Beyond economic and financial analyses : A revelatory study of IT security investment decision-making process

Information Technology (IT) security breaches and the extent of damage they may cause to an organization are inherently uncertain. Therefore, managers’ decisions about whether to make IT security investment (ITSI) and how much, depend upon a subjective assessment of the economic value of the investment and the likelihood of the damage to the organization. When managers delay or fail to decide on whether and how much to invest in IT security, it can make organizations vulnerable to operational and strategic perils. Based upon interviews, document reviews, and observations in three organizations in Finland that made ITSI decisions to acquire a secure email application system, we examined the …