February 17th, 2005, 11:59 PM
#12
Egal:
My response wasn't "pointed" at any previous response or person... but I have to make the following comment since you brought it up:
I said B for the second one simply based on a generality that under normal circumstances the best way to gauge your strengths and weaknesses in most circumstances is while and after being attacked.
Yes, you can say that is true... But the point of the risk assessment is to determine the "value" to the organization of the information. If the "value" is high then there are two things you can do: spend a lot of money and time to protect it while making it publicly available, or, simply, not make it publicly available.
The word "publicly" is very important here... I _can_ make data available to any IP on the internet, thus making it "publicly" available but I _will_ make you authenticate yourself twice, in two different ways, before you have access to the data. If you can cross both authentication schemes without playing games that my IDS or other systems can't alert on then _I_ have a problem.
Your comment implies that, regardless of the risk assessment's conclusions, you would place critical data into the public domain and learn how it gets attacked as you go... That's a flawed principle since you are relying on your ability to see and recognize an attack by watching _every_ packet... We both know that can't be done... So the simpler principle of minimizing your exposure applies.
That's my 2c.... FWIW...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides