IT GOVERNANCE AND MANAGEMENT

A Framework
for Information
Security
Governance and
Management
Marian Carcary, Maynooth University, Ireland
Karen Renaud, University of Glasgow, Scotland
Stephen McLaughlin and Conor O’Brien, Maynooth University, Ireland

The capability maturity framework presented helps organizations

assess their maturity state and identify problem areas. It addresses
the technical, process, and human aspects of information security and
provides guidelines for implementing information security governance
and management processes.

T
he ongoing escalation of security threats
is driven by numerous factors, includ-
ing progressively more ubiquitous mo-
bile and cloud computing, social media
usage, and the increased digitization of business
processes.1 These and other emerging technolog-
ical developments, along with sophisticated inter-
nal and external attacks, ensure that a company’s
capacity to secure its information effectively re-
mains a critical requirement for business survival.
Over time, changes in the nature of security
threats have necessitated an evolution in the ap-
proaches organizations adopt toward information
security governance and management (ISGM).2,3
Initially, ISGM was regarded as a technical activity.
However, this view is shifting toward more open,
inclusive approaches that reflect the importance of
embedding information security within organiza-
tional structures,3,4 and approaches that empha-
size the development of an information security
culture embedded in employees’ day-to-day work
practices.5–7 Although many ISGM frameworks
exist that reflect this progressive thinking, they
are often high-level and theoretical, and do not
offer practical suggestions to support their opera-
tionalization or implementation by practitioners.
Here, we present a practitioner-oriented ISGM
capability maturity framework that incorporates

22 IT Pro March/April 2016 Published by the IEEE Computer Society 1520-9202/16/$33.00 © 2016 IEEE
Authorized licensed use limited to: North West University. Downloaded on December 02,2020 at 22:14:56 UTC from IEEE Xplore. Restrictions apply.
 IT Capability Maturity Framework
T he IT Capability Maturity Framework (IT-CMF)1
is an action-oriented, IT capability toolset that
provides a modular view of 35 IT-related critical
capabilities. For each IT-CMF capability, a series of
management insights, maturity roadmaps, assess-
ment instruments, and improvement guidelines
has been developed. The framework’s five-level
maturity curve enables organizations to system-
atically assess and understand their current IT
capability maturity, strategically prioritize specific
technical, process, and human dimensions. The
framework is underpinned by the premise that
the pace and manner with which an organiza-
tion can proactively respond to new and emerg-
ing security threats depends on the maturity of
its ISGM capability. Approaches to ISGM must
be fluid and responsive to the changing infor-
mation security landscape; by developing their
capabilities to sense, evaluate, and react to new
and emerging security threats, organizations can
more proactively position themselves to effec-
tively and continually secure information assets.
An Information Security Capability
Maturity Framework
The Innovation Value Institute (IVI) is a research
entity supported by a diverse international con-
sortium of organizations, government agencies,
and academic institutions. It was formed to ad-
dress the challenges faced in optimizing the
business value derived from the application of IT.
Using an open innovation collaborative research
approach, IVI has developed a capability matu-
rity framework for ISGM that is a component of
its IT Capability Maturity Framework (IT-CMF;
see the sidebar for more information). Its devel-
opment was informed through
• comparisons with information security standards
and frameworks (COBIT 5.0 for information se-
curity,8 the Open Group’s Information Security
Management Maturity Model,9 the IT Security
Essential Body of Knowledge,10 and ISO 2700211);
• academic and practitioner literature analy-
sis5–7,12–14; and
• insights from subject matter experts and key
opinion leaders, including academic researchers,
industry-based practitioners, thought leaders,
Authorized licensed use limited to: North West University. Downloaded on December 02,2020 at 22:14:56 UTC from IEEE Xplore. Restrictions apply.
capabilities, and move toward their desired target
maturity state. Since its inception, IT-CMF has
been adopted by more than 400 organizations,
and more than 500 formal assessments have been
undertaken. For more information, visit www.ivi.
nuim.ie.
Reference
1. M. Curley, Managing Information Technology for
Business Value, Intel Press, 2004.
and consultants, who collaborated in a work-
group setting to co-produce the ISGM body of
knowledge and maturity framework.
The resultant framework produced enables orga-
nizations to understand their key ISGM strengths,
weaknesses, and areas for improvement.
Framework Overview
The ISGM framework focuses on determining
an organization’s ability to direct, oversee, and
control the actions and processes required to
protect documented and digitized information
and information systems, and to guard against
unauthorized access, use, disclosure, disruption,
modification, or destruction in order to provide
data confidentiality, integrity, availability, accessibil-
ity, and usability.15,16 The framework expands the
commonly cited triad of confidentiality, integrity,
and availability with the concepts of accessibil-
ity and usability. With respect to accessibility, a
failure to support and understand how security
can change work practices can impede how data
and information are accessed, shared, and acted
on in an increasingly dynamic, competitive en-
vironment. Similarly, usability is a key factor in
engaging stakeholders in core business process-
es; irrespective of the availability of technology
to support work practices, if the technology is
difficult to interact and engage with, users might
adopt other locally developed, less secure meth-
ods of access. The ISGM framework classifies
ISGM activities across the following six high-
level activity categories:
• Governance provides the oversight structures to
support ISGM; it implements information se-
curity strategy, policies, and controls; assigns
computer.org/ITPro 23
 IT GOVERNANCE AND Management

