Corporate Information Security Investment Decisions: A Qualitative Data Analysis Approach

Corporate Information Security Investment Decisions: A Qualitative Data Analysis Approach

Daniel Schatz (University of East London, London, UK) and Rabih Bashroush (University of East London, London, UK)
Copyright: © 2018 |Pages: 20
DOI: 10.4018/IJEIS.2018040101
OnDemand PDF Download:
No Current Special Offers


This article describes how with information security steadily moving up on board room agendas, security programs are found to be under increasing scrutiny by practitioners. This level of attention by senior business leaders is new to many security professionals as their field has been of limited interest to non-executive directors so far. Currently, they have to regularly report on efficiency and value of their security capabilities whilst being measured against business priorities. Based on the Grounded Theory approach, the authors analysed the data gathered in a series of interviews with senior professionals in order to identify key factors in the context of information security investment decisions. The authors present detailed findings in context of a simplified framework that security practitioners can utilise for critical review or improvements of investment decisions in their own environments. Extensive details for each category as extracted through a qualitative data analysis are provided along with a category network analysis that highlights strong relationships within the framework.
Article Preview

1. Introduction

Information asset security has been a subject of extensive research over the past years, largely focusing on technological risks. While there was early research on the economic impact of information security risks (Ekenberg, Oberoi, & Orci, 1995; Finne, 1997; Francke & Blind, 1996), academic research had been limited until the turn of the millennium when papers by Hoo (2000), Anderson (2001), as well as Gordon and Loeb (2002) raised levels of interest regarding this topic. However, studies remain focussed on the fast-moving area of information security risks in general. Much of the security economics research, particularly earlier approaches, is firmly footed in theoretical model space, leaving key challenges unmentioned or unsolved. Although such models are contributing towards a better approach for information security investments, they often suffer from their overly theoretical methodology and, as such, are not properly well suited for real-world application. The aim of this study is to identify current practices of information security investment prioritisation and evaluation in organisations. Based on a series of semi-structured interviews, a qualitative data analysis approach is followed so as to understand key factors, core challenges, and common practices as experienced by information security practitioners. In particular, this paper investigates the following research questions:

  • How are information security investments in organisations currently approached by practitioners?

  • What are the key factors and challenges considered by practitioners in relation to information security investments?

  • How do information security management systems and information security governance models support practitioners in this regard?

  • How are traditional accounting metrics (net present value (NPV), return on investment (ROI), etc.) used?

The remainder of the paper is structured as follows: in the next section, related work is presented. Section 3 discusses the research methodology and design, as well as the interview framework including sample strategy, data collection procedures, coding approach and analysis. Section 4 presents the results of the data analysis process including details on the responses of participants. And finally, in Sections 5 and 6, the limitations of the approach presented in this study are thoroughly reviewed and conclusive thoughts are provided.

Complete Article List

Search this Journal:
Volume 18: 4 Issues (2022): Forthcoming, Available for Pre-Order
Volume 17: 4 Issues (2021)
Volume 16: 4 Issues (2020)
Volume 15: 4 Issues (2019)
Volume 14: 4 Issues (2018)
Volume 13: 4 Issues (2017)
Volume 12: 4 Issues (2016)
Volume 11: 4 Issues (2015)
Volume 10: 4 Issues (2014)
Volume 9: 4 Issues (2013)
Volume 8: 4 Issues (2012)
Volume 7: 4 Issues (2011)
Volume 6: 4 Issues (2010)
Volume 5: 4 Issues (2009)
Volume 4: 4 Issues (2008)
Volume 3: 4 Issues (2007)
Volume 2: 4 Issues (2006)
Volume 1: 4 Issues (2005)
View Complete Journal Contents Listing