Risk formula

17.04.2006

At Textron, "we looked at [risk-based security] because, like everybody else, we've got a finite amount to spend on risk mitigation," Avesian says. The new model, he adds, "has helped us develop a consistent framework when evaluating risk, and it's forcing us to think more strategically." The company has long emphasized process and views the risk-based model as a complement to its efforts to comply with the Sarbanes-Oxley Act and its devotion to both the Six Sigma quality-control methodology and Control Objectives for Information and Related Technology (Cobit), a set of best practices for IT management.

Sarbanes-Oxley and Cobit each introduced robust controls, Avesian says, while Textron's Six Sigma history taught it to standardize processes wherever possible -- which, in turn, entailed measuring progress on that standardization. Indeed, Textron has a resident Six Sigma Black Belt (a rare level of expertise) who is the company's risk-based "process owner."

Analysts and security managers say the growing importance of regulatory compliance has encouraged the adoption of risk-based security. Many demands of Sarbanes-Oxley, the Health Insurance Portability and Accountability Act and other regulations not only help companies become aware of security risks they may have overlooked, but also dictate controls to plug the holes.

That's what happened at Canadian Pacific Railway Ltd., a multibillion-dollar business with about 8,500 SAP users. In its push to comply with Sarbanes-Oxley (which the company had to follow because it does extensive business with U.S. trading partners), the railway ran Compliance Calculator, a tool from Fremont, Calif.-based Virsa Systems Inc. According to Margaret Sokolov, SAP security and controls lead at Calgary, Alberta-based Canadian Pacific, the compliance software demonstrated that "we had some segregation-of-duties issues" that were problematic for both Sarbanes-Oxley compliance and information security.

The security risks uncovered involved an area in which most businesses underspend: company insiders. Like most large SAP users, Canadian Pacific has a cadre of "superusers" and subject-matter experts who push SAP development forward. These end users had been granted extraordinary access to data and code so that they could tweak interfaces and processes.
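The kind of finding described above, a user holding both halves of a conflicting pair of duties, or a superuser whose profile grants everything, is what an SoD scan surfaces. The following is an added example, not Virsa's Compliance Calculator and not Canadian Pacific's ruleset: a small segregation-of-duties checker over a constructed user-to-transaction-code matrix. The transaction codes (FK01, F-53, ME21N, MIGO, SU01, PFCG, SE38, STMS) and the SAP_ALL profile are real SAP names, but the conflict rules, the user list and the helper names are assumptions made for illustration.

```python
"""Segregation-of-duties (SoD) check over an SAP-style user/transaction matrix.

Added example. The rule set below is illustrative, not a vendor ruleset, and
the sample users are constructed data.
"""
from typing import Dict, List, Optional, Set, Tuple

# Assumed conflict rules: each entry names two activities that one person
# should not be able to perform alone (classic purchase-to-pay and
# administration conflicts). Holding any code on BOTH sides is a violation.
SOD_RULES: Dict[str, Tuple[Set[str], Set[str]]] = {
    "vendor_master_vs_payment": ({"FK01", "FK02", "XK01", "XK02"}, {"F-53", "F110"}),
    "purchase_order_vs_goods_receipt": ({"ME21N", "ME22N"}, {"MIGO"}),
    "user_admin_vs_role_admin": ({"SU01"}, {"PFCG"}),
    "abap_dev_vs_transport_import": ({"SE38", "SE80"}, {"STMS"}),
}

# Profiles or wildcards that grant everything; a user holding one of these
# trips every rule regardless of what else is assigned.
ALL_ACCESS: Set[str] = {"SAP_ALL", "*"}

# Constructed sample assignments (user -> transaction codes or profiles).
SAMPLE_USERS: Dict[str, Set[str]] = {
    "ap_clerk":    {"FK01", "FK02", "F-53", "FB60"},   # maintains vendors AND pays them
    "buyer":       {"ME21N", "ME23N"},                 # creates POs only: clean
    "warehouse":   {"MIGO", "MB51"},                   # receives goods only: clean
    "superuser":   {"SAP_ALL"},                        # the "superuser" case: everything
    "basis_admin": {"SU01", "PFCG", "SM59"},           # creates users AND grants roles
    "developer":   {"SE38", "SE80", "STMS"},           # writes code AND imports it
}


def effective_access(assigned: Set[str]) -> Optional[Set[str]]:
    """Return the user's effective transaction codes; None means 'everything'."""
    if assigned & ALL_ACCESS:
        return None
    return set(assigned)


def conflict_detail(assigned: Set[str], rule: str) -> Tuple[Set[str], Set[str]]:
    """Return the codes on each side of `rule` that this user actually holds.

    For an all-access user both sides come back in full, since the profile
    implies every code on both sides.
    """
    side_a, side_b = SOD_RULES[rule]
    eff = effective_access(assigned)
    if eff is None:
        return set(side_a), set(side_b)
    return eff & side_a, eff & side_b


def find_conflicts(users: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map each violating user to the sorted list of rules they violate.

    Users with no conflicts are omitted, so an empty dict means a clean matrix.
    """
    report: Dict[str, List[str]] = {}
    for user, assigned in users.items():
        hits = [
            rule for rule in SOD_RULES
            if all(conflict_detail(assigned, rule))  # both sides non-empty
        ]
        if hits:
            report[user] = sorted(hits)
    return report


if __name__ == "__main__":
    for user, rules in find_conflicts(SAMPLE_USERS).items():
        for rule in rules:
            held_a, held_b = conflict_detail(SAMPLE_USERS[user], rule)
            print(f"{user}: {rule}: {sorted(held_a)} + {sorted(held_b)}")
```

Two caveats a practitioner would raise. First, real SAP authorization is checked at the level of authorization objects and field values, not just transaction codes, so a production SoD tool evaluates the roles behind each user rather than a flat code list; a matrix like the one above is the conceptual output of that evaluation. Second, the "superuser" branch matters: a wildcard profile is a conflict against every rule at once, which is exactly why broad developer and subject-matter-expert access shows up as both a compliance and a security finding.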