
Conceptual Design of a Method to Support IS Security Investment Decisions

  • Conference paper

Part of the book series: Lecture Notes in Business Information Processing (LNBIP, volume 5)

Abstract

Information systems are part and parcel of critical infrastructures. In order to safeguard the compliance of information systems, private enterprises and governmental organizations can implement a large variety of distinct measures, ranging from technical measures (e.g. the deployment of a firewall) to organizational measures (e.g. the implementation of security awareness management). The realization of such measures requires investments with an uncertain prospective return that can hardly be determined. An appropriate method for the profitability assessment of alternative IS security measures has not been developed so far. With this article we propose a conceptual design for a method that enables the determination of the success of alternative security investments on the basis of a process-oriented perspective. Within a design science approach we combine established artifacts of the field of IS security management with those of the fields of process management and controlling. On that basis we develop a concept that allows decision-makers to prioritize investments in dedicated IS security measures.




Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Grob, H.L., Strauch, G., Buddendick, C. (2008). Conceptual Design of a Method to Support IS Security Investment Decisions. In: Kaschek, R., Kop, C., Steinberger, C., Fliedl, G. (eds) Information Systems and e-Business Technologies. UNISCON 2008. Lecture Notes in Business Information Processing, vol 5. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-78942-0_43


  • DOI: https://doi.org/10.1007/978-3-540-78942-0_43

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-78941-3

  • Online ISBN: 978-3-540-78942-0

  • eBook Packages: Computer Science (R0)
