Published in: Information Systems Frontiers 5/2017

18.04.2016

Economic valuation for information security investment: a systematic literature review

Authors: Daniel Schatz, Rabih Bashroush


Abstract

Research on the technological aspects of information security risk is a well-established area and familiar territory for most information security professionals. The same cannot be said about the economic value of information security investments in organisations. While there is an emerging research base investigating suitable approaches to measuring the value of investments in information security, it remains difficult for practitioners to identify the key approaches in current research. To address this issue, we conducted a systematic literature review of the approaches used to evaluate investments in information security. Following a defined review protocol, we searched several databases for relevant primary studies and extracted key details from the identified studies to answer our research questions. The contributions of this work include: a comparison framework and a catalogue of existing approaches and trends that help researchers and practitioners navigate existing work; a categorisation and mapping of approaches according to their key elements and components; and a summary of the key challenges and benefits of existing work, which should help focus future research efforts.

Metadata
Title
Economic valuation for information security investment: a systematic literature review
Authors
Daniel Schatz
Rabih Bashroush
Publication date
18.04.2016
Publisher
Springer US
Published in
Information Systems Frontiers / Issue 5/2017
Print ISSN: 1387-3326
Electronic ISSN: 1572-9419
DOI
https://doi.org/10.1007/s10796-016-9648-8
