A model of the information security investment decision-making process

Following recent developments affecting the information security threat landscape, information security has become a complex managerial issue. Using grounded theory, we present a conceptual model that reflects the most up-to-date decision-making practices regarding information security investment in organizations for several industries. The framework described in this article generalizes the current decision-making processes, while taking into consideration that organizations may differ in many respects, including: the stakeholder who administers the information security budget, the Chief Information Security Officer's (CISO) role in the organization, the organization's industry sector, the organizational structure, and so on. Our findings indicate that the information security investment decision-making process contains 14 phases and 16 concepts that affect and are affected by these phases. The study shows that the decision-making process is heavily biased by different organizational and psychological factors. The conceptual model derived can assist decision makers/stakeholders in performing, reviewing, and manipulating the decision-making process in their organizations. It can also assist vendors and consultants in understanding and prioritizing various aspects of their sales cycle.