To Calculate or To Follow Others: How Do Information Security Managers Make Investment Decisions?

Economic models of information security investment suggest estimating cost and benefit to make an information security investment decision. However, the intangible nature of information security investment prevents managers from applying cost-benefit analysis in practice. Instead, information security managers may follow experts’ recommendations or the practices of other organizations. The present paper examines factors that influence information security managers’ investment decisions from the reputational herding perspective. The study was conducted using survey questionnaire data collected from 106 organizations in Finland. The findings of the study reveal that the ability and reputation of the security manager and the strength of the information about the security investment significantly motivate the security manager to discount his or her own information. Herding, as a following strategy, together with mandatory requirements are significant motivations for information security investment.
