Expected benefits of information security investments

Ryan, Julie J.C.H.; Ryan, Daniel J.

doi:10.1016/j.cose.2006.08.001

Cited by 42 publications

(10 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It uses survivor and failure functions, but since the available data are censored and therefore biased, the quality of the results is questionable. For this reason, Ryan and Ryan (2006) introduce the Kaplan-Meier and Nelson-Aalen estimators that can be used instead. The basic assumption is that an investment in security reduces the risk of successful attacks.…”

Section: Related Researchmentioning

confidence: 99%

“…Willemson (2006), however, emphasizes that the suggested upper limit of the model may not be correct when the model is applied to the general case and to all possible vulnerability functions. Ryan and Ryan (2006) view security as an inversion of the risk and establish a quantitative approach to measure the gains in security through expected-loss risk measurements. The approach of basing an investment decision on the expected loss is suggested by Gordon and Loeb (2002), and the rule of thumb is that a positive expected net benefit is an attractive investment.…”

Section: Related Researchmentioning

confidence: 99%

See 1 more Smart Citation

A Quantitative Model for Information-Security Risk Management

Bojanc¹,

Jerman-Blažič

2013

Engineering Management Journal

View full text Add to dashboard Cite

Section: Related Researchmentioning

confidence: 99%

Section: Related Researchmentioning

confidence: 99%

A Quantitative Model for Information-Security Risk Management

Bojanc¹,

Jerman-Blažič

2013

Engineering Management Journal

View full text Add to dashboard Cite

“…Evidently, most studies largely focus on economic aspects of IT security decisions by proposing a valueat-risk or return on (security) investment approach (ROSI) [e.g., [33][34][35]. This is also reflected by the slight surplus of predominantly normative studies (56%) based on mathematical modelling (64% proportionately) [2,6,10,33,34,[36][37][38][39][40][41][42][43][44][45][46][47][48][49][50][51][52][53][54]. Whereas two studies pursue a purely qualitative approach [20,55] and six are purely conceptual [56][57][58][59][60][61], eleven studies employ a combination of several approaches [4,14,33,35,37,39,40,41,48,51,62] and three are based on panel data [3,…”

Section: Literature Analysismentioning

confidence: 99%

“…The investment nuances that are most often considered in these specific investment studies, but also in publications that pursue a more generic approach, are the specific area or content and the optimal level of investment [4,10,33,34,47,53,56,60,62]. Only a single study is dedicated towards to the decision regarding the source or origin of the investment [48] and a total of six studies consider the fundamental decision whether to invest at all [31,38,44,47,54,55].…”

Section: Literature Analysismentioning

confidence: 99%

A Holistic View on Organizational IT Security: The Influence of Contextual Aspects During IT Security Decisions

Heidt

Gerlach

Buxmann

2019

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

Decisions regarding organizational IT security are often approximated by models drawing on normative statistical decision theories even though several IS researchers and studies in cognate disciplines have argued for the importance of contextual aspects. Based on findings in organizational and behavioral science and 25 expert interviews, this paper proposes a framework, postulating that IT security (investment) decisions are largely influenced by such contextual aspects: organizational, environmental, economic, and not least of all by cognitive and behavioral aspects of decision-makers. Subsequently, we review organizational IT security literature building on Straub and Welke's Security Risk Planning Model and the previously postulated conceptual framework. This critical literature review highlights the scarcity of studies analyzing IT security decision-making from a behavioral, environmental, and organizational perspective and thus argues for the importance and future consideration of contextual aspects regarding IT security decisions.

show abstract

“…Gerber and Solms (2001) have stated that ensuring the availability of the required information at the right time is extremely important, because when the organization cannot get the information at the right time, it may not be able to perform the required operations effectively, which leads to the loss of the chance of gaining the competitive advantage over the others. According to Ryan and Ryan (2006), any one of integrity, confidentiality or availability, security objectives regarding information resources, can be compromised by illicit access even if the other two security objectives are preserved.…”

Section: Information Systems Security (Iss) Objectivementioning

confidence: 99%

Evaluation of Information Systems Security Awareness in Higher Education: An Empirical Study of Kuwait University

Al‐Alawi¹,

Al-Kandari²,

Abdel-Razek³

2016

JIBBP

View full text Add to dashboard Cite

The purpose of this study is to evaluate the levels of knowledge, attitude, and behavior of the end-user regarding Information Systems Security Awareness (ISSA) in higher education, specifically Kuwait University (KU), and to identify the areas which require attention. Factors such as knowledge, attitude and behavior affecting human awareness were identified and the Value-Focus-Thinking was used to identify Information Systems Security (ISS) focus-areas. The six ISS Focus-Areas were obtained such as commitment to ISS policy; effective use of passwords; safe usage of Internet and e-mail; being aware of ISS threats; backing up the important files; and required updates for operating system and antivirus programs. Furthermore, a questionnaire was designed based on the human awareness factors and the ISS focus-areas. The research population included the end-users of KU colleges. The study presents useful results for decision-makers in the field of ISS, to identify recent findings regarding the level of ISSA among end-users, and in order to develop better strategies to implement the required solutions such as training programs. In addition to the organizations, this study through concentrating on ISSA may assist individuals to protect their personal data privacy during their use of computers. The study recommends few relevant actions to improve the long term levels of knowledge, attitude and behavior, with the priority for improving attitude due to its identified poor level. Regarding the KU colleges, the study recommends giving priority to improvements to the seven colleges that had poor levels of ISSA.

show abstract

Expected benefits of information security investments

Cited by 42 publications

References 8 publications

A Quantitative Model for Information-Security Risk Management

A Quantitative Model for Information-Security Risk Management

A Holistic View on Organizational IT Security: The Influence of Contextual Aspects During IT Security Decisions

Evaluation of Information Systems Security Awareness in Higher Education: An Empirical Study of Kuwait University

Contact Info

Product

Resources

About