The convergence of many interdependent events, including the expansion of unprotected Internet connected applications, the global war on international terrorism and the large financial impacts of information and identity theft, has made IT security a core element of most corporate and government IT plans. During 2003, two examples illustrate the scope and cost of the security problem: Cyber attacks increased 40% in the first three quarters of the year, and the cost of cleaning up multiple worm and virus attacks during the summer cost $3.5 billion, according to the CERT Coordination Center, a cyber security-monitoring agency. Interwoven with capacity, performance and reliability factors, internal security strategies have expanded past keeping external hackers and crackers out to authenticating users through biometric and other factors, tracking authorized access inside firewalls by system users, and forensic analysis of destructive software. Given the economic con- straints placed on business expenses, however, these efforts have often been too little, too late to stop determined individuals from gaining access to information assets. Adding to the technical complexity of security are legal issues concerning user privacy, liability issues for not preventing the theft of customer records and identities, and government compliance with HIPAA, GLBA, FCRA, NORPDA, PIPEDA, SAFETY, Sarbanes- Oxley, and the U.S. Patriot Act regulations. Overlaying proactive longterm plans and operations are immediate reactive limitation activities to network and system-wide attacks caused by malicious software (also called “malware”) such as worms, viruses, Trojan horses and zombies. As technology reliability has moved user expectations to a 24×7 availability level, the level of management complexity associated with that degree of service has required larger equipment investments, more staffing, and increased awareness of the consequences of each decision made concerning IT security. By default, IT managers and executives have been forced to become experts — with associated responsibilities — on many different topics outside the traditional IT community.