Date of Award

Fall 12-1-2005

Document Type

Thesis

Degree Name

Master of Science in Information Systems (MSIS)

First Advisor

Rick Christoph

Second Advisor

Zehai Zhou

Third Advisor

Wayne Pauli

Abstract

In an increasingly global environment, any organization or individual seeking to make a positive difference cannot ignore the need for an information strategy that would position them to be winners rather than losers in the marketplace. Given the growing scarcity of resources, such a strategy has to be carefully planned so that it is cost effective and financially sustainable. The internal security measures should be such that they don't consume the resources of the organization and leave it unable to build a sustainable information security base. On the other hand, there is always the risk of underinvestment in information security, and this may have disastrous effects. A fundamental question to be explored in this study is how to come up with an optimal level of investment in information security. The costs and benefits of security should be carefully examined in monetary terms to ensure that the cost of controls does not exceed expected benefits. Information technology departments are finding themselves working under strict budget allocation. Security expenditure is considered an expense, and every manager is under obligation to justify such expenditure using business metrics such as Returns on Investment (ROI). Managers are faced with making difficult decisions on what security measures to employ or how to balance the human factors and technology. It is this balancing that is critical to a successful security program. This thesis discusses three dimensions of information security, i.e. the technical, human and economic dimensions. While attempting to discuss these dimensions, this thesis will try to address the following questions from an economic point of view:

o Why is cost effectiveness an issue and for whom is it an issue? In order to address this question, secondary data from financial analyses of trends in expenditure from a selected number of companies will be presented, and questions raised as to the issues those trends present to the sustainability of such organizations.

o What is a bad practice in information security management? An attempt will be made to highlight some of the bad practices and to justify the claim that the underlying issue in such practices is more financial than anything else, hence the need for this cost effectiveness study.

o What is an efficient secure system and what lenses are we using to assess efficiency? What constitutes an economical security system? Here an economic model will be developed that can be used to answer the questions above.

This thesis presents an economic model that management can use to make appropriate decisions on how best to utilize dollars allocated for security. Whilst this model does not underestimate the significance of the human and technical dimensions of information security, it is important that any economically sound security program create a balance between the technical and human dimensions of an information security system. The model emphasizes the tradeoff between the technology and human dimensions of security, thus increasing the opportunity cost of the human dimensions.

Comments

dsu-th-237
