As the structure of modern organizations shifts, so correspondingly must the methodologies which underlie the evaluation and development of the security posture of their information systems. We have witnessed an ever-growing gap between organizational policy and technology. We have also witnessed an ever increasing complexity of decisions regarding the planning and design of IS security. Within this paper, we propose a decision support framework consistent with security and decision theory and develop a model of the decision analysis space suitable for multiple criteria decision making (MCDM). The adoption of MCDM techniques within the context of this model can show inherent trade-offs between alternatives in a security decision, encapsulate qualitative as well as quantitative elements within the analysis space, and facilitate group-decision making thereby dealing with conflicting perspectives of multiple stakeholders. The paper concludes with a demonstration of the proposed model through a case study conducted with a major financial services provider.
El-Gayar, Omar and Fritz, Brian, "A Framework for Decision Support in Information Systems Security" (2004). AMCIS 2004 Proceedings. 178. http://aisel.aisnet.org/amcis2004/178