A Framework for Assessing IT Security Investment Portfolios

摘要

Organizations are faced with different types of information security threats and implement several security technologies to mitigate these security threats. The security technologies vary in their ability to deal with different types of security threats and hence, organizations usually implement a portfolio of security technologies. A key challenge for organizations is to evaluate and determine the value of the counter-measures in the context of these portfolios. This research develops a framework for systematically evaluating the value of portfolios of different types of security investments given the threats and business environment faced by an organization. The proposed framework builds on the theory of financial asset valuation and develops a simulation model that considers a variety of factors such as type of threat, frequency of arrival, possible damage, and recovery time from damage.