Early discussion on information security was mostly driven by technical aspects (Hitchings, 1995; von Solms, 1996), but it quickly moved on to governance topics (Dhillon & Backhouse, 2000; Dutta & McCrohan, 2002; Shuchih Ernest & Chienta Bruce, 2006) as well as to a focus on value (Bojanc & Jerman-Blažič, 2008; Dhillon & Torkzadeh, 2006). Work on the economic aspects of information security (Anderson, 2001; Gordon & Loeb, 2002a; Hoo, 2000) was rapidly extended by research investigating the allocation and optimization of security investment. For example, by taking into account the vulnerability of information and the potential loss from a security breach, Gordon and Loeb (2002a) approach the topic as an optimal stopping problem and present a model to calculate optimal investment levels. Their model has been critically reviewed and extended by several researchers, including the original authors (Baryshnikov, 2012; Gordon et al., 2016; Matsuura, 2009; Willemson, 2010). Similarly, a return on investment (ROI) approach aligned with commonly used accounting principles was popular in the early days of research in this field (Al-Humaigani & Dunn, 2003; A. Davis, 2005; Mizzi, 2010; Sonnenreich, Albanese, & Stout, 2006). However, it also attracted criticism because of the ambiguity in the underlying data as well as the general applicability of the metric to information security (Gordon & Loeb, 2002b; Wood & Parker, 2004). Indeed, the publication of research on this approach and on other related accounting metrics such as net present value (NPV) has declined over time, as shown by the systematic literature review on this topic by Schatz and Bashroush (2016).