“Submarines are designed so that they can travel completely submerged in water for long periods of time. One obvious requirement is that the sub must effectively keep water from leaking into its interior. If the design fails to meet this requirement by even a small margin, the entire sub and its crew are at risk. Managing an IT infrastructure is no different than the submarine analogy. …. But like water surrounding a sub, as long as criminals exist you’ll need to protect and defend yourself as they constantly try to “seep” in.”
The SIR is 184 pages of analysis of the security environment, with a very good dataset.
http://blogs.technet.com/msrc/archive/2009/04/08/microsoft-security-intelligence-report-volume-6.aspx