What's security about? Well, the bottom line is that we're specialist risk managers.

Why bring this up? Well, I've recently sat through a talk on securing applications where the speaker said "You must always encrypt communications between the application and the server" and "You must always add PrincipalPermission checks on your components".

Not true. If you tried to apply security to every aspect of every application, you just wouldn't ever finish.

The important question is "What is the cost to the organisation of the breach?"

If the data within an application is of no value, can be released to the public, and will not cause the company harm if its integrity is breached, then I'd suggest there are some instances where you wouldn't apply security at all. Notice my italics.

There are lots of calculations and methodologies involved, but I'd suggest looking at ISO 27001 as a starting point.