The issue of cyber security in critical infrastructures has aroused the interest and concern of energy utilities, government, regulatory agencies, and consumers, as well as of academic and research institutions. On the one hand, the vulnerability of cyberspace is prominent, which increases the risk of attacks in the organizational environment; on the other hand, the research leading to alternatives for the governance and management of these critical structures is still too incipient. This study aims to build a theoretical-empirical model of cyber security governance and management and to test it with academic experts and professionals from the energy sector. Using the Delphi method and statistical techniques for validation, an assessment instrument was developed based on two constructs, governance and management, and nine dimensions with their respective variables, which allowed for an analysis of the situation of the Brazilian energy utilities regarding the protection of their cyberspaces. The contribution of the article lies on two fronts: a conceptual and empirical one, as it expands and systematizes the knowledge about aspects of the governance and management of cyberspaces; and a methodological one, as it proposes measuring those dimensions in energy utilities.
Apart from the extensive technical and normative literature on the critical technological structures aimed at protecting security systems in organizations, studies on cyber security governance and management are practically unknown, especially concerning the energy sector.
Energy provisioning is considered an essential service and a key element for improving the quality of life of the population, enhancing social inclusion and sustainable development (Coutinho, 2007). As the demand for energy has been rising at a higher rate than its capacity, it is noticeable that over the last 50 years the energy provisioning system worldwide has relied on technologies developed in the 40s and 50s as its foundation, which frequently leads to the saturation of the system (Gellings, 2009).