
Methodology to Assess the Impact of Investments in Security Tools and Products




Journal of Information System Security
Volume 1, Number 2 (2005)
Pages 325
ISSN 1551-0123
Sriraman Ramachandran — The University of Texas at San Antonio, USA
Greg B. White — The University of Texas at San Antonio, USA
Information Institute Publishing, Washington DC, USA




Investments in Information Technology Security Tools and Products (IT-STPs) create both tangible benefits, such as increased server availability time, and intangible benefits, such as increased protection and increased customer confidence and trust. Existing estimators such as Annual Loss Expectancy (ALE) and Cost Benefit Analysis (CBA) have been widely used to perform quantitative risk analysis and to identify tangible benefits from investments in IT-STPs. Intangible benefits from IT-STPs, which are as critical as tangible benefits, are harder to measure. The lack of metrics for assessing these intangibles makes it a challenge to comprehensively assess the value of investment in IT-STPs. This paper explores past IT payoff literature to develop a comprehensive methodology for assessing the impact of IT-STPs, one that can better assess both the tangible and intangible benefits. In this light, we present a Complementarity Based First-Order Effects (CoBFOE) approach to assess the impact of investments in IT-STPs based on Barua et al.’s (1995) Business Value Complementarity (BVC) model. An illustration of how the CoBFOE approach could be used in an organizational setting is also discussed.




Security Investment, Tangible and Intangible Benefits, Complementarity Based First-Order Effects




Archer, K., Core, J., Cothren, C., Davis, R., DiCenso, D., Good, T., White, G. B., and Williams, D. (2001) Voice and Data Security, Sams Publishing, Indianapolis, IN.

Banker, R. D., Kauffman, R. J., and Mahmood, M. O. (1993) Strategic Information Technology Management: Perspectives on Organizational Growth and Competitive Advantage, Idea Group Pub., Harrisburg, PA.

Barney, J. B. (1991) Firm Resources and Sustained Competitive Advantage, Journal of Management, 17, 1, 99-120.

Barua, A., Konana, P., Whinston, A. B., and Yin, F. (2001) Driving E-Business Excellence, MIT Sloan Management Review, Fall, 36-44.

Barua, A., Kriebel, C. H., and Mukhopadhyay, T. (1995) Information Technologies and Business Value: An Analytical and Empirical Investigation, Information Systems Research, 6, 1, 3-23.

Barua, A., and Mukhopadhyay, T. (2000) Information Technology and Business Performance: Past, Present and Future, Framing the Domains of IT Management, R. W. Zmud (Ed.), Pinnaflex Educational Resources Inc., Cincinnati, OH.

Barua, A., and Whinston, A. B. (1998) Complementarity Based Decision Support for Managing Organizational Design Dynamics, Decision Support Systems, 22, 45-58.

Benaroch, M. (2002) Managing Information Technology Investment Risk: A Real Options Perspective, Journal of Management Information Systems, 19, 2, 43-84.

Benaroch, M., and Kauffman, R. J. (1999) A Case for Using Real Options Pricing Analysis to Evaluate Information Technology Project Investments, Information Systems Research, 10, 1, 70-86.

Berger, P., Sutherland, D., and Kobelious, J. (1988) Measuring Business Value of Information Technologies, International Center for Information Technologies, Washington, D.C.

Berinato, S. (2002) Finally, A Real Return on Security Spending, CIO Magazine, Feb 15.

Bharadwaj, A. S., Bharadwaj, S., and Konsynski, B. R. (1999) Information Technology Effects on Firm Performance as Measured by Tobin’s q, Management Science, 45, 7, 1008-1024.

Bishop, M. (2003) Computer Security: Art and Science, Pearson Education Inc, New York, NY.

Black, F., and Scholes, M. (1973) The Pricing of Options and Corporate Liabilities, Journal of Political Economy, 81.

IT Security Cookbook.

Brennan, M. J., and Schwartz, E. S. (1985) Evaluating Natural Resource Investments, Journal of Business, 58, 2.

Brynjolfsson, E., and Yang, S. (1996) Information Technology and Productivity: A Review of Literature, Advanced Computing, 43.

Campbell, R. P. (1979) A Modular Approach To Computer Security Risk Management, AFIPS Conference Proceedings, AFIPS Press.

Campbell, K., Gordon, L. A., Loeb, M. P., and Zhou, L. (2003) The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market, Journal of Computer Security, 11, 431-448.

Cavusoglu, H., Mishra, B., and Raghunathan, S. (2002) The Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers, The University of Texas at Dallas.

Cavusoglu, H., Mishra, B., and Raghunathan, S. (2004) A Model for Evaluating IT Security Investments, Communications of the ACM, 47, 7.

Chatterjee, D., Pacini, C., and Sambamurthy, V. (2002) The shareholder-wealth and trading-volume effects of information-technology infrastructure investments, Journal of Management Information Systems, 19, 4, 7-42.

Clemons, E. K., and Row, M. (1987) Structural Differences among Firms: A Potential Source of Competitive Advantage in the Application of Information Technology, Proceedings of the Eighth International Conference on Information Systems, 1-9.

Clemons, E. K., and Row, M. (1991) Sustaining IT Advantage: The Role of Structural Differences, MIS Quarterly, 15, 3, 275-292.

Center for Medicare and Medicaid Services.

Cron, W., and Sobol, M. (1983) The Relationship Between Computerization and Performance: A Strategy For Maximizing Economic Benefits of Computerization, Information and Management, 6, 171-181.

