I already blogged about one of my favorite presentations at Metricon in which Bryan Ware showed a model of combining risk and effectivness to identify areas to focus on.
Of course, the upper right quadrant of highly effective controls for high risk items make sense to fund, but the harder choices lie in quadrants 2 & 3. Would you rather really make a dent in solving a relatively lower risk problem or partially solve a higher risk item? Bryan's guidance was to incentivize high effectiveness (quadrant 3) over lower effectiveness (quadrant 2). This is a bold move, because it may be seen as ignoring higher risk items, however in the long run it may drive organizations to work towards higher effectiveness.
One area that organizations struggle with is - how to get started in application security? There are a lot of types of controls to consider like static analysis tools, sdlc, threat modeling, strong authentication, federated identity and so on. I have seen several enterprises conduct tradeoff analysis on Web App Firewalls (WAF) which offer some protection web applications from SQL injection and the like and XML Security Gateways (XSG) which protect XML messages and Web Services. So I used Bryan Ware's quadrant to analyze where it would make sense to focus efforts if an organization could choose only one. This is at the 20,000 foot level and both risk and effectiveness are subjective, so YTMMV (Your Threat Model May Vary).
If we assume that risk is higher in the apps that WAFs generally protect, Internet facing portals, than in what XSGs generally protect, say B2B apps on VPNs. Then the WAF goes in the higher risk quadrant than the XSG.
If we further assume that WAFs use a lot of educated guesswork due to performance constraints of signature and anomaly detection on unstructured data in web apps speed then their relative effectiveness is downgraded versus XSGs that may operate on asychronous systems on structured data, and, of course, XSGs can leverage interoperable security standards like WS-Security whereas WAFs rely on patter recognition. Then the relative effectiveness may prove higher for XSGs, again YTMMV. Assuming the above, the decision looks this way.
Depending architecture, threat model and other factors a XML Security Gateway may be a logical choice if you have to choose since it may prove to have higher effectiveness than a WAF. Of course, these need to be mapped to your particular organization, and there are a lot of other controls to consider besides these two, but in my view this model works really well as a decision support tool for hard security architecture choices.