2011 was for the world of IT security what Queen Elizabeth II would probably call an “annus horribilis”—a terrible year. It started with WikiLeaks publishing decrypted diplomatic cables, but the knock-on effect this had was significantly worse for organizations worldwide. Hackers such as Anonymous don’t just want to make shady political events accessible to all—they also highlight uncomfortable data protection issues. Suddenly, every organization and every authority, regardless of whether a giant company or government organization, had to assume that confidential customer data could be dragged into the public domain. This of course is the worst-case scenario. Such a situation is not about resolving a technical security problem. With such actions, an organization incurs costs in the form of loss of trust and damage to its reputation, which are rather high considering the expensive communication campaigns required as remedy.

In such dramatic cases, it is clear to all members of an IT department that they must drop everything in order to resolve this acute problem as quickly as possible. Fortunately, “near catastrophes” are the exception in everyday life, but they make it particularly clear that the work items an IT team has to process out differ in the impact they have upon the business. Thus, it is expedient to differentiate between work according to type and extent of the consequences. We are confronted with different performance, services, and treatment ...