DocumentCode :
2356421
Title :
A framework for evaluating IT security investments in a banking environment
Author :
Smith, E.H. ; Kruger, H.A.
Author_Institution :
BIQueue, Johannesburg, South Africa
fYear :
2010
fDate :
2-4 Aug. 2010
Firstpage :
1
Lastpage :
7
Abstract :
The amount of effort that can be expended on information security depends on funds available and management decisions. Organisations therefore have to prepare an annual budget for the maintenance and improvement of their information security systems. Two of the key issues that confront IT management, when dealing with IT security investments, are how to spend the IT security budget most effectively, and how to make the case for an increase in funds to maintain and further enhance information security. The aim of this paper is to present a quantitative framework as an alternative way of analysing IT security investments in a banking environment in order to address the two issues mentioned above. A two-step framework is proposed. The first step utilizes a cluster analysis (CA) technique and the second step employs a linear programming technique called data envelopment analysis (DEA). The purpose of the clustering step is to ensure that evaluations are carried out in groups of homogeneous bank branches while the purpose of the DEA model is to determine which of the branches make efficient use of the IT security resources available to them. Following a brief discussion of the proposed framework and techniques used, an illustrative example, based on a well-known South African financial institution, is presented.
Keywords :
banking; budgeting; data envelopment analysis; information technology; investment; linear programming; security of data; software development management; software maintenance; statistical analysis; IT management; IT security budget; IT security investments; IT security resources; annual budget; banking environment; cluster analysis; data envelopment analysis; information security systems; linear programming technique; maintenance; management decisions; Biological system modeling; Clustering algorithms; Customer satisfaction; Information security; Investments; Partitioning algorithms; IT security investment; cluster analysis; data envelopment analysis;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Information Security for South Africa (ISSA), 2010
Conference_Location :
Sandton, Johannesburg
Print_ISBN :
978-1-4244-5493-8
Type :
conf
DOI :
10.1109/ISSA.2010.5588343
Filename :
5588343