Organizations are becoming more aware about the importance of economic, financial and risk management aspects of information system security. As a result, the balance between preventive and corrective security strategies must be studied. We understand Preventive Security as the ability of organizations to avoid the impact of an incident and Corrective Security as the ability of the firm to recover from the losses generated by an incident. This paper presents a model to analyze the Preventive-Corrective security balance. The main objective of this model is to simulate and analyze the impact that two security behaviors (security investments and strategy) can have one a given enterprise environment. After running 54 simulations, some interesting security behaviors called our attention.