Information Availability as Driver of Information Security Investments: A Systematic Review Approach

Despite that information security issues have started to gain managers' attention since computers were first put in use, information security management has not yet reached its maturity and is still requiring input from both the academia and industry. Indeed, today's businesses have still not been widely convinced to invest in information security initiatives, resulting in the shrinking budget allocated for organisational information security. One common finding shows that organisational awareness towards information security can serve as a great driver that would help firms realise the business values of such investments. In addition, such emphasis on the awareness suggests the essential role of training, education and dissemination of quality information. As a result, one could argue that the available information has an indirect influence on the adoption rate of information security, through the impact of awareness. This research analyses the possibility of whether information availability could directly drive the intention to invest in information security initiatives by removing the uncertainty surrounding such investments. In other words, information availability per se could drive investing intention by reducing the obstacle - its uncertainty - rather than stimulate business needs through the enforcing of another factor that is awareness. Through intensive reviews on the literature, this paper synthesises and reports on the definition of information availability and how it could drive the intention to invest in information security. Specifically, the researchers examine the driving force of internal information (risk management, staff suggestions), external information (consultants, external audit) and general information (white papers, security reports). By exploring the direct relationship between information availability and intention to invest in information security, more practical recommendations and directions to promote organisational information security can be suggested. Before that, the researchers aim to update the readers with an understanding of the role of information availability in information security management.