The traditional notion of information security, rooted in a solidly technical foundation, has within the past decade seen wide criticism within academia - much of which has originated from the social sciences community - as being narrow and technology-centric instead of holistic and organizational in its focus. As information security awareness encompasses an ever-greater scope of organizational dynamics, it becomes necessary for us to develop design methodologies and ultimately, systems, capable of dealing practically with the complex and multifaceted nature of the decision-making of information systems security which is entailed by the emerging notions of a new paradigm for security. To this end, we present an architecture which implements a web-based multi-user decision support system (DSS) driven by an operational security model within a qualitative multi-criteria framework that utilizes AHP as its inference engine. The system is then demonstrated in action, by addressing a multi-criteria security control selection decision.