TY  - JOUR
AB  - Purpose The purpose of this paper is to investigate security decision-making during risk and uncertain conditions and to propose a normative model capable of tracing the decision rationale.Design/methodology/approach The proposed risk rationalisation model is grounded in literature and studies on security analysts’ activities. The model design was inspired by established awareness models including the situation awareness and observe–orient–decide–act (OODA). Model validation was conducted using cognitive walkthroughs with security analysts.Findings The results indicate that the model may adequately be used to elicit the rationale or provide traceability for security decision-making. The results also illustrate how the model may be applied to facilitate design for security decision makers.Research limitations/implications The proof of concept is based on a hypothetical risk scenario. Further studies could investigate the model’s application in actual scenarios.Originality/value The paper proposes a novel approach to tracing the rationale behind security decision-making during risk and uncertain conditions. The research also illustrates techniques for adapting decision-making models to inform system design.
VL  - 27
IS  - 5
SN  - 2056-4961
DO  - 10.1108/ICS-01-2019-0021
UR  - https://doi.org/10.1108/ICS-01-2019-0021
AU  - M’manga Andrew
AU  - Faily Shamal
AU  - McAlaney John
AU  - Williams Chris
AU  - Kadobayashi Youki
AU  - Miyamoto Daisuke
PY  - 2019
Y1  - 2019/01/01
TI  - A normative decision-making model for cyber security
T2  - Information & Computer Security
PB  - Emerald Publishing Limited
SP  - 636
EP  - 646
Y2  - 2024/04/26
ER  -