Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You or Your Team.

Learn More →

Can spending on information security be justified? Evaluating the security spending decision from the perspective of a rational actor

Can spending on information security be justified? Evaluating the security spending decision from... Purpose – The purpose of this paper is to investigate the optimality of various strategies for spending on information security. Being able to understand the strengths and weaknesses of spending strategies is useful to organizations. Design/methodology/approach – The author's analysis begins with a whole‐systems view of the security spending decision that encompasses people, technology, and economics and a taxonomy of justifications is presented for spending on information security. Each justification within the taxonomy is discussed, with that analysis used to examine the apparent rationality of a number of common spending strategies. A model is constructed that can be used in a practical manner to enable an organization to select a rational approach to spending on information security. Findings – The author describes two spending strategies intended to be simple and straightforward for an organization to employ in a practical manner. These strategies account for a number of weaknesses in common justifications for spending on information security. They also take into consideration the observation that a number of pressures push companies towards inefficiency in their spending. Originality/value – When faced with budgeting decisions, managers are bound by fiduciary duty to identify those investments that will maximize shareholder value. As such, decisions about spending must be carefully considered and evaluated in rational economic terms. This paper provides useful thinking on this important topic. http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Information Management & Computer Security Emerald Publishing

Can spending on information security be justified? Evaluating the security spending decision from the perspective of a rational actor

Andrew Stewart
Information Management & Computer Security , Volume 20 (4): 15 – Oct 5, 2012
Download PDF
15 pages

Loading next page...
 
/lp/emerald-publishing/can-spending-on-information-security-be-justified-evaluating-the-ZiyJBITmJ9
Publisher
Emerald Publishing
Copyright
Copyright © 2012 Emerald Group Publishing Limited. All rights reserved.
ISSN
0968-5227
DOI
10.1108/09685221211267675
Publisher site
See Article on Publisher Site

Abstract

Purpose – The purpose of this paper is to investigate the optimality of various strategies for spending on information security. Being able to understand the strengths and weaknesses of spending strategies is useful to organizations. Design/methodology/approach – The author's analysis begins with a whole‐systems view of the security spending decision that encompasses people, technology, and economics and a taxonomy of justifications is presented for spending on information security. Each justification within the taxonomy is discussed, with that analysis used to examine the apparent rationality of a number of common spending strategies. A model is constructed that can be used in a practical manner to enable an organization to select a rational approach to spending on information security. Findings – The author describes two spending strategies intended to be simple and straightforward for an organization to employ in a practical manner. These strategies account for a number of weaknesses in common justifications for spending on information security. They also take into consideration the observation that a number of pressures push companies towards inefficiency in their spending. Originality/value – When faced with budgeting decisions, managers are bound by fiduciary duty to identify those investments that will maximize shareholder value. As such, decisions about spending must be carefully considered and evaluated in rational economic terms. This paper provides useful thinking on this important topic.

Journal

Information Management & Computer SecurityEmerald Publishing

Published: Oct 5, 2012

Keywords: Data security; Information management; Costs; Decision making; Information security; Information systems; Spending strategies; Efficiency; Incentives; Psychology; Economics

References

  • Defined security creates efficiencies
    @stake
  • Is there a cost to privacy breaches? An event study
    Acquisti, A.; Friedman, A.; Telang, R.
  • An insurance style model for determining the appropriate investment level against maximum loss arising from an information security breach
    Adkins, R.
  • Information security economics – and beyond
    Anderson, R.; Moore, T.
  • Information security and risk management
    Bodin, L.D.; Gordon, L.A.; Loeb, M.P.
  • The economic cost of publicly announced information security breaches: empirical evidence from the stock market
    Campbell, K.; Gordon, L.A.; Loeb, M.P.; Zhou, L.
  • Does IT Matter? Information Technology and the Corrosion of Competitive Advantage
    Carr, N.
  • The effect of internet security breach announcements on market value of breached firms and internet security developers
    Cavusoglu, H.; Mishra, B.; Raghunathan, S.
  • The value of intrusion detection systems in information technology security architecture
    Cavusoglu, H.; Mishra, B.; Raghunathan, S.
  • The impact of denial‐of‐service attack announcements on the market value of firms
    Hovava, A.; D'Arcy, J.
  • Prioritizing processes and controls for effective and measurable security
    Kim, G.
  • Alarmist decisions with divergent risk information
    Kip Viscusi, W.
  • Incentives and perceptions of information security risks
    Konsynski, B.; Farahmand, F.; Atallah, M.
  • WAN‐hacking with AutoHack – auditing security behind the firewall
    Muffet, A.
  • The use, misuse and abuse of statistics in information security research
    Ryan, J.J.C.H.; Jefferson, T.I.
  • The New School of Information Security
    Shostack, A.; Stewart, A.
  • The Perception of Risk
    Slovic, P.
  • Tangible ROI through secure software engineering
    Soohoo, K.; Sudbury, A.; Jaquith, A.
  • On the Gordon\&Loeb model for information security investment
    Willemson, J.