  • Towards the Optimal Securit...
    Ackermann, Tobias; Widjaja, Thomas; Buxmann, Peter

    2013 46th Hawaii International Conference on System Sciences, 2013-Jan.
    Conference Proceeding

    The increasing frequency and total cost of security incidents require organizations to apply proper IS risk management in order to assess the economically reasonable usage of security measures. In this paper, we contribute a model that supports risk-related investment decisions in service-based information systems. The model supports decision makers in analyzing the cost-benefit trade-off related to security measures by solving the key problem of efficiently calculating the probability density function of the potential losses for a given information system. Based on the proposed model, it is possible to derive individual metrics, such as the Value-at-Risk, that can be used to choose the optimal security level, i.e., the most economically reasonable combination of security measures. Furthermore, we demonstrate the model's application in the context of an existing real-life e-commerce system by evaluating and comparing two alternative security investments for this business process.