ABSTRACT

The nature of IT security has evolved rapidly in the relatively short life span of computer technology. Initially, security analysts and IT managers assumed they could simply eliminate the security vulnerabilities in their computer and telecommunication systems and thereby remove any chance of intentional or unintentional exploitation of their information resources. This approach is popularly known as risk avoidance. Risk avoidance is a rather simplistic strategy: it requires every vulnerability to be eliminated as soon as it is identified. In theory, such an approach appears both logical and necessary to eliminate all potential risks to the assets in question. However, experience quickly taught both researchers and IT system managers that risk avoidance was simply untenable.