The complex nature of recent attacks on cyber-physical systems calls for more expressive models for contingency prediction and response. In this paper, in an attempt to address the primary difficulties facing the design of models for cyber-physical systems security, we propose a general model, termed secure contingency prediction and response (SCPR), that explicitly links the security status of the cyber layer with the operational status of the physical system. This is achieved by describing the security status of the cyber layer as the progression of an attacker through an attack graph and drawing a correspondence between compromised nodes in the attack graph and attacker capabilities in the physical layer. Using the proposed model, we formulate a novel cyber-physical systems security problem, termed control-aware intrusion response, in which actions in the cyber layer take into account the structural controllability of the physical system. The expressiveness of the proposed model is further illustrated by briefly discussing its applicability to some foundational cyber-physical systems security problems.