The protection of assets, including IT resources, intellectual property and business processes, against security attacks has become a challenging task for organizations. From an economic perspective, firms need to minimize the probability of a successful security incident or attack while staying within the boundaries of their information security budget in order to optimize their investment strategy. In this paper, an optimization model to support information security investment decision-making in organizations is proposed considering the two convicting objectives (simultaneously minimizing the costs of countermeasures while maximizing the security level). Decision models that support the firms’ decisions considering the trade-off between the security level and the investment allocation are beneficial for organizations to facilitate and justify security investment choices.