models: To Insure It or Not? Decision Support Systems 56, 11-26.

Nicho M. (2018). A Process Model for Implementing Information Systems Security Governance. Information and Computer Security 26(1), 10-38.

Niemimaa M. (2016). Information Systems Continuity Process: Conceptual Foundations for the Study of the "Social". Computers & Security 65, 1-13.

Ocevcic H., et al. (2017). The Impact of Information System Risk Management on the Frequency and Intensity of Security Incidents. International Journal of Electrical and Computer Engineering Systems 8(2), 41-46.

OECD (2015). Digital Security Risk Management for Economic and Social Prosperity. OECD, Paris.

Ogbanufe O., et al. (2021). Informing Cybersecurity Strategic Commitment through Top Management Perceptions: The Role of Institutional Pressures. Information & Management 58(7), 18.

Orojloo H. and Azgomi M.A. (2016). Predicting the Behavior of Attackers and the Consequences of Attacks against Cyber-Physical Systems. Security and Communication Networks 9(18), 6111-6136.

Pal R., et al. (2021). Will Catastrophic Cyber-Risk Aggregation Thrive in the Iot Age? A Cautionary Economics Tale for (Re-)Insurers and Likes. Acm Transactions on Management Information Systems 12(2), 36.

Parn E.A. and Edwards D. (2019). Cyber Threats Confronting the Digital Built Environment Common Data Environment Vulnerabilities and Block Chain Deterrence. Engineering Construction and Architectural Management 26(2), 245-266.

Patel S.C., et al. (2008.) Quantitatively Assessing the Vulnerability of Critical Information Systems: A New Method for Evaluating Security Enhancements. International Journal of Information Management 28(6), 483-491.

Peltier T.R. (2005). Information Security Risk Analysis. Auerbach Publications.

Pereira J.V. (2009). The New Supply Chain's Frontier: Information Management. International Journal of Information Management 29(5), 372-379.

Pfeiffer S. (2017). The Vision of "Industrie 4.0" in the Making-a Case of Future Told, Tamed, and Traded. Nanoethics 11(1), 107-121.

Pham H.C., et al. (2019). Information Security Burnout: Identification of Sources and Mitigating Factors from Security Demands and Resources. Journal of Information Security and Applications 46, 96-107.

Plantin J-C., et al. (2016). Infrastructure Studies Meet Platform Studies in the Age of Google and Facebook. New Media & Society 20,

Posthumus S. and von Solms R. (2004). A Framework for the Governance of Information Security. Computers & Security 23(8), 638-646.

Prislan K., et al. (2020). A Real-World Information Security Performance Assessment Using a Multidimensional Socio-Technical Approach. Plos One 15(9), 28.

Qian Y., et al. (2012). Managing Information Security Risks During New Technology Adoption. Computers & Security 31(8), 859-869.

Quigley K., et al. (2015). 'Cyber Gurus': A Rhetorical Analysis of the Language of Cybersecurity Specialists and the Implications for Security Policy and Critical Infrastructure Protection. Government Information Quarterly 32(2), 108-117.

Ransbotham S. and Mitra S. (2009). Choice and Chance: A Conceptual Model of Paths to Information Security Compromise. Information Systems Research 20(1), 121-139.

Rasouli M.R., et al. (2016). Information Governance Requirements in Dynamic Business Networking. Industrial Management & Data Systems 116(7), 1356-1379.

Rees J. and Allen J. (2008). The State of Risk Assessment Practices in Information Security: An Exploratory Investigation. Journal of Organizational Computing and Electronic Commerce 18(4), 255-277.

Rees L.P., et al. (2011). Decision Support for Cybersecurity Risk Planning. Decision Support Systems 51(3), 493-505.

Rhee H.S., et al. (2012). Unrealistic Optimism on Information Security Management. Computers & Security 31(2), 221-232.

Roberts D.W. (1998). Security Management - the Process. In State of the Art in Applied Cryptography (Preneel B and Rijmen V, Eds), pp 366-376.

