In an increasingly interconnected environment, we are consistently required to develop better and more cost-effective defenses for our information systems. In the past, when information security was the realm of governments and the military and when security was only concerned with the confidentiality of the information, the concept of “absolute” security was adopted and millions (billions?) of dollars were spent in chasing this holy grail. In more recent years, the requirements of the commercial sector, a growing level of experience, and a touch of reality have changed this, and it is now the norm to seek “cost-effective security.” There is also a growing realization, in trying to achieve this aim, that some degree of “risk” must be accepted and managed. In cold hard terms, if the risk assessment is not carried out effectively, then the organization will either waste money or be exposed to an unacceptable risk.
A global environment in which there is dependence on available technologies presents a very different problem from that which pertained just a few years ago. In the past, when risk was assessed, it was normally in terms of natural and physical disasters or possibly the loss of research and development knowledge to a competitor. Now, as shown by recent experience, the problem has shifted considerably. Unfortunately, so far, the way in which we address the problem has not.