A model of the information security investment decision-making process

Daniel Dor, Yuval Elovici

Research output: Contribution to journalArticlepeer-review

25 Scopus citations

Abstract

Following recent developments affecting the information security threat landscape, information security has become a complex managerial issue. Using grounded theory, we present a conceptual model that reflects the most up-to-date decision-making practices regarding information security investment in organizations for several industries. The framework described in this article generalizes the current decision-making processes, while taking into consideration that organizations may differ in many respects, including: the stakeholder who administers the information security budget, the Chief Information Security Officer's (CISO) role in the organization, the organization's industry sector, the organizational structure, and so on. Our findings indicate that the information security investment decision-making process contains 14 phases and 16 concepts that affect and are affected by these phases. The study shows that the decision-making process is heavily biased by different organizational and psychological factors. The conceptual model derived can assist decision makers/stakeholders in performing, reviewing, and manipulating the decision-making process in their organizations. It can also assist vendors and consultants in understanding and prioritizing various aspects of their sales cycle.

Original languageEnglish
Pages (from-to)1-13
Number of pages13
JournalComputers and Security
Volume63
DOIs
StatePublished - 1 Nov 2016

Keywords

  • Decision-making
  • Decision-processes
  • Grounded theory
  • Information security
  • Information security investments
  • Multi-criteria decision making

Fingerprint

Dive into the research topics of 'A model of the information security investment decision-making process'. Together they form a unique fingerprint.

Cite this