Table 1. Capability building blocks (CBBs) for the framework.15,16

Category CBBs Description

Governance Information security Develop, communicate, and support the organization’s information security
strategy objectives.
Security policies & Establish and maintain security policies and controls, taking into account
controls relevant security standards, regulatory and legislative security requirements,
and the organization’s security objectives.
Security roles, Establish responsibilities and accountabilities for information security roles,
responsibilities, & and check enforcement.
accountabilities
Communication & Disseminate security approaches, policies, and other relevant information to
training develop security awareness and skills.
Security performance Report on the effectiveness and efficiency of information security policies and
reporting activities, and the level of compliance with them.
Supplier security Define security requirements pertaining to the procurement and supply of
hardware, software, services, and data.
Technical Security architecture Build security criteria into the design of IT solutions—for example, by
security defining coding protocols, depth of defense, configuration of security
features, and so on.
IT component security Implement measures to protect all IT components, both physical and virtual,
such as client computing devices, servers, networks, storage devices, printers,
and smartphones.
Physical infrastructure Establish and maintain measures to safeguard the IT physical infrastructure
security from harm. Threats to be addressed include extremes of temperature,
malicious intent, and utility supply disruptions.
Security Budget for security Provide security-related budget criteria.
resource Tools & resources Specify and procure security tools/products and resources; manage the tools,
management security solutions, and staff assigned for security purposes.
Resource effectiveness Measure “value for money” from security investments; capture feedback
from stakeholders on the effectiveness of security resource management.
Security risk Security threat profiling Gather intelligence on IT security threats and vulnerabilities to better understand
control the IT security threat landscape within which the organization operates,
including the actors, scenarios, and campaigns that might pose a threat.
Security risk assessment Identify exposures to security-related risks, and quantify their likelihood and
potential impact.
Security risk prioritization Prioritize information security risks and risk-handling strategies based on
residual risks and the organization’s risk appetite.
Security risk handling Implement strategies for handling information security risk, including risk
acceptance, transfer, absorption, and mitigation, as appropriate. Promote
interaction with incident management functions.
Security risk monitoring Manage the ongoing efficacy of information security risk-handling strategies
and control options.
Security data Data identification & Define information security classes, and provide guidance on protection and
administration classifications access control appropriate to each class.
Access rights Manage user access rights to information throughout its life cycle, including
management granting, denying, and revoking access privileges.
Data life-cycle Provide the security expertise and guidance to ensure that data throughout
management its life cycle is appropriately available, adequately preserved, or destroyed to
meet business, regulatory, and other security requirements.
Business Business continuity Provide stakeholders throughout the organization with security advice to
continuity planning assist in the analysis of incidents and to ensure that data is secure before,
management during, and after the execution of the business continuity plan.
Incident management Manage security-related incidents and near incidents. Develop and
train incident response teams to identify and limit exposure, manage
communications, and coordinate with regulatory bodies as appropriate.

