A model of the information security investment decision-making process

Daniel Dor, Yuval Elovici

Research output: Contribution to journalArticlepeer-review


Following recent developments affecting the information security threat landscape, information security has become a complex managerial issue. Using grounded theory, we present a conceptual model that reflects the most up-to-date decision-making practices regarding information security investment in organizations for several industries. The framework described in this article generalizes the current decision-making processes, while taking into consideration that organizations may differ in many respects, including: the stakeholder who administers the information security budget, the Chief Information Security Officer's (CISO) role in the organization, the organization's industry sector, the organizational structure, and so on. Our findings indicate that the information security investment decision-making process contains 14 phases and 16 concepts that affect and are affected by these phases. The study shows that the decision-making process is heavily biased by different organizational and psychological factors. The conceptual model derived can assist decision makers/stakeholders in performing, reviewing, and manipulating the decision-making process in their organizations. It can also assist vendors and consultants in understanding and prioritizing various aspects of their sales cycle.

Original languageAmerican English
Pages (from-to)1-13
Number of pages13
JournalComputers and Security
StatePublished - 1 Nov 2016


  • Decision-making
  • Decision-processes
  • Grounded theory
  • Information security
  • Information security investments
  • Multi-criteria decision making

All Science Journal Classification (ASJC) codes

  • General Computer Science
  • Law


Dive into the research topics of 'A model of the information security investment decision-making process'. Together they form a unique fingerprint.

Cite this