Much is said on the importance of investing in information security (Potter 2004; Ernst & Young 2003), but little is known on the extent and effectiveness of such sucurity programmes. A model that analyses the mechanics of an information security programme is presented and will serve as the founding work of future research in this area. The model attempts to put an upper-bound on the amount that should be sprent on an information security programme and estimates the amount an attacker is likely to spend to break into a system depending on the information assets at stake of the organisation in question.

This document is in PDF format. To view it click here.