Document Type

Conference Proceeding

Publication Date



As the structure of modern organizations shifts, so correspondingly must the methodologies which underlie the evaluation and development of the security posture of their information systems. We have witnessed an ever-growing gap between organizational policy and technology. We have also witnessed an ever increasing complexity of decisions regarding the planning and design of IS security. Within this paper, we propose a decision support framework consistent with security and decision theory and develop a model of the decision analysis space suitable for multiple criteria decision making (MCDM). The adoption of MCDM techniques within the context of this model can show inherent trade-offs between alternatives in a security decision, encapsulate qualitative as well as quantitative elements within the analysis space, and facilitate group-decision making thereby dealing with conflicting perspectives of multiple stakeholders. The paper concludes with a demonstration of the proposed model through a case study conducted with a major financial services provider.