Optimizing investment decisions in selecting information security remedies

This paper proposes a new framework for optimizing investment decisions when deciding about information security remedies.

The framework assumes that the organization is aware of a set of remedies that can be employed to address end‐effects that have been identified. The framework also assumes that the organization defines its information security policy by setting a minimum level of protection for each end‐effect. Given the two sets of costs, that of the end‐effect and the potential damage it can cause and that of the remedy and the required level of protection from each end‐effect, this framework can be used to identify the optimal set of remedies for a given budget that complies with the organization's information security policy. The framework is illustrated using a practical example concerning investment decision optimization in a financial organization.

The paper shows that exhausting the information security budget does not assure a higher level of security required by the organisation.

Concentrating on end‐effects and on the organizational requirements eases the process of remedy selection. The proposed methodology circumvents the common process of assuming probabilities of information security events.

This research proposes a practical and an easily implementable framework, enabling the information security manager to align the information security remedies and best practice methodological requirements with organizational budget constraints and business requirements while maintaining a required level of security.