Skip to Main Content
Many organizations still rely on deterrence to control insider threats and on purely preventive strategies to control outsider threats. Such a simple approach to organizational information security is no longer viable given the increasing operational sophistication of current security threat agents and the complexity of information technology infrastructure. Effective implementation of security requires organizations to select a combination of strategies that work in tandem and best suits their security situation. This paper addresses the identification and classification of factors that influence implementation of security strategies in organizations. In this paper, we develop a preliminary architecture that aims to assist organizations in deciding how strategies can be designed to complement each other to improve the cost-effectiveness of security.