24 IT Pro March/April 2016

Authorized licensed use limited to: North West University. Downloaded on December 02,2020 at 22:14:56 UTC from IEEE Xplore. Restrictions apply.
 roles and responsibilities for ISGM activities;
provides communication and training; reports
on ISGM activities’ effectiveness; and manages
supplier security requirements.
• Technical security establishes a security architec-
ture and implements measures to manage IT
component and physical infrastructure security.
• Security resource management provides security
budgets, tools, and resources, and measures the
resource effectiveness of security investments.
• Security risk control profiles security threats and
assesses, prioritizes, handles, and monitors
security-related risks.
• Security data administration defines data security
classifications and provides guidance on man-
aging access rights and data throughout its life
cycle.
• Business continuity management plans and tests
the security of business continuity measures
and manages security inputs into incident
management.15,16
As Table 1 shows, these high-level activity catego-
ries are decomposed into 22 capability building
blocks (CBBs).
Framework Maturity Profile
With respect to each of the CBBs outlined in Ta-
ble 1, the framework defines a five-level maturity
curve15 that serves as the basis for understanding
an organization’s ISGM capability and provides a
foundation for capability improvement planning.
Initial. Level 1 maturity is characterized by the ad
hoc definition of an information security strat-
egy, policies, and standards. Physical environ-
ment and IT component security are only locally
addressed. There is no explicit consideration of
budget requirements for information security ac-
tivities, and no systematic management of secu-
rity risks. Access rights and the security of data
throughout its life cycle are managed at best us-
ing informal procedures. Similarly, security inci-
dents are managed in an ad hoc manner.
Basic. Level 2 maturity reflects the linking of a ba-
sic information security strategy to business and
IT strategies and risk appetite in response to indi-
vidual needs. It also involves the development and
review of information security policies and stan-
dards, typically after major incidents. IT compo-
Authorized licensed use limited to: North West University. Downloaded on December 02,2020 at 22:14:56 UTC from IEEE Xplore. Restrictions apply.
nent and physical environment security guidelines
are emerging. There is some consideration of se-
curity budget requirements within IT, and require-
ments for high-level security features are specified
for major software and hardware purchases. A ba-
sic security risk-management process is established
within IT based on perceived risk. Access rights
management is dependent on vendor-supplied so-
lutions. Processes for managing the security of data
throughout its life cycle are emerging. Major secu-
rity incidents are tracked and recorded within IT.
Intermediate. Level 3 maturity reflects a detailed
information security strategy that’s regularly
aligned to business and IT strategies and risk ap-
petite across IT and some other business units.
Information security policies and standards are
developed and revised based on a defined process
and regular feedback. IT and some other business
units have agreed-on IT component and physical
environment security measures. IT budget pro-
cesses acknowledge and provide for the most im-
portant information security budget requests in
IT and some other business units. The security
risk-management process is proactive and jointly
shared with corporate collaboration. Access rights
are granted based on a formal and audited autho-
rization process. Detailed processes for managing
data security throughout its life cycle are imple-
mented. Security incidents are managed based on
the urgency to restore services, as agreed on by IT
and some other business units.
Advanced. Level 4 maturity is characterized
by regular, enterprise-wide improvement in the
alignment of the information security strategy,
policies, and standards with business and IT
strategies and compliance requirements. IT com-
ponent security measures on IT systems are im-
plemented and tested enterprise-wide for threat
detection and mitigation. Physical environment
security is integrated with access controls and
surveillance systems across the enterprise. De-
tailed security budget requirements are incor-
porated in enterprise-wide business planning
and budgeting activities. A standardized security
risk-management process is aligned with an en-
terprise risk-management process. Access rights
are implemented and audited across the enter-
prise. Data is effectively preserved throughout
its life cycle, and data availability is effectively
computer.org/ITPro 25
 IT GOVERNANCE AND Management

