ABSTRACT

Despite the structural differences between organizations, the threat or regulation environment, or even across economic conditions, there is always a limit to the available funding and staff required to perform security initiatives. It is not enough to know a set of desired security projects for the organization to improve its security posture. Security managers need to be able to justify their next project and defend these decisions.