Analysing potential risk and the allocation of resources for computer network security and
business continuity require strategic, long-term planning. Most companies tend to be reactive and
respond with quick infrastructure solutions. The purpose of risk analysis should be to assist managers
in making informed decisions about investment and developing risk management policies. High
countermeasure expenditure on every aspect of an information system is out of the question in a
commercial organisation. Therefore, this expenditure must be directed to reduce corporate exposure to
information system risks in the context of overall business risks. The aim of this paper is to report on
the ongoing research to justify funding for network security expenditure through risk assessment
practice.