Security objectives determine the levels to which the solution will protect itself and its assets. There may be data that needs to be protected, regulatory requirements, or intangible assets such as company reputation, trade secrets, or intellectual property. Security objectives should be specific, testable statements about what is to be protected. They should not specify how. Security objectives usually start with a "verb" such as "Prevent unauthorized users from obtaining account information for our customers". The asset should be clearly identified.