The Management of Security: How Robust is the Justification Process?

Security management literature pays considerable attention to the process of justifying security-related decisions in the context of an organisation. This process, which is widely assumed as being subject to management considerations and obtained by means of managerial techniques, is frequently related to a financial comparison of a posteriori and a priori assessments of a given security initiative. The application of this paradigm might raise issues of knowledge, rationality and reliability, thus opening the door to weaknesses in matters of blame and liability. This paper identifies a number of these weaknesses, with a view to assisting security managers in strengthening their case and, hopefully, instigating more academic research.