Abstract

Background: The rapidly evolving cybersecurity environment demands research that reflects the interconnected technical, organisational, and human factors shaping modern digital risk. Information systems (IS), as a multidisciplinary field, is well positioned to address this complexity by integrating behavioural, managerial, economic, and technological perspectives. However, the current literature shows a tendency to rely on psychological theories and individual-level explanations, limiting the development of system-level insights that organisations require for effective cybersecurity governance and strategic decision-making.

Method: The study systematically reviewed 163 papers published in leading A and A* IS journals. Following established content-analysis procedures, articles were coded against CyBOK knowledge areas, theoretical foundations, and methodological approaches to ensure rigour, reliability, and transparency.

Results: The review indicates that IS cybersecurity research remains heavily weighted towards behavioural constructs, with comparatively little attention to organisational capabilities, governance structures, economic evaluation, or operational resilience. These gaps point to the need for theoretical expansion through lenses such as dynamic capabilities, institutional theory, and real-options reasoning. The findings also highlight the importance of methodological diversity, particularly qualitative studies, case research, and design science research, to produce knowledge that is both conceptually robust and directly applicable to practice.

Conclusions: A more comprehensive sociotechnical approach to IS cybersecurity research can strengthen theoretical development and improve practical relevance by addressing organisational realities, informing governance and investment decisions, and supporting actionable, practice-aligned improvements in cybersecurity resilience.
