IDEAS home Printed from https://ideas.repec.org/a/spr/infosf/v19y2017i5d10.1007_s10796-016-9648-8.html
   My bibliography  Save this article

Economic valuation for information security investment: a systematic literature review

Author

Listed:
  • Daniel Schatz

    (Thomson Reuters)

  • Rabih Bashroush

    (University of East London)

Abstract

Research on technological aspects of information security risk is a well-established area and familiar territory for most information security professionals. The same cannot be said about the economic value of information security investments in organisations. While there is an emerging research base investigating suitable approaches measuring the value of investments in information security, it remains difficult for practitioners to identify key approaches in current research. To address this issue, we conducted a systematic literature review on approaches used to evaluate investments in information security. Following a defined review protocol, we searched several databases for relevant primary studies and extracted key details from the identified studies to answer our research questions. The contributions of this work include: a comparison framework and a catalogue of existing approaches and trends that would help researchers and practitioners navigate existing work; categorisation and mapping of approaches according to their key elements and components; and a summary of key challenges and benefits of existing work, which should help focus future research efforts.

Suggested Citation

  • Daniel Schatz & Rabih Bashroush, 2017. "Economic valuation for information security investment: a systematic literature review," Information Systems Frontiers, Springer, vol. 19(5), pages 1205-1228, October.
    • Handle: RePEc:spr:infosf:v:19:y:2017:i:5:d:10.1007_s10796-016-9648-8
    DOI: 10.1007/s10796-016-9648-8
    as

    Download full text from publisher

    File URL: http://link.springer.com/10.1007/s10796-016-9648-8
    File Function: Abstract
    Download Restriction: Access to the full text of the articles in this series is restricted.
    File URL: https://libkey.io/10.1007/s10796-016-9648-8?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to search for a different version of it.

