308 Int. J. Information and Computer Security, Vol. 2, No. 3, 2008
Copyright © 2008 Inderscience Enterprises Ltd.
A Layered Decision Model for cost-effective system security
Huaqiang Wei*, Jim Alves-Foss and Terrence Soule
Department of Computer Science,
University of Idaho,
Moscow, ID 83844-1010, USA
Fax: 1-208-885-9052 E-mail: hwei@vandals.uidaho.edu
E-mail: jimaf@cs.uidaho.edu
E-mail: tsoule@cs.uidaho.edu
*Corresponding author
Hugh Pforsich
Department of Accountancy,
California State University, Sacramento,
6000 J Street, Sacramento, CA 95819, USA
Fax: 1-916-278-6489 E-mail: pforsich@csus.edu
Du Zhang
Department of Computer Science,
California State University, Sacramento,
6000 J Street, Sacramento, CA 95819, USA
Fax: 1-916-278-6774 E-mail: zhangd@ecs.csus.edu
Deborah Frincke
National Security Directorate,
Pacific Northwest National Laboratory,
Richland, WA, 99352, USA
Fax: 1-509-375-2668 E-mail: Deborah.frincke@pnl.gov
Abstract: System security involves decisions in at least three areas:
identification of well-defined security policies, selection of cost-effective
defence strategies, and implementation of real-time defence tactics. Although
choices made in each of these areas affect the others, existing decision models
typically handle these three decision areas in isolation. There is no
comprehensive tool that can integrate them to provide a single efficient model
for safeguarding a network. In addition, there is no clear way to determine
which particular combinations of defence decisions result in cost-effective
solutions. To address these problems, this paper introduces a Layered Decision
Model (LDM) for making defence decisions based on their cost-effectiveness.
To validate the LDM and illustrate how it is used, we used simulation to test
the model's rationality and applied the LDM to the design of system security
for an e-commerce business case.