The role of Cost-Benefit Analysis (CBA) of information security measures for investment justification
The research study was conducted within Kenyan environment on the role of Cost benefit analysis of information security for investment justification. The cost benefit analysis (CBA) of Information security is unfortunately a very difficult task for the Information Technology (IT) manager when it comes to justifying quantitatively its investment. In this research, a descriptive (qualitative and quantitative) and design research was undertaken which aims to develop a framework of CBA for information security project justification. The main objective of the research is to bring together senior management and IT managers on common ground of understanding based upon the comprehensive cost benefit analysis framework during information security investment justification. A purposive sample of IT and non-IT managers was used to select a representative population. The methodology used to collect the sample’s view is a survey through questionnaire and interview. It has been added in the list of one-off costs the user compliance budget which is usually overlooked in many information security projects. The user compliance cost is accepted by 70% of IT managers and 80% of non-IT managers. The CBA is important in information security (InfoSec) justification of project. That is the viewpoint of 80% of non-IT managers and 50% of IT managers. The role of CBA is determined also in this research and set a basis ground for informed decision. The developed framework is based on the quantitative risk assessment, return on information security investment and return of attacker from a successful attack of information security mechanism. It was validated through a consultative and approval process with professionals in the different sectors of industries. The outcome of this research can help and be a reference for the business organization managers when they are discussing and justifying investment in information security.