Maturity of capability building blocks Initial Basic Intermediate Advanced Optimizing

1.5 4.0
Information security strategy 2.0 3.3
Security policies & controls 2.0 4.0
Security roles, responsibilities 1.5 3.5
Governance
Communication & training 2.0 3.0
Security performance reporting 2.0 3.5
Supplier security 2.0 3.0
Security architecture 2.5 4.0
Technical security IT component security 2.0
Physical infrastructure security 1.0 3.0
Security budgeting 2.0
Security resource
Resource effectiveness 2.0 3.0
management
Tools & resources 1.0
Security threat profiling 2.0 4.0
Security risk assesment
Security risk Security risk prioritization
control 1.0 2.5
Security risk handling 2.0 4.0
Security risk monitoring 3.0
Data identification & classifications 1.5 3.5
Security data
Access rights management 2.0 3.0
administration
Data life-cycle management 3.0 4.0
Business continuity Business continuity planning 2.0 4.0
management Incident management

Current maturity Target maturity Average maturity for CC

Figure 1. Assessment results showing an organization’s maturity ratings across the capability building blocks (CBBs).

managed to meet business, regulatory, and secu-
rity requirements. Recurring incidents are sys-
tematically addressed enterprise-wide through
problem-management processes that are based
in root cause analysis.
Optimizing. Level 5 maturity reflects an informa-
tion security strategy that is regularly aligned to
business and IT strategies and risk appetite across
the business ecosystem. Information security pol-
icies and standards are periodically reviewed and
revised based on input from the business ecosys-
tem. The management of IT component security
is optimized across the security framework layers.
Physical access and environmental controls are
regularly improved. Security budget requirements
are improved to provide adequate funding for cur-
rent and future security purposes. The security
risk-management process is agile and adaptable,
and tools can be used to address the business eco-
system’s requirements. Access rights management
is dynamic and can effectively address organiza-
tional restructures, acquisitions, and divestments.
Processes for managing data security throughout
its life cycle are continuously improved. Automat-
ed incident prediction systems are in place, and
security incidents are effectively managed.
Assessing Capability Maturity
The framework’s assessment tool provides a
granular and focused view of an organization’s
current maturity state for each CBB, desired or
target maturity state for each CBB, and impor-
tance attributed to each CBB. These maturity and
importance scores are primarily determined by an
online survey undertaken by the organization’s
key IT and business stakeholders. The survey
typically takes each assessment participant 40–50
minutes to complete, and the data collected can be
augmented by qualitative interview insights that
focus on issues such as key information-security-
related business priorities, successes achieved,
and initiatives taken or planned. The assessment
provides valuable insight into the similarities and
differences in how key stakeholders view both the
importance and maturity of individual CBBs, as
well as the overall vision for success.
Figure 1 shows the results of an organization’s
ISGM capability maturity assessment, outlining
its current and target CBB maturity across all

26 IT Pro March/April 2016

Authorized licensed use limited to: North West University. Downloaded on December 02,2020 at 22:14:56 UTC from IEEE Xplore. Restrictions apply.
22 CBBs. For each CBB, the maturity results are
automatically generated by the IVI assessment
tool, based on averaging the scores of all survey
participants across all questions pertaining to
that CBB. Based on this average score achieved,
the organization highlighted in Figure 1 reflects
a level 1.8 (initial) current maturity status for
ISGM overall, but it is less mature in some CBBs,
such as security budgeting, resource effective-
ness, security threat profiling, and security risk
handling. Based on the average across all CBBs,
its desired target ISGM maturity state is maturity
level 3.6 (intermediate).
Plotting current and target levels of maturity
and strategic importance helps an organization
identify gaps in capabilities, and this becomes
the foundation for capability improvement plan-
ning. Figure 2 reflects the organization’s gap be-
tween current and target CBB maturity states,
mapped against the importance attributed to the
various CBBs. These results are automatically
generated by the IVI assessment tool, based on
averaging the current maturity scores, the tar-
get maturity scores, and the importance scores
of all survey participants, across all questions
pertaining to that CBB. The distance or gap be-
tween the averaged current maturity score and
the averaged target maturity score is plotted
against the averaged importance score. Those
CBBs reflected in the gray-shaded quadrant
of Figure 2—specifically, information security
strategy, security threat profiling, access rights
management, and incident management—are
highly important but have the largest gaps to
bridge, and as such are identified as priorities
for future improvement.

