Risk management is a process-oriented method, choosing decision models that work with the available information. In today's world of sophisticated malware and ubiquitous connectivity, this means ensuring all systems have some baseline of protection. It also means identifying information that is especially critical to meeting business goals, including regulatory compliance, and finding cost-effective ways to exceed the baseline level of systems protection. For many companies, data leaking from inside is finally being recognized as the type of information risk that most needs addressing.

A growing number of organizations are finding that risk management techniques, usually qualitative ...