Information Systems Frontiers, Volume 19, Issue 5, pp 1205–1228

Economic valuation for information security investment: a systematic literature review

Article

Abstract

Research on the technological aspects of information security risk is a well-established area and familiar territory for most information security professionals. The same cannot be said about the economic value of information security investments in organisations. While there is an emerging research base investigating suitable approaches to measuring the value of investments in information security, it remains difficult for practitioners to identify the key approaches in current research. To address this issue, we conducted a systematic literature review of the approaches used to evaluate investments in information security. Following a defined review protocol, we searched several databases for relevant primary studies and extracted key details from the identified studies to answer our research questions. The contributions of this work include: a comparison framework and a catalogue of existing approaches and trends that help researchers and practitioners navigate existing work; a categorisation and mapping of approaches according to their key elements and components; and a summary of the key challenges and benefits of existing work, which should help focus future research efforts.

Keywords

Information systems; Information security; Econometrics; Return on security investment; Systematic literature review; Managerial risk accounting


Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  1. Thomson Reuters, London, UK
  2. University of East London, London, UK
