Investment decisions in acquiring information security measures: An empirical investigation

Abstract

As a result of increased reliance on information technology, information systems and assets have become increasingly important for organizations and for individuals. Ensuring the security of these assets has therefore become a major concern, creating a huge demand for different types of security products and services. Gartner, for example, has forecasted that the worldwide expenditure on information security will increase from $77 billion in 2015 to about $108 billion in 2019, a 40% increase. In this environment, many decision makers struggle to determine how much they need to invest in security. The best answer can perhaps be obtained by applying quantitative risk analysis methods. However, applying these methods is often difficult, and most decision makers rely on non-quantitative methods to decide on their security expenditure, introducing a considerable amount of subjectivity into the problem. In spite of this, research in this area has left an important empirical question underexplored: How efficient is a typical decision maker in allocating monetary resources to security given a certain security scenario? Also, a security solution consists of different types of security measures. Two important types of security measures are those geared toward prevention and those geared toward detection and response. A certain overall amount of security money can be allocated to these two types of security measures in different ways, resulting in different levels of overall effectiveness. Theory and real-world evidence suggest that decision makers are not fully competent in allocating security budgets appropriately because they are biased toward funding prevention. Accordingly, an important question needing empirical investigation is: How does a typical decision maker structure his security investment?
In summary, a main goal of this research is to determine empirically how efficient human decision makers are in allocating monetary resources to security when the key attributes of the risk environment as well as the key attributes of the available risk-mitigating measures are known. The other main goal is to investigate empirically how a certain security budget is allocated to prevention and to detection and response measures, the two main classes of security products and practices. Results from this study indicate that a typical decision maker tends to react to small security risks by investing in security when no security investment is economically justified. A typical decision maker also tends to overreact to larger risks by overspending on security when a much smaller investment is needed, though the magnitude of this overinvestment as a percentage of the justified investment amount tends to decline for higher levels of risk. Interestingly, the absolute value of overinvestment in security as a percentage of asset value remains stable at around 13%, regardless of risk level. Decision makers in the study also demonstrated a bias by investing more in preventive security measures even though investing in detection and response yielded the same return on security investment. The magnitude of this prevention bias was quite high, ranging from 30% to 60%. Implications of the findings from this research are not limited to the theory and practice of information security, but also inform the theory and practice of security and safety in general.

Keywords

Information Security, Security Investment, Prevention, Detection, Experiment