Skip to main content

Research Repository

Advanced Search

A normative decision-making model for cyber security.

M'manga, Andrew; Faily, Shamal; McAlaney, John; Williams, Chris; Kadobayashi, Youki; Miyamoto, Daisuke


Andrew M'manga

John McAlaney

Chris Williams

Youki Kadobayashi

Daisuke Miyamoto


The purpose of this paper is to investigate security decision-making during risk and uncertain conditions, and to propose a normative model capable of tracing the decision rationale. The proposed risk rationalisation model is grounded in literature and studies on security analysts' activities. The model design was inspired by established awareness models, including the situation awareness and observe–orient–decide–act (OODA). Model validation was conducted using cognitive walkthroughs with security analysts. The results indicate that the model may adequately be used to elicit the rationale or provide traceability for security decision-making. The results also illustrate how the model may be applied to facilitate design for security decision makers. The proof of concept is based on a hypothetical risk scenario. Further studies could investigate the model's application in actual scenarios. The paper proposes a novel approach to tracing the rationale behind security decision-making during risk and uncertain conditions. The research also illustrates techniques for adapting decision-making models to inform system design.


M'MANGA, A., FAILY, S., MCALANEY, J., WILLIAMS, C., KADOBAYASHI, Y. and MIYAMOTO, D. 2019. A normative decision-making model for cyber security. Information and computer security [online], 27(5), pages 636-646. Available from:

Journal Article Type Article
Acceptance Date Mar 21, 2019
Online Publication Date Jun 17, 2019
Publication Date Oct 23, 2019
Deposit Date Sep 16, 2021
Publicly Available Date Nov 23, 2021
Journal Information and computer security
Print ISSN 2056-4961
Publisher Emerald
Peer Reviewed Peer Reviewed
Volume 27
Issue 5
Pages 636-646
Keywords Uncertainty; Decision-making; Risk analysis; Perception; Security; Awareness; Rationalisation; Normative
Public URL


You might also like

Downloadable Citations