Rosati P., et al. (2019). Audit Firm Assessments of Cyber-Security Risk: Evidence from Audit Fees and Sec Comment Letters. International Journal of Accounting 54(3), 56.

Ryan J. and Ryan D.J. (2008). Performance Metrics for Information Security Risk Management. Ieee Security & Privacy 6(5), 38-44.

Salmela H. (2008). Analysing Business Losses Caused by Information Systems Risk: A Business Process Analysis Approach. Journal of Information Technology 23(3), 185-202.

Schinagl S. and Shahim A. (2019). What Do We Know About Information Security Governance? "From the Basement to the Boardroom": Towards Digital Security Governance. Information and Computer Security, 32.

Schlarman S.W., J.; Abdulnabi, A.; Sutherland, M.; Norris, T.; Bleau. H.; Karam, T. (2020). Rsa Digital Risk Report 2020 - Second Edition. p 28.

Schlarman S.W., J; Bergman, S.; Patteson, C.; DeLoach, M.; Hofberg, M.; Grant, A. (2019) Rsa Digital Risk Report 2019 - First Edition. RSA, p 32.

Schley J.L. (1929). Some Notes on the World War. The Military Engineer,

Schwarzer R. (1994). Optimism, Vulnerability, and Self-Beliefs as Health-Related Cognitions: A Systematic Overview. Psychology & Health - PSYCHOL HEALTH 9, 161-180.

Sen R. and Heim G.R. (2016). Managing Enterprise Risks of Technological Systems: An Exploratory Empirical Analysis of Vulnerability Characteristics as Drivers of Exploit Publication. Decision Sciences 47(6), 1073-1102.

Shahim A. (2017). Think Technology - Towards an Orientation of It Auditing. Unpublished Oratie Thesis. University of Amsterdam. Amsterdam.

Shakibazad M. and Rashidi A.J. (2020). New Method for Assets Sensitivity Calculation and Technical Risks Assessment in the Information Systems. Iet Information Security 14(1), 133-145.

Shameli-Sendi A., et al. (2016). Taxonomy of Information Security Risk Assessment (Isra). Computers & Security 57, 14-30.

Shedden P., et al. (2016). Asset Identification in Information Security Risk Assessment: A Business Practice Approach. Communications of the Association for Information Systems 39, 297-320.

Shetty S., et al. (2018). Reducing Informational Disadvantages to Improve Cyber Risk Management. Geneva Papers on Risk and Insurance-Issues and Practice 43(2), 224-238.

Sicari S., et al. (2018). A Risk Assessment Methodology for the Internet of Things. Computer Communications 129, 67-79.

Sillaber C., et al. (2019). Experience: Data and Information Quality Challenges in Governance, Risk, and Compliance Management. Acm Journal of Data and Information Quality 11(2), 14.

Siponen M.T. (2005). An Analysis of the Traditional Is Security Approaches: Implications for Research and Practice. European Journal of Information Systems 14(3), 303-315.

Smith M. (1989). Computer Security - Threats, Vulnerabilities and Countermeasures. Information Age (UK), 205-210.

Sobb T., et al. (2020). Supply Chain 4.0: A Survey of Cyber Security Challenges, Solutions and Future Directions. Electronics 9(11), 31.

Solms B. (2001). Corporate Governance and Information Security. Computers & Security 20, 215-218.

Soomro Z.A., et al. (2016). Information Security Management Needs More Holistic Approach: A Literature Review. International Journal of Information Management 36(2), 215-225.

Stafford T., et al. (2018). The Role of Internal Audit and User Training in Information Security Policy Compliance. Managerial Auditing Journal 33(4), 410-424.

Steinbart P.J., et al. (2012). The Relationship between Internal Audit and Information Security: An Exploratory Investigation. International Journal of Accounting Information Systems 13(3), 228-243.

Stewart A. (2004). On Risk: Perception and Direction. Computers & Security 23(5), 362-370.

