This report describes a framework intended to be an aid when investigating how decisions on a management level in an organization have consequences in the form of IT security vulnerabilities. This work is done by so called tracing, which consists of investigating backwards from a discovered vulnerability to its underlying reason(s).