hig.sePublications
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard-cite-them-right
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • sv-SE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • de-DE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Adding value to business performance through cost benefit analyses of information security investments: MBA-thesis in marketing
University of Gävle, Department of Business Administration and Economics.
2007 (English)Independent thesis Basic level (degree of Bachelor), 10 points / 15 hpStudent thesis
Abstract [en]

The purpose of this thesis is to present an approach for good practice with regards to using cost benefit analysis (CBA) as a value-adding activity in the information security investment process for large enterprises. The approach is supported by empirical data.

From a MIO model perspective, this report is focused on the phase of strategic choices regarding organization, i.e. trying to find optimal investments for efficient operations. To assess, improve and monitor the operational effectiveness and management’s internal control environment is essential in today’s business execution. Executive management and boards are increasingly looking for an information security governance framework that encompasses information technology and information security: a single framework through which all information assets and activities within the organisation can be governed, to provide the optimum capability for meeting the organisation’s objectives, in terms of functionality and security.

The investment decision is one of the most visible and controversial key decisions in an enterprise. Some projects are approved, others are bounced, and the rest enter the organisational equivalent of suspended animation with the dreaded request from the decision makers to “redo the business case” or “provide more information.”

The concept of cost benefit analyses of information security helps management to make decisions on which initiatives to fund with how much, as there needs to be an approach for measuring and comparing different alternatives and how they meet business objectives of the enterprise. Non-financial metrics are identified using different approaches: governance effectiveness, risk analysis, business case analysis or game theory. The financial performance metrics are driven by the main value disciplines of an enterprise. These lead to the use of formulas enabling the measurement of asset utilisation, profit or growth: ROI (ROIC), NPV, IRR (MIRR), FCF, DCF, Payback Period, TCO, TBO, EVA, and ROSI.

The author shows research in the field of good corporate governance and the investment approval process, as well as case studies from two multinational enterprises. The case from Motorola demonstrates how IT governance principles are equally applicable to information security governance, while the case from Ericsson demonstrates how an information security investment decision can be supported by performing a cost benefit analysis using traditional marketing approaches of business case analysis (BCA) and standard financial calculations.

The suggested good practice presented in this thesis is summarised in four steps:

1. Understand main rationale for the security investment

2. Identify stakeholders and strategic goals

3. Perform Cost Benefit Analysis (non-financial and financial performance metrics)

4. Validate that the results are relevant to stakeholders and strategic goals

DISCLAIMER

This report is intended for academic training only and should not be used for any other purposes. The contents are not to be considered legal or otherwise professional advice. No liability is taken, whatsoever, by the author.

Place, publisher, year, edition, pages
2007. , p. 58
Keywords [en]
cost benefit analysis, information security investment, TBO, EVA, ROSI, business performance, business case, information technology, ROI (ROIC), NPV, IRR (MIRR), FCF, DCF, Payback Period, TCO
National Category
Economics and Business
Identifiers
URN: urn:nbn:se:hig:diva-238Archive number: E3BA: DiVA 102/07OAI: oai:DiVA.org:hig-238DiVA, id: diva2:119787
Uppsok
samhälle/juridik
Supervisors
Available from: 2007-12-18 Created: 2007-12-18

Open Access in DiVA

fulltext(539 kB)4510 downloads
File information
File name FULLTEXT01.pdfFile size 539 kBChecksum MD5
8a877376d83ae622681e1b4114c8b458d23cd5a6979f8040f7d8973ec7ed855bee05dbd9
Type fulltextMimetype application/pdf

By organisation
Department of Business Administration and Economics
Economics and Business

Search outside of DiVA

GoogleGoogle Scholar
Total: 4511 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

urn-nbn

Altmetric score

urn-nbn
Total: 3758 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard-cite-them-right
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • sv-SE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • de-DE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf