Information Security Investments: An Exploratory Multiple Case Study on Decision-Making and Evaluation
Abstract
The need to protect resources against attackers is reflected by huge information security investments of firms worldwide. Facing budget constraints and requirements at the firm, industry and national level, key tasks for firms are (1) to effectively allocate security budgets/make security investments and (2) to evaluate the effectiveness and to learn from evaluations. Extant research has addressed these challenges by focusing on a single level and studying decision making and evaluations and learning separately. To address this lack of a coherent perspective, we draw on the Resource-based View and the Organizational Learning Theory and use this multi-theoretical perspective to conduct an exploratory multiple case study. Our results indicate that (1) investments are predominantly driven by factors at the industry and national level, (2) security processes are mainly implemented due to external pressure and (3) decision making, evaluation and learning primarily occur on an ad hoc basis.