Page 31 - CISSO_Prep_ Guide
with the laws and regulations the organization is operating in. A
security plan cannot be restrictive when the culture of the
organization encourages risk-taking. Likewise, the program cannot be
trusting and open in an organization that is cautious and
conservative. The security manager must therefore develop
and implement a security strategy that reflects the goals and
culture of the organization.
The Security Triad
As discussed earlier in this chapter, security is an abstract term
that can be hard to explain, measure, or understand. Therefore,
for many years, the concept of IT security has been defined
using the CIA triad. This approach describes security in
measurable and understandable terms.