A Process-Based Approach to Information Security Investment Evaluation: Design, Implementation, and Evaluation

Abstract

In recent years, the importance of information security has grown significantly due to the rise of cyber threats and attacks. However, evaluating investments in information security can be challenging, as traditional methods often rely solely on monetary factors and fail to capture the dynamic nature of business processes. This paper introduces a novel process-based evaluation method for assessing the effect of investments in information security on business processes. The paper outlines practical design requirements for the method and its instantiation as a prototype, which is then evaluated using a three-step approach with two companies from the healthcare and energy sectors. The evaluation results demonstrate the proposed method's usefulness in information security investment decisions. This paper contributes to the field of information security investment evaluation by providing a proof-of-concept that potentially paves the way for future research to increase the quality and economics of investments in information security.
