IT governance enablers in relation to IoT implementation: a systematic literature review


Purpose
The purpose of this paper is to obtain a list of recommendations addressed by the information technology (IT) governance enablers in relation to IoT implementation. The reason behind this it is the lack of information about these instances which could the organizations to be more effective when implementing IoT.


Design/methodology/approach
The objectives will be obtained using the methodology – systematic literature review.


Findings
During the research, a list of recommendations was created on each IT governance enabler in relation to IoT implementation, showing the flaws that exist at the literature level for each enabler.


Originality/value
The state of art of this research is a creation of a list of recommendations according to IT governance enablers to be applied on an IoT implementation.



Introduction
Information technology (IT) governance is high on the agenda in many organisations, and highlevel IT governance (ITG) models are being raised within the organisations (De Haes and Van Grembergen, 2008). The ITG goals are to encourage desirable behavior in IT use and has capabilities to get the business level aligned with IT, the alignment of IT objectives to the overall business strategy, the measures of IT performance, and the competitive advantages provided by IT for the organisation (Higgins and Sinclair, 2008;Kude et al., 2017). ITG contains the roles and responsibilities to apply in information systems (IS) and related technologies and to manage and support the organisation's functions (Higgins and Sinclair, 2008). Also consists of the leadership and organisational structures and processes that ensure the organisation's IT sustains and extends the organisation's strategy and objectives (De Haes and Van Grembergen, 2008). ITG can be deployed using a mixture of various structures, processes and relational mechanisms (De Haes and Van Grembergen, 2008) and concentrates on performing and transforming IT to meet present and future demands of the business (De Haes, 2008).
IoT is being emerging as a new computing paradigm where the devices are interconnected with a range of communications solutions, and this can help improve the living standard of the citizens (Yaqoob et al., 2017). IoT it is defined as a global infrastructure, that enables advanced services by connecting the physical devices with the virtual applications (Wortmann and Flüchter, 2015). IoT innovation can bring up new ways to combine the physical and digital components making the appearance of new products and enabling novel business models (Wortmann and Flüchter, 2015).
ITG enablers it is referred in the framework COBIT5 as factors that, individually and collectively influence the governance and management of IT organization (Joshi et al., 2018).
Grounded in the previous paragraphs, SLR methodology was adopted since IoT is a recent concept and its relationship with ITG enablers are unexplored. The authors believe that SLR is then adequate to summarize and synthesize the scientific studies regarding ITG enablers in relation to IoT, checking the best recommendations for an IoT implementation according to each ITG enabler and identify the gaps in order to investigate them in the future work.
An SLR has great importance in research where few or none consensus exist about a specific concept. The SLR is the best approach to synthesize the existing work, find the related work that is not supported by the research questions as well to find the supported research questions information pretended (Tranfield, 2003). The SLR methodology is a systematic, explicit, comprehensive and reproducible method for identifying, evaluating and synthesizing the all information recorded by the authors during the research (Okoli and Schabram, 2010).
To sum up, this research aims to understand each enabler from an IoT perspective and how they can be useful during IoT implementation.
The remaining document is organized as follows: in section 2 (Background), in section 3 (Research Method), in section 4 (Results), in section 5 (Discussion and Insights) and in section 6 (Conclusions).

Background
The ITG enablers referred in this research must be assumed as the ones identified by COBIT5, and that can be applied in various practical situations or be used to implement effectiveness and efficiency information governance and information management within an organisation (ISACA, 2013).
COBIT5 enablers are introduced in the 4th principle "Enabling a Holistic Approach" to promote more efficient and effective governance and management of enterprise IT. COBIT5 defines seven categories of enablers to support the implementation of a comprehensive governance and management system for enterprise IT (ISACA, 2013). The ITG enablers are viewed as factors to help the IT-business alignment which is the core of ITG (Ndlovu and Kyobe, 2016). COBIT5 built these insights so-called enablers and they defined them as factors, influencing individually and collectively somethings that will work and in this case is under governance and management over enterprise IT (De Haes, Van Grembergen and Debreceny, 2013). The ITG enablers considered in this research are: principles, policies, and frameworks; processes; organisation structures; culture, ethics and behavior; information; services, infrastructures and applications; people, skills and competencies.
The enablers are factors that, individually and collectively, influence whether something will work in this case, governance and management over organisation IT (ISACA, 2013).
The first definition of IoT came from a "things oriented" perspective and evolved into a concept in which devices are connected to other devices over the internet, where they can communicate to each other using technologies such as Radio Frequency Identification (RFID), Bluetooth by sensors, actuators, etc., to reach common goals (Atzori, Iera and Morabito, 2010). IoT for De Cremer, Nguyen, and Simkin (2017) IoT is considered a network of interconnected devices, systems and services using the existing Internet infrastructure. IoT can also be defined as a global network of interconnected devices based on common standards communication protocols and also allows the interaction and communication with one another with a data exchange environment about the surrounding environment enabling the creation of services without direct human intervention (Gubbi et al., 2013).
This research has meant to contribute conceptually the worlds from ITG and IoT, combining them through a list of recommendations, providing more tools and capacities for the organisations to increase the success rate in their IoT projects.

