One of the most difficult problems in securing any business that depends on information technology is working out what “secure enough” looks like.  Every stakeholder will have a different view and offer a different opinion on the ideal outcome.  These opinions come from business decisions about priorities and, hopefully, from a risk framework that reaches far beyond the technology walls of the information systems alone.  For example, the UK government started out with CRAMM, from the CCTA (now the Office for Government Commerce), back in 1987.  CRAMM v5.1 is now…