In some cases, security mechanisms may provide only
partial support for the best practices, and may need to be
complemented. This should reflect in the weighting process.
This issue can considered using two alternative approaches:
either we value mechanisms that provide partial support only
when their complementary counterparts are also present or
we count them always as providing half of the support
(having half the weight of the original importance). We
decided for the second choice due to the simple fact that,
even though a complementary mechanism might not exist in
the package, the existence of a partial mechanism already
helps the administrator, in the sense that it can be used for
supporting part of the best practice implementation. Notice,
however, that counting partial mechanisms as “half” is also
open for debate. The problem is that determining how much
a mechanism actually fulfils of the best practice (e.g., 80% of
the practice or 30% of the practice) is impossible as this
depends also on other resources available to the
administrator (which may vary from case to case). We
decided that, for the purpose of the benchmark, partial
mechanisms provide on average half the support, even if
under the specific conditions of a real environment that
might not be true.