Just because yesterday's enemies have become today's friends does not imply lessened security needs. Moreover, today's tight money requires achieving security intelligently, no more than needed, and within budget. This paper explains how to achieve optimal risk management for computer- and information-security systems with a new software tool integrating two existing approaches: LAVA (the Los Alamos Vulnerability/Risk Assessment system, developed by Smith at Los Alamos National Laboratory) and VAM (the Value Added Model, developed by Gale et al. at the University of Pennsylvania's Wharton School). The LAVA/VAM amalgamation is a comprehensive tool for optimally upgrading security systems, based on potential exposure to loss (risk), subject to budget constraints. The combined tool calculates loss exposures as a function of the weaknesses or vulnerabilities in the existing baseline safeguards (countermeasures) system, the current threat strength, and the impact (cost) on the organization of successful threat attacks. Its reports describe vulnerability, threat, and loss exposure values in monetary and linguistic terms; these reports also give a linguistic cost/benefit basis for implementing strategies for upgrading missing or inadequate countermeasures. Then it identifies in monetary terms the baseline system's net present value (NPV) to the organization; a monetary cost/benefit analysis of possible upgrade strategies calculates each strategy's NPV and internal rate of return (IRR). Optimal strategy candidates maximize NPV and have IRRs at least as large as the opportunity cost of capital, benefit-to-cost ratios greater than unity, and minimized vulnerability and loss exposure in the areas of most interest to the organization.
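
The selection rule stated above (maximize NPV within budget, IRR at least the opportunity cost of capital, benefit-to-cost ratio above one), as an added Python example that is not LAVA/VAM code. The strategy names, all monetary figures, the 8% rate, and the modelling of benefit as avoided annual loss exposure are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Strategy:
    name: str
    upfront_cost: float           # year-0 cost of the upgrade (constructed)
    annual_cost: float            # recurring cost per year (constructed)
    annual_loss_reduction: float  # assumed benefit: drop in yearly loss exposure
    years: int

def flows(s):
    """Net cash flow per year: upgrade cost now, avoided loss minus upkeep later."""
    return [-s.upfront_cost] + [s.annual_loss_reduction - s.annual_cost] * s.years

def npv(rate, cash):
    return sum(c / (1 + rate) ** t for t, c in enumerate(cash))

def irr(cash, lo=-0.99, hi=10.0, tol=1e-9):
    """Rate at which NPV is zero, by bisection; None if NPV never changes sign."""
    if npv(lo, cash) * npv(hi, cash) > 0:
        return None
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if npv(lo, cash) * npv(mid, cash) <= 0:
            hi = mid
        else:
            lo = mid
    return (lo + hi) / 2

def bcr(rate, s):
    """Present value of benefits divided by present value of all costs."""
    disc = [1 / (1 + rate) ** t for t in range(1, s.years + 1)]
    return (s.annual_loss_reduction * sum(disc)) / (s.upfront_cost + s.annual_cost * sum(disc))

def select(strategies, rate, budget):
    """Highest-NPV strategy that fits the budget, clears the hurdle rate, has BCR > 1."""
    ok = []
    for s in strategies:
        r = irr(flows(s))
        if s.upfront_cost <= budget and r is not None and r >= rate and bcr(rate, s) > 1:
            ok.append((npv(rate, flows(s)), s.name))
    return max(ok)[1] if ok else None

STRATEGIES = [  # constructed sample data
    Strategy("MFA rollout", 100_000, 10_000, 50_000, 5),
    Strategy("Network segmentation", 400_000, 20_000, 150_000, 5),
    Strategy("Badge reader replacement", 200_000, 5_000, 50_000, 5),
]

if __name__ == "__main__":
    print(select(STRATEGIES, rate=0.08, budget=250_000))
```

With the constructed figures, the segmentation upgrade has the largest NPV but is excluded by the 250,000 budget, and the badge reader upgrade fails both the IRR and benefit-to-cost tests.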