Economic valuation for information security investment: a systematic literature review
Research on technological aspects of information security risk is a well-established area and familiar territory for most information security professionals. The same cannot be said about the economic value of information security investments in organisations. While there is an emerging research base investigating suitable approaches for measuring the value of investments in information security, it remains difficult for practitioners to identify key approaches in current research. To address this issue, we conducted a systematic literature review on approaches used to evaluate investments in information security. Following a defined review protocol, we searched several databases for relevant primary studies and extracted key details from the identified studies to answer our research questions. The contributions of this work include: a comparison framework and a catalogue of existing approaches and trends that would help researchers and practitioners navigate existing work; categorisation and mapping of approaches according to their key elements and components; and a summary of key challenges and benefits of existing work, which should help focus future research efforts.
Keywords: Information systems; Information security; Econometrics; Return on security investment; Systematic literature review; Managerial risk accounting