This is one of the best information security pieces I've read in the last years. If you have any interest in risk measurement, risk management and security decision making, go now read this very good pair of articles (in fact, one split in two pieces) with the transcription of a debate between Alex Hutton and Doug Hubbard. This is a very good indication of what's currently going on in this field and the revolution (evolution?) we are experiencing in Risk Management. Stop for a minute the implementation of that GRC crap and read this.