Information Security Risk Management in IT Outsourcing – A Quarter-century Systematic Literature Review
Journal of Global Information Technology Management (IF 3.444), Pub Date: 2021-12-17, DOI: 10.1080/1097198x.2021.1993725
Baber Majid Bhatti 1, Sameera Mubarak 1, Sev Nagalingam 2

ABSTRACT

Information Security Risk Management (ISRM) in Information Technology Outsourcing (ITO) is among the most critical and under-studied areas of ITO research. This study investigates the body of knowledge focusing on ISRM in ITO by conducting a systematic literature review (SLR) and analyzes 63 papers published between 1994 and 2020. The findings suggest that developing conceptual models or providing commentary is the most popular methodology. Most studies collect data from secondary sources instead of industry. A majority of the studies neither investigate any specific industry nor ITO orientation, i.e., client or service providers. Information security risks (ISRs) from the literature are categorized into 27 types. Most ISRs belong to operations practice, while lack of staff loyalty is the least investigated type of ISRs. Theories, frameworks and models discussed in the literature are explored. A critical analysis of the findings is conducted to identify the gaps and future directions. Since most of the literature is based on conceptual work, it is hard for practitioners to apply this knowledge in the industry unless validated by further research. Specialized literature from the perspectives of ITO orientation, industry type and demographics is required to investigate focused issues and develop accurate knowledge of ISRM in ITO.



Updated: 2021-12-17