A Framework for Aligning Cybersecurity and Business Strategy - From Cost to Investment

Open Access
Article
Conference Proceedings
Authors: Hiroyuki Hasegawa, Kenji Watanabe, Ichiro Koshijima, Masahiro Arakawa

Abstract: In recent years, cyberattacks have continued to grow increasingly sophisticated and cunning. Amidst this situation, companies, particularly operating businesses, need to advance their countermeasures against cyberattacks. However, it is difficult to say that cybersecurity measures are necessarily well-established. On the other hand, a survey on the actual state of information security measures among small and medium-sized enterprises (SMEs), published by the Information-technology Promotion Agency (IPA), an external organization of the Ministry of Economy, Trade and Industry (METI) which oversees Japan's information security sector, also reports that implementing countermeasures has reduced the damage from cyberattacks. Furthermore, due to additional regulations and heightened security awareness among client companies, security measures are increasingly being demanded by business partners. In this environment, companies must develop medium- to long-term security strategies, rather than focusing solely on short-term costs. In this paper, we analyze why companies struggle to advance security measures, examine the causes of the gap between business strategy and security strategy, and propose solutions. The gap analysis references the Balanced Scorecard (BSC) and is conducted across four perspectives: financial, customer, internal processes, and people. It analyzes the causes within each category and suggests countermeasures. Furthermore, in this paper, we implement one countermeasure: creating a “Security Scorecard” that maps cybersecurity measures based on the BSC.

Keywords: cybersecurity, cybersecurity strategy, strategy framework

DOI: 10.54941/ahfe1007039