A1 Information security strategy

2.5 A1 A2 Security policies & controls

Governance A3 Security roles, responsibilities
A4 Communication & training
2.3 A5 Security performance reporting
A6 Supplier security
B1 Security architecture
2.1 Technical B2 IT component security
D5 security B3 Physical infrastructure security
A3 F2 D1
C1 D3 B3 A4
E2 Security C1 Security budgeting
1.9 D2 resource C2 Resource effectiveness
management C3 Tools & resources
D1 Security threat profiling
Maturity gap

1.7
Security risk D2 Security risk assessment

control D3 Security risk prioritization

D4 Security risk handling
A6 D4
1.5 B2 D5 Security risk monitoring

E1 Data identification &

Security data classifications
A2 E2 Access rights management
1.3 administration
E3 Data life-cycle management

Business F1 Business continuity planning

1.1 continuity F2 Incident management

management
A5 C3 E3
F1
C2 E1 B1
0.9

0.7
2.9 3.2 3.4 3.7 3.9 4.2 4.4 4.7 4.9
Importance

Figure 2. Assessment results showing an organization’s maturity gap vs. importance scores for all capability
building blocks.

computer.org/ITPro 27
Authorized licensed use limited to: North West University. Downloaded on December 02,2020 at 22:14:56 UTC from IEEE Xplore. Restrictions apply.
 IT GOVERNANCE AND Management

Table 2. Example practices and metrics to drive improvement in specific capability building blocks (CBBs).15

Current Next-level Practices to increase CBB

CBB maturity maturity maturity level Metrics
Information 1.5 2 Develop basic information Existence and availability of security
security strategy security strategies that strategies that include business and
consider IT and business IT strategies and risk appetite
strategies and risk appetite. Number and percent of
stakeholders aware of and using
information security strategies
Security threat 1 2 Conduct basic intelligence Number of threat areas covered by
profiling gathering and create basic the threat profile
threat profiles. Number of threat agents identified

Access rights 1.5 2 Establish a process to withdraw
management employee access rights if abused.
Discourage sharing of credentials.
Provide employees with access
to a password-management
package.
Incident 2 3 Prioritize and manage security
management incidents based on the urgency
to restore services. Record
security incidents and handling
actions in IT and some other
business units.
Number of access rights audit
exceptions
Number of grant/revoke of access
rights by department
Number of business units that
contributed to prioritization
Number of incidents and percent
resolved

Developing Improvement Action Plans formation security consultants and practitioners.

The output from the framework’s assessment
supports understanding the actions necessary to
drive improvement and enable the organization to
systematically transition from its current to target
maturity state. This is achieved by implementing
a series of industry-validated practices that en-
able organizations to incrementally improve, and
monitoring and tracking progress over time using
a series of industry-validated metrics. Table 2 in-
cludes sample practices and metrics for the four
CBBs highlighted for prioritized improvement in
Figure 2. For each of these CBBs, the figure out-
lines the current reported maturity and the prac-
tices required to transition to the next maturity
state. Note that additional practices are available
to support transitioning to the desired maturity
state.
Framework Efficacy:
Insights from Industry
The framework we present is currently being ad-
opted by member organizations of the IVI Con-
sortium. The relevance of adopting and employing
this capability maturity approach to managing
and governing information security is reflected in
the following sample comments from several in-
They stated, for example, that the framework
• “provides a consistent, easy-to-use, and busi-
ness-focused framework and common language
to use across the organization”;
• “works for organizations across all sizes and
sectors by providing a structured yet flexible se-
curity framework and common language to set
agreed-on security targets specific to that busi-
ness and measure tangible improvement”; and
• “enables organizations to set the security stan-
dard appropriate to that individual business
and harness resources across the organization
to achieve a level of security to deliver business
confidence and advantage.”
One organization commented that “using the
framework to improve our capability is our com-
mitment to applying best practice to data stew-
ardship; safeguarding business data goes hand in
hand with safeguarding other business assets in
protecting the value of the business.”
Such comments reflect the value of applying a
capability maturity approach to identifying and
resolving ISGM problem areas to effectively pro-
tect against new and emerging security threats.

