Security countermeasures help preserve the information security goals of confidentiality, integrity and availability (CIA) by mitigating the risks associated with security events. Because the impact of such events is often hard to measure quantitatively, it is also hard to decide which countermeasures to deploy. In this paper we present a quantitative risk-analysis model in which an optimisation routine helps a human decision maker find the preferred trade-off between investment cost and residual risk. The offline optimisation routine uses a genetic algorithm to search for the best combination of countermeasures while taking multiple risk factors into account. We evaluate the method on real-world data taken from the PTA (Practical Threat Analysis) case study and show that it can deliver solutions for real-world problem data sets. The results show that the multi-objective genetic algorithm (MOGA) approach provides high-quality solutions, giving the decision maker better information on which to base the choice.
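The offline MOGA search that the abstract describes, as an added illustration that is not the paper's own code and does not use its PTA case-study data: a constructed instance with four threats and six countermeasures, a Fonseca-Fleming style rank (1 plus the number of individuals that dominate a solution), tournament selection, one-point crossover, bit-flip mutation and an elitist archive that keeps every non-dominated countermeasure combination found. The residual-risk model (annual loss expectancy per threat, with the mitigation fractions of selected controls multiplying), the cost and mitigation figures, and all function names are assumptions made for this example; the exhaustive front is computed only to check the GA on this small instance.

```python
import random
from itertools import product

# Constructed example data: not the paper's PTA case-study figures.
# Threat -> (single loss expectancy in currency units, annual rate of occurrence).
THREATS = {
    "sql_injection": (50_000, 1.0),
    "phishing":      (15_000, 2.0),
    "ransomware":    (80_000, 1.0),
    "insider_abuse": (20_000, 1.0),
}
# (name, yearly cost, {threat: fraction of that threat's loss removed}).
COUNTERMEASURES = [
    ("waf",            12_000, {"sql_injection": 0.7}),
    ("code_review",    20_000, {"sql_injection": 0.5, "insider_abuse": 0.2}),
    ("mfa",             8_000, {"phishing": 0.6, "insider_abuse": 0.3}),
    ("awareness",       5_000, {"phishing": 0.4, "ransomware": 0.2}),
    ("offline_backup", 15_000, {"ransomware": 0.7}),
    ("edr",            25_000, {"ransomware": 0.5, "insider_abuse": 0.4, "phishing": 0.2}),
]


def evaluate(genome):
    """Objectives for a 0/1 selection vector: (investment cost, residual annual risk).
    Assumed risk model: the mitigations of independently acting controls multiply."""
    chosen = [cm for bit, cm in zip(genome, COUNTERMEASURES) if bit]
    cost = sum(c for _, c, _ in chosen)
    residual = 0.0
    for threat, (sle, aro) in THREATS.items():
        surviving = 1.0
        for _, _, mitigation in chosen:
            surviving *= 1.0 - mitigation.get(threat, 0.0)
        residual += sle * aro * surviving
    return cost, residual


def dominates(a, b):
    """a Pareto-dominates b: no worse in both objectives and strictly better in one."""
    return a[0] <= b[0] and a[1] <= b[1] and a != b


def moga_rank(objectives):
    """Fonseca/Fleming MOGA rank: 1 + number of individuals dominating this one."""
    return [1 + sum(dominates(o, p) for o in objectives) for p in objectives]


def moga(pop_size=40, generations=40, seed=1):
    """Elitist multi-objective GA; returns the Pareto front as (cost, risk, names)."""
    rng = random.Random(seed)
    n = len(COUNTERMEASURES)
    p_mut = 1.0 / n
    pop = [[rng.randrange(2) for _ in range(n)] for _ in range(pop_size)]
    archive = {}  # genome tuple -> objectives; non-dominated solutions seen so far
    for _ in range(generations + 1):  # +1 so the last offspring are evaluated too
        objs = [evaluate(g) for g in pop]
        ranks = moga_rank(objs)
        for g, o, r in zip(pop, objs, ranks):
            if r == 1:
                archive[tuple(g)] = o
        archive = {g: o for g, o in archive.items()
                   if not any(dominates(p, o) for p in archive.values())}

        def tournament():
            i, j = rng.randrange(pop_size), rng.randrange(pop_size)
            return pop[i] if ranks[i] <= ranks[j] else pop[j]

        children = [list(g) for g in archive]  # elitism: the front survives unchanged
        while len(children) < pop_size:
            a, b = tournament(), tournament()
            cut = rng.randrange(1, n)                                # one-point crossover
            child = a[:cut] + b[cut:]
            child = [bit ^ (rng.random() < p_mut) for bit in child]  # bit-flip mutation
            children.append(child)
        pop = children[:pop_size]
    return sorted((o[0], o[1], [name for bit, (name, _, _) in zip(g, COUNTERMEASURES) if bit])
                  for g, o in archive.items())


def exhaustive_front():
    """Ground truth for this small instance (2**6 combinations); infeasible at scale."""
    scored = [evaluate(g) for g in product((0, 1), repeat=len(COUNTERMEASURES))]
    return sorted({o for o in scored if not any(dominates(p, o) for p in scored)})


if __name__ == "__main__":
    for cost, risk, names in moga():
        print(f"cost {cost:>7}  residual risk {risk:>10.0f}  {names}")
```

The output is the cost/residual-risk front rather than a single answer: the decision maker picks the point on it that matches the budget, which is the trade-off the abstract leaves to the human. Real PTA data has many more countermeasures than six, which is where the exhaustive check stops being an option and the GA search is the point.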