An analysis on effects of information security investments: a BSC perspective

Journal of Intelligent Manufacturing

Abstract

As the arrival of the information society and the spread of the internet make information security more important, it is emerging as a tool to guarantee competitive advantage and, at the same time, as an indispensable requirement for stable business execution in companies and organizations. In addition, the value of the tangible and intangible assets that must be protected as components of corporate assets is rising, so efficient and effective information asset management and information security investment matter more to the organizations and companies that manage them. However, despite increases in organizations' information security investment, there is no systematic methodology for appraising its performance, which makes decision-making and identifying means of improvement difficult. The existing financially focused approach to information security investment is inadequate for systematic analysis and understanding, because such investment has the character of an opportunity cost and because it is difficult to present a future strategic direction. Taking the characteristics of the effects of information security investment into account, this paper analyzes the relationships between information security investment strategies and performance from a balanced scorecard (BSC) perspective. Critical success factors and key performance indicators are first obtained from previous research on information security investment, and data collected through surveys at related companies and organizations are then empirically analyzed using the structural equation model.

Author information

Correspondence to Tae-Sung Kim.

About this article

Cite this article

Kong, HK., Kim, TS. & Kim, J. An analysis on effects of information security investments: a BSC perspective. J Intell Manuf 23, 941–953 (2012). https://doi.org/10.1007/s10845-010-0402-7
