Networks have become very important for conducting business in government, industry, and academic organizations. Networked systems allow access to needed information rapidly, improve communications while reducing costs, enable collaboration with partners, provide better customer services, and conduct electronic commerce. Organizations have moved to client-server architectures where servers and workstations communicate through networks. While computer networks revolutionize the way business is done, the risks they introduce can be fatal. Attacks on networks can lead to lost money, time, products, reputation, sensitive information, and even lives. Information protection decisions are often incomplete or ineffective because they are based on the organization's prior experience with vulnerabilities and current threats. While managing information security risks and vulnerabilities help ensure that information protection strategies are appropriate, most risk assessments are incomplete, or are conducted by external consultants who have little knowledge of the organization's unique requirements.