Wirtschaftliche Rechtfertigung von Cybersicherheitsinvestitionen – eine systematische Literaturanalyse zu Cybersicherheitskennzahlen
摘要
The sharp increase in damages caused by cyberattacks and cybersecurity budgets at German companies brings the economic justification of cybersecurity investments to the forefront. Quantifying these investments, however, is challenging since they aim to reduce losses from potential future incidents. In this context, metrics can prove to be a valuable instrument for quantifying relevant parameters.
In this paper, a systematic literature review is conducted to identify current metrics for the economic justification of cybersecurity investments and to classify them according to practice-relevant criteria. The analysis focuses on decision-theoretic approaches. A structured literature search across four academic databases identified 24 relevant articles containing 19 distinct metrics. The classification is based on five criteria: methodological approach (benefit maximization, cost minimization, ROI-based), temporal scope (static/dynamic), risk transfer to insurance, budget consideration, and application context. The analysis reveals that most metrics follow a static perspective and only a few consider risk transfer to insurance providers. Budget restrictions are frequently not explicitly incorporated into the metrics, and a general application context is typically assumed.
From a practical perspective, the findings demonstrate that the methodological approach has significant implications for investment recommendations, and that dynamic models with insurance integration can lead to more economically sound decisions. Future research on cybersecurity metrics should address the standardization of input variables, the development of integrated dynamic insurance models, and the empirical validation of theoretical models.