Security metrics involve assessing resources, new technology, risks, and mitigation: relating operations to risk reduction. Mitigation costs should be less than the expected cost of the risk, but the cost of rare events is difficult to assess. However, if doomsday scenarios are ignored, so is potential catastrophic damage to the company. Spending on improvements is required to avoid expensive adverse effects of unforeseen events. Security can also add value by enhancing the firm’s risk management, thereby enabling it to enter a new market or country.