The economics of information security investment
ACM Transactions on Information and System Security (TISSEC)
The Value of Intrusion Detection Systems in Information Technology Security Architecture
Information Systems Research
Security Controls for Sarbanes-Oxley Section 404 IT Compliance: Authorization, Authentication, and Access
Investments in Information Security: A Real Options Perspective with Bayesian Postaudit
Journal of Management Information Systems
Conceptual model for online auditing
Decision Support Systems
Building the evaluation model of the IT general control for CPAs under enterprise risk management
Decision Support Systems
Understanding Cloud Computing Vulnerabilities
IEEE Security and Privacy
| Hi-index | 0.00 |
Compliance with ever-increasing privacy laws, accounting and banking regulations, and standards is a top priority for most organizations. Information security and systems audits for assessing the effectiveness of IT controls are important for proving compliance. Information security and systems audits, however, are not mandatory to all organizations. Given the various costs, including opportunity costs, the problem of deciding when to undertake a security audit and the design of managerial incentives becomes an important part of an organization's control process. In view of these considerations, this paper develops an IT security performance evaluation decision model for whether or not to conduct an IT security audit. A Bayesian extension investigates the impact of new information regarding the security environment on the decision. Since security managers may act in an opportunistic manner, the model also incorporates agency costs to determine the incentive payments for managers to conduct an audit. Cases in which the agency model suggests that it is optimal not to conduct an IT security audit are also discussed.