Selecting IT control objectives and measuring IT control capital
COBIT is a well-known framework for IT governance, and provides an extensive list of control objectives for IT managers. However, anecdotal evidence shows that many organizations that use COBIT do not implement the entire framework. Instead, they focus their efforts on only some of COBIT’s control objectives. We argue that this could be due to the bounded rationality of IT managers, which affects their ability to assess the outcomes of control, and the diminishing returns from implementing controls, because of enforcement costs incurred to control shirking. Managers would thus find it useful if the various control objectives could be ranked, so that they could prioritize their efforts. We use network analysis to identify the most central control objectives in COBIT. We also discuss the development of a measure of “control capital” to capture the level of control an organization achieves after implementing a particular set of controls. Future research will test the empirical validity of this measure.