Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

An Analytical Approach to Cost-Effective, Risk-Based Budgeting for Federal Information System Security



Barbara C. Lippiatt, S Fuller


The purpose of this report is to identify and illustrate an approach to simplify and strengthen capital planning for information system security in compliance with federal policy and guidance. The report provides the theoretical underpinnings of a methodology that will enable budgeting officials, system owners, and managers to select cost-effective strategies for optimizing the level of information system security to be achieved, given the level of vulnerability faced by the organization. The method of evaluation used is the Analytic Hierarchy Process (AHP), a multi-attribute decision approach. It integrates quantitative and qualitative information in a hierarchical structure in such a way that decision-makers can logically and consistently evaluate all the alternatives in a complex decision problem. An illustrative case study applies the AHP to the selection of a cost-effective security investment, given the likelihood and magnitude of threats to the information system. Expert judgments of risks, overall agency goals, and existing system weaknesses are merged with investment costs to illustrate the AHP process for calculating a measure of merit for evaluating investment alternatives.
NIST Interagency/Internal Report (NISTIR) - 7385
Report Number


analytic hierarchy process, computer systems, cost-effective investments, economic analysis, information system security, IT investment budgets, multi-attribute decision tool


Lippiatt, B. and Fuller, S. (2017), An Analytical Approach to Cost-Effective, Risk-Based Budgeting for Federal Information System Security, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD (Accessed July 18, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created February 19, 2017