This paper, a research in progress, presents a balanced scorecard based framework for managing and evaluating the performance of information security in organizations. Acknowledging the multi-dimensionality of information security and the various value propositions of different constituents, we contend that for organizations to maximize the value of their information security effort, they should strike a balance between four information security capabilities pertaining to four perspectives: the financial, the customer, the internal processes, and the learning and growth perspectives. The proposed framework supplements the traditional financial perspective with three non-financial perspectives and thus accounts for the qualitative and intangible benefits of information security. Furthermore, it captures the technical and socio-organizational dimensions of information security. Finally, the proposed framework, through its robust theoretical and methodological foundation, holds the promise of maximizing the effectiveness of the information security endeavor in organizations.
Hamdan, Basil J., "EVALUATING THE PERFORMANCE OF INFORMATION SECURITY: A BALANCED SCORECARD APPROACH" (2013). SAIS 2013Proceedings. 11.