Towards a standard approach for quantifying an ICT security investment

The rise of the potential risks from different attacks on ICT systems means the investment in security technology is growing and is becoming a serious economic issue for many organizations. The assessment of the appropriate investment that is economically affordable and provides enough protection for the enterprise information system is an issue that is analysed here. The paper discusses the identification of the assets, the threats, the vulnerabilities of the ICT systems and provides an approach for the quantification of the necessary investment. The paper concludes with a recommendation for a standard approach to security-information investment assessment.