Security = Insurance? Not.

It seems to be a fairly common assertion these days that security should be thought of like insurance. I disagree (surprised?). Insurance is what you do with the residual risk after you've done all you can (or want to). The "all you can" part is security. The leftover is giving up – that is insurance. So security and insurance are complementary, but insurance is more like "not-security."

This is illustrated fairly easily when you consider the premium you would pay for a cybersecurity insurance policy: premiums go up with weak security. Another way to think about it is as preventive maintenance (we do this today with cars and our health).

Security adds structure and control to our computing environment.