| This research quantifies the maximum potential loss due to a breach of security to help decision makers understand and justify the expenses necessary to properly protect information systems and identify the optimally priced security features that will provide the maximum cost benefit ratio. The purpose is to help assess and reduce the value of risk such that it is as close to zero as possible, where companies are not spending too little or too much on security prevention. The research uses decision analysis, specifically a "decision tree" and "influence diagram" to model the problem, quantify the losses, and gauge the risk associated with network intrusions and security technologies applied to an organization. The model is designed to help decision makers balance the costs of security procedures against the potential costs of internal and external information systems misuse and computer crime whether the attack is intentional or unintentional. The methodology can be used to better plan for the prevention of attacks. The model incorporates sufficient flexibility to accommodate the different risks and associated costs faced by different organizations. The model will help managers understand and justify the expenses necessary to protect information systems properly. |
