Information security governance in the public sector: investigations, approaches, measures, and trends

Information security governance in the public sector involves risk management, accountability frameworks, network security, e-government systems infrastructure, mitigation plans, and alignment with corporate strategy. It equips organizations with the ability to deal with the security of their vital information assets systematically. However, several recent hacking incidents reveal the fact that substandard governance processes are among the common causes of weak security measures in most organizations. This study has been conducted following the established protocol outlined in the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) guidelines. Systematic Mapping Review (SMR) initially identified 1496 papers, and this reviews and reports on 41 papers. The reviewed literature emphasizes the adherence to recognized governance standard frameworks such as ISO/IEC 27,001, EU General Data Protection Regulations (GDPR), and EU Network and Information Security Act (NIS) for providing effective information security guidance frameworks in the public sector. However, a general scarcity is found regarding the best practices followed in the area of information security compliance. There is a lack of employing key performance indicators, risk assessment measures, security maturity models in organizations, and compliance audits. Additionally, the study suggests that, to some extent, the adoption of appropriate information security governance procedures is linked with available budgeted resources for individual organizations. The study results can serve as a starting point for the research and practitioners' community in the area of information security governance.