Greetings Jim and August,
Silviu Burcea wrote: And the last one: we cannot prevent every single attack on Earth ... how much security effort means secure enough?
While there are no clear-cut definitions that state "If 'x' is your system, then 'y' is what you need to be secure...", during this race that the governments have been running to be at the top of the Cyber-powers, they have been coming up with some good guidelines to check against your own applications and systems to see how serious you should be about security, called FIPS-199. (Q.v. NIST FIPS-199 Final PDF)
In a nutshell, it checks three aspects of a given system/dataset/application, namely Confidentiality, Integrity and Availability, against what it would be like if any of those aspects were compromised, and gives a rating to how bad the damage would be considered.
That should give you a good base to start from as to how seriously you should take the security of your applications and systems.
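The categorization described in the post above, sketched as an added example that is not part of the original post. The information type names and their ratings are constructed; the per-objective high-water mark, the LOW floor for a system, and the rule that "not applicable" is only valid for confidentiality come from FIPS 199 itself rather than from the post.

```python
# Added example: FIPS 199 security categorization (not from the original post).
from enum import IntEnum


class Impact(IntEnum):
    NA = 0        # "not applicable": FIPS 199 allows it only for confidentiality
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_type(name, confidentiality, integrity, availability):
    """Validate and return the security category of one information type."""
    levels = (Impact[confidentiality], Impact[integrity], Impact[availability])
    sc = dict(zip(OBJECTIVES, levels))
    for objective in ("integrity", "availability"):
        if sc[objective] is Impact.NA:
            raise ValueError(f"{name}: NA is only valid for confidentiality")
    return sc


def categorize_system(info_types):
    """Per-objective high-water mark over every information type on the system.
    A system never rates below LOW, even if every type is NA for confidentiality."""
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    return {obj: max(Impact.LOW, *(sc[obj] for sc in info_types.values()))
            for obj in OBJECTIVES}


def format_sc(sc):
    """Render a category in the SC = {(objective, impact), ...} notation."""
    return "{" + ", ".join(f"({o}, {sc[o].name})" for o in OBJECTIVES) + "}"


# Constructed sample: three hypothetical information types on one web application.
SAMPLE_TYPES = {
    "public_web_content": categorize_type("public_web_content", "NA", "MODERATE", "LOW"),
    "customer_orders": categorize_type("customer_orders", "MODERATE", "MODERATE", "LOW"),
    "audit_logs": categorize_type("audit_logs", "LOW", "HIGH", "LOW"),
}

if __name__ == "__main__":
    for name, sc in SAMPLE_TYPES.items():
        print(f"{name:20} {format_sc(sc)}")
    print(f"{'system':20} {format_sc(categorize_system(SAMPLE_TYPES))}")
```

The system line shows why one sensitive dataset sets the bar: a single HIGH integrity rating on the audit logs makes the whole system HIGH for integrity, whatever the other types score.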