Cutting through the marketing b/s of security products

admin
March 4, 2009


I think FUD is not going to cut it anymore.
There is currently no standard, vendor-neutral methodology to quantify information security risk and justify technology purchases.
Maybe during the GFC, as budgets dwindle down and threats ratchet up, security analysts will finally get some real work done.
To decide which security countermeasures are best for it, a company must measure the movement and value of its data and weigh that in terms of a threat model. We conclude by suggesting a series of questions to ask in order to test two hypotheses: 1) that information leakage is currently happening and 2) that a cost-effective risk mitigation plan can be defined and implemented.
For more, read "Preventing internal threats on a budget".
