Can spending on information security be justified? Evaluating the security spending decision from the perspective of a rational actor

The purpose of this paper is to investigate the optimality of various strategies for spending on information security. Being able to understand the strengths and weaknesses of spending strategies is useful to organizations.

The author's analysis begins with a whole‐systems view of the security spending decision that encompasses people, technology, and economics and a taxonomy of justifications is presented for spending on information security. Each justification within the taxonomy is discussed, with that analysis used to examine the apparent rationality of a number of common spending strategies. A model is constructed that can be used in a practical manner to enable an organization to select a rational approach to spending on information security.

The author describes two spending strategies intended to be simple and straightforward for an organization to employ in a practical manner. These strategies account for a number of weaknesses in common justifications for spending on information security. They also take into consideration the observation that a number of pressures push companies towards inefficiency in their spending.

When faced with budgeting decisions, managers are bound by fiduciary duty to identify those investments that will maximize shareholder value. As such, decisions about spending must be carefully considered and evaluated in rational economic terms. This paper provides useful thinking on this important topic.