[Dshield] The Cost of Security

Pete Cap peteoutside at yahoo.com
Sat Nov 10 14:31:47 GMT 2007


Hello List,

Does anyone know of any really good whitepapers on evaluating the cost to an organization as a result of network intrusions?

Pretty much all of the numbers I've seen over the past six years have been pulled directly from someone's hind end. The best assessments I have seen to date consider "security" to be analogous to a form of insurance; you invest NOW so that WHEN (not if) you suffer an intrusion, you have certain response capabilities available and can recover quickly. Nobody buys life insurance to prevent death, and nobody who goes another year without dying feels their money was wasted.

Alternately, if an organization keeps accurate incident handling records (and, having consulted with almost a hundred, I have yet to find one that does) I suppose I could tally up the hours necessary to recover, times the average salary of their staff...but I feel as if this is a false cost because, since most outfits do not have dedicated security staff, they would be paying the sysadmins the same amount whether they were mitigating an incident or changing people's passwords at the helpdesk.

So far in my literature review it seems as if this is not a very mature area of our field, so has anyone got any bright ideas?

Thanks in advance,

Pete


