When I read a book like Against The Gods: The Remarkable Story Of Risk, my wife sees it as proof of just how hopelessly boring I am. But it's actually a lively book, exploring how the understanding and quantifying of risk became a foundation for decision making in business and other disciplines. Which makes it's a good read for anyone responsible for information security strategy or implementation.

We publish our annual information security survey this week, and, in analyzing the results, InformationWeek's Mike Fratto lays out a powerful case for why risk assessments must lie at the heart of security strategy. Anything else is wasting money, and probably not delivering the security that companies want.

Here's a taste from our exclusive research. Despite steady or increasing spending, only a third of IT security pros say they've reduced the risk of security breaches at their companies in the past year. Seven out of 10 companies use risk assessments for security, though just 41% of those use them to strategically drive budgets and planning. The risk assessment initiative is being driven in equal numbers by the CEO and the CIO. And of those with such initiatives, more than two-thirds think it will save the company money.

And, hey, there's nothing boring about saving money, right? Let us know how well companies are using risk management to drive IT security decisions.