---
_id: '5586'
abstract:
- lang: eng
  text: The need to protect resources against attackers is reflected by huge information
    security investments of firms worldwide. In the presence of budget constraints
    and a diverse set of assets to protect, organizations have to decide in which
    IT security measures to invest, how to evaluate those investment decisions, and
    how to learn from past decisions to optimize future security investment actions.
    While the academic literature has provided valuable insights into these issues,
    there is a lack of empirical contributions. To address this lack, we conduct a
    theory-based exploratory multiple case study. Our case study reveals that (1)
    firms? investments in information security are largely driven by external environmental
    and industry-related factors, (2) firms do not implement standardized decision
    processes, (3) the security process is perceived to impact the business process
    in a disturbing way, (4) both the implementation of evaluation processes and the
    application of metrics are hardly existent and (5) learning activities mainly
    occur at an ad-hoc basis.
author:
- first_name: Eva
  full_name: Weishäupl, Eva
  last_name: Weishäupl
- first_name: Emrah
  full_name: Yasasin, Emrah
  last_name: Yasasin
- first_name: Guido
  full_name: Schryen, Guido
  id: '72850'
  last_name: Schryen
citation:
  ama: 'Weishäupl E, Yasasin E, Schryen G. Information Security Investments: An Exploratory
    Multiple Case Study on Decision-Making, Evaluation and Learning. <i>Computers
    &#38; Security</i>. 2018;77:807-823.'
  apa: 'Weishäupl, E., Yasasin, E., &#38; Schryen, G. (2018). Information Security
    Investments: An Exploratory Multiple Case Study on Decision-Making, Evaluation
    and Learning. <i>Computers &#38; Security</i>, <i>77</i>, 807–823.'
  bibtex: '@article{Weishäupl_Yasasin_Schryen_2018, title={Information Security Investments:
    An Exploratory Multiple Case Study on Decision-Making, Evaluation and Learning},
    volume={77}, journal={Computers &#38; Security}, publisher={Elsevier}, author={Weishäupl,
    Eva and Yasasin, Emrah and Schryen, Guido}, year={2018}, pages={807–823} }'
  chicago: 'Weishäupl, Eva, Emrah Yasasin, and Guido Schryen. “Information Security
    Investments: An Exploratory Multiple Case Study on Decision-Making, Evaluation
    and Learning.” <i>Computers &#38; Security</i> 77 (2018): 807–23.'
  ieee: 'E. Weishäupl, E. Yasasin, and G. Schryen, “Information Security Investments:
    An Exploratory Multiple Case Study on Decision-Making, Evaluation and Learning,”
    <i>Computers &#38; Security</i>, vol. 77, pp. 807–823, 2018.'
  mla: 'Weishäupl, Eva, et al. “Information Security Investments: An Exploratory Multiple
    Case Study on Decision-Making, Evaluation and Learning.” <i>Computers &#38; Security</i>,
    vol. 77, Elsevier, 2018, pp. 807–23.'
  short: E. Weishäupl, E. Yasasin, G. Schryen, Computers &#38; Security 77 (2018)
    807–823.
date_created: 2018-11-14T11:24:37Z
date_updated: 2022-01-06T07:02:03Z
ddc:
- '000'
department:
- _id: '277'
extern: '1'
file:
- access_level: open_access
  content_type: application/pdf
  creator: hsiemes
  date_created: 2018-12-07T11:26:53Z
  date_updated: 2018-12-13T15:06:10Z
  file_id: '6022'
  file_name: JOURNAL VERSION.pdf
  file_size: 809490
  relation: main_file
file_date_updated: 2018-12-13T15:06:10Z
has_accepted_license: '1'
intvolume: '        77'
keyword:
- Information Security Investments
- Multiple Case Study
- Organizations
- Single Loop Learning
- Double Loop Learning
language:
- iso: eng
oa: '1'
page: 807 - 823
publication: Computers & Security
publisher: Elsevier
status: public
title: 'Information Security Investments: An Exploratory Multiple Case Study on Decision-Making,
  Evaluation and Learning'
type: journal_article
user_id: '61579'
volume: 77
year: '2018'
...