Research Method
This research applied a systematic literature review approach to identify and summarize the knowledge publish about IoT and ITG enablers defined by the COBIT 5 framework. The stages detailed in Figure 1 were constituted using as reference the article (Qumer Gill et al., 2018).

Stage 1. Inclusion and exclusion criteria
The inclusion and exclusion criteria for this review guides the following research questions:

RQ1:
The article was published in a journal with a classification of Q1, Q2?

RQ2:
The article selected for the review is from a conference proceeding with an ERA classification of A or B, or Qualis classification of A1, A2 or B1?

Stage 2. Selection of data sources and search strategies
The search for this review was performed using the Google Scholar database to retrieve the articles and the proceedings included in the review.
The selected data sources provided sufficient literature coverage in relation to the subject of the review. The search for this review began on October 10th, 2018 and finished on December 15th, 2018. The data sources were systematically searched using carefully selected search terms or keywords (see Table 1). For instance, we include the term IoT along with enablers. We separate the search by categories ("IoT", "IoT Enablers"). Inside of these categories we selected several keywords which were combined using Boolean "AND", e.g., between IoT "AND" principles. It was also used some other keywords to enforce the search in several enablers. For the research process, a filtration process was used that brought us to the number of 38 articles selected for the literature review. In Table 2 below is the description of each filtration iteration to help select the relevant articles.
In the first filtration iteration, was used to filter the search terms described in Table 10 using "".
In the second filtration iteration, it was used to filter the condition title keywords "-title" to retrieve the results only with the keywords in the title. In the third filtration iteration, the "-abstract" condition was used to check if the keywords were within the abstract of the article. For the final filtration iteration, the relevant articles were chosen for the literature review, checking the articles that matched to the research questions mentioned before.

Stage 3. Quality Assessment
In the quality assessment, some questions to guarantee the relevance and quality of the selected articles. The assessment criteria were developed (Table 4) and applied to ensure the quality, relevance, and credibility of the articles included in this review. Table 5 details which articles are aligned to the quality criteria questions applied to this literature review. It verifies selected articles to provide more information on compiling points to consider in each ITG enabler with IoT. Table 3 describes the filtration iterations for each term used to search the relevant articles selected for the literature review. The analysis performed in Table 3 makes the conclusions that several enablers have very few relations with IoT. As you can see the enabler organizational structures only had 1 article with the necessary information regarding the relation between IoT. Also for the enabler people, skills, and competencies very few options appeared in the literature to guides constructing a relation between IoT. In Table 4 there is the quality criteria questions that were used to filter the selection of articles during the search process, making more consistent the selection itself.
In Table 5 there is a separation of the articles selected that answered to the quality criteria questions mentioned in Table 4.    Table 6 presents the journals and conferences of each article selected and what the classification consists of. The classification of the journals selected for this review is between Q1 and Q2 classification, and for the conferences, the classification is between A, B, A1, A2, and B1, according to the inclusion criteria mentioned above.  Table 7 there is a separation of the references by classification, was check how many citations each classification has and in the end there is a count to check which classification has more articles and which rank has more citations.

