Three Techniques for Measuring Information Systems Risk

http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1060169,00.html

"Are we secure?" is a critical question that top executives and security professionals need to answer. Securing information systems goes beyond process, policy or regulatory compliance. It means understanding whether our ability to manage information systems risk is improving or declining. Measuring this risk requires us to focus on the literal meaning of risk — the probability that an unwanted "event" will occur.

We can classify compromises in three ways: manifest risk, inherent risk and contributory risk. This classification lets us measure the probability of a security event based on its associated processes and performance, and gives us a method for tracking our risk-reduction efforts.