[Dshield] The Cost of Security
Jon R. Kibler
Jon.Kibler at aset.com
Sat Nov 10 15:38:19 GMT 2007
Pete Cap wrote:
> Hello List,
>
> Does anyone know of any really good whitepapers on evaluating the cost to an organization as a result of network intrusions?
>
> Pretty much all of the numbers I've seen over the past six years have been pulled directly from someone's hind end. The best assessments I have seen to date consider "security" to be analogous to a form of insurance; you invest NOW so that WHEN (not if) you suffer an intrusion, you have certain response capabilities available and can recover quickly. Nobody buys life insurance to prevent death, and nobody who goes another year without dying feels their money was wasted.
>
> Alternately, if an organization keeps accurate incident handling records (and, having consulted with almost a hundred, I have yet to find one that does) I suppose I could tally up the hours necessary to recover, times the average salary of their staff...but I feel as if this is a false cost because, since most outfits do not have dedicated security staff, they would be paying the sysadmins the same amount whether they were mitigating an incident or changing people's passwords at the helpdesk.
>
> So far in my literature review it seems as if this is not a very mature area of our field; so has anyone got any bright ideas?
>
> Thanks in advance,
>
> Pete
>
The CSI/FBI annual security report has good figures. See: http://www.gocsi.com/
Jon
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
(843) 849-8214