    References listed on IDEAS

    as
    1. Huang, C. Derrick & Behara, Ravi S., 2013. "Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints," International Journal of Production Economics, Elsevier, vol. 141(1), pages 255-268.
    2. R. H. Strotz, 1955. "Myopia and Inconsistency in Dynamic Utility Maximization," The Review of Economic Studies, Review of Economic Studies Ltd, vol. 23(3), pages 165-180.
    3. Maryam Alavi & John C. Henderson, 1981. "An Evolutionary Strategy for Implementing a Decision Support System," Management Science, INFORMS, vol. 27(11), pages 1309-1323, November.
    4. Richard H. Thaler & Cass R. Sunstein, 2023. "Libertarian paternalism," Chapters, in: Cass R. Sunstein & Lucia A. Reisch (ed.), Research Handbook on Nudges and Society, chapter 1, pages 10-16, Edward Elgar Publishing.
    5. Amanda Eisenga & Travis L. Jones & Walter Rodriguez, 2012. "Investing in IT Security: How to Determine the Maximum Threshold," International Journal of Information Security and Privacy (IJISP), IGI Global, vol. 6(3), pages 75-87, July.
    6. Hausken, Kjell, 2006. "Income, interdependence, and substitution effects affecting incentives for security investment," Journal of Accounting and Public Policy, Elsevier, vol. 25(6), pages 629-665.
    7. Thomas L. Saaty, 1994. "How to Make a Decision: The Analytic Hierarchy Process," Interfaces, INFORMS, vol. 24(6), pages 19-43, December.
    8. Gordon, Lawrence A. & Loeb, Martin P. & Lucyshyn, William, 2003. "Sharing information on computer systems security: An economic analysis," Journal of Accounting and Public Policy, Elsevier, vol. 22(6), pages 461-485.
    9. Cass R. Sunstein & Richard H. Thaler, 2003. "Libertarian paternalism is not an oxymoron," Conference Series ; [Proceedings], Federal Reserve Bank of Boston, vol. 48(Jun).
    10. Khansa, Lara & Liginlal, Divakaran, 2009. "Valuing the flexibility of investing in security process innovations," European Journal of Operational Research, Elsevier, vol. 192(1), pages 216-235, January.
    11. Lawrence Gordon & Martin Loeb & Tashfeen Sohail & Chih-Yang Tseng & Lei Zhou, 2008. "Cybersecurity, Capital Allocations and Management Control Systems," European Accounting Review, Taylor & Francis Journals, vol. 17(2), pages 215-241.
    12. Kjell Hausken, 2006. "Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability," Information Systems Frontiers, Springer, vol. 8(5), pages 338-349, December.
    13. Gordon, Lawrence A. & Loeb, Stephen E., 1982. "Accounting and public policy," Journal of Accounting and Public Policy, Elsevier, vol. 1(1), pages 1-3.
    14. Hausken, Kjell, 2007. "Information sharing among firms and cyber attacks," Journal of Accounting and Public Policy, Elsevier, vol. 26(6), pages 639-688.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Simon Trang & Benedikt Brendel, 2019. "A Meta-Analysis of Deterrence Theory in Information Security Policy Compliance Research," Information Systems Frontiers, Springer, vol. 21(6), pages 1265-1284, December.
    2. Mazaher Kianpour & Stewart J. Kowalski & Harald Øverby, 2021. "Systematically Understanding Cybersecurity Economics: A Survey," Sustainability, MDPI, vol. 13(24), pages 1-28, December.
    3. Chenglong Zhang & Nan Feng & Jianjian Chen & Dahui Li & Minqiang Li, 2021. "Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities," Information Systems Frontiers, Springer, vol. 23(3), pages 773-790, June.
    4. Martin Eling & Michael McShane & Trung Nguyen, 2021. "Cyber risk management: History and future research directions," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 24(1), pages 93-125, March.
    5. David Rios Insua & Aitor Couce‐Vieira & Jose A. Rubio & Wolter Pieters & Katsiaryna Labunets & Daniel G. Rasines, 2021. "An Adversarial Risk Analysis Framework for Cybersecurity," Risk Analysis, John Wiley & Sons, vol. 41(1), pages 16-36, January.
    6. Blakely, Benjamin & Kurtenbach, Jim & Nowak, Lovila, 2022. "Exploring the information content of cyber breach reports and the relationship to internal controls," International Journal of Accounting Information Systems, Elsevier, vol. 46(C).
    7. Chenglong Zhang & Nan Feng & Jianjian Chen & Dahui Li & Minqiang Li, 0. "Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities," Information Systems Frontiers, Springer, vol. 0, pages 1-18.
    8. Tejaswini C. Herath & Hemantha S. B. Herath & David Cullum, 2023. "An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks," Information Systems Frontiers, Springer, vol. 25(2), pages 681-721, April.
    9. Petar Radanliev & David Roure & Max Kleek & Uchenna Ani & Pete Burnap & Eirini Anthi & Jason R. C. Nurse & Omar Santos & Rafael Mantilla Montalvo & La’Treall Maddox, 2021. "Dynamic real-time risk analytics of uncontrollable states in complex internet of things systems: cyber risk at the edge," Environment Systems and Decisions, Springer, vol. 41(2), pages 236-247, June.
    10. Martin (Dae Youp) Kang & Anat Hovav, 2020. "Benchmarking Methodology for Information Security Policy (BMISP): Artifact Development and Evaluation," Information Systems Frontiers, Springer, vol. 22(1), pages 221-242, February.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Daniel Schatz & Rabih Bashroush, 0. "Economic valuation for information security investment: a systematic literature review," Information Systems Frontiers, Springer, vol. 0, pages 1-24.
    2. Levitin, Gregory & Hausken, Kjell & Taboada, Heidi A. & Coit, David W., 2012. "Data survivability vs. security in information systems," Reliability Engineering and System Safety, Elsevier, vol. 100(C), pages 19-27.
    3. Xing Gao & Weijun Zhong & Shue Mei, 2014. "A game-theoretic analysis of information sharing and security investment for complementary firms," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 65(11), pages 1682-1691, November.
    4. Chul Ho Lee & Xianjun Geng & Srinivasan Raghunathan, 2016. "Mandatory Standards and Organizational Information Security," Information Systems Research, INFORMS, vol. 27(1), pages 70-86, March.
    5. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    6. Xinbao Liu & Xiaofei Qian & Jun Pei & Panos M. Pardalos, 2018. "Security investment and information sharing in the market of complementary firms: impact of complementarity degree and industry size," Journal of Global Optimization, Springer, vol. 70(2), pages 413-436, February.
    7. Yosra Miaoui & Noureddine Boudriga, 2019. "Enterprise security investment through time when facing different types of vulnerabilities," Information Systems Frontiers, Springer, vol. 21(2), pages 261-300, April.
    8. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    9. Yosra Miaoui & Noureddine Boudriga, 0. "Enterprise security investment through time when facing different types of vulnerabilities," Information Systems Frontiers, Springer, vol. 0, pages 1-40.
    10. Markus Haavio & Kaisa Kotakorpi, 2012. "Sin Licenses Revisited," CESifo Working Paper Series 4010, CESifo.
    11. Mazaher Kianpour & Stewart J. Kowalski & Harald Øverby, 2021. "Systematically Understanding Cybersecurity Economics: A Survey," Sustainability, MDPI, vol. 13(24), pages 1-28, December.
    12. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
    13. Guizhou Wang & Jonathan W. Welburn & Kjell Hausken, 2020. "A Two-Period Game Theoretic Model of Zero-Day Attacks with Stockpiling," Games, MDPI, vol. 11(4), pages 1-26, December.
    14. Maria Alessandra Antonelli & Valeria De Bonis & Angelo Castaldo & Alessandrao Gandolfo, 2022. "Sin goods taxation: an encompassing model," Public Finance Research Papers 52, Istituto di Economia e Finanza, DSGE, Sapienza University of Rome.
    15. Kjell Hausken, 2018. "Proactivity and Retroactivity of Firms and Information Sharing of Hackers," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 20(01), pages 1-30, March.
    16. Axel H. Börsch-Supan & Tabea Bucher-Koenen & Michael D. Hurd & Susann Rohwedder, 2018. "Saving Regret," NBER Working Papers 25238, National Bureau of Economic Research, Inc.
    17. Kjell Hausken & Jonathan W. Welburn, 2021. "Attack and Defense Strategies in Cyber War Involving Production and Stockpiling of Zero-Day Cyber Exploits," Information Systems Frontiers, Springer, vol. 23(6), pages 1609-1620, December.
    18. Linda Thunström & Jonas Nordström & Jason F. Shogren & Mariah Ehmke & Klaas Veld, 2016. "Strategic self-ignorance," Journal of Risk and Uncertainty, Springer, vol. 52(2), pages 117-136, April.
    19. Krügel, Sebastian & Uhl, Matthias, 2023. "Is only one of my selves authentic? An empirical approach," Journal of Behavioral and Experimental Economics (formerly The Journal of Socio-Economics), Elsevier, vol. 102(C).
    20. Daniel Serra, 2019. "Neuroeconomics and modern neuroscience," CEE-M Working Papers halshs-02160907, CEE-M, Universtiy of Montpellier, CNRS, INRA, Montpellier SupAgro.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:spr:infosf:v:19:y:2017:i:5:d:10.1007_s10796-016-9648-8. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Sonal Shukla or Springer Nature Abstracting and Indexing (email available below). General contact details of provider: http://www.springer.com .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.