Process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost.