The bit that's missing is the business. Instead of asking "What's your threat model?" as the first question, it should be "What's your business model?" Security asks that last, and only partly, but asking questions like "what are the risks?"

Clearly this is what I'm calling Business Model B - what is the source of value for this enterprise - rather than Business Model C - the line-and-box diagrams drawn by Enterprise Architects. See Two Kinds of Business Model.
Gunnar takes an asset-based approach to building such a business model - what are the assets and how do we protect them. Gunnar has always argued that security should be proportional to asset value. I think that's a reasonable starting point, as long as we take a broad view of what counts as an asset, and whose assets are included. In particular, companies should expect to accept liability for any loss or damage to customer assets or third-party assets. See my post Services Like Laundry, where I argue that the potential liability for a dry-cleaner is based on the likely cost of replacing any damaged item, rather than just the cost of the dry-cleaning service.
But the asset perspective is not the only way of thinking about business-driven security. Consider a large retailer, deciding what policies and mechanisms to adopt against shoplifting. This will partly be based on the expected value of the shoplifted items - so the small higher-priced items may have higher levels of protection. But this should be balanced against the business process or cashflow perspective. Is it better to lock goods into cabinets, lose fewer to shoplifters but maybe sell fewer as well? Or is it better to encourage shoppers to handle the goods, resulting in more sales as well as more theft? This is clearly a business judgement, which should not be solely based on the value of the goods. [And see my post on Shoplifting]
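To make the shoplifting trade-off concrete, here is a small expected-value model of the two policies described above. It is an added illustration, not code from the original post; the item prices, sales volumes and theft counts are constructed for the example, and the two policy shapes (locked cabinet versus open display) are the post's own scenario. The point it shows is that the better policy depends on margin and replacement cost together, not on the price of the goods alone.

```python
"""Expected-value comparison of two loss-prevention policies.

Added illustration of the shoplifting trade-off; all figures are constructed
for this example and are not taken from the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    units_sold: float    # expected units sold per period under this policy
    units_stolen: float  # expected units stolen per period under this policy


@dataclass(frozen=True)
class Item:
    price: float  # retail price per unit
    cost: float   # replacement cost per unit (what a stolen unit really costs)

    @property
    def margin(self) -> float:
        return self.price - self.cost


def net_contribution(item: Item, policy: Policy) -> float:
    """Margin earned on sales minus the replacement cost of stolen stock."""
    return policy.units_sold * item.margin - policy.units_stolen * item.cost


def better_policy(item: Item, policies: list) -> Policy:
    """The policy with the highest expected net contribution for this item."""
    return max(policies, key=lambda p: net_contribution(item, p))


def breakeven_theft(item: Item, open_policy: Policy, locked_policy: Policy) -> float:
    """Units the open display may lose before it stops beating the locked cabinet.

    Solves open.units_sold * margin - x * cost == net_contribution(locked) for x.
    """
    locked_value = net_contribution(item, locked_policy)
    return (open_policy.units_sold * item.margin - locked_value) / item.cost


# Constructed scenario: locking reduces both theft and sales.
LOCKED = Policy("locked cabinet", units_sold=100, units_stolen=2)
OPEN = Policy("open display", units_sold=150, units_stolen=20)

# Two constructed items: a cheap one with a fat margin, an expensive one with a thin one.
CHEAP_ITEM = Item(price=40.0, cost=25.0)     # margin 15
PRICEY_ITEM = Item(price=400.0, cost=300.0)  # margin 100


if __name__ == "__main__":
    for label, item in (("cheap item", CHEAP_ITEM), ("pricey item", PRICEY_ITEM)):
        for policy in (LOCKED, OPEN):
            print(f"{label:11s} {policy.name:15s} net = {net_contribution(item, policy):8.1f}")
        print(f"{label:11s} best policy: {better_policy(item, [LOCKED, OPEN]).name}")
        print(f"{label:11s} open display breaks even at {breakeven_theft(item, OPEN, LOCKED):.1f} stolen units\n")
```

With these constructed figures the open display wins for the cheap item (1750 against 1450) and can tolerate up to 32 stolen units before the cabinet becomes the better choice, while for the pricey item the cabinet wins (9400 against 9000) even though it sells fewer units. The decision flips on margin and replacement cost, which is the business judgement the paragraph describes.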
Overall, we need a business model that defines the sources of business value. This may include a broad concept of asset, but also broad concepts of capability and viability. Then I absolutely agree with Gunnar and Ian - the security model must be driven by the business model.
Note: Ian's blog Financial Cryptography has a security certificate that is not recognized by Firefox or Internet Explorer, for reasons he explains in the comments to Gunnar's blog. Visit it at your own risk.
Note: The RESG hosted a masterclass on Security Risk Analysis and Management in January 2003. See report with my comment in the RESG Newsletter (RQ28 Feb 2003).