28 IT Pro March/April 2016

Authorized licensed use limited to: North West University. Downloaded on December 02,2020 at 22:14:56 UTC from IEEE Xplore. Restrictions apply.
T
he turbulent nature of the information se-
curity threat landscape, in a business envi-
ronment characterized by IT pervasiveness,
dictates the strategic imperative to effectively gov-
ern and manage information security. Within orga-
nizations, both business and IT stakeholders need
to focus on closing the gap between the current
and required level of ISGM capability to effective-
ly protect against new and emerging threats. The
capability approach helps focus organizations on
continually evaluating, re-evaluating, and develop-
ing the ISGM capability in line with environmental
changes and new opportunities and threats.
As we’ve highlighted, the ISGM framework
provides a practical and action-oriented toolkit
to assist organizations in driving and improving
ISGM capability maturity. Through periodically
assessing the ISGM capability and determining
aspects or building blocks for prioritized im-
provement based on their strategic importance,
an organization can measure over time its prog-
ress in transitioning to the desired capability
level and the value derived in so doing, as well
as develop a roadmap and action plan for future
­initiatives.
References
1. M. Suby, The 2013 (ISC)2 Global Information Security
Workforce Study, Frost and Sullivan Market Survey,
2013.
2. E. Alqurashi, G. Wills, and L. Gilbert, “A Viable System
Model for Information Security Governance: Estab-
lishing a Baseline of the Current Information Security
Operations System,” Security and Privacy Protection in In-
formation Processing Systems, Springer, 2013, pp. 245–256.
3. R. Reese, S. Chaudhry, and P.E. Chaudhry, “Devel-
oping a Model for Enterprise Information Systems
Security,” Economics, Management, and Financial Mar-
kets, vol. 4, 2012, pp. 587–599.
4. M.S. Saleh and A. Alfantookh, “A New Comprehen-
sive Framework for Enterprise Information Security
Risk Management,” Applied Computing and Informatics,
vol. 9, no. 2, 2011, pp. 107–118.
5. Q. Hu et al., “Managing Employee Compliance with
Information Security Policies: The Critical Role of
Top Management and Organizational Culture,” Deci-
sion Sciences, vol. 43, no. 4, 2012, pp. 615–660.
6. R. Hyeun-Suk, U.R. Young, and K. Cheong-Tag,
“Unrealistic Optimism on Information Security
Management,” Computers and Security, vol. 31, no. 2,
2012, pp. 221–232.
Authorized licensed use limited to: North West University. Downloaded on December 02,2020 at 22:14:56 UTC from IEEE Xplore. Restrictions apply.
7. J. Spears and H. Barki, “User Participation in Infor-
mation Systems Security Risk Management,” MIS
Quarterly, vol. 34, no. 3, 2010, pp. 503–528.
8. COBIT 5—A Business Framework for the Governance and
Management of Enterprise IT, ISACA, 2012.
9. Open Information Security Management Maturity Model,
Open Group, Van Haren, 2011.
10. “IT Security Essential Body of Knowledge,” US Dept.
of Homeland Security, 2008; http://csrc.nist.gov/
groups/SMA /ispab/documents/minutes/2007-12/
ISPAB_Dec7-BOldfield.pdf.
11. ISO/IEC 27002:2013—Information Technology—Secu-
rity Techniques—Code of Practice for Information Secu-
rity Controls, Int’l Organization for Standardization,
2013.
12. S. Alfawaz, K. Nelson, and K. Mohannak, “Infor-
mation Security Culture: A Behaviour Compliance
Conceptual Framework,” Proc. 8th Australasian Conf.
Information Security, 2010, pp. 47–55.
13. A. Da Veiga and J.H.P. Eloff, “A Framework and
Assessment Instrument for Information Security
Culture,” Computers and Security, vol. 29, no. 2, 2010,
pp. 196–207.
14. J.F. Van Niekerk and R. Von Solms, “Information Se-
curity Culture: A Management Perspective,” Comput-
ers and Security, vol. 29, no. 4, 2010, pp. 476–486.
15. “Information Security Management,” Innovation
Value Institute, 2015; https://ivi.nuim.ie/it-cmf/
information-security-management.
16. The Information Technology Capability Maturity Framework
(IT-CMF)—The Body of Knowledge Guide, M. Curley, J.
Kenneally, and M. Carcary, eds., Van Haren, 2015.
Marian Carcary is a senior lead researcher with the Inno-
vation Value Institute at Maynooth University, Ireland. Her
research interests include design science, information security
management, and cloud computing. Carcary researches the
development and deployment of the IT Capability Matu-
rity Framework (IT-CMF), and has managed and worked
on national and European-funded projects in the areas of
e-skills and IT management for small and medium-sized en-
terprises. Contact her at marian.carcary@nuim.ie.
Karen Renaud is a computer scientist at the University of
Glasgow, Scotland. Her research interests include human-
centred security, knowledge visualization, and SMS-based
voting. Renaud has made contributions in the fields of us-
able security, technology adoption, email usage, electronic
voting, and design patterns, and has worked with organi-
zations in the field of security management. Contact her at
karen.renaud@glasgow.ac.uk.
computer.org/ITPro 29
 IT GOVERNANCE AND Management

