The growing need for businesses to ensure that their information systems comply with various laws and standards as well as policies and contracts increasingly requires them to manage a plethora of data that is required for and produced by various governance, risk and compliance management activities. Consolidating this data with the current state of the organization requires additional effort by multiple stakeholders, owing to the complexity of the information systems landscape, the complex regulatory and organizational environment, and the frequent changes to both. Governance, risk and compliance tools seek to support these processes by integrating existing information sources and stakeholders. As empirical research in the domain of organizational security decision making and data quality is scarce, a comprehensive analysis of how data is managed in such tools and processes is missing, and the impact of its quality on security decision making processes is still unknown.
Therefore, innovative approaches that are grounded in empirical research and can be applied in practice are strongly required. In this cumulative PhD thesis, we built an empirical basis by investigating both the quality of the data that is used in security management processes and the impact of data quality on the results of these processes. To build this empirical basis, we conducted qualitative research in the form of interviews with information security managers responsible for governance, risk and compliance management activities in their organizations, as well as explorative research on organizational security management processes. As our main scientific contribution we provide an innovative framework for security data quality management, an empirical analysis of data quality in governance, risk and compliance decision making processes, and methodological support for integrating data quality measures into governance, risk and compliance management tools and organizational processes.
To address these tasks, a mix of empirical research methods is applied. Our research transfers knowledge between academia and industry, resulting in concrete, empirically well-founded guidelines for practice that have already been applied in organizations.