Aligning information security investments with a firm's risk tolerance

Technology continually places greater demands on a firm to maintain, process, and communicate information. The security of this information, with respect to confidentiality, integrity, and availability, is important to the firm. More often than not, the department charged with securing the information has different strategic goals than the firm as a whole. Because the success of information security investments is measured differently from the way the rest of the firm's investments are measured, it is difficult for a firm to decide how much to invest in information security. This paper proposes a way to measure the potential of an information security investment by calculating how the investment affects the firm's level of risk averseness. This gives management a better idea of how information security investments will affect the bottom line by trying to determine the ROI of such an investment. This paper concludes with a discussion of the limitations of this risk tolerance model.