A model of the information security investment decision-making process

Daniel Dor, Yuval Elovici

Computers & security 63, 1-13, 2016

Following recent developments affecting the information security threat landscape, information security has become a complex managerial issue. Using grounded theory, we present a conceptual model that reflects the most up-to-date decision-making practices regarding information security investment in organizations for several industries. The framework described in this article generalizes the current decision-making processes, while taking into consideration that organizations may differ in many respects, including: the stakeholder who administers the information security budget, the Chief Information Security Officer’s (CISO) role in the organization, the organization’s industry sector, the organizational structure, and so on. Our findings indicate that the information security investment decision-making process contains 14 phases and 16 concepts that affect and are affected by these phases. The study shows that …