Paper Type
Complete
Description
In recent years, the importance of information security has grown significantly due to the rise of cyber threats and attacks. However, evaluating investments in information security can be challenging, as traditional methods often rely solely on monetary factors and fail to capture the dynamic nature of business processes. This paper introduces a novel process-based evaluation method for assessing the effect of investments in information security on business processes. The paper outlines practical design requirements for the method and its instantiation as a prototype, which is then evaluated using a three-step approach with two companies from the healthcare and energy sectors. The evaluation results demonstrate the proposed method's usefulness in information security investment decisions. This paper contributes to the field of information security investment evaluation by providing a proof-of-concept that potentially paves the way for future research to increase the quality and economics of investments in information security.
Paper Number
1929
Recommended Citation
Matschak, Tizian; Nastjuk, Ilja; Niedzela, Laura; Kuehnel, Stephan; and Trang, Simon, "A Process-Based Approach to Information Security Investment Evaluation: Design, Implementation, and Evaluation" (2023). AMCIS 2023 Proceedings. 30.
https://aisel.aisnet.org/amcis2023/sig_sec/sig_sec/30
A Process-Based Approach to Information Security Investment Evaluation: Design, Implementation, and Evaluation
Comments
SIG SEC