If you've been around the information security block a few times, you're bound to remember Winn Schwartau. I finally got a chance to meet Winn at the GFIRST conference earlier this week. He was kind enough to pass me copies of a few of his books, like Time-Based Security. In the book, Winn tries to steer readers away from their "fortress mentality" and towards a model of security centered on attack duration.
I like the idea of rating a security system by the amount of time it takes an intruder to compromise it. That system is used to rate safes, as defined by Underwriters' Laboratories, Inc. (and explained here, here, here, and here). A time-based model acknowledges that any system can be compromised, as long as an intruder is willing to dedicate the resources to the project. It is easy to know how long it takes a script kiddie to compromise a target with an unpatched, public vulnerability for which there is a reliable exploit. It is more difficult to know how long it takes a professional intruder to compromise a target with no known vulnerabilities. Still, estimates can be made, and those estimates can help direct monitoring and access control defense-in-depth strategies.
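To make the time-based idea concrete, here is a small calculator I wrote for this post; it is not from Winn's book or any product of his. It uses Schwartau's relation P > D + R (protection time must exceed detection time plus reaction time), which the paragraph above only gestures at, and every number in it is a constructed estimate in hours, not a measurement. The point it adds is that once you estimate P separately for the script-kiddie case and the professional case, the same D and R can leave you fine against one and badly exposed to the other, and the arithmetic tells you whether monitoring or response is the lever to pull.

```python
"""Toy time-based security calculator (added example, not from the post or
Winn Schwartau's book). P, D and R are all constructed estimates in hours."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    protection_hours: float  # P: how long the controls hold against this attacker
    detection_hours: float   # D: time from compromise to someone noticing
    reaction_hours: float    # R: time from noticing to containing

    def is_secure(self) -> bool:
        """Schwartau's test: protection must outlast detection plus reaction."""
        return self.protection_hours > self.detection_hours + self.reaction_hours

    def exposure_hours(self) -> float:
        """Window in which the intruder is in and nobody has stopped them:
        (D + R) - P, floored at zero when the system passes the test."""
        return max(0.0, self.detection_hours + self.reaction_hours - self.protection_hours)

    def detection_budget_hours(self) -> float:
        """Largest D that would still satisfy P > D + R with the current R.
        Negative means reaction alone already exceeds protection."""
        return self.protection_hours - self.reaction_hours


def recommend(s: Scenario) -> str:
    """Pick the lever: shorten whichever of D or R dominates the exposure."""
    if s.is_secure():
        return "ok"
    if s.detection_hours >= s.reaction_hours:
        return "invest in monitoring (shorten detection)"
    return "invest in response (shorten reaction)"


# Constructed scenarios. The same D and R are reused so that only the
# attacker-dependent estimate of P changes between the first two.
SCENARIOS = [
    # Unpatched public vulnerability with a reliable exploit: P is minutes.
    Scenario("script kiddie, public exploit", protection_hours=0.25,
             detection_hours=8.0, reaction_hours=24.0),
    # No known vulnerability: P is an estimate of how long a professional needs.
    Scenario("professional, no known vuln", protection_hours=72.0,
             detection_hours=8.0, reaction_hours=24.0),
    # Same target, but logs are only reviewed weekly.
    Scenario("professional, weekly log review", protection_hours=72.0,
             detection_hours=168.0, reaction_hours=24.0),
]


def summarize(scenarios=SCENARIOS) -> dict:
    """Map each scenario name to (exposure hours, recommendation)."""
    return {s.name: (s.exposure_hours(), recommend(s)) for s in scenarios}


if __name__ == "__main__":
    for name, (exposure, advice) in summarize().items():
        print(f"{name:40s} exposure={exposure:6.2f}h  {advice}")
```

Reading the output: the script-kiddie case fails no matter how good monitoring is, because reaction alone (24 h) dwarfs a 15-minute P, which is the numerical version of "patch it." The professional case passes with the same D and R, and the weekly-review case shows the same target failing purely because detection slipped, which is where "estimates can help direct monitoring" cashes out.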
Winn is now running The Security Awareness Company, which provides (wait for it) Security Awareness materials and training. His team also operates the Security Awareness Blog. I saw some of his company's products, which included posters for Florida-based financial giant Raymond James. Keep Winn in mind if you're trying to make your company's users security-conscious.
Update: Here are a few links to discussions of time-based security.