How would you evaluate whether a security measure is necessary for a given business context at Moody's?