Information security operations - necessary to protect the confidentiality, integrity, and availability of an organization's information systems against attacks - represent substantial investments in technologies, tools, and human resources. Typically, the relationship between the supplier of an information system and its users is regulated by a Service Level Agreement, and the supplier must determine the appropriate level of investment in operational resources in order to meet its contractual obligations whilst maintaining its economic viability. We contend that investment decisions should be based on analytic models of the behaviour of information systems in the context of the environmental threats they face. We describe a mathematical framework, together with a modelling philosophy, for capturing the structural and dynamical properties of systems and their associated security operations. We describe how a modelling tool (Demos2k) can be used to capture much of our conceptual framework, giving a detailed, experimental example. We show that our models are able to predict the economic consequences of investment decisions for security operations. 23 Pages