Firm objectives, IT alignment, and information security

More and more attention has been devoted to the alignment of information technology (IT) spending and initiatives with organizational strategic objectives. IT spending across organizations and industries carries a high opportunity cost and a substantial risk of drifting away from the highest priorities of business units. The business justification and rationale for information security has come under similar scrutiny at a time when the nature of many organizations is being transformed by the network economy. More and more business functions and processes are enabled by information assets and capabilities that are vulnerable to new and adapting threats. This paper examines the impact of the strategic alignment of information security spending with organizational goals and with the risk tolerances of decision makers. It provides an explanation for and insight into the observed differences in executive responses to cyber threats and risk assessments. It models the relationship between security resources and risk mitigation, and it identifies the premiums that organizations expect to receive or pay for bearing or avoiding information security risk.