Discussion and Insights
The Table 8 shows the articles selected for the literature review by each ITG enabler related with IoT.
Below is a description of each term of the ITG enabler with IoT, for example: "IoT AND IT governance principles", which has been decided to define as "IoT principles". Information was collected from the various articles selected for this literature review: Principles, Policies, and Frameworks: In IoT, according to (Roman, Zhou, & Lopez, 2013) it is considered principle the collaboration between several organisations to achieve common goals. In IoT, according to (Buyya & Vahid Dastjerdi, 2016) should exists transparency despite the heterogeneous environment of the IoT system. Ability to have mechanisms for policy generation and enforcement of the governance in the IoT (Buyya & Vahid Dastjerdi, 2016). For (Weber, 2009) the principles in IoT are related to architecture with decentralized management.  Proportionality in IoT should be included by governance to help make decisions, and such decisions must maximize the overall state of the IoT system (Buyya & Vahid Dastjerdi, 2016). The outcomes of the principles should reflect stakeholder values (Weber, 2009). Accountability would be necessary to keep a record of decisions and factors to contribute to the decisions of the past (Buyya & Vahid Dastjerdi, 2016). The principles need to contribute to contextualize IoT as part of global resources (Almeida, Goh and Doneda, 2017). The (Ruggieri et al., 2013) says that should be considered as a principle the perceived risk associated with IoT technology when we are making an IoT adoption within an organisation (Jayashankar et al., 2018).
The relationship between perceived risk, technology adoption, purchasing decisions and behaviors should be verified (Jayashankar et al., 2018). It is recommended by (Weber, 2013) to create principles and operational procedures in IoT. The (Suo et al., 2012) says countries should implement new IoT-specific legislation to promote the development of IoT. IoT policies are associated with privacy mechanisms to guarantee safe authentication (Neisse et al., 2015). According to (Almeida, Goh, & Doneda, 2017) the principles in IoT must bring together different interests in an environment that must be effective and a legitimate governance framework. The IoT devices in an IoT system must manage and deploy privacy policies to control the flow of data to service providers (Neisse et al., 2015). According to (Chatfield and Reddick, 2018) at IoT, public policies consist of cybersecurity policies and digital technology policies and should behave as complements to each other (Chatfield & Reddick, 2018).
For industry 4.0 industries such as smart manufacturing, operations require the development of guidelines, strategic policies to enhance the adoption (Chatfield & Reddick, 2018). For (Weber, 2013) IoT should consider the requirements of cooperation, policy, coordination, standards, and laws to create rules to extend governance among the IoT's structural issues. In IoT business, it is necessary to have harmonized standards, for example in Europe there are organisations that join forces to create such harmonization of standards (Weber, 2013). A framework in IoT is a set of principles, protocols, and standards where enables the implementation of IoT in an organisation (Derhamy et al., 2015).
The frameworks in IoT have the possibility to accelerate the implementation, interoperability, maintainability, and security of the system (Derhamy et al., 2015). For (Wirtz, Weyerer and Schichtel, 2018) an IoT framework provides an overview of the elemental and central aspects of the IoT concept, where it contributes to a better understanding and helps to organize and structure the system. A framework in IoT must materialize governance structures and needs to be driven by stakeholder requirements (Wirtz, Weyerer, & Schichtel, 2018). An IoT framework in terms of governance should equal opportunities for all stakeholders towards progress in governance procedures and these frameworks need to be agile to change requirements (Wirtz, Weyerer, & Schichtel, 2018). The (De Cremer, Nguyen and Simkin, 2017) defends that a framework should be holistic, and process-oriented to provide a useful checklist for managers through the iterations of the IoT implementation (De Cremer, Nguyen and Simkin, 2017). A framework in IoT should help the organisations develop and expand IoT-related policies and procedures and ensure openness and transparency (Almeida, Goh, & Doneda, 2017).

Processes:
The governance processes in an IoT system can bring elasticity strategies needed to provide more coordination throughout the system (Truong et al., 2015). The processes in IoT enable the capabilities of the IoT entities and the implementation of software in these entities (Truong et al., 2015). The data obtained by the IoT system, if managed locally by the IoT nodes, will make the processes more feasible to be managed by the users (Carretero and García, 2014). According to (De Cremer, Nguyen andSimkin, 2017)(De Cremer, Nguyen andSimkin, 2017), it is critical to identify the main strategic processes in IoT in the organisation.
The processes in IoT when they have a holistic approach can help guide organisations to a more enlightened practice (De Cremer, Nguyen, & Simkin, 2017). The processes in IoT must take into count the business processes models that exist in the organisation (Ruggieri et al., 2013). According to (Ruggieri et al., 2013) governance decomposes and decentralize the existing business processes, increase scalability and performance allowing better decision making to create more business value (Ruggieri et al., 2013).

Organisational Structures:
The organisational structures can provide a framework for activities and interactions, defining roles, tasks, groups, standards, and relationships within the IoT system (Shen et al., 2018). As the search demonstrated there was only one article according to our criteria that provided information regarding the enabler organizational structures, which only has one reference.
Culture, Ethics, and Behavior: An organisation should have a level of micro management of activities to spread social culture during the implementation of IoT (Shin, 2014). IoT culture and complexities are related parts in terms of diversity characteristics, with the aim of increasing people's adoption to new services (Shin, 2014).
Ethics in IoT refers to enforce the social behavior standards, information privacy, access to information, information integrity and property rights (Abobakr and A. Azer, 2017). According (Bowen et al., 2017) ethics should focus on how organisations will use personal data and how they will access it. In terms of ethics, must pay attention during IoT implementation to the policies used, to the diffusion and access to IoT technology (Pereira, Benessia and Curvelo, 2013). IoT ethics should separate privacy from ethical issues because privacy is widely regulated by law (Baldini et al., 2015).
Ethics in IoT need to focus on identity, autonomy, trust as specific concerns and treated separately (Baldini et al., 2015).
The IoT system needs to enhance IoT's "smart" behaviours to provide better interfaces and interaction experiences (Cervantes-Solis and Baber, 2017). IoT ethics must be following human rights to ensure privacy safety (Almeida, Doneda and Monteiro, 2015). On behavior is important the IoT system have human behavior recognition, modeling, and representation (Shin, 2014).

