Incident-Centered Information Security: Managing a Strategic Balance between Prevention and Response