Stephen McLaughlin is the former head of R&D for the His research interests are in adaptive self-auditing pro-
Innovation Value Institute and IT Competence Centre at cesses and understanding the contribution of knowledge
Maynooth University, Ireland. His research interests are sources to innovative practices in software development
in understanding how organizations can develop effec- environments. O’Brien is an accomplished IT profes-
tive performance-related knowledge transfer mechanisms. sional with extensive experience in business analysis,
McLaughlin has led research for IBM in identifying knowl- innovative solutions conceptualization, and solutions
edge and innovation barriers within complex organizations, design, development, test, and delivery. Contact him at
and developing frameworks for assessing service innovation conor.obrien@nuim.ie.
capability. Contact him at stephen.mclaughlin@nuim.ie.

Conor O’Brien is a senior researcher at the Innova- Selected CS articles and columns are available
tion Value Institute at Maynooth University, Ireland. for free at http://ComputingNow.computer.org.

MAY/JUNE 2015 WWW.COMPUTER.ORG/SOFTWARE

IEEE SOFTWARE
May/June 2015

IEEE Software offers

MARCH/APRIL 2015 WWW.COMPUTER.ORG/SOFTWARE

pioneering ideas,
SYSTEMS AND SOFTWARE VARIABILITY

IEEE SOFTWARE

expert analyses, and

thoughtful insights for
March/April 2015

software professionals
who need to keep up
Volume 32 Number 3

with rapid technology

RELEASE ENGINEERING

CO
DE
MA INFL A

change. It’s the authority

NA
GIN TION
GT //
ECH 10
NIC
AL
D EB
T //

on translating software
22
JANUARY/FEBRUARY 2015 WWW.COMPUTER.ORG/SOFTWARE
IEEE SOFTWARE

theory into practice.

www.computer.org/
Volume 32 Number 2
January/February 2015

software/subscribe
INTERNETWARE AND BEYOND

MEANINGFUL INDUSTRIAL—
ACADEMIC PARTNERSHIPS // 18
MOBILE MONEY IN TANZANIA // 29
Volume 32 Number 1

30 IT Pro March/April 2016

Authorized licensed use limited to: North West University. Downloaded on December 02,2020 at 22:14:56 UTC from IEEE Xplore. Restrictions apply.