Cybersecurity governance influences the quality of strategic decision-making to ensure cyber risks are managed effectively. Boards of Directors (BoDs) are the decision-makers held accountable for managing this risk; however, they lack the adequate and timely information necessary for making such decisions. In addition to the myriad challenges they face, they are often insufficiently versed in technology or cybersecurity terminology, or are not provided with the right tools to support sound decisions for governing cybersecurity effectively. A different approach is needed to ensure BoDs are clear on the approach the business is taking to build a cyber-resilient organization. This systematic literature review investigates the existing risk measurement instruments, cybersecurity metrics, and associated models for supporting BoDs. Through literature analysis we identified seven conceptual themes, which form the basis of this study's main contribution. The findings show that, although sophisticated cybersecurity tools exist and continue to develop, there is limited information available to Boards of Directors, in terms of metrics and models, to support governing cybersecurity in a language they understand. The review also provides recommendations on theories and models that can be investigated further to provide support to Boards of Directors.