TITLE:
Optimum Spending on Cybersecurity Measures: Part II
AUTHORS:
Sherita Tara Kissoon
KEYWORDS:
Information Security, Risk Management, Strategy, Governance, Organizational Decision Making
JOURNAL NAME:
Journal of Information Security,
Vol.12 No.1,
January
21,
2021
ABSTRACT: The purpose of this research is to
investigate the decision-making process for cybersecurity investments in
organizations through development and utilization of a digital cybersecurity
risk management framework. The initial article, Optimum Spending on
Cybersecurity Measures is published on Emerald Insight at: https://www.emerald.com/insight/1750-6166.htm, contains the detailed literature review, and the data results from
Phase I and Phase II of this research REF _Ref61862658 \r \h \* MERGEFORMAT [1]. This article will
highlight the research completed in the area of organizational decision-making
on cybersecurity spend. In leveraging the review of additional studies, this
research utilizes a regression framework and case study methodology to
demonstrate that effective risk-based decisions are necessary when implementing
cybersecurity controls. Through regression analysis, the effectiveness of
current implemented cybersecurity measures in organizations is explored when connecting a dependent variable with several independent
variables. The focus of this article is on the strategic decisions made by
organizations when implementing cybersecurity measures. This research belongs
to the area of risk management, and various models within the field of 1)
information security; 2) strategic management; and 3) organizational decision-making to determine optimum spending on
cybersecurity measures for risk taking organizations. This research resulted in
the development of a cyber risk investment model and a digital cybersecurity risk management framework. Using a case study methodology,
this model and framework were leveraged to evaluate
and implement cybersecurity measures. The case study methodology provides an
in-depth view of a risk-taking organization’s risk mitigation strategy within
the bounds of the educational environment focusing on five areas identified
within a digital cyber risk model: 1) technology landscape and application
portfolio; 2) data centric focus; 3) risk management
practices; 4) cost-benefit analysis for cybersecurity measures; and 5) strategic development. The outcome of this research provides
greater insight into how an organization makes decisions when implementing
cybersecurity controls. This research shows that most organizations are
diligently implementing security measures to effectively monitor and detect
cyber security attacks, specifically showing
that risk taking organizations implemented cybersecurity measures to meet
compliance and audit obligations with an annual spend of $3.18 million. It also
indicated that 23.6% of risk-taking organizations incurred more than 6
cybersecurity breaches with an average dollar loss of $3.5 million. In
addition, the impact of a cybersecurity breach on risk taking organizations is
as follows: 1) data loss; 2) brand/reputational
impact; 3) financial loss fines; 4) increase oversight
by regulators/internal audit; and 5)
customer/client impact. The implication this research has on practice is
extensive, as it focuses on a broad range of areas to include risk, funding and
type and impact of cyber security breaches encountered. The survey study
clearly demonstrated the need to develop and utilize a digital cybersecurity
risk management framework to integrate current industry frameworks within the
risk management practice to include continuous compliance management. This type
of framework would provide a balanced approach to managing the gap between a
risk-taking organization and a risk averse organization when implementing
cybersecurity measures.