The realities of risk

25.04.2006

If risk can't be eliminated, a practical security plan can reduce it to an acceptable level. Countermeasures are the only part of our formula that can be managed to reduce risk. They are security measures that aim to mitigate threats and/or vulnerabilities. In business terms, your security program is the implementation of countermeasures to mitigate your organization's vulnerabilities.

The reason that I specifically say "vulnerabilities" and do not mention threats is that it is nearly impossible to effectively diminish a threat. For example, even though you can avoid putting your data center in an earthquake-prone area, you can't prevent earthquakes. A background check may help weed out people with criminal records, but you can't predict which people without criminal records will commit illegal acts. You are not going to be able to hunt down all the script kiddies on the planet. It's just not realistic to focus on eliminating threats.

The trick is for an information security manager to determine how to best allocate limited countermeasures to mitigate vulnerabilities and thus manage risk. The fact is that not all vulnerabilities should be mitigated. For example, it might cost millions of dollars to reduce a vulnerability that puts an asset of only small value at risk. To take an extreme example, you could assign a security guard to protect a tape 24 hours a day, but if the tape were blank, it would clearly be a waste of money.

The figure below depicts the relationship between countermeasures and vulnerabilities. Assuming that the countermeasures address real vulnerabilities, as you implement countermeasures you decrease your vulnerabilities. The area under the vulnerabilities curve represents potential loss in financial terms.

Threats enter into this equation when they increase the probability that particular vulnerabilities will be exploited. If you understand the threats, you know what methods attackers are likely to use, what vulnerabilities they are likely to exploit and what type of value they want to compromise. As you increase countermeasures and decrease your potential loss, the cost of your countermeasures -- that is, of your security program -- increases.