[Dshield] The Cost of Security

John B. Holmblad jholmblad at aol.com
Sun Nov 18 16:19:49 GMT 2007


Pete,

I don't have pointers to any specific stats relating to the cost of 
network intrusions for you.

However, in the context of the broader question of cost-benefit analysis 
of investments in information assurance/info security, I can suggest the 
following text:

    Managing Cybersecurity Resources: A Cost-Benefit Analysis

Here is the URL to the www page at the Amazon www site for the book:


    http://www.amazon.com/Managing-Cybersecurity-Resources-Cost-Benefit-Mcgraw-Hill/dp/0071452850/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1195401777&sr=8-1

Best Regards,

 

John Holmblad

 

Televerage International

GSEC Gold,   GCWN Gold,   GAWN,  GGSC-0100,   NSA-IAM,  NSA-IEM

Information security, telecommunications, and information technology 
consulting

 

(M) 703 407 2278

(F)  703 620 5388

primary email address:  jholmblad at aol.com

backup email address:  jholmblad at verizon.net

 



Pete Cap wrote:
> Hello List,
>
> Does anyone know of any really good whitepapers on evaluating the cost to an organization as a result of network intrusions?
>
> Pretty much all of the numbers I've seen over the past six years have been pulled directly from someone's hind end.  The best assessments I have seen to date consider "security" to be analogous to a form of insurance; you invest NOW so that WHEN (not if) you suffer an intrusion, you have certain response capabilities available and can recover quickly.  Nobody buys life insurance to prevent death, and nobody who goes another year without dying feels their money was wasted.
>
> Alternately, if an organization keeps accurate incident handling records (and, having consulted with almost a hundred, I have yet to find one that does) I suppose I could tally up the hours necessary to recover, times the average salary of their staff...but I feel as if this is a false cost because, since most outfits do not have dedicated security staff, they would be paying the sysadmins the same amount whether they were mitigating an incident or changing people's passwords at the helpdesk.
>
> So far in my literature review it seems as if this is not a very mature area of our field; so has anyone got any bright ideas?
>
> Thanks in advance,
>
> Pete
>

