The document discusses information security risk management in financial institutions. It begins by asking whether the reader has ever been hacked and then describes the components of a typical security program. It notes that security programs should focus on facilitating the business rather than just securing systems. The document then explains how security risk is calculated based on vulnerabilities, threats, and business impact. It outlines the evolution of information security maturity from 1998 to 2006, showing a shift from reactive approaches to more proactive continuous improvement processes. Finally, it leaves the reader with some brief security-related tips and sayings.