Finance plays a crucial role in the development and operation of an effective and efficient information security (IS) program. On one hand, the role of finance in security relates to expenditures and business priorities. As Gordon and Loeb (2002) explain,
To protect the confidentiality, integrity, and availability of information, while also assuring authenticity and non-repudiation, organizations are investing large sums of money in IS activities. Since security investments are competing for funds that could be used elsewhere, it’s not surprising that CFOs are demanding a rational economic approach to such expenditures. (p. 26)
On the other hand, finance represents a significant target for attackers and a strong influence on the business’ security culture. As Spontak (2006) states,
These are the non-technical elements that speak to the heart of the organization and influence people’s behavior: the business culture, policies and procedures, separation of duties and security awareness. The financial executive can exert considerable influence in these areas and become an important part of the organization’s security arsenal. (p. 51)
From either point of view, finance plays a critical role in information security. Unfortunately, information security practice often focuses on technical issues and fails to incorporate into its risk analyses the business factors that matter to finance.
Salmela (2008) undertakes to evaluate the use of business process analysis (BPA) to improve the assessment of information security availability risks by incorporating business losses, a measure that finance understands well. Salmela uses action research to evaluate the use of BPA for incorporating business losses into IS risk assessments at two companies: a paper mill and a credit card department. Salmela found that using BPA increased participants’ awareness of security-related business losses. Salmela concludes that the problem is complex and that more research is needed:
For years, such managers and researchers have been aware of the significant negative effect that computer problems can have on business operations. Still, this effect has often been considered as complex and difficult to analyse. The findings herein – that business process analysis can be used to systematically assess the nature and significance of such effects – should stimulate the imaginations of IS security managers and researchers alike. (p. 201)
BPA was not a panacea for the challenge of incorporating business losses into IS risk analyses. While Salmela’s method resulted in improvements, “the business process analysis needs to be complemented with other loss evaluation methods” (p. 200).
Finance plays an important role in information security. However, the inclusion of meaningful business loss calculations in IS technical risk assessments remains a challenging prospect. Business methods such as business process analysis offer a means of bridging the gap between finance and IS. However, BPA as a means of incorporating business losses into IS risk measures is not perfect, and additional research and exploration are required. As Salmela states, “more research on the methods that assist in identification of business losses is needed” (p. 201).
Gordon, L. A., & Loeb, M. P. (2002). Return on information security investments: Myths vs. realities. Strategic Finance, 84(5), 26. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=229418161&Fmt=7&clientId=62763&RQT=309&VName=PQD
Salmela, H. (2008). Analysing business losses caused by information systems risk: A business process analysis approach. Journal of Information Technology, 23(3), 185. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1534334211&Fmt=7&clientId=62763&RQT=309&VName=PQD
Spontak, S. (2006). Defense in depth: How financial executives can boost IT security. Financial Executive, 22(10), 51. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1182662141&Fmt=7&clientId=62763&RQT=309&VName=PQD