Stewart A. (2018). A Utilitarian Re-Examination of Enterprise-Scale Information Security Management. Information and Computer Security 26(1), 39-57.

Stiles P. and Taylor B. (2001). Boards at Work: How Directors View Their Roles and Responsibilities.

Stoll C. and Damron W. (1987). The Cuckoo's Egg: Tracking a Spy through the Maze of Computer Espionage.

Straub D.W. (1990.) Effective Is Security: An Empirical Study. Information Systems Research 1(3), 255-276.

Straub D.W. and Welke R.J. (1998). Coping with Systems Risk: Security Planning Models for Management Decision Making. Mis Quarterly 22(4), 441-469.

Strupczewski G. (2021). Defining Cyber Risk. Safety Science 135, 10.

Sun J., et al. (2011). The More Secure the Better? A Study of Information Security Readiness. Industrial Management & Data Systems 111(3-4), 570-588.

Sveen F.O., et al. (2009). Blind Information Security Strategy. International Journal of Critical Infrastructure Protection 2(3), 95-109.

Szakal A.R. and Pearsall K.J. (2014). Open Industry Standards for Mitigating Risks to Global Supply Chains. Ibm Journal of Research and Development 58(1),

Talabeigi E. and Naeeini SG., J. (2016). Information Security Risk Management and Incompatible Parts of Organization. Journal of Industrial Engineering and Management-Jiem 9(4), 964-977.

Talesh S.A. (2018). Data Breach, Privacy, and Cyber Insurance: How Insurance Companies Act as "Compliance Managers" for Businesses. Law and Social Inquiry-Journal of the American Bar Foundation 43(2), 417-440.

Taylor R.G. (2015). Potential Problems with Information Security Risk Assessments. Information Security Journal 24(4-6), 177-184.

Technology NIoSa (2014). Framework for Improving Critical Infrastructure Cybersecurity: Version 1.0. pp 55-98.

Technology NIoSa (2018). Framework for Improving Critical Infrastructure Cybersecurity: Version 1.1.

Tiganoaia B. (2015). Some Aspects Regarding the Information Security Management System within Organizations - Adopting the Iso/Iec 27001:2013 Standard. Studies in Informatics and Control 24(2), 201-210.

Tilson D., et al. (2011). The Paradoxes of Change and Control in Digital Infrastructures: The Mobile Operating Systems Case.

Tiwana A., et al. (2010). Research Commentary —Platform Evolution: Coevolution of Platform Architecture, Governance, and Environmental Dynamics. Information Systems Research 21, 675-687.

Topping C., et al. (2021). Beware Suppliers Bearing Gifts!: Analysing Coverage of Supply Chain Cyber Security in Critical National Infrastructure Sectorial and Cross-Sectorial Frameworks. Computers & Security 108, 17.

Tsaregorodtsev A.V., et al. (2018). Information Security Risk Estimation for Cloud Infrastructure. International Journal on Information Technologies and Security 10(4), 67-76.

Tsohou A., et al. (2015). Analyzing the Role of Cognitive and Cultural Biases in the Internalization of Information Security Policies: Recommendations for Information Security Awareness Programs. Computers & Security 52, 128-141.

Tu C.Z., et al. (2018). Strategic Value Alignment for Information Security Management: A Critical Success Factor Analysis. Information and Computer Security 26(2), 150-170

Turner H., et al. (2015.) Bad Parts: Are Our Manufacturing Systems at Risk of Silent Cyberattacks? Ieee Security & Privacy 13(3), 40-47.

Tweneboah-Koduah S., et al. (2021). Quantitative Estimate of Infrastructure Interdependence. Wireless Personal Communications 118(1), 261-280.

Unit42 (2020). Unit 42 Iot Threat Report. Palo Alto Networks, Santa Clara.

van Haastrecht M et al. (2021). Respite for SMEs: A Systematic Review of Socio-Technical Cybersecurity Metrics. Applied Sciences-Basel 11(15), 28.

