An Alternative Model of Information Security Investment

Peter O. Orondo (Acclaim Consulting Group, Inc., USA)
DOI: 10.4018/978-1-61520-965-1.ch306


Most companies would agree that securing their information assets is worth some investment. It is thus plausible to assume that low levels of IT security investment indicate that only a small portion of the firm’s business is driven by IT asset value. It could also point to a misaligned corporate investment policy. Conversely, some firms may be investing more than is warranted given the value of their information asset holdings, thereby wasting shareholder resources. The question then becomes: What level of IT security investment is enough? Several models exist to help companies set their IT spending in general and Information Security spending in particular. The leading model is the Information Technology Portfolio Management (ITPM) model. This is really nothing more than financial portfolio management theory applied to the information technology realm. Thus ITPM tries to optimize IT spending based on a number of factors such as business value, efficiency, and cost reduction, among others. Despite current vigorous research at esteemed institutions like the Center for Information Systems Research (CISR) at MIT and at the Free University of Amsterdam, ITPM is still in its infancy, and the field would benefit from alternative models. In this chapter, we propose an alternative model of IT security spending that firms may readily apply when setting their Information Security budgets. The model is analytical and starts by developing a model for the business value of information. It then develops a model for the cost of an information security breach. Finally, we find the relationship between the value model and the cost model from.
