Dov Shirtz, Yuval Elovici
Information Management & Computer Security 19 (2), 95-112, 2011
This paper proposes a new framework for optimizing investment decisions when deciding about information security remedies. The framework assumes that the organization is aware of a set of remedies that can be employed to address end‐effects that have been identified. The framework also assumes that the organization defines its information security policy by setting a minimum level of protection for each end‐effect. Given the two sets of costs, that of the end‐effect and the potential damage it can cause and that of the remedy and the required level of protection from each end‐effect, this framework can be used to identify the optimal set of remedies for a given budget that complies with the organization’s information security policy. The framework is illustrated using a practical example concerning investment decision optimization in a financial organization.
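As an added illustration of the decision problem the abstract describes (not code from the paper), the following Python snippet searches for the cheapest-residual-damage set of remedies that fits a budget and meets a per-end-effect minimum protection level. The end-effect and remedy data are constructed, and the rule that independent remedies combine as 1 - prod(1 - p) and the exhaustive search are assumptions made here, not the paper's own method.

```python
from itertools import combinations

# Constructed sample data (not from the paper): each end-effect has a potential
# damage and the policy's minimum required protection level in [0, 1].
END_EFFECTS = {
    "data_leak": {"damage": 500_000, "min_protection": 0.7},
    "service_outage": {"damage": 200_000, "min_protection": 0.5},
    "fraud": {"damage": 300_000, "min_protection": 0.6},
}

# Constructed remedies: purchase cost and protection offered per end-effect.
REMEDIES = {
    "dlp": {"cost": 120_000, "protects": {"data_leak": 0.6}},
    "encryption": {"cost": 80_000, "protects": {"data_leak": 0.5, "fraud": 0.2}},
    "ddos_mitigation": {"cost": 90_000, "protects": {"service_outage": 0.7}},
    "fraud_analytics": {"cost": 100_000, "protects": {"fraud": 0.6}},
    "mfa": {"cost": 40_000, "protects": {"fraud": 0.4, "data_leak": 0.3}},
}


def combined_protection(selected, end_effect):
    # Assumption: remedies act independently, so protection = 1 - prod(1 - p_i).
    p_fail = 1.0
    for remedy in selected:
        p_fail *= 1.0 - REMEDIES[remedy]["protects"].get(end_effect, 0.0)
    return 1.0 - p_fail


def residual_damage(selected):
    # Expected damage that remains after the selected remedies are applied.
    return sum(e["damage"] * (1.0 - combined_protection(selected, name))
               for name, e in END_EFFECTS.items())


def meets_policy(selected):
    # Every end-effect must reach the minimum protection set by the policy.
    return all(combined_protection(selected, name) + 1e-9 >= e["min_protection"]
               for name, e in END_EFFECTS.items())


def optimal_remedies(budget):
    # Exhaustive search over remedy subsets: feasible = within budget and policy-
    # compliant; best = lowest residual damage. Returns None if nothing is feasible.
    best = None
    names = list(REMEDIES)
    for k in range(len(names) + 1):
        for subset in combinations(names, k):
            cost = sum(REMEDIES[r]["cost"] for r in subset)
            if cost > budget or not meets_policy(subset):
                continue
            residual = residual_damage(subset)
            if best is None or residual < best[1]:
                best = (set(subset), residual, cost)
    return best
```

With the constructed data, a 300,000 budget cannot satisfy the policy at all, while 360,000 yields a compliant set costing 350,000; a real deployment would replace the brute-force loop with an integer program once the remedy list grows.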