A framework for handling uncertainty within information security management systems is presented. The framework is based on theories from corporate finance. A case study shows how the framework can be applied.
The paper addresses three main problems resulting from uncertainty in information security management: i) the dynamically changing security requirements of an organization, ii) externalities caused by a security system, and iii) obsolete evaluation of security concerns. A framework based on options reasoning borrowed from corporate finance is proposed and adapted to the evaluation of security architecture and to decision-making for handling these issues at the organizational level. The adaptation as a methodology is demonstrated by a large case study validating its efficacy.