Abstract

Information Security Risk Management (ISRM) in Information Technology Outsourcing (ITO) is among the most critical and under-studied areas of ITO research. This study investigates the body of knowledge focusing on ISRM in ITO by conducting a systematic literature review (SLR) and analyzes 63 papers published between 1994 and 2020. The findings suggest that developing conceptual models or providing commentary is the most popular methodology. Most studies collect data from secondary sources instead of industry. A majority of the studies investigate neither a specific industry nor an ITO orientation, i.e., client or service provider. Information security risks (ISRs) from the literature are categorized into 27 types. Most ISRs belong to operations practice, while lack of staff loyalty is the least investigated type of ISR. Theories, frameworks and models discussed in the literature are explored. A critical analysis of the findings is conducted to identify the gaps and future directions. Since most of the literature is based on conceptual work, it is hard for practitioners to apply this knowledge in the industry unless validated by further research. Specialized literature from the perspectives of ITO orientation, industry type and demographics is required to investigate focused issues and develop accurate knowledge of ISRM in ITO.
