A Holistic View on Organizational IT Security: The Influence of Contextual Aspects During IT Security Decisions

Decisions regarding organizational IT security are often approximated by models drawing on normative statistical decision theories even though several IS researchers and studies in cognate disciplines have argued for the importance of contextual aspects. Based on findings in organizational and behavioral science and 25 expert interviews, this paper proposes a framework, postulating that IT security (investment) decisions are largely influenced by such contextual aspects: organizational, environmental, economic, and not least of all by cognitive and behavioral aspects of decision-makers. Subsequently, we review organizational IT security literature building on Straub and Welke’s Security Risk Planning Model and the previously postulated conceptual framework. This critical literature review highlights the scarcity of studies analyzing IT security decision-making from a behavioral, environmental, and organizational perspective and thus argues for the importance and future consideration of contextual aspects regarding IT security decisions.
