Conceptual design of a method to support IS security investment decisions within the context of critical business processes

In order to safeguard the compliance of information systems, private enterprises and governmental organizations can implement a large variety of distinct measures, ranging from technical measures to organizational measures. Especially in the context of critical information system infrastructure e.g. data centers, the decision for specific safeguards is complex. An appropriate method for the profitability assessment of alternative IS security measures in the context of critical business processes has not so far been developed. With this article we propose a conceptual design for a method which enables the determination of the success of alternative security investments on the basis of a process-oriented perspective. Within the scope of a design science approach we combine established artifacts of the field of IS security management with those of the field of process management and controlling. On that basis we develop a concept that allows decision-makers to prioritize the investments for dedicated IS safeguards in the context of critical business processes.