ORIGINAL PAPER
Cybersecurity management in organizations as a component of modern management systems: Integrating governance, risk, and continuous improvement
University of Warsaw, Poland
Submission date: 2026-01-28
Acceptance date: 2026-02-20
Online publication date: 2026-02-28
Publication date: 2026-02-28
NSZ 2026;21(1):41-52
ABSTRACT
Research objectives and hypothesis/research questions:
The primary objective of this study is to identify the key success factors for embedding digital asset protection within the broader framework of corporate governance. The research is founded on the hypothesis that the effectiveness of digital protection is significantly higher in organizations where cybersecurity is managed as a strategic risk rather than a technical cost.
Research methods:
This study is grounded in Systems Theory and the Socio-Technical Systems (STS) perspective, which views cybersecurity as an interaction between technology, people, and organizational hierarchy. The research procedure was executed in three distinct stages: a systematic review of contemporary literature on the subject, a comparative analysis of international security frameworks (specifically ISO/IEC 27001 and NIST), and the subsequent synthesis of an integrated four-layer management model. The methodology relies on qualitative research methods, specifically qualitative content analysis of academic journals and industry standards. The research instruments utilized include standardized data extraction sheets for thematic coding and the Capability Maturity Model Integration (CMMI) framework to evaluate organizational progress. By employing these qualitative tools, the study identifies the intersection points where technical controls become strategic management assets, ensuring that the resulting model is both theoretically sound and practically applicable to modern organizations.
Main results:
The research concludes that a lack of executive-level engagement and "siloed" IT structures are the primary barriers to effective defense. This finding leads to the development of a four-layer model that integrates governance, end-to-end processes, performance measurement, and maturity-based continuous improvement.
Implications for theory and practice:
Theoretically, this study shifts the academic focus from infrastructure protection to cybersecurity governance by treating security decisions as fundamental business resource allocations. Practically, it mandates that organizations integrate digital risk into Enterprise Risk Management frameworks, prioritize cyber resilience over simple prevention, and move away from "paper-based" compliance toward a functional security culture.