As discussed in the problem analysis of this thesis, the decision-making process in information security still faces many challenges, including (1) risk assessment, (2) analysis of security controls, and (3) selection of security controls that mitigate risks in a cost-effective manner. For that reason, the goal of this thesis is to develop a decision-making method that supports the selection of security controls, so that security consultants and organizations can more easily make sufficient security investments and strengthen their security baseline. To achieve the overall research aim, this thesis contributes four main artifacts grounded in its set of success criteria: (1) a checklist for security consultants, (2) tool support, (3) the process of the decision-making method, and (4) an approach to cost-effectiveness modeling. These success criteria help us design the artifacts and, at a later stage, evaluate both the results and the success of the research. Case study and action research, which together provide a sufficient degree of generality, precision and realism, were chosen as the research methods. The results of the case-study evaluation include a list of suggested security controls with their estimated costs, expected effects and benefits, together with cost-effectiveness models showing the correlation between the risk picture and the total cost of implementation.
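To make the cost-effectiveness idea concrete, the following is an added illustration, not the thesis's own method or tool: it enumerates portfolios of candidate controls, computes each portfolio's total implementation cost and the residual annual loss expectancy it leaves across a set of risks, and reports the non-dominated (Pareto) portfolios and the cheapest overall choice under a budget. The risks, controls, probabilities, impacts, costs, effect fractions and the multiplicative combination of control effects are all constructed assumptions for the example.

```python
"""Budget-constrained selection of security controls by cost-effectiveness.

Added illustration with constructed data; not the method or numbers of the thesis.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, FrozenSet, List, Sequence


@dataclass
class Risk:
    name: str
    probability: float  # annual likelihood of occurrence (0..1), constructed
    impact: float       # loss in currency units if it occurs, constructed

    def ale(self) -> float:
        """Annual loss expectancy: probability times impact."""
        return self.probability * self.impact


@dataclass
class Control:
    name: str
    cost: float  # total implementation cost over the planning horizon, constructed
    # fraction of each named risk's expected loss removed by this control (0..1), constructed
    effect: Dict[str, float] = field(default_factory=dict)


# Constructed risk picture: baseline ALE is 30,000 + 40,000 + 10,000 = 80,000.
RISKS = [
    Risk("phishing", 0.6, 50_000),
    Risk("ransomware", 0.2, 200_000),
    Risk("data_leak", 0.1, 100_000),
]

# Constructed control catalogue with assumed costs and effects.
CONTROLS = [
    Control("awareness_training", 5_000, {"phishing": 0.5, "ransomware": 0.2}),
    Control("mfa", 8_000, {"phishing": 0.7, "data_leak": 0.3}),
    Control("edr", 20_000, {"ransomware": 0.6}),
    Control("backup", 12_000, {"ransomware": 0.5}),
]


@dataclass(frozen=True)
class Portfolio:
    controls: FrozenSet[str]
    cost: float      # total implementation cost of the selected controls
    residual: float  # expected annual loss remaining after applying them


def residual_ale(risks: Sequence[Risk], selected: Sequence[Control]) -> float:
    """Expected annual loss left after the selected controls are applied.

    Effects of several controls on one risk are combined multiplicatively,
    an assumption that treats their failures as independent.
    """
    total = 0.0
    for risk in risks:
        remaining = risk.ale()
        for control in selected:
            remaining *= 1.0 - control.effect.get(risk.name, 0.0)
        total += remaining
    return total


def total_cost(selected: Sequence[Control]) -> float:
    return sum(c.cost for c in selected)


def enumerate_portfolios(risks: Sequence[Risk], controls: Sequence[Control]) -> List[Portfolio]:
    """Every subset of the catalogue with its cost and residual risk (exhaustive; fine for small catalogues)."""
    out = []
    for k in range(len(controls) + 1):
        for subset in combinations(controls, k):
            out.append(Portfolio(frozenset(c.name for c in subset),
                                 total_cost(subset), residual_ale(risks, subset)))
    return out


def pareto_frontier(portfolios: Sequence[Portfolio]) -> List[Portfolio]:
    """Portfolios not dominated by another that is at least as cheap and at least as effective, and strictly better on one."""
    def dominated(p: Portfolio) -> bool:
        return any(q.cost <= p.cost and q.residual <= p.residual
                   and (q.cost < p.cost or q.residual < p.residual) for q in portfolios)
    return [p for p in portfolios if not dominated(p)]


def best_within_budget(risks: Sequence[Risk], controls: Sequence[Control], budget: float) -> Portfolio:
    """Affordable portfolio minimising implementation cost plus residual expected loss."""
    affordable = [p for p in enumerate_portfolios(risks, controls) if p.cost <= budget]
    return min(affordable, key=lambda p: p.cost + p.residual)


if __name__ == "__main__":
    frontier = sorted(pareto_frontier(enumerate_portfolios(RISKS, CONTROLS)), key=lambda p: p.cost)
    for p in frontier:  # the cost/risk trade-off curve a decision maker would look at
        print(f"cost {p.cost:>8,.0f}  residual ALE {p.residual:>9,.0f}  {sorted(p.controls)}")
    best = best_within_budget(RISKS, CONTROLS, budget=25_000)
    print("best within budget:", sorted(best.controls))
```

The frontier is the cost-effectiveness curve: each point is a portfolio no other portfolio beats on both cost and residual risk, so a decision maker only has to choose among those. Minimising cost plus residual loss is one simple scoring rule; a real assessment would also weigh benefits the ALE figure does not capture.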