As we have noted, in the real world of information protection, it is not possible to evaluate in any quantitative sense the factors in the risk management algorithm. The cost of some countermeasures like alarm systems or insurance may be ascertainable, although acquiring information about the cost of countermeasures turns out to be surprisingly difficult using current methods of accounting. What portion of the cost of a wall is attributable to security?

If computers that are shielded against emission of potentially compromising radiations are an option, are both cases (with and without shielding) costed independently and compared? Even if it were easy to determine the cost of potential countermeasures, the likelihood of the threat successfully attacking, the extent of our vulnerabilities and the impact of a possible loss are at best uncertain. As with most management problems, insufficient information makes security decisions more of an art form and less of a science.

Typically, to make any asset less vulnerable raises its cost, not just in the design and development phase but also due to more extensive validation and testing to ensure the functionality and utility of security features, and in the application of countermeasures during the operation and maintenance phase as well.