Thesis: A Cybersecurity-Driven GRC Framework for Data and AI Governance

Prof. James
Updated Apr, 2026


 Brief description (only in case of student’s own proposal):

This project will examine how information security frameworks (e.g. ISO/IEC 27001, NIST Cybersecurity Framework) and AI risk guidelines (e.g. the NIST AI Risk Management Framework, EU AI Act) can align with data quality, privacy and compliance. The outcome will be a theoretical framework that organizations can use to ensure data and AI remain trustworthy, legally compliant, and secure. The goal is to bridge GRC knowledge and AI governance issues, giving insight into how organizations can govern AI from a cybersecurity perspective.

 PROJECT PLAN

This project will follow a thorough literature review and will be split into three parts: (1) GRC and cybersecurity standards (e.g., ISO 27001, NIST CSF); (2) data governance best practices (data quality, privacy); and (3) AI governance principles (ethical AI guidelines, risk management frameworks). Based on sources from peer-reviewed papers and industry frameworks, we will analyze common GRC elements (governance structures, risk processes, compliance controls) that are relevant to data and AI contexts from a security perspective. The findings will be used to propose a structured framework.

Timeline (subject to change):

o Literature review on GRC and cybersecurity (focusing on standards and regulations) and on existing data/AI governance models. Summarize key principles.

o Analyze the findings: identify overlaps between GRC processes and data/AI governance needs. For instance, examine how risk assessments from IT security can be translated to AI risks, or how compliance informs the use of AI. Outline the components of the proposed framework (governance roles, risk categories, control measures).

o Integrate the findings into a framework.

1. What is the aim of your study?  What are the objectives for your study?

The aim of this study is to explore how cybersecurity governance practices can strengthen the way organizations manage data and artificial intelligence systems. It primarily examines the bridge between GRC processes, data management, and AI risks, and proposes a structured approach that supports secure and responsible adoption of AI technologies from a cybersecurity lens.

 

The objectives of this study are:

1: To analyze cybersecurity and GRC standards, such as ISO/IEC 27001, COBIT, and the NIST Cybersecurity Framework.

2: To review existing models on data governance and AI governance, focusing on risk, accountability, and regulatory compliance.

3: To identify where cybersecurity governance principles intersect with data and AI governance requirements, including issues relating to data quality, privacy, model assurance, and system monitoring.

4: To integrate the findings into a framework that aligns cybersecurity GRC practices with the governance of data and AI.

5: To evaluate the proposed framework (e.g., risk reduction, compliance alignment, responsible AI practices) and discuss its potential application in real-world settings.

 

2. Explain the rationale for this study (refer to relevant research literature in your response).

 

Data-driven and AI systems in organizations have recently changed the risk landscape, creating a need for new governance policies. As AI and machine learning are integrated into our lives, they introduce vulnerabilities such as data poisoning and privacy risks that amplify traditional cybersecurity risks. AI governance has its own risk profile, in which privacy, cybersecurity, and compliance need to be updated and renewed. This is driven by regulations (e.g. the EU AI Act, NIST AI RMF). In short, organizations today face a blend of technical and compliance challenges from AI, a situation that exceeds what traditional IT governance was designed to handle.

 

This dissertation aims to examine how information security frameworks and AI risk guidelines can align with data quality, privacy and compliance. The goal is to bridge GRC knowledge and AI governance issues, giving insight into how organizations can govern AI from a cybersecurity perspective.

 

Some relevant research literature is the following:

 

1.     S. Saidin, S. I. Hisham, A. M. Jamil and N. A. Abdullah, "Comparative Analysis of Cybersecurity Awareness Frameworks: Effectiveness and Scope," 2025 IEEE International Conference on Industrial Technology & Computer Engineering (ICITCE), Penang, Malaysia, 2025, pp. 28-32, doi: 10.1109/ICITCE65255.2025.11210771.

2.     H. Taherdoost, “Understanding cybersecurity frameworks and information security standards—A review and comprehensive overview,” Electronics, vol. 11, no. 14, p. 2181, Jul. 2022. [Online]. Available: https://www.mdpi.com/2079-9292/11/14/2181

3.     S. M. Ali, A. Razzaque, M. Yousaf and R. U. Shan, "An Automated Compliance Framework for Critical Infrastructure Security Through Artificial Intelligence," in IEEE Access, vol. 13, pp. 4436-4459, 2025, doi: 10.1109/ACCESS.2024.3524496.

4.     Batool, A., Zowghi, D. & Bano, M. AI governance: a systematic literature review. AI Ethics 5, 3265–3279 (2025). https://doi.org/10.1007/s43681-024-00653-w

5.     IT Governance Publishing; Alan Calder; Steve G Watkins, IT Governance: An international guide to data security and ISO 27001/ISO 27002, Packt Publishing, 2025.

6.     IT Governance Publishing; Andrew Pattison, NIST CSF 2.0: Your essential introduction to managing cybersecurity risks, Packt Publishing, 2025.

7.     S. J. Aljarrah, S. Cherbal, A. Mashaleh, J. A. Karaki and A. Gawanmeh, "On the Comparative Analysis of Trends in Cybersecurity Risk Assessment, Governance, and Compliance Frameworks," 2024 International Jordanian Cybersecurity Conference (IJCC), Amman, Jordan, 2024, pp. 136-142, doi: 10.1109/IJCC64742.2024.10847280.

8.     S. -A. Hwang and H. -Y. Kwon, "A Comparative Study on the Role of AI Safety Institutes in Shaping Global AI Governance," 2025 IEEE/ACIS 23rd International Conference on Software

 

9.     Joshi, S. Hassani, D. Gandhi and L. Hartman, "Approaches to Responsible Governance of GenAI in Organizations : Peer-Reviewed and accepted in IEEE-ISTAS 2025," 2025 IEEE International Symposium on Technology and Society (ISTAS), Santa Clara, CA, USA, 2025, pp. 1-15, doi: 10.1109/ISTAS65609.2025.11269657

10.  D. De Smet and N. Mayer, "Integration of it governance and security risk management: A systematic literature review," 2016 International Conference on Information Society (iSociety), Dublin, Ireland, 2016, pp. 143-148, doi: 10.1109/i-Society.2016.7854200.

 

 
