The growing number of defects in information systems and of illegal intrusions is pushing organizations worldwide to invest more in information security (IS). Security experts and IT specialists usually carry out security infrastructure plans, while stakeholders often wonder whether their money is well spent and whether the risks to information systems are reduced to an acceptable level. This paper proposes an optimal IS investment strategy using a multi-objective model: 1) minimize the opportunity cost of risks, which are indirectly quantified by the loss of confidentiality, integrity and availability; and 2) the return, or benefit, on security investment must be larger than the investment. The model transforms information risks into opportunity cost, measures the efficiency of security-related tools and policies by an impact factor, and then derives the optimal investment strategy under several selectable constraints. A case study of a small company at the end demonstrates the validity of the model. Stakeholders and IT managers can use this model to justify and measure whether their budget for information security is consistent with the expected risks.