Identifying the Business Value of Information Security


Lucas Cardholm (Coromatic Group, Sweden)
DOI: 10.4018/978-1-4666-4983-5.ch010

Abstract

Management may see information security as an inhibitor to daily operations if the investment is not well aligned with current business activities or is presented in financial terms not relevant to their agenda. While this chapter shows that information security improvements create bottom-line business benefits, there is still a need for security managers to focus on quantifying those benefits in relevant financial terms. The purpose is to demystify the principles of general investment processes and criteria for calculating the benefits and costs of investments while accentuating alignment to the imperatives of the organization that makes the investment. As information security investments are assessed alongside other investment projects, it helps to consider them on an equal footing, implying the use of similar, and ideally the same, methods of financial cost projection. It is equally important to position and present the proposed investment in a relevant business context.

Introduction

When top-level management makes investment decisions, it strives to find a balance between risk and reward that lets the company meet its overall goals and ambitions. These goals may be defined as single-year financial targets combined with annual budgets and rolling forecasts, or they may be tied to longer-term metrics used to drive a change.

Since 2008 we have witnessed unprecedented changes in the global economic environment that have presented new risks and challenges, combined with new technologies, some of which have helped improve information security and some of which have brought new risks and concerns.

Many security professionals struggle with the fact that the costs associated with information security incidents can have large components which are difficult to quantify. Information security decisions need not, however, be taken with a complete lack of quantified value. Quite to the contrary, as with any investment request, there are often numerous opportunities to collect data and trend information in order to measure the effectiveness of the investment.

If investments in information security are assessed alongside other investment projects, it helps to consider them on an equal footing, implying the use of similar (and ideally the same) methods of financial cost projection. Benefits that cannot be measured with quantitative values may mean less to senior management. They may see information security as an inhibitor to their daily operations if the investment is not well aligned with current business activities or is presented in financial terms that do not seem relevant to their agenda (Tsiakis and Pekos, 2008).

This chapter aims to provide information security professionals with a brief introduction to performing cost-benefit analyses of information security investments and presenting them to management, in order to bridge the gap between security professionals and business leaders.

It is based on recent reports and previous research on the topic, and should be considered as a summary only. For a deeper analysis and broader perspectives on obtaining support and funding from senior management, please refer to the full reports.
