At some point about six weeks ago I once again was hit with arguments that pointed to people considering security as black and white; you are either secure or you are not. Security is not now, nor has it ever been, a binary decision. There are a lot of factors we need to consider, all of which should be rooted in what you need to accomplish with the systems, the threats they are subject to, and whether the mitigation is less palatable than the risk itself. Having the incredible luxury to do so, I wrote a column on it. The column is entitled Microsoft Small Business Server and Security: It's All About Risk Management! and just came out in the Microsoft Security Newsletter today. While I use Small Business Server as the example, as the title says, it is all about risk management!