A closer look at information security costs

Abstract

Economic aspects of information security are of growing interest to researchers and to decision-makers in IT-dependent companies. From a business-perspective, cost-benefit justifications for information security investments are in focus. While previous research has mostly focused on economic models for security investments, or on how to quantify the benefits of information security, this chapter aims to take a closer look at the costs of information security. After providing the reader with basic knowledge and motivation for the topic, we identify and describe the problems and difficulties in quantifying an enterprise’s cost for information security in a comprehensive and comparable way. Of these issues, the lack of a common model of costs of information security is the most prominent one. This chapter also discusses four approaches to categorize and determine the costs of information security in an enterprise. Starting with the classic approach frequently used in surveys, we continue by describing three alternative approaches. To support research on the costs of information security we propose two metrics. We conclude with input for future research, especially for an empirical analysis of the topic.