With increasing level of security threats and constant budget limitations, it is critical for a company to know how much and where to invest in information security. To date, all of the studies—academia or practitioner—focus on risk reduction as the primary effect of security investments, assuming that they generate no direct business benefits. However, some potential business values such as brand reputation and data stability are not only real but also quite important. This study addresses related research questions and extends the existing model to take into account direct business benefits in optimizing security investments, filling a significant research gap. As such, this research makes contribution to both theory development in information security management and management implications in practice.