1. Introduction
Information asset security has been a subject of extensive research over the past years, largely focusing on technological risks. While there was early research on the economic impact of information security risks (Ekenberg, Oberoi, & Orci, 1995; Finne, 1997; Francke & Blind, 1996), academic research remained limited until the turn of the millennium, when papers by Hoo (2000), Anderson (2001), and Gordon and Loeb (2002) raised the level of interest in this topic. However, studies remain focused on the fast-moving area of information security risks in general. Much of the security economics research, particularly the earlier approaches, is firmly rooted in theoretical model space, leaving key practical challenges unmentioned or unsolved. Although such models contribute towards a better approach to information security investment, they often suffer from an overly theoretical methodology and, as such, are not well suited to real-world application. The aim of this study is to identify current practices of information security investment prioritisation and evaluation in organisations. Based on a series of semi-structured interviews, a qualitative data analysis approach is followed in order to understand the key factors, core challenges, and common practices as experienced by information security practitioners. In particular, this paper investigates the following research questions:
- How are information security investments in organisations currently approached by practitioners?
- What are the key factors and challenges considered by practitioners in relation to information security investments?
- How do information security management systems and information security governance models support practitioners in this regard?
- How are traditional accounting metrics (net present value (NPV), return on investment (ROI), etc.) used?
The remainder of the paper is structured as follows: in the next section, related work is presented. Section 3 discusses the research methodology and design, as well as the interview framework, including the sampling strategy, data collection procedures, coding approach and analysis. Section 4 presents the results of the data analysis process, including details on the responses of participants. Finally, in Sections 5 and 6, the limitations of the approach presented in this study are thoroughly reviewed and concluding thoughts are provided.