An Alternative Model of Information Security Investment

Peter O. Orondo (Acclaim Consulting Group, Inc., USA)
DOI: 10.4018/978-1-60566-132-2.ch008
Most companies would agree that securing their information assets is worth some investment. It is thus plausible to assume that low levels of IT security investment indicate that only a small portion of the firm’s business is IT asset value driven. It could also point to a misaligned corporate investment policy. Conversely, some firms may be investing more than is warranted given the value of their information asset holdings, thereby wasting shareholder resources. The question then becomes: What level of IT security investment is enough? Several models exist to help companies set their IT spending in general and Information Security spending in particular. The leading model out there is the Information Technology Portfolio Management (ITPM) model. This is really nothing more than financial portfolio management theory applied to the information technology realm. Thus ITPM tries to optimize IT spending based on a number of factors like business value, efficiency and cost reduction among others. Despite current vigorous research at esteemed institutions like the Center for Information Systems Research (CISR) at MIT and at the Free University of Amsterdam, ITPM is still in its infancy and the field would benefit from alternative models. In this chapter, we propose an alternative model of IT security spending that firms may readily apply when setting their Information Security budgets. The model is analytical and starts by developing a model for the business value of information. It then develops a model for the cost of an information security breach. Finally, we find the relationship between the value model and the cost model from.
Chapter Preview


Global spending on IT can only be described as leviathan: $1.5 trillion in 2007 according to Forrester (Bartels, 2007). It drives a very large segment of the global economy, especially in the western industrialized countries. At the level of the individual firm, that figure typically translates to IT spending of between 1% and 8% of revenues. Since any firm's spending is a balancing act among multiple competing priorities, it becomes critical for CIOs and IT managers to justify every penny spent on IT.

As we mentioned earlier, the most common model appears to be the ITPM model which views IT spending as an investment just like any other that the firm makes. ITPM then creates metrics, processes and monitoring tools that ultimately measure Return on Investment (ROI) for each IT dollar spent (Symons, 2005).

The Forrester Research cited (Symons, 2005) also reveals that firms are most likely to optimize their IT spending around Business Value. In other words, the firms surveyed decided that the business value of IT spending outweighed other considerations like financial return, cost reductions and even efficiency (see Figure 1).

Figure 1.

IT portfolio optimization criteria (Symons, 2005)

This validates a key premise of our model, namely that IT Security Spending is integral to the firm’s value chain. We shall return to this notion of “Business Value” driven IT Security Spending later when we formulate our model.

ITPM, however, is still in its infancy, and is fairly complicated to apply, monitor and measure in any given company. Additionally:

  • ITPM is ultimately based on the financial theory of portfolio optimization. While it is plausible that the basic concepts of Modern Portfolio Theory (MPT), see for example (Markowitz, 1952), should apply to IT spending, the two problems are sufficiently different that substantial conceptual modifications to MPT are in order before it can make sense to the IT line manager. At the very least, it is not clear that MPT is the best approach to modeling IT investment portfolios. For example, an IT investment portfolio is far less liquid than a stock portfolio, if it is liquid at all: an investment in a deployed system cannot be sold off at short notice to rebalance the portfolio.

  • ITPM is complicated and thus not easily accessible except to generally larger firms with a fair amount of resources devoted to IT process and operations modeling. This is evident from the Forrester study (Symons, 2005): of the mostly large firms surveyed, only 33% indicated that they had some form of an ITPM process. Combined with its immaturity as a practical model, we speculate that ITPM will not be accessible to a vast majority of firms as a practical tool to use when setting IT spending levels.

  • Even more telling, the same Forrester survey found that a vast majority of the firms with an ITPM process (82%) considered it to be an IT initiative. In other words, ITPM was not pervasive enough in the firm to be of any meaningful or lasting value beyond being just another IT initiative.

Anecdotal evidence from our Identity and Access Management (IAM) consulting in a wide array of industries, from financial services to pharmaceuticals and health care services, also supports Forrester's results: most firms we work with, small and large, do not have any consistent way to model or allocate their IT spending. Rather, they tend to focus on broad goals or generalities, for example:

Key Terms in this Chapter

Information Asset Breach: Compromise of the security (confidentiality, integrity or availability) of assets that support business functions by providing secure access to information.

IT Economics: The concept of understanding and applying knowledge of the costs and benefits of managing IT assets, expressed in monetary terms.

Identity and Access Management: Managing the digital identities of stakeholders such as employees, partners, suppliers and contractors, and their access to the information resources required to perform and support the business functions of an organization.

Security Economics: Field of study and area of application that analyzes and evaluates, in financial terms, the costs and benefits of acquiring, deploying and maintaining resources such as systems and personnel to secure information and informational assets.

IT Portfolio Management: The process of defining and managing a combination of different types of IT resources, such as applications, infrastructure and personnel, as a portfolio, with the aim of optimizing their utility in terms of the business value they add.

IT Asset Value: The value of an asset that stores, processes or transmits information, measured as the value added to the business by deploying and supporting it.

Business Loss Index: The percentage of an organization's business that is lost due to an information security breach.

IT Security: Securing the different components of information technology by ensuring the confidentiality, integrity and availability of the information they store, process and transmit.
