Paper Type

Complete

Description

In recent years, the importance of information security has grown significantly due to the rise of cyber threats and attacks. However, evaluating investments in information security can be challenging, as traditional methods often rely solely on monetary factors and fail to capture the dynamic nature of business processes. This paper introduces a novel process-based evaluation method for assessing the effect of investments in information security on business processes. The paper outlines practical design requirements for the method and its instantiation as a prototype, which is then evaluated using a three-step approach with two companies from the healthcare and energy sectors. The evaluation results demonstrate the proposed method's usefulness in information security investment decisions. This paper contributes to the field of information security investment evaluation by providing a proof-of-concept that potentially paves the way for future research to increase the quality and economics of investments in information security.

Paper Number

1929

Comments

SIG SEC

Top 25 Paper Badge
 
Aug 10th, 12:00 AM

A Process-Based Approach to Information Security Investment Evaluation: Design, Implementation, and Evaluation
