The Center for Education and Research in Information Assurance and Security (CERIAS)

A policy framework for information security

Author

Jackie Rees, Shubho Bandyopadhyay, Eugene H. Spafford

Tech report number

CERIAS TR 2003-52

Entry type

article

Abstract

As organizations increasingly rely on information systems as the primary way to conduct operations, keeping such systems secure requires increasing emphasis. This paper provides information security professionals and top management a framework through which usable security strategy and policy for applications can be created and maintained in line with the standard information technology life cycle. This framework, the Policy Framework for Interpreting Risk in E-Business Security (PFIRES), was initially developed for e-commerce activities and has since been generalized to handle security policy for all types of organizations engaged in computing and Internet operations. This framework offers a possible starting point for understanding a security policy's impact on an organization, and is intended to guide organizations in developing, implementing, and maintaining security policy.

Date

2003 – 07

Journal

Communications of the ACM

Key alpha

Spafford

Number

7

Pages

101-106

Volume

46

Publication Date

2003-07-01
