The selection of cost-effective controls (security measures) for the protection of data and of the means of processing them is dependent upon a reasonably accurate problem definition. To the extent that those who attempt the selection and implementation of such controls believe the principal threat to be technically-sophisticated intrusions into their systems by highly-skilled technical personnel with extensive resources and very high motivation, they will usually fail. Errors and omissions made by people whose loyalty and honesty are unquestioned will always tower over dishonest conduct as a source of loss. In a poor second place are dishonest employees who neither need nor possess significant technical skills, but who abuse the resources extended to them for the conduct of their normal jobs. The conversion of manual systems to a computer-based operation provides an opportunity to materially reduce losses previously experienced, but only if the threat is properly defined.