Artificial intelligence in information security policy management research: a scoping review

Abstract

Purpose Although existing literature has advanced the understanding of information security policy (ISP) management, it has not examined how artificial intelligence (AI) can support ISP activities across management phases. Moreover, no study has yet mapped the empirical domains studied. The purpose of this paper is to systematically map existing ISP management research to assess to what extent AI has been addressed or used. Design/methodology/approach This study follows the five-step scoping review framework proposed by Arksey and O’Malley (2005): identifying the research questions, finding relevant studies, selecting studies, charting the data and reporting the results. Findings The review reveals that very few ISP management papers address or use AI. These few papers focused mostly on operational ISPs and addressed different ISP phases and empirical domains. Most existing work focuses on construction or compliance, while no studies have addressed the technical level. Research methods dominated by experiments, with a notable absence of organizational fieldwork. Research on ethical aspects such as fairness, transparency, accountability and data sensitivity is rare in this area. Research limitations/implications Given the limited research in this area, there are significant opportunities to explore AI in ISP management and to use AI in studying ISP management. The authors suggest a research agenda divided into three-time horizons: short, medium and long term. Originality/value This paper provides the first scoping review of AI in ISP management research, offering a systematic mapping of ISP management phases, ISP levels, research methods and empirical domains. It identifies research gaps, thereby guiding future research.