Bank's security chief focuses on targeting risk

31.10.2005

How easy has it been getting business owners to participate?

Not easy. I would still say that we get 50-50 direct participation of business users. Sometimes it is a business-aligned IT guy who is engaged in the evaluation process.

The evaluation process itself is sort of self-correcting and is really quite sensitive to overvaluation. If I walked into one of our heads of business line's office and asked him how valuable a system is, his natural reaction is to say "high." They always say "high," and that experience has been confirmed when using our wizards as well. What we've found gets better business involvement is when we go back and say to them, "OK, you have gone through this valuation process and come out with a 5 for confidentiality, integrity and availability. You do realize that means that you've got to make the maximum investment in securing those systems?"