Decisions regarding organizational IT security are often approximated by models drawing on normative statistical decision theories even though several IS researchers and studies in cognate disciplines have argued for the importance of contextual aspects. Based on findings in organizational and behavioral science and 25 expert interviews, this paper proposes a framework, postulating that IT security (investment) decisions are largely influenced by such contextual aspects: organizational, environmental, economic, and not least of all by cognitive and behavioral aspects of decision-makers. Subsequently, we review organizational IT security literature building on Straub and Welke's Security Risk Planning Model and the previously postulated conceptual framework. This critical literature review highlights the scarcity of studies analyzing IT security decision-making from a behavioral, environmental, and organizational perspective and thus argues for the importance and future consideration of contextual aspects regarding IT security decisions.