Organizations are accustomed to buying security and insurance to protect themselves against crime and its consequences. Spending on security is generally seen as being a necessary but irksome use of resources: necessary because the unchecked activities of criminals could jeopardize the business itself, but irksome because no matter how much is spent on security, the problem is never really solved. An assessment of a security risk should take account of criticality as well as probability, particularly in situations where security might be unduly difficult to apply, expensive or ineffective. The article examines the scope for using criticality-reducing tactics, other than insurance, to reduce the impact of security failure. It argues that the science of loss reduction needs to go further than crime prevention and consider the business impact of crime. It discusses, with reference to different types of business, the extent to which organizations already adopt such tactics in addition to or instead of security. Notes