Possibility theory is an alternative to probability theory as a basis for security management in settings where information resources are elements of national information infrastructure. Probability theory is founded on the assumption that one cannot totally rule out an intrusion. Possibility theory operates under a contrasting assumption. While persistent, well-supported, and highly professional intrusion attacks will have a higher probability of success, operating instead against the possibility of intrusion places defenders in a theoretical framework more suitable for high-stakes protection. The purpose of this chapter is to introduce this alternative quantitative approach to information security evaluation. It is suitable for information resources that are potential targets of intensive professional attacks. This approach operates from the recognition that information resource security is only an opinion of officials responsible for security.