5 Decision‑Making Models Every Security Leader Should Know

Making tough calls is part of the day‑to‑day for cyber and physical security leaders. Whether you’re facing a potential data breach or managing a critical physical threat, understanding decision‑making models isn't just smart, it’s essential. Here’s a casual yet insightful look at five science‑backed models that can help you make better decisions when stakes are high.

1. Prospect Theory

The science: Prospect Theory, born from behavioral economics, reveals how people weigh risks and rewards in ways that depart from classical logic. Individuals tend to avoid risk when they face a gain but chase risk when trying to dodge a loss; the difference comes from how they frame outcomes.

In security: Consider investing in cyber defenses vs. buying insurance. Using Expected Utility Theory (a traditional model) might push you toward an even split. But many lean toward one option because a security incident feels like a potential loss, so they become more risk‑seeking.

Practical use: Frame decisions with your team in both "what we gain if we win" and "what we lose if we fail" terms. If you highlight possible losses (like reputational damage), you're more likely to push people toward stronger security behaviors.

2. Normative/Situation‑Aware Model (OODA‑Inspired)

The science: Normative decision models focus on how rational decision‑makers ideally should process information. One example blends concepts like Situation Awareness and the OODA loop (Observe‑Orient‑Decide‑Act) to guide security analysts through uncertainty.

In security: Imagine tracking a suspicious intrusion. You Observe logs, Orient through risk context, Decide which action mitigates the threat best, and Act, while keeping track of how and why you made each decision.

Practical use: Use this model to document your thought process during incidents. It helps with post-event reviews and makes decision rationale available for training and improvement.

3. Multicriteria Decision‑Making (MCDM)

The science: MCDM models let you evaluate complex scenarios involving multiple trade‑offs (like cost, speed, and impact). A 2024 review found that Analytic Hierarchy Process (AHP), often enhanced by fuzzy logic, is commonly used in public security.

In security: When rolling out a critical update, you balance patch time, system downtime, and training needs. An MCDM framework helps you rate each factor, weigh them, and make an informed decision.

Practical use: Set up a simple AHP-based tool. For each factor (say impact, cost, speed), rate options from 1 to 5 and weigh each criterion. Use a spreadsheet to calculate which option scores best overall.
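The spreadsheet calculation described above, written out as an added Python example (not from the original article). It goes one step beyond the text by deriving the criterion weights from AHP pairwise comparisons and rejecting contradictory judgments with Saaty's consistency ratio; the pairwise judgments, option names, and 1-5 ratings are constructed for illustration.

```python
from math import prod

# Saaty's random consistency index, keyed by number of criteria (up to five).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}

def ahp_weights(pairwise):
    """Return (weights, consistency_ratio) for a reciprocal comparison matrix."""
    n = len(pairwise)
    # Row geometric means approximate the principal eigenvector.
    geo = [prod(row) ** (1.0 / n) for row in pairwise]
    weights = [g / sum(geo) for g in geo]
    # lambda_max is estimated as the mean of (A.w)_i / w_i.
    aw = [sum(a * w for a, w in zip(row, weights)) for row in pairwise]
    lambda_max = sum(x / w for x, w in zip(aw, weights)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    return weights, (ci / ri if ri else 0.0)

def rank_options(pairwise, ratings, max_cr=0.10):
    """Score each option's 1-5 ratings with AHP weights; best option first."""
    weights, cr = ahp_weights(pairwise)
    if cr > max_cr:
        # Contradictory judgments (A > B > C > A) make the weights meaningless.
        raise ValueError(f"inconsistent judgments, CR={cr:.2f}")
    scores = {name: sum(w * r for w, r in zip(weights, row))
              for name, row in ratings.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

# Constructed judgments, criteria order: impact, cost, speed.
# PAIRWISE[i][j] = how much more criterion i matters than j (Saaty 1-9 scale).
PAIRWISE = [
    [1.0, 3.0, 5.0],
    [1 / 3, 1.0, 2.0],
    [1 / 5, 1 / 2, 1.0],
]
# Constructed 1-5 ratings (5 = best) for three hypothetical rollout options.
RATINGS = {
    "emergency patch now": [5, 2, 5],
    "staged rollout": [4, 3, 3],
    "next maintenance window": [3, 4, 2],
}

if __name__ == "__main__":
    weights, cr = ahp_weights(PAIRWISE)
    print("weights:", [round(w, 3) for w in weights], "CR:", round(cr, 3))
    for name, score in rank_options(PAIRWISE, RATINGS):
        print(f"{score:.2f}  {name}")
```

A consistency ratio above 0.10 means the pairwise judgments contradict each other and should be revisited with the team before the ranking is trusted.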

4. Recognition‑Primed Decision Model (RPD)

The science: RPD explains how experts make fast, effective choices. Instead of weighing every option, they recognize familiar patterns and simulate what might happen next.

In security: A seasoned SOC analyst spots log activity that "feels like" a past breach pattern. Without analyzing every detail, they immediately know a likely scenario and respond.

Practical use: Develop recognition through case debriefs and scenario-based team sessions. Talk through past incidents: what were the initial cues? How did people react? Notice when intuition worked well, and when it didn’t.

5. Rational Choice Theory (Game‑Theoretic)

The science: Rational Choice Theory assumes decision‑makers list all possible options, compare outcomes, assign utilities, and pick the highest‑value one.

In security: For national or organizational security, leaders might calculate each action's payoffs: enhancing perimeter defenses, shifting monitoring to cloud, or collaborating with law enforcement. You compare costs, effectiveness, and likelihoods to pick what's best.

Practical use: Run a “premortem” session: assume a decision failed and ask why. Then assign rough probabilities and costs to each failure point. If one option still offers the highest "expected utility," you're on firmer ground.

How to Pick the Right Model

  • Urgent, high‑pressure scenario --> Recognition‑Primed Decision (RPD)

  • Routine evaluation of multiple factors --> Multicriteria Decision‑Making (MCDM)

  • Structured strategic decision --> Rational Choice / Expected Utility

  • Incident documentation & review --> Normative/OODA‑based model

  • Influencing team behavior --> Prospect Theory (framing)

Blending Models

These models aren’t rivals; they complement each other. Here’s how to blend them:

  1. Train your team with RPD using real-world scenarios.

  2. In playbooks and decision logs, use the OODA/Situation‑Aware model to capture context.

  3. For strategic decisions, run a quick AHP exercise, then cross‑check outcomes using Rational Choice estimates.

  4. When communicating risks, use Prospect Theory-inspired framing to manage perceptions and guide behavior.

Why It Matters

  • Enhances situational awareness under pressure

  • Helps structure big, complex decisions

  • Improves training and onboarding through shared mental models

  • Strengthens after-action reviews by rooting them in documented thinking

  • Adjusts risk communication to align with how humans actually perceive risk

These models aren’t theoretical; they’re battle‑tested tools. When combined mindfully, they give you a decision‑making toolkit that’s robust, flexible, and ready for whatever comes your way.

References

Abisoye, A., & Akerele, J. I. (2021). A high‑impact data‑driven decision‑making model for integrating cutting‑edge cybersecurity strategies into public policy, governance, and organizational frameworks. International Journal of Multidisciplinary Research and Growth Evaluation, 2(1), 623–637.

Costa, J., & Silva, M. (2024). Multicriteria decision‑making in public security: A systematic review. Mathematics, 12(11), 1754.

Dailey, S. F., Campbell, L. N. P., & Ramsdell, J. (2024). Law enforcement officer naturalistic decision‑making in high‑stress conditions. Policing, Advance online publication.

Gomez, A. M., Faily, S., McAlaney, J., Kadobayashi, Y., & Miyamoto, D. (2026). A normative decision‑making model for cyber security. Information and Computer Security Journal.

Klein, G., & Crandall, B. (1996). Recognition‑primed decision strategies. U.S. Army Research Institute Research Note, 96‑36. U.S. Army Research Institute for the Behavioral and Social Sciences.

Mintz, A., & Redd, S. B. (2013). Policy perspectives on national security and foreign policy decision making. Policy Studies Journal, 41(S1), S1–S27.

Francisco Javier Milian, CPP®

Founder of The Educated Risk Company
