Information Security Investments: How to Prioritize?

  • Mariana Batista Oliveira USP
  • Alfredo Goldman USP
  • Joseph Yoder IPT


Context: In an increasingly digitalized world with more complex supply chains, there is concern about the security of sharing information. To make the associated risk visible, companies carry out Information Security Risk Assessments (ISRAs) to measure the risk of sharing information with a third party. There are dozens of risk frameworks that are used as a basis for creating Information Security Risk Assessment forms. In most cases, these forms are adapted to the reality of each company, generating a large number of possible questions and priority topics. This wide range of possibilities creates inefficiencies in the information security supplier management process. It also makes it difficult to prioritize effort on the topics that contribute most to raising a company's information security maturity, or to aligning the company with what the market demands.

Problem: Companies do not have unlimited resources to invest in information security. Given the increase in cybercrime and, consequently, in market demands, it is important that human and financial resources are directed to the themes and adjustments the market most requires. Current research on this topic focuses on comparing risk frameworks or trying to improve their efficiency; there is very little research on what the market is actually demanding.

Method: In this work, a qualitative analysis was carried out on 5 information security risk assessment forms sent by multinational companies to a Brazilian healthcare operator. The Atlas TI tool was used to identify the most recurrent themes.

Results: The most relevant topics across the 5 companies evaluated are the existence of information security policies, incident prevention and response plans, adaptation to legislation and compliance, and ensuring the protection and privacy of data. The ISRA from the company in the financial sector had the highest number of questions, which indicates greater maturity in that sector with respect to supplier management on information security topics.
Keywords: ISRA, SMEs, healthcare, information security, risk assessment, vendor management
OLIVEIRA, Mariana Batista; GOLDMAN, Alfredo; YODER, Joseph. Information Security Investments: How to Prioritize? In: SIMPÓSIO BRASILEIRO DE SISTEMAS DE INFORMAÇÃO (SBSI), 20., 2024, Juiz de Fora/MG. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024.
