1.2K Publications
52.8K Citations
2.8K Authors
1.1K Institutions
Economics-Driven Information Assurance
2002 - 2014
Economics-driven decision models dominated information security investment research, integrating cost-benefit analyses, security-product tradeoffs, and defense-tree evaluations to compare architectures and returns. Organizational governance and information security management matured around enterprise information security management system adoption, emphasizing process orientation and ISO-aligned policy standards. Work on policy effectiveness and human factors highlighted the limits of formal policies, with visibility and social norms shaping breach incidence and compliance. Knowledge-based risk assessment and information-centric security advanced formal representations of domain knowledge and data-centric risk mapping. Security measurement and assurance practices refined the evaluation of control value and architecture defense.
• Economic decision-analytic frameworks dominate information security investment research, integrating cost-benefit analyses, security-product tradeoffs, and defense-tree approaches to compare designs and their returns [1], [2], [13], [16], [7].
• Organizational governance and ISMS adoption emerge as core themes, stressing holistic information security management, organizational embedding, ISO-based best practices, process orientation, and policy standards [8], [12], [10], [14], [15].
• Policy effectiveness and human factors highlight the limits of formal policies, showing how visibility, social norms, and policy design influence breach incidence and compliance outcomes [6], [18], [5], [17].
• Knowledge-based risk assessment and information-centric security foreground formal representations of domain knowledge, organizational knowledge, and data-centric risk mapping to strengthen assessment and protection [3], [11], [20].
• Security measurement and assurance practices emphasize evaluating control value, defense of IT security architectures, and assurance-oriented approaches to security management [9], [17].
ISO-Driven Information Assurance
2015 - 2021