Can spending on information security be justified? Evaluating the security spending decision from the perspective of a rational actor

Cited by: 6
Author
Stewart, Andrew
Source
Information Management and Computer Security | 2012 / Vol. 20 / No. 04
Keywords
Costs; Data security; Decision making; Economics; Efficiency; Incentives; Information management; Information security; Information systems; Psychology; Spending strategies
DOI
10.1108/09685221211267675
Abstract

Purpose - The purpose of this paper is to investigate the optimality of various strategies for spending on information security. Being able to understand the strengths and weaknesses of spending strategies is useful to organizations.

Design/methodology/approach - The author's analysis begins with a whole-systems view of the security spending decision that encompasses people, technology, and economics, and a taxonomy of justifications for spending on information security is presented. Each justification within the taxonomy is discussed, and that analysis is used to examine the apparent rationality of a number of common spending strategies. A model is constructed that an organization can use in a practical manner to select a rational approach to spending on information security.

Findings - The author describes two spending strategies intended to be simple and straightforward for an organization to employ in practice. These strategies account for a number of weaknesses in common justifications for spending on information security. They also take into consideration the observation that a number of pressures push companies towards inefficiency in their spending.

Originality/value - When faced with budgeting decisions, managers are bound by fiduciary duty to identify those investments that will maximize shareholder value. As such, decisions about spending must be carefully considered and evaluated in rational economic terms. This paper provides useful thinking on this important topic. © Emerald Group Publishing Limited.
Pages: 312 / 326
Page count: 14