Journal of Management Information Systems, 2008, Volume 25, Issue 2, pp. 241-279.
Organizations are faced with a variety of information security threats and implement several information system security countermeasures (ISSCs) to mitigate possible damage due to security attacks. These security countermeasures vary in their ability to deal with different types of security attacks and, hence, are implemented as a portfolio of ISSCs. A key challenge for organizations is to understand the economic consequences of security attacks relative to the ISSC portfolio implemented. This paper combines the risk analysis and disaster recovery perspectives to build an integrated simulation model of ISSC portfolio value. The model incorporates the characteristics of an ISSC portfolio relative to the threat and business environments and includes the type of attack, frequency of attacks, possible damage, and the extent and time of recovery from damage. The simulation experiments provide interesting insights into the interactions between ISSC portfolio components and characteristics of business and threat environments in determining portfolio value.
Keywords: business value of IT; economics of IS security; information systems security; IT asset valuation