With the increase in the number and diversity of attacks, a main concern for organizations is to keep their network and systems secure. Existing frameworks to manage Information Technology (IT) security include empirical evaluations, security risk assessments, cost-benefit analyses, and adversary-based evaluations. These techniques are often not easy to apply and their results are usually difficult to convey. This dissertation presents a model to help reasoning about security and to support communication between IT security experts and managers. The model identifies major components of security: threat, user, organization, asset, and emphasizes the human element. Characteristics for each component are determined and cover the attacker's motivations, the user's risk perception, the IT security team expertise, and the depth of protection of the asset. These characteristics are linked through causal influences that can represent positive or negative relationships and be leveraged to rank alternatives through a set of weights. The described formalism allows IT security officers to brainstorm about IT security issues, to evaluate the impacts of alternative solutions on characteristics of security, and ultimately on the level of security, and to communicate their findings to managers.

The contributions of this dissertation are three-fold. First, we introduce an approach to develop and validate a model for IT security decision making, given known issues related to this task: difficulties in sharing security data, lack of accepted security metrics, limitation in available information and use of experts. We propose a development and validation process that relies on two sources of information: experts and data. Second, we provide the results of the model development for academic environments. The resulting model is based on extended discussions with the Director of Security at the University of Maryland (UMD), two interviewed experts, fifteen surveyed experts, and empirical data collected at UMD. Finally, we demonstrate the use of the model to justify IT security decisions and present methodological steps towards measuring various characteristics of the model.