Abstract
Information security policies are built as behavior standards of the information security in the enterprise activities, and the movement of constructing an information security management system (ISMS) begins to appear. But, activities of ISMS don't reach the enough level to be satisfied. This paper proposes a method that extracts ISMS activities from information security policy(ISP), calculates prevention costs using the activity-based costing (ABC), and evaluates information security activities. Furthermore, this paper examines the enterprise environment which makes easy to enforce ISP feasible.
