The role of Cost-Benefit Analysis (CBA) of information security measures for investment justification
Date
2012
Authors
Yedji, Mabngsoua
Publisher
Strathmore University
Abstract
This study was conducted in the Kenyan environment on the role of cost-benefit analysis of information security for investment justification. The cost-benefit analysis (CBA) of information security is a very difficult task for the Information Technology (IT) manager who has to justify the investment quantitatively.
The research combined descriptive (qualitative and quantitative) and design research, with the aim of developing a CBA framework for the justification of information security projects.
The main objective is to bring senior management and IT managers onto common ground, based on a comprehensive cost-benefit analysis framework, when an information security investment is being justified.
A purposive sample of IT and non-IT managers was used to select a representative population, and the sample's views were collected by survey, through questionnaires and interviews. The user compliance budget, which is usually overlooked in information security projects, was added to the list of one-off costs. This user compliance cost is accepted by 70% of IT managers and 80% of non-IT managers.
CBA is important in the justification of information security (InfoSec) projects: that is the viewpoint of 80% of non-IT managers and 50% of IT managers. The research also determines the role of CBA and sets a basis for informed decisions.
The developed framework is based on quantitative risk assessment, return on information security investment, and the attacker's return from a successful attack on an information security mechanism. It was validated through a consultative and approval process with professionals in different industry sectors.
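The abstract names the three ingredients of the framework (quantitative risk assessment, return on security investment, and the attacker's return) and the one-off user compliance cost it adds, but the thesis's own formulas are not on this page. The following is an added worked example, not the author's framework: it uses the standard single loss expectancy (SLE) x annualised rate of occurrence (ARO) = annualised loss expectancy (ALE) model and the usual ROSI ratio (risk reduction minus cost, over cost), with a simple expected-return comparison for the attacker. The MFA scenario, the risk and cost figures, and the attacker success probabilities are all constructed for illustration; the point it shows beyond the text is how omitting the user compliance cost inflates the ROSI a manager is shown.

```python
"""Worked cost-benefit analysis of one information security control.

Added example; not the thesis's own framework, whose formulas are not on
this page. It uses the standard quantitative risk-assessment quantities
(SLE, ARO, ALE), the usual ROSI ratio, and a simple expected-return
comparison for the attacker. All figures are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    """One risk scenario and the fraction of its ALE the control removes."""
    name: str
    sle: float         # single loss expectancy, currency units per incident
    aro: float         # annualised rate of occurrence, incidents per year
    mitigation: float  # share of the ALE the control removes, between 0 and 1

    def ale(self) -> float:
        """Annualised loss expectancy before the control: SLE x ARO."""
        return self.sle * self.aro


@dataclass
class Control:
    """Cost model for a control over its expected lifetime."""
    name: str
    one_off_costs: dict   # paid once: hardware, integration, user compliance
    annual_costs: dict    # paid every year: licences, support
    lifetime_years: int

    def annualised_cost(self) -> float:
        """Spread the one-off costs over the lifetime and add the yearly ones."""
        one_off = sum(self.one_off_costs.values())
        annual = sum(self.annual_costs.values())
        return one_off / self.lifetime_years + annual


def annual_risk_reduction(risks: list) -> float:
    """Sum of ALE removed across all risk scenarios the control affects."""
    return sum(r.ale() * r.mitigation for r in risks)


def rosi(risks: list, control: Control) -> float:
    """Return on security investment per year: (risk reduction - cost) / cost."""
    cost = control.annualised_cost()
    return (annual_risk_reduction(risks) - cost) / cost


def attacker_expected_return(gain: float, success_probability: float,
                             attack_cost: float) -> float:
    """Attacker's expected return from one attempt: p * gain - cost of mounting it."""
    return success_probability * gain - attack_cost


# Constructed scenario: rolling out multi-factor authentication (MFA).
RISKS = [
    Risk("phishing credential theft", sle=2_000_000, aro=3.0, mitigation=0.6),
    Risk("data exfiltration via stolen account", sle=10_000_000, aro=0.2,
         mitigation=0.5),
]

MFA_WITH_COMPLIANCE = Control(
    "MFA rollout",
    one_off_costs={"hardware tokens": 800_000, "integration": 400_000,
                   "user compliance (training, enrolment time)": 300_000},
    annual_costs={"licences": 200_000, "support": 100_000},
    lifetime_years=3,
)

# The same control with the user compliance cost left out, as often happens.
MFA_WITHOUT_COMPLIANCE = Control(
    "MFA rollout (compliance cost omitted)",
    one_off_costs={"hardware tokens": 800_000, "integration": 400_000},
    annual_costs={"licences": 200_000, "support": 100_000},
    lifetime_years=3,
)


def compare() -> dict:
    """The figures a manager would put in front of senior management."""
    return {
        "ale_before": sum(r.ale() for r in RISKS),
        "risk_reduction": annual_risk_reduction(RISKS),
        "rosi_with_compliance": rosi(RISKS, MFA_WITH_COMPLIANCE),
        "rosi_without_compliance": rosi(RISKS, MFA_WITHOUT_COMPLIANCE),
        # Assumed: before MFA, 60% of phishing attempts yield a usable credential
        # at a cost of 50,000 per campaign.
        "attacker_return_before": attacker_expected_return(2_000_000, 0.6, 50_000),
        # Assumed: after MFA, success falls to 24% and the attacker needs a
        # costlier real-time relay kit.
        "attacker_return_after": attacker_expected_return(2_000_000, 0.24, 200_000),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:26s} {value:>14,.2f}")
```

With these figures the control removes 4,600,000 of an 8,000,000 ALE per year; its annualised cost is 800,000 including user compliance, giving a ROSI of 4.75, but 700,000 without it, giving 5.57. The attacker's expected return per attempt falls from 1,150,000 to 280,000. The compliance line is exactly the kind of one-off cost the abstract says is overlooked, and leaving it out makes the investment look better than it is.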
The outcome of this research can serve as a reference for business managers when they discuss and justify investment in information security.
Description
Submitted in partial fulfillment of the requirements for the Degree of Master of Science in
Information Technology at Strathmore University