Nevertheless, many companies do not adequately protect their business information. Information losses can be considered from four viewpoints: 1) the circumstances of the loss or exposure; 2) the individuals who stole, destroyed, or observed the information; 3) the mental, written, or electronic medium involved in the loss or exposure; and 4) the value of the exposure. To manage information properly, companies should develop information policies that have the visible support of top management and that cover all the permanent requirements of information management. They should classify and protect the truly critical pieces of information. In most businesses, only 10 percent of the information should be classified, with only 1 percent at the highest classification level. The classification should represent business requirements for information security and availability and should also meet legal requirements. The security program should also include training and supervision of employees and establishment of controls and separation of duties as appropriate to the information's value.