In the realm of information systems (IS) security, a plethora of standards have come into existence. Too many IS security standards have been proposed, which an organization could adopt to secure its information systems. On what criteria then an organization shall base its decision as to what standards need to be implemented? We address this concern employing basic economic concepts. The core argument of research presented in this paper is that an organization should incorporate a minimum set of standards to cover maximum IS security needs of an organization. The position of adopting a different IS security standard for every process in an organization defies the concept of efficiency.