Denning, D. (2000) Reflections on Cyberweapons Controls, Computer Security Journal, 16, 4, 3-53.

Dixit, A. K., and Pindyck, R. S. (1994) Investment Under Uncertainty, Princeton University Press, New Jersey, NJ.

Dos Santos, B. L., Peffers, K., and Mauer, D. C. (1993) The Impact of Information Technology Investment Announcements on the Market Value of the Firm, Information Systems Research, 4, 1, 1-24.

Gordon, L. A., and Loeb, M. P. (2002) The Economics of Information Security Investment, ACM Transactions of IS Security, 16, 4, 43-53.

Gordon, L. A., Loeb, M. P., and Sohail, T. (2003) A Framework for Using Insurance for Cyber-Risk Management, Communications of the ACM, 46, 3, 81-85.

Hitt, L. M., and Brynjolfsson, E. (1996) Productivity, Business Profitability and Consumer Surplus: Three Different Measures of Information Technology Value, MIS Quarterly, 20, 2, 121-142.

Hoo, K. J. S. (2000) How much is enough? A Risk Management Approach to computer security, PhD Dissertation, Stanford University.

Im, K. S., Dow, K. E., and Grover, V. (2001) A Reexamination of IT Investment and the Market Value of the Firm: An Event Study Methodology, Information Systems Research, 12, 1, 103-117.

Itami, H. (1987) Mobilizing Invisible Assets, Harvard University Press: Cambridge, MA.

Kambil, A., Henderson, C. J., and Mohsenzadeh, H. (1993) Strategic Management of Information Technology: An Options Perspective, Strategic Information Technology Management: Perspectives on Organizational Growth and Competitive Advantage, Idea Group Publishing, Middletown, PA.

Kumar, R. L. (1996) A Note on Project Risk and Option Values of Investments in Information Technologies, Journal of Management Information Systems, 13, 1.

Kulatilaka, N., Balasubramanian, P., and Strock, J. (1999) Using Real Options to Frame the IT Investment Problem, Real Options and Business Strategy: Applications to Decision-Making, RISK Books, London.

Lee, W., Fan, W., Miller, M., and Stolfo, S. J. (2000) Cost-based modeling for Intrusion Detection and Response, North Carolina State University.

Lee, W., Fan, W., Miller, M., and Stolfo, S. J. (2002) Toward Cost-sensitive modeling for Intrusion Detection and Response, Journal of Computer Security, 10, 5-22.

Lippman, S., and Rumelt, R. (1982) Uncertain Imitability: An Analysis of Interfirm Differences in Efficiency Under Competition, Bell Journal of Economics, 13, 418-438.

Longstaff, T., Chittister, C., Pethia, R., and Haimes, Y. (2000) Are We Forgetting The Risk of Information Technology, IEEE Computer, December.

Loveman, G. W. (1994) An Assessment of the Productivity Impact of Information Technologies, Information Technology and Corporation of the 1990’s, T. J. Allen and M. Scott Morton (Eds.). Oxford University Press.

Mahmood, M., and Mann, G. (1993) Measuring the Organizational Impact of Information Technology Investment: An Exploratory Study, Journal of Management Information Systems, 10, 1.

McGrath, R. G. (1997) A Real Options Logic for Initiating Technology Positioning Investments, Academy of Management Review, 22, 4.

Menon, N. M., Lee, B., and Eldenburg, L. (200) Productivity of Information Systems in the Healthcare Industry, Information Systems Research, 11, 1, 83-92.

Panayi, S., and Trigeorgis, L. (1998) Multi-Stage Real Options: The Cases of Information Technology Infrastructure and International Bank Expansion, Quarterly Review of Economics, 38.

Pfleeger, C. (1997) Security Computing, Prentice-Hall Inc.

Prattipati, S. N., and Mensah, M. O. (1997) Information Systems Variables and Management Productivity, Information Management, 33, 1, 33-43.

Ray, G., Barney, J. B., and Muhanna, W. A. (2004) Capabilities, Business Processes and Competitive Advantage: Choosing The Dependent Variable in Empirical Tests of the Resource Based View, Strategic Management Journal, 25, 23-37.

Roach, S. S. (1987) America’s Technology Dilemma: A Profile of the Information Economy, Special Economic Study, Morgan Stanley and Co.

SBQ (2001) Special Issue on Return on Security Investment, Secure Business Quarterly, 2, 1.

Schwartz, E. S., and Zozaya-Gorostiza, C. (2003) Investment Under Uncertainty in Information Technology: Acquisition and Development Projects, Management Science, 49, 1, 57-70.

Soh, C., and Markus, M. (1995) How IT Creates Business Value: A Process Theory Synthesis, Proceedings of the 16th International Conference on Information Systems, Amsterdam, The Netherlands, 29-41.

Summers, R. (1997) Secure Computing, McGraw-Hill.

Turner, J., and Lucas, H. C. Jr. (1985) Developing Strategic Information Systems, Handbook of Business Strategy, W. Guth (Ed.), Warren, Gorham and Lamont, Boston, MA, 21, 21/1-21/35.

Wei, H., Frinke, D., Carter, O., and Ritter, C. (2001) Cost-Benefit Analysis for Intrusion Detection Systems, CSI 28th Annual Computer Security Conference, Washington D.C.

Weill, P. (1992) The Relationship Between Investment in Information Technology and Firm Performance: A Study of The Valve Manufacturing Sector, Information Systems Research, 3, 4.

Weill, P., and Olson, M. H. (1989) Managing Investment in Information Technology: Mini Case Examples and Implication, MIS Quarterly, 13, 1, 2-17.