Security is often addressed as something that is either present or absent. However, security is not a dichotomy. Security is a process and exists somewhere along a continuum between absolute security and the complete lack thereof. Security is subjective. Two individuals in the same environment will perceive security differently, and each may have very good reasons for his or her opinion.
How does the security professional deal with such subjectivity? Sometimes decisions are made by those who control the purse strings, and it becomes a relatively simple matter of how much security an organization can afford. Absolute security does not exist. Often, the closer absolute security is reached, the higher the price tag. Thus, a balance must be struck between cost and efficacy. Security is a value proposition for many organizations. To find the appropriate balance, it is necessary to conduct a formal (or informal) security risk assessment.