IT security has become a major issue for organizations as they need to protect their assets, including IT resources, intellectual property and business processes, against security attacks. Disruptions of IT-based business activities can easily lead to economic damage, such as loss of productivity, revenue and reputation. \ \ Organizations need to decide (1) which assets need which level of protection, (2) which technical,managerial and organizational security countermeasures lead to this protection and (3) how much should be spent on which countermeasure in the presence of budget constraints. Answering these questions requires both making IT security investment decisions and evaluating the effectiveness and efﬁciency of these decisions. \ \ The literature has contributed to this ﬁeld adopting approaches from micro-economics, ﬁnance and management, among others. However, the literature is rather fragmented and lacks a shared theoretical basis. As a consequence, it remains partly open what we can learn from past research and how we can \ direct and stimulate still missing research activities. \ \ In order to address these deﬁciencies, we draw on the resource-based view (RBV) and provide a theoretical model for IT security investments. We use this RBV model to review the IT security investment literature and to identify research gaps.
Weishäupl, Eva; Yasasin, Emrah; and Schryen, Guido, "IT Security Investments Through the Lens of the Resource-Based View: A new Theoretical Model and Literature Review" (2015). ECIS 2015 Completed Research Papers. Paper 198.