Emergency response as a discipline extensively uses the concepts of readiness, response, and recovery — the three R's — to organize and plan efforts. Information security as a similar discipline can also benefit using these ideas to manage projects, activities, spending, and resource allocation. Security and risk professionals should compare budgets and costs for each of the three R's to understand the relationships among them. In all disciplines, the correct focus on readiness should reduce downstream costs for response and recovery. Understanding this relationship, and using this tool to measure the changes in spending for these three categories over time, can help you determine the effectiveness of your security program.