More and more attention has been devoted to aligning information technology (IT) spending and initiatives with organizational strategic objectives. IT spending across organizations and industries carries a high opportunity cost and a substantial risk of drifting away from the highest priorities of the business units. The business justification and rationale for information security has come under similar scrutiny at a time when the network economy is transforming the nature of many organizations. More and more business functions and processes are enabled by information assets and capabilities that are vulnerable to new and adapting threats. This paper examines the impact of strategically aligning information security spending with organizational goals and with the risk tolerances of decision makers. It provides an explanation for, and insight into, the observed differences in executive responses to cyber threats and risk assessments. It models the relationship between security resources and risk mitigation, and it identifies the premiums that organizations expect to receive or pay for bearing or avoiding information security risk.
Note: The Institute of Electrical and Electronics Engineers, Incorporated is distributing this Article with permission of the International Business Machines Corporation (IBM) who is the exclusive owner. The recipient of this Article may not assign, sublicense, lease, rent or otherwise transfer, reproduce, prepare derivative works, publicly display or perform, or distribute the Article.
IBM Journal of Research and Development
- Date of Current Version: 13 May 2010