Although the framework we described above provides support for the management of security, it can by itself never be a substitute for proper management. Expert systems model the knowledge of experts in the field and simulate their reasoning using representations of this knowledge. It is inherent to a heuristic approach that the solutions derived by the system may contain a degree of uncertainty or a margin of error. Machines also have no notion of creativity or human common sense. An adaptive security system that is built on top of an expert system cannot replace the security manager. It can alleviate everyday tasks by taking some degree of control over the operational environment, thereby allowing the security staff to concentrate on the more complex issues in security management.
An ASMS cannot autonomously undertake a risk assessment or create security awareness. Specialized people are needed, in conjunction with business people, to determine the risks and the possible impacts of a threat; next, one needs reassurance that the selected safeguards are effectively put in place and work. Regular audits verify that rules and regulations are adhered to; appropriate training programmes should include awareness of security issues. Basically, the aim is to make protection as superfluous as possible - without obliterating it.
Beware of possible gaps between analysis, decision and implementation: a false feeling of security may be even more dangerous than not having proper protection in place at all. Finally, new threats keep on emerging. Even with an adaptive security management system, security management remains an ongoing process that has to be repeated in depth over time to adapt to changing circumstances. Only a part of this cycle can be supported by information systems, and only a fraction of the processes involved can be fully automated.