Security is unattainable. What security programs are trying to achieve is risk management. In other words, they are trying to cost effectively control the potential loss. Risk is a combination of value, threat, vulnerability, and countermeasures. Traditionally, a security program strives to implement countermeasures that primarily mitigate the vulnerabilities that, if exploited, will create a loss of value.

This chapter categorizes the factors that contribute to, and mitigate, risk. The goal is not to get rid of all risk, as that is not practical, but to optimize the risk, given the potential loss and available resources.