Deploying an appropriate collection of information security countermeasures in an organization should result in high-level blocking power against existing threats. In this chapter, a new knapsack-based approach is proposed for finding out which subset of countermeasures is the best at preventing probable security attacks. In this regard, an effectiveness score is defined for each countermeasure based on its mitigation level against all threats. Organizations are always looking for more effective low-cost solutions, so another consideration is that ...