As the structure of modern organizations shifts, so correspondingly must the methodologies which underlie the evaluation and development of the security posture of their information systems. We have witnessed an ever-growing gap between organizational policy and technology. We have also witnessed an ever increasing complexity of decisions regarding the planning and design of IS security. Within this paper, we propose a decision support framework consistent with security and decision theory and develop a model of the decision analysis space suitable for multiple criteria decision making (MCDM). The adoption of MCDM techniques within the context of this model can show inherent trade-offs between alternatives in a security decision, encapsulate qualitative as well as quantitative elements within the analysis space, and facilitate group-decision making thereby dealing with conflicting perspectives of multiple stakeholders. The paper concludes with a demonstration of the proposed model through a case study conducted with a major financial services provider