Enterprise information security strategies

Security decisions are made at every level of an organization and from diverse perspectives. At the tactical and operational levels of an organization, decision making focuses on the optimization of security resources, that is, an integrated combination of plans, personnel, procedures, guidelines and technology that minimize damages and losses. While these actions and tactics reduce the frequency and/or consequences of security breaches, they are bounded by the organization's global security budget. At the strategic, enterprise level management must answer the question, "What is the security budget (cost expenditures), where each dollar spent on security must be weighed against alternative non-security expenditures, that is justified by the foregone (prevented) losses and damages?" The answer to that question depends on the tolerances of decision makers for risk and the information employed to reach it. (c) 2008 Elsevier Ltd. All rights reserved.