I believe that was covered, but it was under the context of security policy vs a more direct description. The key point I'd pull out is: "The goal isn't to eliminate risk entirely, but bring it down to an acceptable level."
There could be (and probably are) entire books written about how to define what "an acceptable level" means... but that is the same point you are getting at - security is not a guaranteed lockdown of your assets, it is self-defined sufficient deterrence to attack. Sometimes that means light security, sometime that means heavy... but it is up to you to make those decisions.
There could be (and probably are) entire books written about how to define what "an acceptable level" means... but that is the same point you are getting at - security is not a guaranteed lockdown of your assets, it is self-defined sufficient deterrence to attack. Sometimes that means light security, sometime that means heavy... but it is up to you to make those decisions.