Optimizing investment decisions in selecting information security remedies

Dov Shirtz, Yuval Elovici

Research output: Contribution to journalArticlepeer-review

19 Scopus citations


Purpose - This paper proposes a new framework for optimizing investment decisions when deciding about information security remedies. Design/methodology/approach - The framework assumes that the organization is aware of a set of remedies that can be employed to address end-effects that have been identified. The framework also assumes that the organization defines its information security policy by setting a minimum level of protection for each end-effect. Given the two sets of costs, that of the end-effect and the potential damage it can cause and that of the remedy and the required level of protection from each end-effect, this framework can be used to identify the optimal set of remedies for a given budget that complies with the organization's information security policy. The framework is illustrated using a practical example concerning investment decision optimization in a financial organization. Findings - The paper shows that exhausting the information security budget does not assure a higher level of security required by the organisation. Practical implications - Concentrating on end-effects and on the organizational requirements eases the process of remedy selection. The proposed methodology circumvents the common process of assuming probabilities of information security events. Originality/value - This research proposes a practical and an easily implementable framework, enabling the information security manager to align the information security remedies and best practice methodological requirements with organizational budget constraints and business requirements while maintaining a required level of security.

Original languageEnglish
Pages (from-to)95-112
Number of pages18
JournalInformation Management and Computer Security
Issue number2
StatePublished - 30 Jun 2011


  • Data security
  • Information management
  • Investments

ASJC Scopus subject areas

  • Management Information Systems
  • Business and International Management
  • Management Science and Operations Research
  • Library and Information Sciences


Dive into the research topics of 'Optimizing investment decisions in selecting information security remedies'. Together they form a unique fingerprint.

Cite this