Our model showed the association between risk assessment related to security level and
investment cost. This model could be broken down into 16 mathematical formulas. These sixteen
formulas were grouped and obtained based on 7 steps, namely 1) system identification, 2)
threat and risk identification, 3) risk assessment, 4) business impact analysis, 5) risk
determination, 6) control recommendations, and 7) implementation and continuous
improvement. It was believed that the model in this research could be used by company
management as a policy in decision making when considering an investment in network
security, specifically when they shared the same judgment on financial and business aspects