Strategic Planning for IS Security: Designing Objectives

Management of information systems (IS) security in organizations has been hampered by the apparent lack of inclusion of organizational security objectives in the traditional strategic planning process. In order to improve IS security strategic planning, we argue that there should be a renewed emphasis on security planning objectives. In this paper we present two sets of objectives – fundamental and means. We then define an evaluation mechanism for assessing the security posture of a firm. Based on case work in healthcare, we illustrate the usefulness of the security evaluation method for designing enterprise security.