I see Gunnar Peterson has beaten me to posting about
Bryan Ware’s decision matrix that he uses to advise
the U.S. DHS on investing in security.
One axis is risk, high or low.
The other axis is effectiveness, high or low,
as in the likely effectiveness of the funded organization
at actually doing something about the problem.
High risk and high effectiveness spells best investment;
high risk and low effectiveness, not so much;
low risk and high effectiveness, invest some to incentivize
high effectiveness;
and low risk and low effectiveness, “Apply minimal funding”.
Bryan mentioned that they have no data as to how well this
risk-based funding scheme works, but at least they’re trying.
-jsq