Shall We Follow? Impact of Reputation Concern on Information Security Managers’ Investment Decisions

Information security (infosec) is important for organizations. While budgeting for infosec is a crucial resource allocation decision, infosec managers may choose to follow other fellow experts’ recommendations or baseline practices. The present paper uses reputational herding theory to explain the decision made by infosec managers to use a “let's follow others” strategy in this context. Based on a sample of 106 organizations in Finland, we find that infosec managers’ ability to accurately predict the benefit of infosec investment, as well as their reputations, have significant effects on motivating them to discount their own information. Infosec managers’ discounting of their own information, together with the strength of information that relates to infosec investment and mandatory requirements, motivates infosec investment. Our empirical results highlight the “let's follow others” strategy as an important alternative to cost–benefit analysis in terms of budgeting for infosec investment.