Publications

Papers, writeups, and longer-form work.

Things I've published or contributed to in venues outside this site. Where I can host the artifact directly I do; otherwise the link points to the publisher.

  • Fragmentation and Harmonization of Cybersecurity and IT Control Frameworks: An Integrative Review of U.S. Governance Practices

    Yirenkyi, William Asare · Magna Scientia Advanced Research and Reviews · Jul 8, 2026 · DOI: https://doi.org/10.30574/msarr.2026.17.2.0127

    Cybersecurity and information technology control frameworks in the United States exhibit significant fragmentation arising from overlapping regulatory mandates and duplicated controls. Audits and compliance activities in financial institutions and critical infrastructure sectors identify vulnerabilities but reveal limitations when applied as static mechanisms rather than adaptive processes. Mapping exercises between National Institute of Standards and Technology Cybersecurity Framework, Control Objectives for Information and Related Technology, and International Organization for Standardization 27001 consistently document both shared requirements and gaps that widen with the introduction of artificial intelligence and machine learning. Federal harmonization efforts have produced initial coordination yet face persistent barriers from agency-specific mandates and scarce longitudinal outcome data. Governance practices navigate these tensions through sector-specific applications that balance operational demands against systemic interoperability needs. The empirical studies highlight the need for continued attention to framework alignment, regulatory coordination, and empirical validation if resilience is to match evolving threats. Effective integration of controls requires addressing both practical implementation challenges and broader policy structures that shape cybersecurity governance across regulated industries. These dynamics underscore the importance of reducing unnecessary duplication while preserving essential specialization to support more resilient national cybersecurity posture. Ultimately, achieving meaningful harmonization will depend on sustained policy coordination and the development of robust evidence on post-alignment outcomes. This review synthesizes cross-sector evidence to identify structural, operational, and technological barriers to harmonization, while proposing an integrative governance perspective grounded in recent empirical and policy literature.

  • Governance, Risk, and Compliance (GRC) Engineering Approaches for IT and Cybersecurity Control Assurance: A Critical Review

    Yirenkyi, William Asare · Sarcouncil Journal of Multidisciplinary · May 10, 2026

    In the United States (U.S.), where escalating cyber threats such as ransomware and supply chain attacks increasingly imperil national security and economic stability, Governance, Risk, and Compliance (GRC) engineering has emerged as a critical mechanism for Information Technology (IT) and cybersecurity control assurance. This critical literature review examines peer reviewed academic studies, standards-informed research, and authoritative professional literature from 2020 to 2025, confined to U.S. regulatory contexts. Employing a critical review methodology, it inductively surfaces themes from recurring patterns, contrasts, and tensions across sources, viewed through lenses of functional integration, risk alignment, control effectiveness, auditability, and scalability in regulated environments. This involves thematic coding to derive patterns, evaluative comparison to assess strengths and weaknesses, and contradiction mapping to identify inconsistencies and gaps. The analysis reveals a dominant emphasis on hybridizing frameworks such as National Institute of Standards and Technology (NIST) and Control Objectives for Information and Related Technology (COBIT) to unify governance and risk functions, alongside risk-based control design and automation for monitoring and predictive analytics. While these approaches demonstrably bolster enterprise risk management and sectoral resilience particularly in finance and healthcare, they simultaneously expose persistent weaknesses. This can be in the form of limited adaptability, insufficient cultural integration, scalability constraints for smaller entities, and unresolved contradictions in AI adoption amid fragmented regulations like SOX, HIPAA, and CCPA. Empirical validation remains thin, and behavioral dimensions are largely overlooked. These findings carry significant implications for assurance quality, regulatory accountability, and institutional resilience. The review illuminates how current GRC engineering supports risk-based auditing yet falls short in addressing the full complexity of U.S. regulated environments, thereby clarifying both its contributions and its enduring limitations.