Schneier's keynote at ToorCon

Here is my impressionistic transcript of Bruce Schneier's keynote, "Following the Money, or Why Security has so Little to do with Security" from the ToorCon infosec conference in San Diego.
* We want to get the most security for the least trade-off

* Determine the acceptable risk-level

* Figure out the trade-offs

THE BEST WAY TO DO THIS IS TO MAKE THE PERSON WHO CAN FIX THE PROBLEM ON THE HOOK FOR FIXING THE PROBLEM.

We have no choice but to accept some residual risk. "No terrorism is acceptable" is nonsense: there IS an amount of rat-droppings that is acceptable in your breakfast cereal. Some risk is inherent in everything. We've decided that 40k auto deaths/year is OK. In the end, there's an amount of danger that we are willing to accept.
