Gunnar has a good post about evolving risk. A small startup company has high business risk (easy to fail) and low security risk (not much to steal), while a big successful company has low business risk and high security risk. Pretending those different kinds of risk don’t change, or that they change in the same direction, leads to problems:
When the business reality is dynamic and the security model is static, then errors creep in.
Paul Madsen on Evolving Risk, Gunnar Peterson, 1 Raindrop, 20 Nov 2006