Choosing an optimal investment in information security is a problem most companies face today. Which security controls should be adopted to best protect a company's information infrastructure? Selecting a subset of security controls from the many available can be seen as a resource allocation problem. The choice should be guided by the importance of the assets to be protected, their vulnerabilities, and the existing threats that might exploit those vulnerabilities. Moreover, conflicting objectives and constraints need to be considered. In particular, the security of the system should be improved by minimising all existing cyber risks to the most important assets while simultaneously minimising the cost of that protection. There may also be constraints to consider, such as a limited budget or other limited resources, e.g. human resources. In this work, the security controls subset selection problem is formulated as a portfolio optimization problem, well known in financial management. We propose to solve this problem using existing single- and multiobjective optimization approaches.
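The following is an added illustration of the formulation described above, not code or data from this work. It treats each subset of controls as a portfolio, solves the single-objective case (minimum residual risk under a budget) and the two-objective case (the cost/risk Pareto front). The threat and control figures are constructed, the multiplicative mitigation model is an assumption, and exhaustive enumeration stands in for the optimization approaches the work refers to.

```python
from itertools import combinations

# Constructed sample data (assumption, not from the paper).
# threat -> (asset value at stake, baseline likelihood of loss)
THREATS = {"phishing": (100.0, 0.5), "ransomware": (200.0, 0.25),
           "web_exploit": (80.0, 0.5)}
# control -> (cost, {threat: fraction of that threat's risk removed})
CONTROLS = {
    "awareness_training": (10, {"phishing": 0.5}),
    "edr": (30, {"ransomware": 0.5, "phishing": 0.25}),
    "offline_backups": (20, {"ransomware": 0.5}),
    "waf": (15, {"web_exploit": 0.75}),
}

def residual_risk(selected):
    """Expected loss left after applying the selected controls.
    Assumed model: mitigations on the same threat combine multiplicatively."""
    total = 0.0
    for threat, (value, likelihood) in THREATS.items():
        remaining = 1.0
        for name in selected:
            remaining *= 1.0 - CONTROLS[name][1].get(threat, 0.0)
        total += value * likelihood * remaining
    return total

def cost(selected):
    return sum(CONTROLS[name][0] for name in selected)

def portfolios():
    """Every subset of controls, as a sorted tuple of names."""
    names = sorted(CONTROLS)
    for size in range(len(names) + 1):
        yield from combinations(names, size)

def best_under_budget(budget):
    """Single-objective form: minimise risk subject to cost <= budget."""
    feasible = [p for p in portfolios() if cost(p) <= budget]
    return min(feasible, key=lambda p: (residual_risk(p), cost(p)))

def pareto_front():
    """Two-objective form: portfolios not dominated in (cost, risk)."""
    points = [(cost(p), residual_risk(p), p) for p in portfolios()]
    def dominated(a):
        return any(b[0] <= a[0] and b[1] <= a[1] and
                   (b[0] < a[0] or b[1] < a[1]) for b in points)
    return sorted(a for a in points if not dominated(a))

if __name__ == "__main__":
    print("budget 50:", best_under_budget(50))
    for c, r, p in pareto_front():
        print(f"cost={c:3d} risk={r:7.2f} {p}")
```

On this sample data, spending 35 on backups plus a WAF buys no more risk reduction than spending 25 on training plus a WAF, which is the kind of dominated choice the front filters out.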