Title: MEASURING THE FINANCIAL IMPLICATIONS OF IS SECURITY INVESTMENTS BY MEANS OF IT-BUSINESS-ALIGNMENT
Author(s): Heinz Lothar Grob, Gereon Strauch, Christian Buddendick
ISBN: 978-972-8924-57-7
Editors: Miguel Baptista Nunes, Pedro Isaías and Philip Powell
Year: 2008
Edition: Single
Keywords: Security Management, Risk Analysis and Management, Information Systems Security, Business Processes, IT-Business Alignment
Type: Full Paper
First Page: 81
Last Page: 90
Language: English
Paper Abstract:

The security of information systems is a vital factor for companies today. In order to achieve an adequate level of security, a variety of distinct measures are available, ranging from technical measures (e.g. deployment of a firewall) to organizational measures (e.g. implementation of security awareness management). Like most IT-related investments, the realization of such measures requires investments with an uncertain future return. The results of implementing such measures in an organization can only be observed indirectly, by means of (future) risk reduction and the corresponding prospective payments. Up to now, suitable methods for decision support, especially for assessing the profitability of alternative IS security measures, can be found neither in the literature nor in practice. Proposed methods are characterized by two shortcomings: from a theoretical perspective they are not sound (e.g. Return on Security Investment (ROSI) approaches), or they are too complex to be applied in practical projects. With this article we propose a method framework that enables the analysis of the results of alternative security investments from a process-oriented perspective. As a basis, we have conducted an in-depth analysis of the state of the art in the fields of IT-Business-Alignment and IS security management in order to identify suitable concepts for the framework. The proposed method takes the long-term monetary consequences of a decision into account, as well as the omnipresent uncertainty. As a result of applying this framework, a direct comparison of the distinct returns of alternative measures is possible. Hence decision-makers are able to prioritize investments for dedicated IS security measures.