Using Real Option Thinking to Improve Decision Making in Security Investment

Virginia N. L. Franqueira¹, Siv Hilde Houmb², and Maya Daneva¹

¹ University of Twente, Enschede, The Netherlands
{franqueirav, m.daneva}@ewi.utwente.nl
² SecureNOK Ltd., Sandnes, Norway
sivhoumb@securenok.com

Abstract. Making well-founded security investment decisions is hard: several alternatives may need to be considered, the alternatives' space is often diffuse, and many decision parameters that are traded off are uncertain or incomplete. We cope with these challenges by proposing a method that supports decision makers in the process of making well-founded and balanced security investment decisions. The method has two fundamental ingredients, staging and learning, that fit into a continuous decision cycle. The method takes advantage of Real Options thinking, not only to select a decision option, but also to compound it with other options in following decision iterations, after reflection on the decision alternatives previously implemented. Additionally, our method is supported by the SecInvest tool for trade-off analysis that considers decision parameters, including cost, risks, context (such as time-to-market and B2B trust), and expected benefits when evaluating the various decision alternatives. The output of the tool, a fitness score for each decision alternative, makes it possible to compare the evaluations of the decision makers involved as well as to include learning and consequent adjustments of decision parameters. We demonstrate the method using an example with three decision alternatives.

Keywords: Security Decision Support, Security Economics, Extended Enterprise, Bayesian Belief Network (BBN), Real Option Analysis, Outsourcing

1 Introduction

The financial crisis has brought with it an even tighter budget frame and an increased need to make well-founded and balanced investment decisions.
However, this is an especially difficult task for security investments because security is not easy to understand and risks often refer to future and potential events, which may or may not happen, and for which little empirical historical data is available. Risk levels can in these cases be estimated as “guesstimates” only and are at

Supported by the research program Sentinels, http://www.sentinels.nl.
The original publication is available at www.springerlink.com