Assessing Future Value of Investments in Security‑Related IT Governance Control Objectives … Surveying IT Professionals

Authors

  • Waldo Rocha Flores
  • Teodor Sommestad
  • Hannes Holm
  • Mathias Ekstedt

Keywords:

IT governance, control objectives, information security, net present value

Abstract

Optimizing investments in IT governance towards a better information security is an understudied topic in the academic literature. Further, collecting empirical evidence by surveying IT professionals on their relative opinion in this matter has not yet been explored to its full potential. This paper has tried to somewhat overcome this gap by surveying IT professionals on the expected future value from investments in security‑related IT governance control objectives. The paper has further investigated if there are any control objectives that provide more value than others and are therefore more beneficial to invest in. The Net Present Value (NPV) technique has been used to assess the IT professional’s relative opinion on the generated future value of investments in 19 control objectives. The empirical data was collected through a survey distributed to professionals from the IT security, governance and/or assurance domain and analyzed using standard statistical tools. The results indicate that the vast majority of investments in control objectives is expected to yield a positive NPV, and are beneficial to an organization. This result implies that investments in control objectives are expected to generate future value for a firm, which is an important finding since many of the benefits from an investment are indirectly related and may occur well into the future. The paper moreover contributes in strengthening the link between IT governance and information security.

Downloads

Published

1 Sep 2011

Issue

Vol. 14 No. 2 (2011)

Section

Articles

License

Open Access Publishing

The Electronic Journal of Information Systems Evaluation operates an Open Access Policy. This means that users can read, download, copy, distribute, print, search, or link to the full texts of articles, crawl them for indexing, pass them as data to software, or use them for any other lawful purpose, without financial, legal, or technical barriers other than those inseparable from gaining access to the internet itself. The only constraint on reproduction and distribution, and the only role for copyright in this domain, is that authors control  the integrity of their work, which should be properly acknowledged and cited.

Creative Commons License

This Journal is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.