Traditional cyber security modeling approaches either do not explicitly consider system participants or assume a fixed set of participant behaviors that are independent of the system. Increasingly, accumulated cyber security data indicate that system participants can play an important role in the creation or elimination of cyber security vulnerabilities. Thus, there is a need for cyber security analysis tools that take into account the actions and decisions of human participants. In this paper, we present a modeling approach for quantifying how participant decisions can affect system security. Specifically, we introduce a definition of a cyber-human system (CHS) and its elements, the opportunity-willingness-capability (OWC) ontology for classifying CHS elements with respect to system tasks, the human decision point (HDP) as a first-class system model element, and the multiple-asymmetric-utility system modeling framework for evaluating the effects of HDPs on a CHS. This modeling approach provides a structured and quantitative means of analyzing cyber security problems whose outcomes are influenced by human-system interactions.