Corporate Information Security Investment Decisions: A Qualitative Data Analysis Approach

Heightened attention to information security in boardrooms is subjecting security programs to increased scrutiny from senior business leaders. This focus is novel for security professionals, given the historically limited interest from non-executive directors. Using the Grounded Theory approach, the authors conducted interviews with senior professionals to identify the key factors influencing information security investment decisions. The findings are presented in a simplified framework that security practitioners can use to assess and enhance investment decisions in their own environments.

Evolution of Information Security Research

The security of information assets has been a subject of extensive research, with early studies examining the economic impact of information security risks. Despite this initial interest, academic research remained limited until the early 2000s, when scholars such as Hoo, Anderson, Gordon, and Loeb brought renewed focus to the topic. However, that research centered primarily on the dynamic field of information security risks and was often grounded in theoretical models. While these models contribute to a better understanding of information security investments, they frequently lack practical applicability, leaving key challenges faced by practitioners unaddressed.

Objectives and Methodology of the Study

This study aims to identify current practices for prioritizing and evaluating information security investments within organizations. Using a qualitative data analysis approach based on semi-structured interviews, the research seeks to uncover the key factors, core challenges, and common practices experienced by information security practitioners. The investigation revolves around several research questions: how organizations approach information security investments, which factors and challenges they consider, what role information security management systems play, and whether traditional accounting metrics are used.