Investments and Trade-offs in the Economics of Information Security

Author(s): Christos Ioannidis, David Pym, Julian Williams

2010, Vol 38 (2), pp. 51-53
Author(s): Ranjan Pal, Leana Golubchik

2019, Vol 27 (3), pp. 358-372
Author(s): Erik Bergström, Martin Lundgren, Åsa Ericson

Purpose: The study aims to revisit six previously defined challenges in information security risk management to provide insights into new challenges based on current practices.
Design/methodology/approach: The study is based on an empirical study consisting of in-depth interviews with representatives from public sector organisations. The data were analysed by applying a practice-based view, i.e. the lens of knowing (or knowings). The results were validated by an expert panel.
Findings: Managerial and organisational concerns that go beyond a technical perspective have been found, which affect the ongoing social build-up of knowledge in everyday information security work.
Research limitations/implications: The study has delimitation as it consists of data from four public sector organisations, i.e. statistical analyses have not been in focus, while implying a better understanding of what and why certain actions are practised in their security work.
Practical implications: The new challenges that have been identified offer a refined set of actionable advice to practitioners, which, for example, can support cost-efficient decisions and avoid unnecessary security trade-offs.
Originality/value: Information security is increasingly relevant for organisations, yet little is still known about how related risks are handled in practice. Recent studies have indicated a gap between the espoused and the actual actions. Insights from actual, situated enactment of practice can advise on process adaption and suggest more fit approaches.


2017, Vol 25 (4), pp. 402-420
Author(s): Rogier Woltjer

Purpose: The purpose of this paper is to investigate relationships between workarounds (solutions to handling trade-offs between competing or misaligned goals and gaps in policies and procedures), perceived trade-offs, information security (IS) policy compliance, IS expertise/knowledge and IS demands.
Design/methodology/approach: The research purpose is addressed using survey data from a nationwide sample of Swedish white-collar workers (N = 156).
Findings: Responses reinforce the notion that workarounds partly are something different from IS policy compliance and that workarounds-as-improvisations are used more frequently by employees that see more conflicts between IS and other goals (r = 0.351), and have more IS expertise/knowledge (r = 0.257). Workarounds-as-non-compliance are also used more frequently when IS trade-offs are perceived (r = 0.536). These trade-offs are perceived more by people working in organizations that handle information with high security demands (r = 0.265) and those who perform tasks with high IS demands (r = 0.178).
Originality/value: IS policies are an important part of IS governance. They describe the procedures that are supposed to provide IS. Researchers have primarily investigated how employees’ compliance with IS policies can be predicted and explained. There has been an increased interest in how trade-offs and conflicts between following policies and other goals lead employees to make workarounds. Workarounds may leave management unaware of how work actually is done within the organization and may, besides getting work done, lead to new vulnerabilities. This study furthers the understanding of workarounds and trade-offs, which should be subject to further research.


Science, 2006, Vol 314 (5799), pp. 610-613
Author(s): R. Anderson, T. Moore
