In this paper, we introduced a framework and a metric tool to help companies begin to transform their information security effort into a business asset.
Our contention is that what we are dealing with is fundamentally a managerial problem, not a technological one.
We should concentrate on strategies, policies and procedures rather than technology.
We believe that culture, behaviour and values will ultimately carry the day in the battle for information security.