Good post, catch. That is something I will definitely file away for future reference. The only problem I have is that it assumes the company even cares. All sarcasm aside (in case you missed it), I find that more often companies adopt the "needle-in-a-haystack" theory, and in that case you can do nothing except voice your concerns.

The company I work for regularly transmits unencrypted databases with very sensitive information. I found the problem and suggested several fixes... that was some months ago. I even explained how burning a haystack helps you find the needle in no time, but the analogy was lost on them. There is no system of patching, or updating, or monitoring of usage... and when spit hits the fan, I will say nothing.

I would be interested in how you compile your threat index, and how you weigh the values of each in order to plug them in to your formula. Maybe if I present it to them in that manner, it may get their attention. I'm not sure how to put a value on ID theft though.

Cheers