Abstract:
As most government organizations in Sri Lanka move towards providing connected online services to citizens, the growing number of defects in information systems and of illegal intrusions is pushing them to invest more in information security. Information security problems are as old as information exchange, but decisions about the respective defense measures are still mostly based on heuristics and experience. There is a lack of a general and reliable information security strategy that a government organization could use to make such decisions. As a result, the information security status of government organizations is not at the level where it should be. It is therefore very important to have an acceptable information security strategy for information security investments in government sector organizations. In general, before spending money on a product or service, decision makers want to know that the investment is financially justified. Information security is no different: it has to make business sense. Typically it is necessary to use very robust analysis techniques to determine how best to spend resources in order to increase revenue and decrease costs or losses. In the case of information security investments, however, there is a lack of key performance and evaluation metrics for making proper investment decisions. Using a case study approach, a series of interviews was conducted with five government organizations in a variety of sectors in order to understand their investment and implementation strategies for information security. The general IS awareness of decision-makers and users, which has a major impact on the investment strategy of any organization, is also evaluated. This paper proposes an IS investment strategy by providing a strategic approach for each stage in the investment life cycle: Select, Control and Evaluate.
Citation:
Palliyaguru, R.C.A. (2011). Investment strategy for information security in government sector organizations in Sri Lanka [Master's theses, University of Moratuwa]. Institutional Repository University of Moratuwa. http://dl.lib.mrt.ac.lk/handle/123/10636