Determining the value of information security investments: A decision support system

Advances in the technological era are making information security breaches a more common occurrence. A vital part of ensuring an organisation is well protected from these increasingly complex threats is a suitable security solution. Suitability of a security solution should not only be measured in terms of goals such as reducing down time or reducing the risk of a certain threat, but also meet stakeholder and executive goals in terms of being cost effective. Currently, cost effective is determined by calculating a return on security investment calculation, where the cost of a solution is evaluated against any savings resulting after purchasing the solution to determine whether the option is viable. The current implementation of return on security investment calculations however is often subjective and inaccurate as calculations are performed in an ad-hoc manner. When there are multiple factors to consider, with uncertain or incomplete values available, a multi-attribute decision making method that utilises uncertainty is required in order to allow the decision maker to assess all possible options in the most logical and objective manner, whilst keeping in mind the goals of the organisation. In this paper we present and evaluate a conceptual, analytical framework that, with the use of multi-attribute utility theory under uncertainty, is able to model return on security investment calculations in a novel way. This new calculation is introduced as a Value of Information Security Investment calculation. The final goal is to create a framework that allows for repeatable, predictable and mature, calculations that determine the value of an information security investment.