An Information Security Model and its Validation

Organizations are increasingly dependent upon information systems to increase productivity, minimize cost, and maximize profit. This dependency results in exposure to new threats and vulnerabilities that dramatically increase operational risk. Executive management is ultimately responsible for insuring that this risk is properly managed to assure organizational health, profitability, and compliance with all laws and regulations. Challenges in discharging this responsibility include difficulty in understanding undesirable events on organizational objectives, lack of modeling controls across multiple interdependent domains, and the tendency to allocate resources for security with a tactical view, rather than a strategic view, of the organization. In this paper, a conceptual model and its validation are presented. The model is canonical, comprehensive, flexible, scalable, and provides a means to document, communicate, and track security related expenditures.