GRADUATE RESEARCH PAPER PRESENTATION

Investments in Information Security

Speaker
Kristina Egorova (PhD student)
Contact Person
Dr. FAIK, Isam
disif@nus.edu.sg

23 Oct 2015 Friday, 10:30 AM to 12:00 PM

Executive Classroom, COM2-04-02

EXAMINERS:
1. Dr. Heng Cheng Suang
2. Dr. Huang Ke-Wei

ABSTRACT:

This paper comprises the analysis and assessment of IS literature on information security investments. We have chosen a narrow knowledge domain and conducted an in-depth literature review. We focused only on a small set of papers in order to identify, articulate and challenge the assumptions prevailing in this literature. Our analysis showed that the topic of investments in information security is seen as a problem of organizational decision making, and that the rationality assumption prevails in the literature. In addition, the literature relies on the assumption that better estimates of risks and investment efficiency lead to an optimum investment. However, nothing is known about the impact of imprecise estimates on the decision-making process and its outcomes.

Thus, as we tried to move away from the rationality assumptions and shift the focus to individual decision making, we have identified several potential research directions. The first direction of research is to look into decision dynamics to understand how individual decisions are further translated into organizational strategy. The second direction is to investigate the individual decision-making problem. We have designed two studies that are in line with the second direction. Both studies focus on the problem of an individual who wants to protect her information in the organizational context.

In Study I, we assess how the most salient characteristic of the investment problem, namely the large uncertainty, impacts decision making and changes willingness to pay for security software.

In Study II, we continue scrutinizing the individual investment decision and turn our attention to the efficiency of investment. We attempt to improve the performance of a decision-maker by using additional information that is relevant to the problem domain but is not typically used in investment equations.