Authors: Shivraj Kanungo, Vikas Jain, Ernest H. Forman
Addresses: Department of Decision Sciences, The George Washington University, 2201 G St NW, Washington DC 22052, USA; Department of Information and Technology Management, Sykes College of Business, University of Tampa, 401 W Kennedy Blvd, Tampa, FL 33606, USA; Department of Decision Sciences, The George Washington University, 2201 G St NW, Washington DC 22052, USA
Abstract: Organisational IT security spending is expected to increase substantially in the next few years. The challenge for IT managers and CIOs continues to grow in terms of allocating IT security investments across competing projects, products, or initiatives. Past approaches suggest the use of a sorting mechanism based on the analytic hierarchy process (AHP) to allocate resources across a portfolio of IT security applications. It has also been suggested that using the cost-benefit ratio provides a better way to prioritise resource allocations. Using the case of resource allocation for IT security at a large financial institution, we show that optimisation is a better approach than sorting to allocate IT security resources. We also show that the cost-benefit ratio is not always the most effective way of evaluating IT security resource allocations. The findings of this study have significant implications for IT security managers, who often face the challenge of maintaining a balance between the IT security budget and addressing the maximum number of potential vulnerabilities.
Keywords: resource allocation; analytical hierarchy process; AHP; organisational security; security spending; information technology; communications technology; ICT; security investments; CIOs; chief information officers; security managers; competing initiatives; competing projects; competing products; sorting mechanisms; security applications; cost-benefit ratios; prioritisation; financial institutions; optimisation; evaluation; balance; budgets; potential vulnerabilities; USA; United States; business information systems.
International Journal of Business Information Systems, 2011 Vol. 7 No. 2, pp. 166-180
Published online: 30 Sep 2014