Which approach treats remediation options as a structured, investment-like portfolio?

Prepare for the Network Security (NETSEC) 2 Exam. Utilize flashcards and multiple choice questions, complete with hints and detailed explanations. Excel in your security skills!

Multiple Choice

Which approach treats remediation options as a structured, investment-like portfolio?

Explanation:
Remediation options should be evaluated like an investment portfolio: each option comes with its own cost, the amount of security risk it reduces, how long it takes to implement, and its overall impact on the organization’s risk posture. Framing them this way lets you allocate resources to the options that offer the best balance of cost and risk reduction, while considering timing, dependencies, and risk tolerance. This structured, portfolio-like thinking provides a clear method to compare options, prioritize them, and fund them in a way that optimizes overall security outcomes under a fixed budget. Cost-center budgeting concentrates on tracking expenses by department and doesn’t optimize risk reduction across options. Ad-hoc selection lacks a formal framework, leading to scattered, reactive choices. Compliance scoring measures adherence to regulatory requirements, not the strategic allocation of remediation investments to maximize risk reduction.

