Add Thesis

Adding value to business performance through cost benefit analyses of information security investments

Written by Lucas Cardholm

Paper category: Master Thesis
Business Administration > Management

The value of information and the necessity of protection

The organizational principles of information security and IT management of large multinational companies introduced in this report are mainly based on the research of the MIT Sloan School of Management. Their research shows that although information has always been important in enterprises, the role and value of information have changed significantly in recent years with the development of technology. Information is:

• Easier to collect and digitize
• More and more important in products and services
• Difficult to value or price
• Of shorter and shorter half-life
• Increasingly exposed to risk (e.g., security and privacy)
• A major cost for most companies

These factors combine to make information and IT the least understood and worst-utilized key assets of many companies.

Information security governance is a part of enterprise infrastructure and asset management. Shirley M. Hufstedler, board member of Harman International Industries, said: “The rising trend of cybercrime and threats to key information assets requires the board and senior management to fully participate in governance to ensure safety and integrity.”

Governance and internal control principles

As companies strive to improve the security of their workplace assets, the ability to execute corporate strategies will depend on the effectiveness of their management infrastructure. In this context, infrastructure management solutions help companies release funds to reinvest in their core business, improve overall operational efficiency by reducing management costs, improve employee productivity through better infrastructure performance, and plan and execute security upgrades more effectively. Assessing, improving and monitoring operational efficiency and management’s internal control environment is critical for today’s businesses.
As regulatory requirements increase, such as the Sarbanes-Oxley Act of 2002 or European Directive 89, any investment in the governance structure or internal control environment needs not only to meet these external requirements but also to be committed to improving corporate performance, so that compliance does not affect performance negatively. With the introduction of modern enterprise resource planning (ERP) systems to strengthen the corporate financial control environment, hidden and unplanned challenges have emerged from the infrastructure perspective. The most obvious challenge lies in the IT organization: an ERP implementation needs to transform and upgrade the edge-networked, proprietary, unmanaged and unreliable distributed client-server network into a highly reliable, commercial-quality distributed computing platform.

Information security investment process

The information security investment process covers how much money is spent, where it is spent, and how the needs of different stakeholders are coordinated. To answer these questions correctly, the investment process needs to be understood from the perspective of governance:

• Who makes investment decisions?
• How are investment decisions measured against effective management?
• How are these decisions captured and monitored financially?

Information security investments should bring value and should be optimized to support organizational goals. Security activities consume resources. The optimal level of investment occurs when the security strategic goals are achieved and the organization reaches an acceptable risk profile at the lowest possible cost. Consider the following method to cover these aspects:

1. Understand the main reasons for investing in security
2. Identify stakeholders and strategic objectives
3. Perform a cost-benefit analysis
4. Verify that the results are related to the stakeholders and strategic objectives

There are three main driving forces that create the reasons for information security investment. The first is that someone (from inside or outside the company) identifies risks or gaps in the current control environment that need to be addressed. The second is business-driven IT investment, which requires security mechanisms to reduce the risks related to the investment. The third and less common alternative is identifying security investment opportunities that can increase profitability, increase asset utilization, or promote corporate growth.

After clarifying the main reasons for a security investment, security professionals need to identify the stakeholders and understand the strategic goals, to ensure that the cost-benefit analysis provides valuable input for the investment decision. To identify the decision makers, information security professionals need to make sure the corporate governance model is properly understood. The governance arrangements matrix provided by the MIT Sloan School of Management can help determine which governance archetype applies to a particular investment. An enterprise is driven by its overall business plan, which is broken down into strategic decisions and into the key goals and strategic objectives that management needs to achieve. Depending on the stakeholders involved in the investment decision, their different goals and objectives will influence the decision in different ways. Information security professionals need to make sure they correctly understand the key goals and strategic objectives that drive the decision makers in this particular situation, as well as the source of funding, which is not always the same as the group of decision makers evaluating the cost-benefit analysis.
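As an added illustration of the cost-benefit step and its link back to the driving forces and stakeholders (example code written for this page, not the thesis's own method), the following Python model picks the lowest-cost set of candidate controls that brings expected annual loss within an acceptable risk profile and groups the result by driving force for the stakeholders who evaluate it. Quantifying each control by its expected annual loss reduction, the additivity of those reductions, and every figure in the sample are assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Control:
    name: str
    driver: str            # "risk gap", "business-driven IT" or "opportunity"
    annual_cost: float     # yearly cost of owning and operating the control
    loss_reduction: float  # expected annual loss it removes (assumed estimate)

# Constructed sample candidates; the amounts are illustrative, not thesis data.
CANDIDATES = [
    Control("MFA for remote access", "risk gap", 40_000, 200_000),
    Control("Security monitoring", "risk gap", 120_000, 180_000),
    Control("Access controls for new ERP", "business-driven IT", 90_000, 120_000),
    Control("Customer security certification", "opportunity", 35_000, 50_000),
]
BASELINE_LOSS = 500_000    # expected annual loss with the current controls
ACCEPTABLE_LOSS = 150_000  # the risk profile the stakeholders accept

def residual_loss(baseline, chosen):
    # Expected annual loss left after the chosen controls (reductions assumed additive).
    return max(0.0, baseline - sum(c.loss_reduction for c in chosen))

def cheapest_acceptable(candidates, baseline, acceptable):
    # Lowest-cost subset that brings residual loss within the acceptable profile,
    # i.e. the optimum the text describes. Brute force is fine for a few candidates.
    best = None
    for n in range(len(candidates) + 1):
        for subset in combinations(candidates, n):
            if residual_loss(baseline, subset) > acceptable:
                continue
            cost = sum(c.annual_cost for c in subset)
            if best is None or cost < best[0]:
                best = (cost, subset)
    return best  # None when no combination reaches the acceptable profile

def investment_case(candidates, baseline, acceptable):
    # Summary for the stakeholders evaluating the cost-benefit analysis,
    # grouped by the driving force behind each selected control.
    best = cheapest_acceptable(candidates, baseline, acceptable)
    if best is None:
        return {"feasible": False}
    cost, chosen = best
    by_driver = {}
    for c in chosen:
        by_driver.setdefault(c.driver, []).append(c.name)
    return {"feasible": True, "annual_cost": cost,
            "residual_loss": residual_loss(baseline, chosen), "by_driver": by_driver}
```

Running `investment_case(CANDIDATES, BASELINE_LOSS, ACCEPTABLE_LOSS)` selects the two risk-gap controls at 160,000 per year, leaving a residual expected loss of 120,000; raising the baseline loss beyond what all candidates can remove returns an infeasible case, which is the signal to revisit the acceptable risk profile with the stakeholders.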