Cost-Benefit Analysis of Information Systems Security

Economic aspects of information systems (IS) security have become a growing concern to small organizations in recent years due to security breaches. A recent study sponsored by IBM Corporation's security division states that, on average, the cost of a security failure has increased to $4 million per incident, up 29% since 2013. The cost of a breached system varies widely by type of industry, according to the findings of this study. Healthcare, a highly regulated industry that deals with the most intimate personal information (which can include patient names, medical histories, credit card data, and Social Security numbers), has the highest cost per stolen record at $355 (Hackett, 2016). From a business standpoint, cost-benefit justifications for information systems security are in focus. Today, the question is not whether more security is needed but how much to spend for added security. And yet investing in information systems security has always been a hard sell for IS managers. There is a wide range of new security technologies to select from, and yet if anything is certain, it is that none of them can provide full security. Each choice involves risk. Security managers need a structured cost-benefit methodology to examine and compare IS security solutions in relation to prevailing security risks. While most of the published research has applied economic models to security investments, this paper proposes using cost-benefit analysis for IS security enhancement projects.

