Abstract:
As most government organizations in Sri Lanka move towards providing connected
online services to citizens, the growing number of information system defects and
illegal intrusions is pushing them to invest more in information security.
Information security problems are as old as information exchange, but decisions about
the corresponding defense measures are still mostly taken on the basis of heuristics
and experience. There is no general and reliable information security strategy that a
government organization could use to make such decisions. As a result, the
information security status of government organizations is not at the level where it
should be.
It is therefore very important to have an acceptable information security strategy for
information security investments in government sector organizations.
In general, before spending money on a product or service, decision makers want to
know that the investment is financially justified. Information security is no different:
it has to make business sense.
Typically, robust analysis techniques are needed to determine how best to spend
resources in order to increase revenue and decrease costs or losses. In the case of
information security investments, however, there is a lack of key performance and
evaluation metrics on which to base proper investment decisions.
Using a case study approach, a series of interviews was conducted with five
government organizations in a variety of sectors in order to understand their
investment and implementation strategies for information security. The general IS
awareness of decision-makers and users, which has a major impact on the investment
strategy of any organization, was also evaluated.
This paper proposes an IS investment strategy by providing a strategic approach for
each stage in the investment life cycle: Select, Control and Evaluate.