The purpose of this paper is to address three main problems resulting from uncertainty in information security management: dynamically changing security requirements of an organization; externalities caused by a security system; and obsolete evaluation of security concerns.
In order to address these critical concerns, a framework based on options reasoning borrowed from corporate finance is proposed and adapted to evaluation of security architecture and decision making for handling these issues at organizational level. The adaptation as a methodology is demonstrated by a large case study validating its efficacy.
The paper shows through three examples that it is possible to have a coherent methodology, building on options theory to deal with uncertainty issues in information security at an organizational level.
To validate the efficacy of the methodology proposed in this paper, it was applied to the Spridnings‐och Hämtningssystem (SHS: dissemination and retrieval system) system. The paper introduces the methodology, presents its application to the SHS system in detail and compares it to the current practice.
This research is relevant to information security management in organizations, particularly issues on changing requirements and evaluation in uncertain circumstances created by progress in technology.
