Learning how to model security problems and evaluate operational information security and its financial implications can be a challenging task. The challenge stems from the complexity of information security, which remains a problematic issue in today’s computing. To tackle this issue, we offer security professionals and academic researchers a new tool, called the ISMM model, the result of a structured research methodology that uses both quantitative and qualitative research approaches to validate the proposed work. The ISMM model is not based on a specific technology or product, nor on a particular business process; rather, it is an engineering approach towards controlled and efficient implementation of these elements. The model has the following characteristics: 1) it bounds the security problem and defines its conceptual perimeters, 2) it has a layered architecture, 3) it is integrative in terms of security layers, controls and processes, and yet...