Vincent N.E., et al. (2019). Board and Management-Level Factors Affecting the Maturity of It Risk Management Practices. Journal of Information Systems 33(3), 117-135.

Vitunskaite M., et al. (2019). Smart Cities and Cyber Security: Are We There Yet?A Comparative Study on the Role of Standards, Third Party Risk Management and Security Ownership. Computers & Security 83, 313-331.

von Solms B. (2006). Information Security - the Fourth Wave. Computers & Security 25(3), 165-168.

von Solms B. and von Solms R. (2004). The 10 Deadly Sins of Information Security Management. Computers & Security 23(5), 371-376.

von Solms B. and von Solms R. (2005). From Information Security to…Business Security? Computers & Security 24(4), 271-273.

Von Solms R., et al. (1994). A Framework for Information Security Evaluation. Information & Management 26(3), 143-153.

von Solms S.H. (2005). Information Security Governance - Compliance Management Vs Operational Management. Computers & Security 24(6), 443-447.

Wallace L., et al. (2011). Information Security and Sarbanes-Oxley Compliance: An Exploratory Study. Journal of Information Systems 25, 185-211.

Walton S., et al. (2021). An Integrative Review and Analysis of Cybersecurity Research: Current State and Future Directions. Journal of Information Systems 35(1), 155-186.

Wangen G., et al. (2018). A Framework for Estimating Information Security Risk Assessment Method Completeness: Core Unified Risk Framework, Curf. International Journal of Information Security 17(6), 681-699.

Webb J., et al. (2014). A Situation Awareness Model for Information Security Risk Management. Computers & Security 44, 1-15.

Weintraub E. and Cohen Y. (2016). Security Risk Assessment of Cloud Computing Services in a Networked Environment. International Journal of Advanced Computer Science and Applications 7(11), 79-90.

White G. (2009). Strategic, Tactical, & Operational Management Security Model. Journal of Computer Information Systems 49(3), 71-75.

Wilding R. and Wheatley M. (2015). Q&A How Can I Secure My Digital Supply Chain? Technology Innovation Management Review, 40-43.

Windelberg M. (2016). Objectives for Managing Cyber Supply Chain Risk. International Journal of Critical Infrastructure Protection 12, 4-11.

Wood M.D., et al. (2019.) Quantifying and Mapping Resilience within Large Organizations. Omega-International Journal of Management Science 87, 117-126.

Woods D., et al. (2017). Mapping the Coverage of Security Controls in Cyber Insurance Proposal Forms. Journal of Internet Services and Applications 8, 13.

WRR (2020). Voorbereiden Op Digitale Ontwrichting.

Wu Y., et al. (2021). Information Security Decisions of Firms Considering Security Risk Interdependency. Expert Systems with Applications 178, 15.

Yang Z.C. and Lui JC., S (2014). Security Adoption and Influence of Cyber-Insurance Markets in Heterogeneous Networks. Performance Evaluation 74, 1-17.

Young D., et al. (2016). A Framework for Incorporating Insurance in Critical Infrastructure Cyber Risk Strategies. International Journal of Critical Infrastructure Protection 14, 43-57.

Youssef A.E. (2019). A Framework for Cloud Security Risk Management Based on the Business Objectives of Organizations. International Journal of Advanced Computer Science and Applications 10(12), 186-194.

Zahid M., et al. (2020). A Security Risk Mitigation Framework for Cyber Physical Systems. Journal of Software-Evolution and Process 32(2), 15.

Zammani M., et al. (2019). Factors Contributing to the Success of Information Security Management Implementation. International Journal of Advanced Computer Science and Applications 10(11), 384-391.

Zhang H., et al. (2018). Decision Support for the Optimal Allocation of Security Controls. Decision Support Systems 115, 92-104.

Zhao X., et al. (2013). Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements. Journal of Management Information Systems 30(1), 123-152.

Zio E. (2018). The Future of Risk Assessment. Reliability Engineering & System Safety 177, 176-190