Information security governance in the electricity industry

Goal: This study aims to assess the importance and use of Information Security (IS) governance in the electricity industry and other segments, in order to propose IS governance guidelines for this industry. Design/methodology/approach: Literature review was made of scientific articles, frameworks and norms that supported the field research applied to managers, coordinators and experts from IS area, totaling 104 respondents from different countries. The data collected were analyzed by comparing the degree of importance with the use, and also by means of cross-analysis. Results: It was observed that most respondents agree with the importance of the themes approached, however, in practice, these concepts are not always used by the organization. Besides, it was observed that when security is directly responding for the high level of the organization, the maturity level is between optimized and managed. However, where security is subordinated to the technology area, the level appears with higher percentage, as repeatable. Limitations of the investigation: The sample size is a limiting factor as it was conditioned to questionnaire responses sent to IS experts through electronic means and social networks and it is not possible to generalize as the population size is not known. Practical implications: To assist the electricity industry in taking measures turned to IS governance, and, with that, increase consumer protection with regard to their classified data and the company’s reliability in power supply. Originality/value: The present research originality lies in the proposal of 10 IS governance guidelines obtained from the literature review and the field research applied to IS experts, aiming to raise, more and more, its level of maturity.