LAUSR

Research on technological aspects of information security risk is a well-established area and familiar territory for most information security professionals. The same cannot be said about the economic value of information security investments in organisations. While there is an emerging research base investigating suitable approaches measuring the value of investments in information security, it remains difficult for practitioners to identify key approaches in current research. To address this issue, we conducted a systematic literature review on approaches used to evaluate investments in information security. Following a defined review protocol, we searched several databases for relevant primary studies and extracted key details from the identified studies to answer our research questions. The contributions of this work include: a comparison framework and a catalogue of existing approaches and trends that would help researchers and practitioners navigate existing work; categorisation and mapping of approaches according to their key elements and components; and a summary of key challenges and benefits of existing work, which should help focus future research efforts.