Managing the investment in information security technology by use of a quantitative modeling


Bibliographic details
Published in: Information processing & management 2012-11, Vol.48 (6), p.1031-1052
Main authors: Bojanc, Rok; Jerman-Blažič, Borka; Tekavčič, Metka
Format: Article
Language: eng
Description
Summary:
► Innovative quantitative model for evaluating investments in information security technology.
► Simulation of random events and probability elements in provision of risk management.
► Examples based on empirical research.
► Standard procedure for selecting optimal security solutions and associated investment.

This paper presents a mathematical model for an optimal security-technology investment evaluation and decision-making processes based on a quantitative analysis of the security risks and a digital-assets assessment in an organization. The model makes use of a quantitative analysis of different security measures that counteract individual risks by identifying the information-system processes in an enterprise and the potential threats. The model comprises the target security levels for all the identified core business processes and the probability of a security accident together with the possible loss the organization may suffer. The model allows in-depth analyses and computations providing quantitative assessments of different options for investments, which translate into recommendations that facilitate the selection of the best solution and the associated decision-making. The model was tested using empirical examples and mathematical simulations with data from a real business environment.
ISSN: 0306-4573, 1873-5371
DOI: 10.1016/j.ipm.2012.01.001