Risk management involves assessing threats and vulnerability, the cost of reducing or eliminating vulnerability, and the risk level management is willing to accept. Security education includes informing employees about company policy regarding computer crime, including the seriousness of such crime and the legal consequences. Disaster planning and recovery consists of contingency plans if confidential business data are lost. This may consist of daily backup of the data and storing them on computer tapes off site. Computer access control involves management's analyzing and assessing employees' responsibilities and determining the information they should receive for the performance of their duties. Employee access to files would be limited to that required for job tasks. Software is available to have division of access to various programs according to task groupings. The key to any access control system is to provide user authentication at all levels. One security measure is a cryptographic lock that scrambles words on files to unreadable nonsense. Some software security programs are briefly described.