In this paper, we present a new quantitative optimization model to support decision makers in determining how much to invest in information security and how to allocate funds. The approach considers uncertain properties of security risks and provides concrete investment recommendations. Evaluating the problem in a holistic way improves insight into the problem structure and leads to better decision making. By using methods of mathematical optimization, available budget can be utilized most effectively. An exemplary case study demonstrates how the approach is applied to increase security of a cloud-based information system. To test our model, we use very detailed as well as vague input data. In both cases, good results are produced which can be the basis for further decision making. The approach is designed to be used within the framework of an existing risk management process.
Schilling, Andreas and Werners, Brigitte, "Optimal Information Security Expenditures Considering Budget Constraints" (2015). PACIS 2015 Proceedings. 251.