I. Introduction
Security decision-making often involves choosing amongst different alternatives to tackle a security problem. This is a complex activity encountered in the production and maintenance of any system comprising valuable assets. It appears at different stages of a system's life cycle, from early requirements analysis to system design, through implementation and maintenance. In all of these stages there may be different alternatives available, each with pros and cons from a security perspective. Although it has been accepted that we could never have a completely secure system [1], the security of a system can generally be improved, with quality improvement resulting from better decisions.