Information:
IoT system is a way of accessing, exchanging and manipulating information between digital and physical items and, to process this amount of information the data must flow synchronously (Yao, Z. Sheng and Dustdar, 2015). IoT networks delivered real-time information to improve and support the organisation's operations (Vlahogianni et al., 2016). According to (Almeida, Doneda and Moreira Da Costa, 2018) it is crucial to have good information retrieval and search techniques in an IoT system to deal with a large amount of data exchanged. For (Almeida, Doneda, & Moreira Da Costa, 2018) the information processed at IoT will help organisations make better and transparent decisions if all stakeholders are involved in the decision-making processes.
Services, Infrastructures, and Applications: IoT services are composed of sensors, devices, compute resources and aim to improve the quality of life by improving the efficiency of services to meet business needs (Wen et al., 2017). According to (Wen et al., 2017) IoT services should be built on robust standards and protocols to reach a global ecosystem of interconnected devices. The (Wen et al., 2017) argues that IoT services need to be able to evolve and dynamically change the workflow composition. For (Cao et al., 2016) IoT services are smart services that enhancing the IoT sensing data to present better results from the data collected by the services. The IoT services play a major role in developing a sustainable society and improving people's living conditions (Cao et al., 2016).
In an IoT system, infrastructures must include data management, processing, and analytics to deploy large-scale independent platforms (Gubbi et al., 2013). An IoT infrastructure should be thought of as an interoperable ecosystem where is capable of interacting with other infrastructures regardless of the underlying hardware and software (Dautov et al., 2018). According to (Gubbi et al., 2013) the infrastructures in IoT should be centralized to support storage and analysis requirements.
According to (Shin, 2014) it is recommended continuity of investment in the core of IT infrastructure.
IoT applications should explore various possibilities to provide meaningful information about the data collected from the system (Almeida, Doneda and Monteiro, 2015).
IoT application can be a platform that allows the development and execution of new IoT applications, helps to define, execute and monitor all the data exchanged by the IoT devices and is software that guides the interaction between people, systems and devices in the context of the IoT system (Wortmann and Flüchter, 2015). For IoT applications, it is very important, according to (Wortmann & Flüchter, 2015) to have a set of application-independent functionalities to be used to build the IoT applications. The (Almeida, Goh, & Doneda, 2017) says that IoT applications increase vulnerabilities in software and hardware, so he defends that IoT applications should draw attention to security and privacy protection. For (Piccialli and Chianese, 2017) the applications aim to provide useful and contextualized information on the business needs.
People, Skills and Competencies: People in IoT are not only end-users but, also an integral part of the system, so it is important to pay attention to improving human interaction in the IoT system (Shin, 2014). It will be important in an IoT system that is carefully implemented in relation to the acceptance of the system by the people who will benefit (Shin, 2014). According to (Soro et al., 2017) during the IoT conceptualization, there is a lack of human-oriented vision. People's attitude and motivation toward IoT are important to successful implementation, where there must be incentives for sociotechnical literacy (Shin and Jin Park, 2017).
According to (Van Deursen and Mossberger, 2018) on skills it is necessary to have strategic skills to decide what kind of data is applied and shared, also it is necessary information skills to visualize the data collected by the IoT system and communication skills are needed to share the data for the purpose of creating knowledge. Organisations should develop managerial skills to improve the IoT implementation focusing on strategic orientation (De Cremer, Nguyen, & Simkin, 2017).
After gathering the information related to IoT and the enablers of the ITG, a list of recommendations to be considered during the adoption of IoT in each enabler was elaborated, as shown in Table 9. Table 9. Initial list of recommendations between ITG enablers and IoT.

Recommendations
References from literature

Conclusion
This research proposes to investigate which are the suitable IoT enablers to help organization in future IoT implementations. From 38 articles selected in Google Scholar database several findings were withdrawn. A list of IoT enablers were elicited (Table 9) which may help organization in future IoT implementations.
Our attention was drawn to the fact that the information regarding IoT enablers among the literature is in an early stage. The information is scarce despite their relevance to the field. IoT is a recent field of study which may in part justify the scarcity of information in literature. For instance, little or none information exist about organisational structures, culture, behavior, and competencies enablers.
Plus, literature demonstrate that most of the studies regarding IoT are focused on technology approach instead business and strategy perspectives. Technology may not exist without a business meaning so this is a clear statement for future research.
Future researchers should lay their efforts investigating the implications of IoT technology and respective application on the business. Moreover, enablers with less information must be further investigated to increase awareness and knowledge about the topic. The authors will continue this research by using the elicited list of ITG enablers for IoT implementation as a baseline for a delphi study with several IoT experts to increase the list also with expert's knowledge.