Chapter summary

  • The prudent management of an enterprise is the responsibility of senior management. Human safety is always the highest priority. Ethical standards must be included within the framework of governance. Management must be the consistent enforcer of policy.

  • The security program must support the (typically revenue-generating) needs of the business. Maximize profits and avoid losses by cost justifying all countermeasures. Protect the confidentiality, integrity, and availability of the valuable assets of the organization.

  • Vulnerabilities and matching threats produce risk. Risk is quantified by its likelihood and its impact on the asset. Mitigate risk, transfer risk, and avoid risk until the level of residual risk is acceptable (risk acceptance). ...
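The two bullets above (cost-justify every countermeasure; quantify risk as likelihood times impact and treat it until residual risk is acceptable) can be carried through on a small risk register. The example below is added here and is not code from the CISSP Training Kit; it uses the common quantitative formulas SLE = AV × EF and ALE = SLE × ARO, and every asset value, exposure factor, rate of occurrence, control cost and tolerance figure is a constructed sample, not a figure from the book.

```python
"""Quantitative risk register: likelihood x impact, cost-justified controls, residual risk.

Added example; all figures are constructed sample values (not from the source text).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float       # AV: what the asset is worth to the business
    exposure_factor: float   # EF: fraction of AV lost in one incident, 0.0 .. 1.0
    aro: float               # ARO: expected incidents per year (the likelihood term)

    @property
    def sle(self) -> float:
        """Single loss expectancy: the impact of one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: likelihood x impact, per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float       # purchase plus upkeep, spread per year
    ef_after: float          # exposure factor once the control is in place
    aro_after: float         # rate of occurrence once the control is in place


def residual_ale(risk: Risk, cm: Countermeasure) -> float:
    """Risk that remains after the control reduces likelihood and/or impact."""
    return risk.asset_value * cm.ef_after * cm.aro_after


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Cost justification: loss avoided per year minus what the control costs per year."""
    return risk.ale - residual_ale(risk, cm) - cm.annual_cost


def recommend(risk: Risk, options: list, tolerance: float) -> dict:
    """Choose a treatment: mitigate with the best cost-justified control, accept, or transfer/avoid."""
    justified = [cm for cm in options if net_benefit(risk, cm) > 0]
    if not justified:
        # No control pays for itself: live with the risk if it is within tolerance,
        # otherwise move it to a third party (insurance, outsourcing) or stop the activity.
        treatment = "accept" if risk.ale <= tolerance else "transfer/avoid"
        return {"asset": risk.asset, "treatment": treatment, "control": None,
                "residual_ale": risk.ale}
    best = max(justified, key=lambda cm: net_benefit(risk, cm))
    residual = residual_ale(risk, best)
    # Mitigation alone may still leave more risk than management will carry.
    treatment = "mitigate" if residual <= tolerance else "mitigate, then transfer the remainder"
    return {"asset": risk.asset, "treatment": treatment, "control": best.name,
            "residual_ale": residual}


# --- constructed sample register (hypothetical figures) ---------------------------
CUSTOMER_DB = Risk("customer database", asset_value=500_000, exposure_factor=0.4, aro=0.5)
LOBBY_KIOSK = Risk("lobby kiosk", asset_value=2_000, exposure_factor=1.0, aro=0.1)
DATA_CENTER = Risk("data center", asset_value=5_000_000, exposure_factor=0.8, aro=0.05)

BACKUP = Countermeasure("offsite backup and DR plan", annual_cost=20_000, ef_after=0.1, aro_after=0.5)
APPLIANCE = Countermeasure("premium security appliance", annual_cost=90_000, ef_after=0.05, aro_after=0.2)
LOCKDOWN = Countermeasure("kiosk lockdown", annual_cost=500, ef_after=1.0, aro_after=0.02)
FIRE = Countermeasure("fire suppression", annual_cost=50_000, ef_after=0.2, aro_after=0.05)

REGISTER = [
    (CUSTOMER_DB, [BACKUP, APPLIANCE]),
    (LOBBY_KIOSK, [LOCKDOWN]),
    (DATA_CENTER, [FIRE]),
]


def run_register(tolerance: float = 30_000) -> list:
    """Evaluate every entry against management's annual risk tolerance (a constructed figure)."""
    return [recommend(risk, options, tolerance) for risk, options in REGISTER]


if __name__ == "__main__":
    for row in run_register():
        print(f"{row['asset']:<18} ALE-after={row['residual_ale']:>10,.0f}  "
              f"{row['treatment']}  [{row['control']}]")
```

The three sample entries exercise each branch: the customer database is mitigated by the cheaper backup control because its net benefit is higher than the appliance's even though the appliance leaves less residual risk; the kiosk's only control costs more than it saves, so the small remaining risk is accepted; and fire suppression for the data center is justified but still leaves residual loss above tolerance, so the remainder is transferred.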
