INFORMATION SECURITY INVESTMENT MODEL: RESOURCE REPRESENTATION AND ORGANIZATIONAL TRAINING
Abstract
Information technology (IT) protection is a key economic concern for organizations. While research on investment in IT security is growing rapidly, it lacks a theoretical basis for combining the economic and technological phenomena and research directions involved. The proposed theoretical model draws on the theory of organizational behavior and on resource representation (the resource-based view). Applying these theories together makes it possible, within a single model, to present the organizational learning effects that arise when the protection of organizational resources is developed through IT security countermeasures. The approaches identified for the study of investment in information security fall into three groups: microeconomic approaches based on game theory; financial analysis based on return on investment (ROI), net present value (NPV) and internal rate of return (IRR); and management approaches based on decision theory, risk management and organization theory. Combining these theories and approaches yields a multi-theoretical model that integrates the methods of these research areas within one comprehensive model grounded in resource representation and the theory of organizational learning. The difficulties of developing a theoretical model of investment in information security are identified, namely: the diverse nature of countermeasures, which cover strategic and operational issues and involve legal, technical and organizational aspects; the intended purpose of investment in information security (risk reduction rather than profit); and the complementarity of the operational and strategic time horizons. Different perspectives on the investment problem are presented, namely resource representation and the perspective of the theory of organizational learning.
The proposed approach allowed us to build an integrated model of investment in information security. Answering the questions that arise from analysis of this integrated model can not only direct future research but also has managerial implications that will help firms make informed investment decisions in the field of information security.