Since there's no public version available in English, I summarize here the main points of the research findings.
Earlier research on information security investments is based on the following assumptions:
- decision makers can assess risks neutrally
- decision makers are able to make rational decisions based on complex calculations
- investment has a linear effect on risk
- all relevant information is available
- decision makers know all the possible choices
- decision makers always try to maximize net profits
In reality these assumptions do not hold:
- information is asymmetric and incomplete
- some information is subjective (opinions) or guesses
- adversaries may have other goals than maximising profit
- calculations require simplified models
The research:
- a questionnaire was sent to the 690 largest Finnish businesses
- 134 responses, mostly from CEOs and Executive Vice Presidents, plus some CIOs
- the questions were information security investment scenarios, and respondents were asked for their decision
- each respondent got five scenarios, randomly selected from 162 different scenarios
- scenarios had elements like: negative vs. positive presentation approach, likelihood and possible impact of the security threat, cost of mitigation/countermeasures (security investment)
The goal was to study decision making styles (rational vs. emotional) and persuasion methods.
Findings from the study:
- in general, people who respond to emotional arguments tend to support an investment proposal presented in a negative manner (e.g. emphasizing threats, losses)
- in general, people who respond to rational/factual arguments tend to support an investment proposal presented in a positive manner (e.g. emphasizing benefits)
- increasing likelihood and severity of the threat had a positive, linear effect on the investment decision
- increasing cost of the investment decreased the willingness to invest linearly
- an investment proposal presented using negative language (threats) is more likely to be accepted than a proposal emphasizing positive outcomes
- even investments meant to tackle low-level threats are not easily rejected when presented in a negative manner
- information security investment is a complicated process whose success factors are rarely understood by any individual alone
- ROI and ROSI do not play any significant role in information security investment decisions
- the CISO must get allies from different levels of the organization
- the CISO needs to understand both the management view and the "regular" staff view
- the CISO's communication skills and personal relationships with other players are very important
- a justified need for the information security investment coming from the organization helps get the investment accepted
- one key challenge is that the need for the information security investment is usually crystal clear to the CISO, but not to the management and the staff
- clear organizational responsibilities are important
- in general, staff support for the information security solution (investment) and the solution's usability, suitability to current processes and social acceptance are more important factors than the strength/quality of the solution or ROI/ROSI calculations
I hope I managed to catch the core points of the research. I can't give more background information or justifications for the results since I'm not the researcher :-) It's easy for me to agree with the results, though.