In this paper, we adopt an organizational perspective to the management of information security and analyze in a multi-period context how an organization should allocate its internal cash flows and available external funds to revenuegenerating (productive) and security assuring (protective)...