Information security investment decisions: Evaluating the Balanced Scorecard method

Justifying security investments has been challenging for managers and executives alike for several well-published reasons. With the growing importance of security measures, companies are increasing the share of security investments in their overall Information Technology (IT) budgets. This paper presents a practical application of the Balanced Scorecard method in evaluating the investment decisions made on the acquisition of security technologies by an organisation. The research shows that this methodology can be used effectively in comparative analysis situations where two or more investments are being considered using a set of best choices per organisational goal. The proposed methodology incorporates the percentages of financial, customer, business and growth goals defined in a set of metrics and places a weighted value on those percentages to achieve an overall percentage of met goals. The research is carried out in a US-based large public university's IT division.