A Structural Model Approach for Assessing Information Security Value in Organizations

Daniel Schatz (University of East London, London, UK) and Rabih Bashroush (University of East London, London, UK)
Copyright: © 2018 | Pages: 23
DOI: 10.4018/IJSDS.2018100104

Abstract

Data is rapidly becoming one of the most important assets in global markets, and criminals are spotting opportunities to exploit new potential income sources. In response to this, organizations are dedicating increasing resources to information security programs. However, faced with unrelenting breach reports and rising costs, decision makers inevitably wonder which type of security investment is economically viable. In this article, the authors present an empirically tested model describing the underlying key constructs for assessing information security value in an organization. Based on identified latent variables previously put forward in the literature, the authors use a partial least squares structural equation modeling approach to verify the model's soundness. They identify five crucial variables for value-focused information security investment. The relationships among these latent variables are then investigated and contributions of the structural model assessed. The key findings are finally presented to highlight opportunities for security practitioners to apply the proposed model.
Article Preview

Early discussion of information security was driven mostly by technical considerations (Hitchings, 1995; von Solms, 1996), but it quickly moved on to governance topics (Dhillon & Backhouse, 2000; Dutta & McCrohan, 2002; Shuchih Ernest & Chienta Bruce, 2006) and to questions of value (Bojanc & Jerman-Blažič, 2008; Dhillon & Torkzadeh, 2006). Work on the economic aspects of information security (Anderson, 2001; Gordon & Loeb, 2002a; Hoo, 2000) was rapidly extended by research into the allocation and optimization of security investment. For example, by taking into account the vulnerability of an information set and the potential loss from a breach, Gordon and Loeb (2002a) treat the investment decision as an optimization problem and present a model for calculating the optimal investment level. Their model has since been critically reviewed and extended by several researchers, including the original authors (Baryshnikov, 2012; Gordon et al., 2016; Matsuura, 2009; Willemson, 2010). Similarly, a return on investment (ROI) approach aligned with commonly used accounting principles was popular in the early days of research in this field (Al-Humaigani & Dunn, 2003; A. Davis, 2005; Mizzi, 2010; Sonnenreich, Albanese, & Stout, 2006). However, it also attracted criticism, both for the ambiguity of the underlying data and for doubts about whether the metric is applicable to information security at all (Gordon & Loeb, 2002b; Wood & Parker, 2004). Indeed, the volume of published research on this approach and on related accounting metrics such as net present value (NPV) has declined over time, as shown by the systematic literature review of the topic by Schatz and Bashroush (2016).
