
Risk Management: Understand Vulnerabilities First

October 19, 2012

It is easy to see, in hindsight, where an organization underspent or overspent on evaluating and mitigating risk: there is almost always a point at which the right amount of control becomes obvious, but only after the fact.

The remedy, according to Peter Spier, is to combine business-minded and technical risk management. Balancing the two produces controls that are both cost-effective and matched to actual needs.

Using the Common Vulnerability Scoring System (CVSS), an organization can characterize each vulnerability's “vulnerability access vectors, complexity, authentication requirements, and the potential impact to confidentiality, integrity, and availability.” However, surrounding a scored vulnerability with security controls does not make you invulnerable:

For example, suppose a database server is identified as being prone to one or more SQL injection vulnerabilities. It is isolated on a dedicated network segment, with established access controls restricting communications to authorized internal hosts, and the entirety of network assets is protected by host-based and perimeter security controls including, respectively, anti-virus protection and an intrusion prevention system. While the probability of exploit is arguably contained, the vulnerability remains.
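To put that example in numbers, here is an added Python example (not code from the original post or from Peter Spier) that computes CVSS v2 base, temporal and environmental scores from a vector string, using the metric weights and equations from the CVSS v2 guide. It scores a network-reachable SQL injection with partial confidentiality, integrity and availability impact, the kind of flaw the database server above is prone to. Expressing the server's isolation as a low Target Distribution (TD:L) and the database's data as high confidentiality and integrity requirements (CR:H/IR:H) is an assumption made here for illustration; the article does not assign environmental metrics.

```python
"""CVSS v2 scoring: base, temporal and environmental scores from a vector string.

Weights and equations follow the CVSS v2.0 guide (https://www.first.org/cvss/v2/guide).
Scores are rounded to one decimal, half up, as the guide's round_to_1_decimal requires.
"""
import math

# Base metrics
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}  # C, I and A share one scale
# Temporal metrics ("ND" = not defined)
EXPLOITABILITY = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}
# Environmental metrics
COLLATERAL_DAMAGE = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TARGET_DISTRIBUTION = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
REQUIREMENT = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}  # CR, IR and AR

METRICS = {
    "AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
    "C": IMPACT, "I": IMPACT, "A": IMPACT,
    "E": EXPLOITABILITY, "RL": REMEDIATION_LEVEL, "RC": REPORT_CONFIDENCE,
    "CDP": COLLATERAL_DAMAGE, "TD": TARGET_DISTRIBUTION,
    "CR": REQUIREMENT, "IR": REQUIREMENT, "AR": REQUIREMENT,
}
BASE_KEYS = ("AV", "AC", "Au", "C", "I", "A")


def round1(x):
    """round_to_1_decimal from the guide: one decimal place, halves rounded up."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P[/E:../CDP:..]' into numeric weights.

    Temporal and environmental metrics default to "not defined" when absent, so a
    bare base vector produces the same number under all three score equations.
    """
    weights = {key: table["ND"] for key, table in METRICS.items() if "ND" in table}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        if key not in METRICS or value not in METRICS[key]:
            raise ValueError("unknown CVSS v2 metric or value: %r" % part)
        weights[key] = METRICS[key][value]
    missing = [key for key in BASE_KEYS if key not in weights]
    if missing:
        raise ValueError("vector is missing base metrics: %s" % ", ".join(missing))
    return weights


def _base(impact, exploitability):
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def base_score(vector):
    w = parse_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    return _base(impact, exploitability)


def temporal_score(vector):
    w = parse_vector(vector)
    return round1(base_score(vector) * w["E"] * w["RL"] * w["RC"])


def environmental_score(vector):
    """Impact re-weighted by the C/I/A requirements, then scaled by CDP and TD."""
    w = parse_vector(vector)
    adjusted_impact = min(10.0, 10.41 * (1 - (1 - w["C"] * w["CR"])
                                           * (1 - w["I"] * w["IR"])
                                           * (1 - w["A"] * w["AR"])))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    adjusted_temporal = round1(_base(adjusted_impact, exploitability)
                               * w["E"] * w["RL"] * w["RC"])
    return round1((adjusted_temporal + (10 - adjusted_temporal) * w["CDP"]) * w["TD"])


if __name__ == "__main__":
    # Constructed example: an unauthenticated, network-reachable SQL injection with
    # partial C/I/A impact. The environmental metrics below are an assumption:
    # the server's isolation expressed as low target distribution, and a database's
    # data given high confidentiality and integrity requirements.
    sqli = "AV:N/AC:L/Au:N/C:P/I:P/A:P"
    isolated = sqli + "/CDP:N/TD:L/CR:H/IR:H/AR:M"
    print("base score                   ", base_score(sqli))           # 7.5
    print("environmental score          ", environmental_score(isolated))  # 2.1
    print("base score with same controls", base_score(isolated))       # 7.5
```

Note what moves and what does not. The environmental metrics pull the score for this one server down (2.1 here), which is the "probability of exploit is arguably contained" half of the argument. The base score stays at 7.5 with or without those metrics, because the access vector, complexity, authentication and impact of the SQL injection itself are untouched by segmentation or an IPS: that is the "vulnerability remains" half. Environmental metrics are also judgment calls, so a mis-chosen TD or CR understates risk while leaving the underlying weakness exactly where it was.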

This is one reason why understanding vulnerabilities is essential: without that understanding it is impossible to recognize which controls will and will not be effective in managing them, what risk still remains, or which vulnerabilities were never addressed at all.
