Abstract

In this paper, a quantitative approach is proposed that addresses several decision-making challenges within an organization's IT security process. The approach serves as a framework that supports multiple applications for optimizing the security of IT systems in different environmental settings. Although this problem is critical for almost every organization, it still lacks a comprehensive and consistent quantitative treatment. The key question of the underlying decision problem is which safeguards to select in order to achieve sufficient security. The proposed framework answers this by establishing a generally applicable problem structure and by reusing existing knowledge in order to reduce the implementation costs of the approach. On this foundation, efficient mixed-integer linear programming (MILP) models are applied to support the establishment of an effective IT security strategy. Depending on the knowledge an organization is able to provide, the decisions take uncertainty and even dynamic aspects into account. As a result, the deployed safeguards are robust against uncertain security threats and remain stable over several planning periods even if the system or the threat environment changes. This results in higher security in the short term and lower costs in the mid and long term.
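To make the decision problem concrete, the following is an added illustration and not the paper's own model: a minimal robust safeguard-selection problem in the MILP shape the abstract describes (binary "deploy safeguard" variables, a linear cost objective, and a linear residual-risk constraint that must hold under every threat scenario). The safeguards, costs, risk reductions, scenarios and the acceptable residual-risk bound are all constructed for the example. Small instances are solved here by exact enumeration so that it runs without a solver; at realistic sizes the same constraints would be handed to a MILP solver.

```python
"""Illustrative robust safeguard selection (added example; constructed data).

Model (linear, MILP-shaped):
  minimise  sum_s cost_s * x_s                       x_s in {0, 1}
  s.t.      sum_t loss_{k,t} * (1 - sum_s r_{s,t} x_s) <= BOUND   for every scenario k
Threat likelihoods are uncertain, so the expected losses are given as a set of
scenarios and the residual-risk bound must hold in each of them (robust constraint).
"""
from itertools import combinations

# Hypothetical safeguards: annual cost and the fraction of expected loss each removes per threat.
# The per-threat reductions are chosen to sum to <= 1 so the model stays linear.
SAFEGUARDS = {
    "mfa":       {"cost": 30, "reduces": {"phishing": 0.5, "cred_stuffing": 0.9}},
    "edr":       {"cost": 50, "reduces": {"phishing": 0.2, "malware": 0.6}},
    "backup":    {"cost": 20, "reduces": {"ransomware": 0.6}},
    "patching":  {"cost": 25, "reduces": {"malware": 0.4, "ransomware": 0.3}},
    "awareness": {"cost": 10, "reduces": {"phishing": 0.3}},
}

# Constructed threat scenarios: expected loss (likelihood x impact) per threat.
# They differ only in which threat the organisation is unsure about.
SCENARIOS = {
    "baseline":        {"phishing": 100, "cred_stuffing": 40,  "malware": 60, "ransomware": 80},
    "ransomware_wave": {"phishing": 100, "cred_stuffing": 40,  "malware": 60, "ransomware": 200},
    "credential_leak": {"phishing": 120, "cred_stuffing": 150, "malware": 60, "ransomware": 80},
}

BOUND = 100  # assumed acceptable residual expected loss per scenario


def residual_risk(selected, scenario):
    """Expected loss remaining after the selected safeguards are deployed."""
    total = 0.0
    for threat, loss in scenario.items():
        reduction = sum(SAFEGUARDS[s]["reduces"].get(threat, 0.0) for s in selected)
        total += loss * (1.0 - min(reduction, 1.0))  # min() only guards against bad data
    return total


def select_safeguards(scenarios, bound=BOUND):
    """Cheapest safeguard set whose residual risk is <= bound in EVERY scenario.

    Exhaustive search over the 2^n subsets (exact for small n); returns
    (frozenset_of_safeguards, cost) or None if no subset satisfies the bound.
    """
    names = sorted(SAFEGUARDS)
    best = None
    for k in range(len(names) + 1):
        for subset in combinations(names, k):
            cost = sum(SAFEGUARDS[s]["cost"] for s in subset)
            if best is not None and cost >= best[1]:
                continue  # cannot improve on the incumbent
            if all(residual_risk(subset, sc) <= bound for sc in scenarios.values()):
                best = (frozenset(subset), cost)
    return best


if __name__ == "__main__":
    # Plan optimised only against the baseline scenario versus the robust plan.
    naive = select_safeguards({"baseline": SCENARIOS["baseline"]})
    robust = select_safeguards(SCENARIOS)
    print("baseline-only plan:", sorted(naive[0]), "cost", naive[1])
    for name, sc in SCENARIOS.items():
        print(f"  residual in {name}: {residual_risk(naive[0], sc):.0f}")
    print("robust plan:", sorted(robust[0]), "cost", robust[1])
    for name, sc in SCENARIOS.items():
        print(f"  residual in {name}: {residual_risk(robust[0], sc):.0f}")
```

With this data the plan optimised for the baseline scenario alone (MFA, backups, patching at cost 75) breaches the bound as soon as the ransomware scenario materialises, while the robust plan adds awareness training for 10 more and stays within the bound in all three scenarios. That price difference is the cost of the robustness the abstract refers to, and extending the scenario set over several planning periods is what keeps the chosen safeguards stable when the threat environment changes.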

  • Publication date: 2017-09