Being able to determine the attacker or [[Principle]].
- Audit trails and logs, even in security failure there is a need to detect in order to react, and investigate after is system is re-secured.
- Secure timestamping (e.g. using OS, or network, attacker may attempt to damage integrity of logs)