Unravelling the Three Lines Model in Cybersecurity: A Systematic Literature Review

49 Pages Posted: 21 Dec 2023

Bert Valkenburg

University of Queensland

Ivano Bongiovanni

University of Queensland

Abstract

Enterprise risk management frameworks gained popularity after the Global Financial Crisis as a way for companies to be more in control of their risks. Since then, the Three Lines of Defence model (based on defence-in-depth approaches) has become one of the primary risk management frameworks in the Western world. Yet, its application in the cybersecurity space, one of the fastest-growing areas of risk for modern organisations, has been fragmented at best. In this article, we conducted a systematic literature review on the application of the Three Lines of Defence model in cybersecurity. The model has recently been renamed the Three Lines Model. After the seminal publication by the Institute of Internal Auditors in 2013, academics and practitioners have either referenced this model as the primary governance framework for risk management or analysed it in depth in various areas. To the best of our knowledge, this is the first systematic literature review on the topic. We have performed a methodical analysis of existing research using best practices in the field and adopted the grounded theory approach as the theoretical underpinning of our investigation. This way, we unravelled details, critiques and possible alternatives to the Three Lines Model in cybersecurity. Our study expands our understanding of the Three Lines Model and its application in cybersecurity, highlighting the status quo of research in the space and offering practical recommendations for organisations interested in exploring its implementation to mitigate the impact of cyber-risks.

Keywords: Three Lines Model, Cybersecurity governance, Risk Management, Literature Review, Grounded Theory, Compliance.

Suggested Citation

Valkenburg, Bert and Bongiovanni, Ivano, Unravelling the Three Lines Model in Cybersecurity: A Systematic Literature Review. Available at SSRN: https://ssrn.com/abstract=4671348 or http://dx.doi.org/10.2139/ssrn.4671348

Bert Valkenburg

University of Queensland

St Lucia
Brisbane, 4072
Australia

Ivano Bongiovanni (Contact Author)

University of Queensland